The ‘heart’ of TPRM is arguably Step 3 – Qualification, which provides organizations a comprehensive approach to defining inherent risk factors, triaging third parties based on inherent risk, working with third parties to obtain the necessary assurances, evaluating and reporting on residual risk, and qualifying third parties for business by making a formal recommendation for the acceptance of that risk. And the ‘heart’ of Step 3 – Qualification is third-party triage based on inherent risk and the iterative assessment approach to obtaining the necessary assurances.

By providing a common set of risk factors that are independent of the security and privacy controls that may or may not be implemented by a third party, an organization can readily ascertain the relative inherent risk among its vendors and determine a reasonable and appropriate mechanism to obtain the assurances it needs at a reasonable cost. The approach also provides the flexibility organizations need in managing risk: some factors can be weighted more heavily than others when computing likelihood and impact values, and more robust assurances can be required, e.g., by mandating a HITRUST CSF Assessment against all the control requirements for which a vendor is responsible, as determined by its scoping and risk factors.

Qualification also supports multiple assessment types that may be used to obtain successively rigorous assurances based on the completeness of the control requirements specified—whether it is conducted by the third party itself or by an independent HITRUST CSF assessor, the rigor of the assessment and scoring approach, and the maturity of program implementation as reflected by the scores—until the required level of assurance is provided.

The qualification process consists of six basic steps:

  • Pre-Qualification Work (PQW) – Data access is reviewed based on the information gathered in the prior step of the TPRM process model;
  • Risk Triage (RT) – The third party is classified or tiered according to the level of inherent risk it presents, based on specific risk factors;
  • Risk Assessment (RA) – Assurances about the level of residual risk the third party poses to the organization are obtained and reviewed, based on an attestation or assessment of conformity to an organization-defined security and privacy standard;
  • Risk Mitigation (RM) – Any gaps in conformity are evaluated along with the third party’s corrective action plans (CAPs) to address those gaps, if any;
  • Risk Evaluation (RE) – The remaining or residual risk is evaluated and a recommendation is made to either accept or reject the residual risk; and
  • Qualification Recommendation (QR) – A recommendation is made to either accept or decline to accept that risk based on the organization’s general risk appetite[180] and specific risk tolerances.[181]

Figure 25. Generic Third-Party Qualification Process

The resulting methodology—based on one of the most comprehensive, prescriptive yet tailorable control-based frameworks available for managing security, privacy, and compliance risk—provides a common, standardized approach for organizations in any industry, foreign and domestic, to manage their third-party risk consistently, efficiently, and effectively at a reasonable cost. Widespread adoption will also provide similar benefits for third parties, who will be able to leverage their TPRM-based assessments for multiple organizations: a ‘win-win’ for organizations and third parties alike.[182]

[180] Defined here as the total amount and type of risk an organization is willing to pursue or retain. See Appendix C.

[181] Defined here as the amount and type of risk, usually expressed as a range of values, that an organization is prepared to accept in total or, more narrowly, within a certain business unit, a particular risk category, or for a specific initiative. See Appendix C.

[182] For more information, refer to Cline, B. (2022, Feb).