A streamlined approach to assessing the inherent risk posed by third parties, selecting an appropriate assurance mechanism leveraging the HITRUST CSF and CSF Assurance Program, and qualifying third parties for proposed or existing business relationships.
HITRUST, since 2007, has been championing and delivering solutions to address the lack of a common understanding of the security and privacy controls needed to safeguard sensitive information and individual privacy. These solutions include:
- An industry-accepted information security and privacy control framework, the HITRUST CSF, that incorporates multiple regulatory requirements and best practice standards and frameworks,
- A standard, open, and transparent assessment process to provide accurate, consistent, and repeatable assurances around the level of protection provided by an organization, and
- An industry-recognized certification of an organization’s conformity to the protection requirements specified in the HITRUST CSF through the HITRUST CSF Assurance Program.
However, there is currently no common or consistent approach to determining what information risk assurances should be provided and maintained when an organization shares sensitive information with a third party. This creates inefficiencies as organizations are seeking greater assurances from their third parties than are warranted based on risk or regulatory compliance requirements, or they are not seeking enough assurance and exposing themselves to more risk than intended.
The HITRUST Third-Party Risk Management (TPRM) Methodology provides:
- The information needed to help organizations triage third parties based on the inherent risk they pose,
- A standardized approach to triaging third parties based on specific inherent risk factors and selecting an assessment that provides a level of assurance appropriate to the risk,
- The various risk assessments available (including a targeted, ‘pre-qualifying’ HITRUST CSF Rapid Assessment that addresses high-risk, high-interest, and foundational security controls) and how they can be leveraged in an iterative assurance process,
- A HITRUST CSF Trust Score™ that helps improve the reliability of self-assessments used in the iterative assurance process and supports an organization’s evaluation of the overall trustworthiness of a third party,
- A gap analysis based on a comparison of a third party’s current and target security profiles, and the creation and prioritization of corrective action plans (CAPs),
- The evaluation and reporting of risk based on control maturity and relative impact of a control failure, and
- Formal risk acceptance by management based on the risk target(s) provided by the third-party’s target profile and the residual risk indicated by its current security profile.
The HITRUST TPRM Qualification Methodology—based on one of the most comprehensive, prescriptive yet tailorable, control-based security and privacy risk and compliance management frameworks available—provides a common, standard approach for organizations in any industry, foreign and domestic, to manage their third-party risk consistently, efficiently, and effectively at a reasonable cost. Widespread adoption will also provide similar benefits for third parties, who will be able to leverage their TPRM-based assessments for multiple organizations: a ‘win-win’ for organizations and third parties alike.
Interested in learning more about HITRUST’s Third-Party Risk Management Qualification Methodology?