Addresses Risk and Cost Inconsistencies In Assessing Supply Chain
Frisco, TX, February 7, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced the availability of the HITRUST Third Party Assurance (TPA) Risk Triage Methodology, which provides an efficient and effective way to determine the inherent risk exposure of a third-party relationship and a standardized approach for quickly determining the type and rigor of assurance required of vendors and business partners.
Currently, many organizations require and rely upon inappropriate information protection and assurance requirements, which creates inefficiencies, poses additional risk, and increases costs for organizations and their third parties across the entire supply chain. When an organization fails to appropriately evaluate the effectiveness of a third party's security and privacy controls, it exposes itself to greater risk. Conversely, unnecessarily requiring third parties to provide higher levels of assurance increases costs for all parties.
While applicable to vendors and supply chains in any industry, the TPA Risk Triage Methodology was developed in consultation and coordination with the Provider Third Party Risk Management (TPRM) Council, which recognized the need for an approach that assesses the inherent risk a third party poses and prescribes the appropriate level of assurance necessary to protect sensitive information and support regulatory compliance.
“Until today’s release of the HITRUST TPA Risk Triage Methodology, there was no consistent approach to determining what type of assurance a third party should provide and maintain in cases where information or intellectual property is shared,” says Taylor Lehmann, Vice President and CISO, Wellforce, and co-chair of the Provider TPRM Council. “This void either creates inefficiencies as organizations are seeking greater assurances from their third parties than is warranted, or they are not seeking the level of assurance needed to meet compliance requirements and avoid unnecessary risk exposure.”
Triaging third parties based on inherent risk allows organizations to gain better assurances at reduced cost and greater efficiency by seeking only the assurance level consistent with the risk posed by the third party. The TPA Risk Triage Methodology, when used with the HITRUST CSF® and the HITRUST CSF Assurance Program, enables organizations to ensure their third parties are implementing an appropriate level of due care and due diligence for the protection of sensitive information and individual privacy.
The HITRUST TPA Risk Triage Methodology is unique in its ability to differentiate inherent risk among third parties by identifying common factors that categorize risk in three areas: organizational, compliance, and technical.
- Organizational risk factors reflect the value of the data shared with third parties;
- Compliance factors address fines or penalties an organization can face due to a breach by a third party, which also influence the probable impact of a data compromise; and
- Technical factors relate to how a third party accesses, processes, stores and/or disposes of an organization’s data and can affect the likelihood data will be compromised.
“The Provider TPRM Council has been actively engaging with industry to reduce risks and increase efficiencies around third-party risk management through promoting a standardized set of policies, practices and approach,” says John Houston, Vice President, Information Security and Privacy; Associate Counsel, UPMC, and co-chair of the Provider TPRM Council. “This risk triage methodology has been a missing component and can be used as the first step in an organization’s third-party risk management process to quickly assess the risks inherent in the sharing of information with a particular third party and determine an appropriate assurance mechanism, thereby increasing efficiency and effectiveness of the process.”
The HITRUST TPA Risk Triage Methodology also incorporates a risk scoring model to help quantify the risk and offers specific recommendations for the type and rigor of the assessment and the required maturity of the third party's information protection program. The scoring model estimates the relative likelihood of a data breach by the third party based on five technical risk factors, and the relative impact of such a breach based on three organizational risk factors and four compliance risk factors. Together these estimates produce a risk score that is used to determine which of five levels of assessment the third party is asked to complete. Organizations also have the flexibility to weight some factors more heavily than others when calculating the likelihood and impact of a third party's inherent risk, to reflect their specific risk tolerances.
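The scoring structure described above (five technical factors driving likelihood, three organizational plus four compliance factors driving impact, optional per-factor weighting, and a score mapped to one of five assessment levels) can be sketched as a small program. The example below is added here for illustration and is not HITRUST's model or code: the factor names, the 1-5 rating scale, the equal default weights, the likelihood-times-impact product and the level thresholds are all assumptions, since the release states only the factor counts and the number of levels.

```python
"""Illustrative inherent-risk triage score (assumed model, not HITRUST's).

Structure mirrored from the release: 5 technical factors -> likelihood,
3 organizational + 4 compliance factors -> impact, optional weights,
score -> one of five assessment levels. Everything else is assumed.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Sequence

# Hypothetical factor names; only the counts (5 / 3 / 4) come from the release.
TECHNICAL = ("access_method", "processing", "storage", "transmission", "disposal")
ORGANIZATIONAL = ("data_volume", "data_sensitivity", "business_criticality")
COMPLIANCE = ("hipaa", "state_privacy", "pci", "contractual_penalties")
ALL_FACTORS = TECHNICAL + ORGANIZATIONAL + COMPLIANCE

SCALE_MIN, SCALE_MAX = 1, 5  # assumed per-factor rating scale

# Assumed upper bounds for levels 1..5 on a likelihood x impact score (1..25).
LEVEL_UPPER_BOUNDS = (4.0, 7.0, 12.0, 18.0, 25.0)


@dataclass(frozen=True)
class TriageResult:
    likelihood: float   # weighted mean of technical ratings
    impact: float       # weighted mean of organizational + compliance ratings
    score: float        # likelihood * impact, rounded to 2 decimals
    level: int          # 1 (lightest assessment) .. 5 (most rigorous)


def validate_ratings(ratings: Mapping[str, float]) -> None:
    """Reject incomplete or out-of-range input before it reaches the arithmetic."""
    missing = [name for name in ALL_FACTORS if name not in ratings]
    if missing:
        raise ValueError(f"missing factor ratings: {missing}")
    for name in ALL_FACTORS:
        value = ratings[name]
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} outside {SCALE_MIN}..{SCALE_MAX}")


def weighted_mean(ratings: Mapping[str, float], names: Sequence[str],
                  weights: Optional[Mapping[str, float]] = None) -> float:
    """Weighted mean over the named factors; unlisted factors weigh 1.0."""
    weights = weights or {}
    total_weight = sum(weights.get(n, 1.0) for n in names)
    return sum(ratings[n] * weights.get(n, 1.0) for n in names) / total_weight


def assessment_level(score: float) -> int:
    """Map a raw score to the first level whose assumed upper bound covers it."""
    for level, upper in enumerate(LEVEL_UPPER_BOUNDS, start=1):
        if score <= upper:
            return level
    raise ValueError(f"score {score} exceeds the maximum of {LEVEL_UPPER_BOUNDS[-1]}")


def triage(ratings: Mapping[str, float],
           weights: Optional[Mapping[str, float]] = None) -> TriageResult:
    """Compute likelihood, impact, score and assessment level for one third party."""
    validate_ratings(ratings)
    likelihood = weighted_mean(ratings, TECHNICAL, weights)
    impact = weighted_mean(ratings, ORGANIZATIONAL + COMPLIANCE, weights)
    raw_score = likelihood * impact
    return TriageResult(likelihood, impact, round(raw_score, 2), assessment_level(raw_score))


# Constructed sample: a vendor that handles a small volume of sensitive data.
SAMPLE_VENDOR: Dict[str, float] = {
    "access_method": 3, "processing": 3, "storage": 2, "transmission": 2, "disposal": 2,
    "data_volume": 2, "data_sensitivity": 4, "business_criticality": 2,
    "hipaa": 4, "state_privacy": 2, "pci": 1, "contractual_penalties": 2,
}

# Constructed weighting for an organization that cares most about sensitivity and HIPAA exposure.
SENSITIVITY_FOCUSED_WEIGHTS: Dict[str, float] = {"data_sensitivity": 4.0, "hipaa": 4.0}


if __name__ == "__main__":
    baseline = triage(SAMPLE_VENDOR)
    weighted = triage(SAMPLE_VENDOR, SENSITIVITY_FOCUSED_WEIGHTS)
    print("default weights :", baseline)
    print("sensitivity bias:", weighted)
```

Running the block shows the effect the release attributes to weighting: with equal weights the constructed vendor scores about 5.83 and lands in level 2, while the sensitivity-focused weights raise impact enough to push the same vendor into level 3, so the organization's risk tolerance, not just the vendor's ratings, decides how much assurance is requested.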
“This risk triage methodology, another component in HITRUST’s comprehensive approach, helps organizations determine their risk management priorities when assessing the risk their third-party business partners present,” says Dr. Bryan Cline, Vice President, Standards and Analysis, HITRUST. “With limited resources, this process determines how much assurance organizations need from a supplier to ensure they’re managing information risk and compliance.”