By Dr. Bryan S. Cline, Chief Research Officer, HITRUST
Information risk assessments are an integral component of the third-party risk management (TPRM) process, providing necessary insight into the effectiveness of a third party’s information privacy and security controls. When properly executed they can provide a meaningful and appropriate level of assurance, but in many cases they offer limited value because the third party lacks perspective, understanding, or candor.
Take this interaction as a case in point:
Dad: So, Johnny…how well are you doing in math?
Johnny: Pretty good.
Dad: Really? How did you do on your mid-term?
Johnny: I got a C.
Did Johnny lie when he said he was doing “pretty good”? Or is there simply a disconnect between how Johnny assessed himself and how the instructor assessed Johnny via a standardized test instrument? Honestly, it could go either way: self-assessment most often yields a higher estimate of performance than an assessment performed by an instructor.[1]
However, when preceded by appropriate guidance and facilitated by an instructor, the strengths of self-assessment can be enhanced and its weaknesses correspondingly reduced.[2] In fact, when used appropriately, self-assessments have been shown to contribute to higher academic achievement[3] as well as better non-academic behavior.[4]
Unfortunately, we also have to deal with scenarios that are less equivocal than the one above:
Dad: So, Johnny…how well are you doing in math?
Johnny: Pretty good.
Dad: Really? How did you do on your mid-term?
Johnny: I got a B. So, can I still drive the car?
Dad: I’m sorry, but no. I called your instructor and he said you received a C on your mid-term.
No amount of guidance or facilitation will address outright dishonesty: Johnny knew that if he didn’t get a B he would lose his driving privileges, and that is what motivated him to mislead.
What does this have to do with TPRM?
Well, quite a lot, actually.
Over the years, HITRUST® has observed similar trends among organizations that assess themselves against the HITRUST CSF® security and privacy control framework. An organization with a very immature program will tend to rate itself much higher than the underlying evidence would otherwise suggest, whereas an organization with a more robust program will tend to be ‘closer to the mark’ in its self-assessment when compared with a validated third-party assessment.
In HITRUST terms, a self-assessment is less reliable than a validated assessment; by less reliable, we mean less ‘rely-ability’: an organization can place less reliance on the result, and so receives lower assurance from it.
So, what role should self-assessments play in a TPRM program?
Given the limited rely-ability of self-assessments, HITRUST recommends limiting their use to:
- Vetting smaller entities that present inherently low risk to an organization, and
- Readiness assessments for a future third-party (i.e., validated) assessment, if needed.
Both use cases have been part of the HITRUST Approach for almost a decade, and now HITRUST is providing formal guidance on how they can be used to support an organization’s TPRM program.
The HITRUST TPRM methodology consists of a six-step process, as shown in Figure 1.
Figure 1. TPRM Process
The third step of TPRM, Qualify, further breaks down into a six-step process, as shown in Figure 2, which is intended to ‘qualify’ a third party based on the residual risk it presents to the organization.
Figure 2. TPRM Step 3 – Qualify Process
Risk Triage, the second step in the third-party qualification process, determines the type of assessment needed to provide a level of assurance commensurate with the level of information risk inherent in a proposed or existing business relationship with a third party. The intent is to ensure that the residual risk remaining after controls are applied does not exceed the organization’s risk tolerance.[5]
This leads to the third step in the process, Risk Assessment, where self-assessments can be put to good use. To understand how, let’s dig a bit deeper into the types of assessments that may be required of a third party in this step.
A self-assessment may be specified for organizations that present a very low inherent risk, but higher levels of inherent risk will always require a third-party assessment, such as the HITRUST CSF Validated Assessment, i.e., an assessment conducted by an independent Authorized External Assessor Organization. Depending on the level of inherent risk, these validated assessments range from an assessment with no minimum aggregated maturity scores to a certified assessment with specific minimums.
However, this can also create challenges when an organization wants to engage a third party but there is insufficient time to complete a HITRUST CSF Validated Assessment. HITRUST is therefore proposing two types of self-assessment to provide interim assurance between the inherent risk assessment performed during triage and any validated assessment needed to provide independent assurance for the organization.
The first is a ‘pre-qualifying’ self-assessment (which we refer to as a HITRUST CSF Rapid Assessment for the purpose of TPRM) that focuses on a subset of foundational and high-interest, high-risk CSF control requirements, can be performed very quickly, and serves as the first ‘gate’ in the qualifying process. The second is a HITRUST CSF Readiness Assessment of the same scope, and covering the same controls, as the HITRUST CSF Validated Assessment specified during risk triage. This can be provided in three months or less and serves as the second qualifying gate prior to a HITRUST CSF Validated Assessment.
Third parties that fail to pass a qualifying gate are subject to further review by management and potential disqualification from doing business with the organization.