This process is a good start, but how can we rely on the results of an assessment conducted by the third party, i.e., a HITRUST CSF Rapid Assessment, for something as important as qualifying it to enter into, or continue, a business relationship with relatively high inherent risk?
Let’s think about this a bit.
One’s ability to rely on the evidence provided by a particular assessment is based on the concept of trust, which is essentially a measure of trustworthiness. From a legal perspective, trustworthiness may be further defined as being “worthy of confidence” or, more specifically, “being or deriving from a source worthy of belief or consideration for evidentiary purposes.”
So, how can we determine the level of trust that can be placed in a self-assessment?
The obvious answer is to compare the results of a self-assessment with the results of an independent but otherwise identical assessment, i.e., compare a HITRUST CSF Readiness Assessment with a HITRUST CSF Validated Assessment. While this can’t be done in parallel since the proposed readiness assessment occurs well before a validated assessment, they can be compared longitudinally over time to generate a ‘trust score,’ i.e., a measure of trustworthiness, that would contribute to the organization’s overall assessment of risk.
If a third party provides a reliable HITRUST CSF Readiness Assessment and later provides a HITRUST CSF Validated Assessment, the expectation is the control maturity scores would remain consistent, if not improve over time. Additionally, control maturity scores that decrease over time would indicate that the original readiness assessment was unreliable. HITRUST therefore proposes a scoring model in which larger differences in the ‘right direction’ would result in higher trust scores, and those in the ‘wrong direction’ would result in lower trust scores.
The HITRUST Trust Score™ is subsequently based on the difference of the mean (average) HITRUST CSF maturity scores between the two assessments. By subtracting scores for the HITRUST CSF Readiness Assessment from the corresponding maturity scores in the HITRUST CSF Validated Assessment, an overestimation of control maturity scores in the readiness assessment will result in negative values for the differences and consistent overestimation will likely result in a negative mean of the differences.
The HITRUST Trust Score will subsequently focus on the negative portion of the bell curve for a Standard () Score, establish a Trust Score of zero (0) for scores less than -3 standard deviations from the mean, and establish a maximum Trust Score of ten (10) for scores greater than or equal to zero, as shown in Figure 3.
Figure 3. Modified Bell Curve for the HITRUST Trust Score
A higher Trust Score indicates a trustworthy organization: one whose HITRUST CSF Readiness and Validated Assessment results are consistent, or one that underestimated its control maturity on the readiness assessment. The model treats both as equally trustworthy.
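As an added worked example (not HITRUST's own code or published formula), the following Python carries the scoring model described above through on constructed data: per-control differences (validated minus readiness), their mean, a standard score, and the 0 to 10 mapping. The reference mean and standard deviation used for the standard score, and the linear interpolation between -3 and 0, are assumptions; the text fixes only the two endpoints.

```python
"""Worked Trust Score calculation modelled on the text above (added example)."""
from statistics import mean
from typing import Sequence

# Constructed sample data: per-control HITRUST CSF maturity scores (0-100)
# reported by a third party in its Readiness (self) assessment and later
# measured in its Validated assessment, listed for the same controls.
READINESS = [85, 90, 75, 80, 95, 70, 88, 92]
VALIDATED = [80, 72, 74, 65, 90, 68, 85, 70]


def mean_difference(readiness: Sequence[float], validated: Sequence[float]) -> float:
    """Mean of (validated - readiness) per control.

    A negative mean means the self-assessment consistently overstated maturity,
    which is the pattern the Trust Score is designed to penalise.
    """
    if not readiness or len(readiness) != len(validated):
        raise ValueError("score lists must be non-empty and the same length")
    return mean(v - r for r, v in zip(readiness, validated))


def standard_score(value: float, ref_mean: float, ref_sd: float) -> float:
    """Standard score of a mean difference against a reference distribution.

    ASSUMPTION: the text does not say which population defines the bell curve,
    so the caller supplies its mean and standard deviation.
    """
    if ref_sd <= 0:
        raise ValueError("reference standard deviation must be positive")
    return (value - ref_mean) / ref_sd


def trust_score(z: float) -> float:
    """Map a standard score onto the 0-10 Trust Score.

    Endpoints from the text: 0 at or below -3 standard deviations, 10 at or
    above zero. ASSUMPTION: a straight line in between (the curve shape between
    the endpoints is not stated).
    """
    if z >= 0.0:
        return 10.0
    if z <= -3.0:
        return 0.0
    return round(10.0 * (z + 3.0) / 3.0, 2)


def score_third_party(readiness, validated, ref_mean=0.0, ref_sd=5.0) -> float:
    """End-to-end: differences -> mean -> standard score -> Trust Score."""
    return trust_score(standard_score(mean_difference(readiness, validated), ref_mean, ref_sd))
```

With the constructed data the readiness scores overstate maturity by 8.875 points on average, which with the assumed reference distribution lands at a Trust Score of 4.08 rather than 10.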
The HITRUST Trust Score will provide yet another useful data point in one’s evaluation of the overall trustworthiness of a third party. Additionally, just the knowledge that the customer will be presented with this information could have the added benefit of encouraging third parties to be more accurate and truthful when conducting these types of self-assessments.
So, how well do self-assessments support TPRM?
Admittedly, self-assessments often provide inflated results and are not as reliable as an assessment conducted by an independent party. There’s just no getting around it. However, self-assessments can still provide value when used properly—especially when used as part of a formal TPRM program based on a rigorous approach to risk triage and utilizing HITRUST CSF Rapid, Readiness, and Validated Assessments of the risk posed by a third party to your organization.
HITRUST will be incorporating elements of the HITRUST Risk Triage, Rapid and Readiness Assessments, and HITRUST Trust Score methodologies as upcoming enhancements to the HITRUST Assessment XChange™ and HITRUST Assessment XChange Manager platform to further facilitate an organization’s internal TPRM programs and processes. For more information, go to hitrustax.com.
For more information on the HITRUST TPRM Qualification Methodology, read the HITRUST TPRM Qualification Methodology white paper.
Ross, J. (2006, Nov). The reliability, validity and utility of self-assessment. Practical Assessment, Research & Evaluation, 11(10), p. 3. Available from https://pareonline.net/getvn.asp?v=%2011&n=%2010
Ross (2006, Nov).
Ross (2006, Nov), pp. 4-5.
Hughes et al. (1985); Schunk (1996); Sparks (1991), cited by Ross (2006, Nov), p. 7.
The FAIR Institute provides a simple explanation of risk appetite and risk tolerance at https://www.fairinstitute.org/blog/risk-appetite-vs.-risk-tolerance.-whats-the-difference.
Bishop, M. (2003). Computer Security: Art and Science. Boston, MA: Addison-Wesley, pp. 477-478. Cited in Gegick, M. and Barnum, M. (2013, May 10). Reluctance to Trust, US-CERT Cyber-Infrastructure. Available from https://www.us-cert.gov/bsi/articles/knowledge/principles/reluctance-to-trust.
Merriam-Webster (n.d.). Trustworthy. Available from https://www.merriam-webster.com/dictionary/trustworthy.