As part of the HITRUST 2019 conference today, I attended a panel called Streamlining Your Third-Party Risk Management Program.
The panel was composed of:
- Michael Parisi: Vice President, Assurance Strategy & Community Development, HiTRUST
- Brenda Callaway: Divisional Vice President, Information Security Risk Management, HCSC
- Melissa Bendana: IT Compliance and Third Party Risk Management, BlueShield of California
- Justin Bovee: Senior Manager, Information Security & Risk Management, Johnson & Johnson
- Spencer Langston: Business Development Manager, HITRUST
Streamlining Your Third-Party Risk Management Program – My Takeaways
Here are my takeaways from the panel:
- Vendor management is very tough for Johnson & Johnson. Thousands of vendors to manage
- BlueShield of CA: They accept HiTRUST, SOC 2, or have vendors fill out a questionnaire
- HCSC ranks vendors from high-risk to low-risk profiles
- Fourth parties (e.g. AWS) and security of data in the cloud is a concern to Melissa
- “The one thing we don’t want to do is stifle innovation.” (Justin Bovee)
- Fourth party risk management is a hot topic now
- Limited staff and resources is a shared constraint among all panelists
- “I like to focus my staff on the highest risk, most important value-added work.” (Brenda Callaway)
- Risk Acknowledgement Process: When a vendor falls below acceptable risk criteria, they get placed into this category by J&J
- HITRUST is a requirement for doing business with HCSC. “We think that’s the bar.” (Brenda Callaway)
- Brenda likes to see the full HITRUST report. Corrective Action Plans are important to her.
- “The HITRUST framework…. really means a lot more to me.” (Brenda)
- Melissa expects to view the full HITRUST report from vendors
- “We prefer the HITRUST full report.” (Brenda)
- Justin also likes to see the full HITRUST report
- HITRUST is more security-based, as opposed to SOC 2, which is more audit-based
- “Our security program is not special. It’s supposed to be best in class.” (Justin Bovee)
- “You can usually tell right away if a vendor knows security.” (Melissa)
- What’s next for third-party risk management?
- Automation to improve process
- Standardization remains elusive
- Scalability and better reporting
- “We struggle with smaller vendors. (Brenda)
- Vendors who have HITRUST certification: It speaks volumes to Brenda
See also: De-Identification: Its Value to Businesses and How to do it Right – HITRUST 2019
HITRUST 2019 positions itself is the most comprehensive and definitive information risk management conference for privacy, security, and compliance professionals.
The conference is held at the Gaylord Texan Resort in Grapevine, Texas.