Managing Supplier Compliance Through Shared Assessments

How are you assessing and managing vendor compliance against key information security and data privacy regulations? Are you taking the “cowboy” approach—working long hours gathering and trying to maintain information from each vendor based on your own set of criteria (albeit tied to a standard but your own)?
Are you part of a new group of managers relying on shared assessment programs to gather the information for them and thereby allowing them to focus on managing the risk at hand?
If the idea of participating in a shared assessment program sounds appealing, read on. If you are part of either the financial services or healthcare industries, you should be even more interested. Both industries have shared assessment programs well underway, with a growing population of completed assessments on hand.
Here are a few of the leading programs:
BITS Shared Assessments Program
Developed by the financial services industry but offering cross-industry value, the BITS Shared Assessment Program provides a comprehensive IT and third-party control assessment framework. This framework maps to leading industry and regulatory requirements pertaining to IT security, privacy, and third-party risk management. The program has the added benefit that its now commonly accepted results can be shared across organizations as needed.
The BITS Shared Assessment Program goes a long way toward removing the internal burden of creating and maintaining a common IT control framework that is up to date and accepted both by regulators and within the industry. Get more information at http://www.sharedassessments.org/.
HITRUST Alliance
HITRUST is a healthcare-based program with a Common Security Framework (CSF) for assessing and certifying vendors against security requirements found in key standards and regulations, including federal (HIPAA, HITECH), third-party (PCI, COBIT) and government (NIST, FTC) sources. The framework was designed for all organizations that create, access, store or exchange personal health and financial information. Get more information at http://www.hitrustalliance.net/.
Both programs offer a solid industry standard assessment framework that you can use on your vendors or simply request that they complete one of the shared assessments as a condition of doing business with you. You can include the request for an annual review in the terms of your service contract. The cowboys in all of us are quickly realizing the benefit of sharing!
About the Author: Chris Bell is a founder and VP of Product Management at Evantix, which provides an on-demand risk management solution that helps companies assess, manage, and monitor risk across their complex business relationships. He builds innovative risk management solutions for the market and advises companies on how to improve their programs. You can read more from Chris on the Evantix blog.
Want a first-hand view of the power of shared assessments?