Understanding and Improving the Role of Self-assessments in Third-Party Risk Management

November 11, 2019

By Dr. Bryan S. Cline, Chief Research Officer, HITRUST

Information risk assessments are an integral component of the third-party risk management (TPRM) process, providing necessary insights into the effectiveness of a third party’s information privacy and security controls. They can provide a meaningful and appropriate level of assurance when properly executed but, in many cases, they offer limited value due to a lack of perspective, understanding, or truthfulness by the third party.

Take this interaction as a case in point:

Dad: So, Johnny…how well are you doing in math?

Johnny: Pretty good.

Dad: Really? How did you do on your mid-term?

Johnny: I got a C.

Did Johnny lie when he said he was doing “pretty good”? Or is there simply a disconnect between how Johnny assessed himself and how the instructor assessed Johnny via a standardized test instrument? Honestly, it could go either way; this is because assessing oneself will most often result in higher estimates of performance than if the assessment is performed by an instructor.[1]

However, when preceded with appropriate guidance and facilitated by an instructor, the strengths of self-assessments can be enhanced and their weaknesses subsequently reduced.[2] In fact, when used appropriately, self-assessments have been shown to contribute to higher academic achievement[3] as well as better non-academic behavior.[4]

Unfortunately, we also have to deal with scenarios that are less ‘equivocal’ than the one provided earlier:

Dad: So, Johnny…how well are you doing in math?

Johnny: Pretty good.

Dad: Really? How did you do on your mid-term?

Johnny: I got a B. So, can I still drive the car?

Dad: I’m sorry, but no. I called your instructor and he said you received a C on your mid-term.

No amount of guidance or facilitation will address outright dishonesty: Johnny knew, if he didn’t get a B, he would lose his driving privileges, which subsequently motivated him to mislead.

What does this have to do with TPRM?

Well, quite a lot, actually.

Over the years, HITRUST® has observed similar trends with organizations that assess themselves against the HITRUST CSF® security and privacy control framework. An organization with a very immature program will tend to rate itself much higher than the underlying evidence would otherwise suggest, whereas an organization with a more robust program will tend to be ‘closer to the mark’ with its self-assessment when compared with a valid third-party assessment.

In HITRUST terms, a self-assessment is less reliable than a validated assessment; by less reliable, we mean less ‘rely-ability’ and subsequently lower assurance for your organization.

So, what role should self-assessments play in a TPRM program?

Given the limited rely-ability of self-assessments, HITRUST recommends limiting their use to:

  • Vetting smaller entities that present inherently low risk to an organization, and
  • Readiness assessments for a future third-party (i.e., validated) assessment, if needed.

Both use cases have been part of the HITRUST Approach for almost a decade, and now HITRUST is providing formal guidance on how they can be used to support an organization’s TPRM program.

The HITRUST TPRM methodology consists of a six-step process, as shown in Figure 1.

Figure 1. TPRM Process

The third step of TPRM, Qualify, further breaks down into a six-step process, as shown in Figure 2, which is intended to ‘qualify’ a third party based on the residual risk it presents to the organization.


Figure 2. TPRM Step 3 – Qualify Process

Risk Triage, the second step in the third-party qualification process, determines the type of assessment needed to provide a level of assurance commensurate with the level of information risk inherent in a proposed or existing business relationship with a third party. The intent is to ensure the remaining residual risk after controls are applied does not exceed the organization’s risk tolerances.[5]

This leads to the third step in the process, Risk Assessment, where self-assessments can be put to good use. To understand how, let’s dig a bit deeper into the types of assessments that may be required of a third party in this step.

A self-assessment may be specified for organizations that present a very low inherent risk, but higher levels of inherent risk will always require a third-party assessment, such as the HITRUST CSF Validated Assessment, i.e., an assessment conducted by an independent Authorized External Assessor Organization. Depending on the level of inherent risk, these validated assessments can range from an assessment with no minimum aggregated maturity scores to a certified assessment with specific minimums.

However, this can also create challenges in circumstances where an organization wants to engage with a third party, but there is insufficient time to complete a HITRUST CSF Validated Assessment. HITRUST is subsequently proposing the use of two types of self-assessments to provide interim assurances between the inherent risk assessment performed during triage and any validated assessment needed to provide independent assurances for the organization.

The first assessment is a ‘pre-qualifying’ self-assessment—which we refer to as a HITRUST CSF Rapid Assessment for the purpose of TPRM—that would focus on a subset of foundational and high-interest, high-risk CSF control requirements, could be performed very quickly, and would serve as the first ‘gate’ during the qualifying process. The second self-assessment would be a HITRUST CSF Readiness Assessment with the same scope and the same controls as the HITRUST CSF Validated Assessment specified during risk triage. This could be provided in a relatively short time period of three months or less and would serve as the second qualifying gate prior to a HITRUST CSF Validated Assessment.

Third parties that fail to meet a particular qualifying gate would be subject to further review by management and potential disqualification from doing business with the organization.
