Third-Party Assurance (TPA) Risk Triage Methodology
A streamlined approach to assessing the inherent risk posed by a third party and selecting an appropriate assurance mechanism leveraging the HITRUST CSF® and CSF Assurance™ Program.
Since 2007, HITRUST® has championed and delivered solutions that address the lack of a common understanding of the security and privacy controls needed to safeguard sensitive information and individual privacy. These solutions include:
- An industry accepted information security and privacy control framework, the HITRUST CSF, that incorporates multiple regulatory requirements and best practice standards and frameworks
- A standard, open and transparent assessment process to provide accurate, consistent and repeatable assurances around the level of protection provided by an organization
- An industry recognized certification of an organization’s conformity to the protection requirements specified in the HITRUST CSF through the HITRUST CSF Assurance Program
However, there is currently no common or consistent approach to determining what information risk assurances should be provided and maintained when an organization shares sensitive information with a third party. This creates inefficiencies: organizations either seek greater assurance from their third parties than risk or regulatory compliance requirements warrant, or they seek too little assurance and expose themselves to more risk than intended.
The HITRUST Third-Party Assurance (TPA) Risk Triage Methodology provides:
- Specific organizational, compliance and technical factors that help identify the type and amount of inherent risk the business relationship with the vendor poses
- A simple risk scoring model to help quantify that risk
- Specific recommendations for the type and rigor of the assessment and the maturity of the organization's information protection
The methodology can be used as the first step in an organization's third-party risk management process to quickly assess the risks inherent in sharing information with a particular third party and to determine an appropriate assurance mechanism, thereby increasing the efficiency and effectiveness of the process. Broad adoption will also significantly reduce costs for the organization as well as for any third party that needs to provide assurances to multiple customers or business partners.
To learn more about HITRUST’s Third-party Assurance (TPA) Risk Triage Methodology: