The HITRUST Results Distribution System (RDS) addresses the highly inefficient process of obtaining, interpreting, and analyzing assessment results from third-party vendors. (Initial Release Planned by End of 2021)
The Need for Efficiency in Managing Third-Party Risk
Those that manage risk know the current process of obtaining, interpreting, and analyzing assessment results from third parties is both time-consuming and highly inefficient. Today, third-party attested security and privacy assessment reports are delivered to the assessed entity in PDF format. In many cases, the assessed entity is asked to share their assessment report with a relying party (e.g., customer, trading partner, or regulator), who then must manually review the report to identify the salient information they need to make better-informed decisions about the risk an assessed entity presents to their organization.
At a minimum, they want to review the scope, scoring, and details on specific controls of interest. In many cases, they post or upload the entire report as documentation into a vendor risk management system for compliance purposes and then repeat this process with each vendor annually. This is a very time-consuming and labor-intensive process and often distracts resources from identifying and focusing on those vendors that pose the greatest residual risk (risk left after controls are put in place and assessed).
To learn more, join our upcoming webinar on November 9, 2021.
A Better Way to Exchange and Consume Third-Party Assessment Results
The HITRUST Results Distribution System (RDS) addresses many of the shortcomings of the current methods by which assessment results are exchanged and consumed. It does so by enabling the results from an assessed entity to be sent to a secure portal. The RDS Portal allows assessed entities to designate which parties they want to share their assessment results with, how the results can be accessed (via a web browser and/or API), and the specific assessment detail reports they want to share (such as the certification letter, expanded scope description, and findings). The relying party can review and search online for specific elements they are seeking, set up customizable views, and create alerts for assessment results outside of a defined threshold. In addition, relying parties can leverage an API to integrate with various third-party risk management systems and receive the results directly into those systems. Customers also will be able to use an API for integration into their specific environment and Third-Party Risk Management program. (Initial Release Planned by the End of 2021)
At-A-Glance Benefits of the HITRUST Results Distribution System (RDS)
- Enables electronic delivery of assessment results to specific individuals or organizations via portal or API
- Enables portal recipients to set alerts based on various assessment attributes
- Enables portal recipients to set up customized views and dashboards
- Reduces the inefficiencies in the current approaches to assessment result sharing and consuming
Results Distribution System Drives More Efficient Assurance Exchange
The HITRUST Results Distribution System (RDS) reduces the inefficiencies in the current approaches to assessment result sharing and consuming by enabling an assessed entity to efficiently transfer assessment information to a relying party through a highly secure portal or API. The RDS portal allows assessed entities to designate who may access their assessment results and supports integration with GRC and VRM platforms via an API.
Recipients can customize dashboards to view the results that interest them most, including the type of HITRUST Assessment, scope, aggregate scores, Corrective Action Plans (CAPs), and specific control scores, or only controls for organizations that are not HITRUST CSF Certified. In addition, recipients can configure dashboards to display results across multiple assessments in a manner consistent with their preferred format.
Integration with Third-Party Risk Management Systems
The HITRUST RDS API will enable GRC and VRM platforms to electronically consume assessment results and allow users of those systems to fully leverage the analytics capabilities that they offer. HITRUST is partnering with key GRC and VRM vendors to facilitate this process.
“For third-party risk management systems to achieve their full potential in helping organizations manage their vendor risk, assessment results need to be electronically shared and consumed,” said Jeremy Fisher, Vice President of Product at Archer. “HITRUST’s Results Distribution System is a big step in making that possible and will be a strong complement to our focus on vendor interaction through Archer Engage.”
Additional searchable data analytics and results categorization are coming in the future, which will allow for segmenting result subsets such as specific controls and Authoritative Sources. Organizations also will be able to report against “categorical” controls for relevant stakeholders, organized by domain and/or risk; for example, they will be able to provide assurance results for all controls associated with addressing ransomware.