HITRUST, a leading data protection standards development and certification organization, today announced continued adoption of its HITRUST CSF Assurance Program, and specifically the HITRUST CSF Assessment Report, as the most effective means of communicating an organization’s information privacy and security controls with their business partners and regulators.

Sabre Corporation, a leading technology provider to the global travel industry, is the latest organization to require its vendors to provide a HITRUST CSF Assessment as a means of demonstrating the effectiveness of their information privacy and security controls. Sabre sought an approach that would provide a comprehensive and consistent privacy and security assessment without requiring their vendors globally to undergo a proprietary Sabre assessment.

“We are committed to safeguarding our customers’ sensitive information, and our vendors play a key role in the process,” said Roy Mellinger, Senior Vice President and CISO, Sabre Corporation. “By leveraging HITRUST CSF Assessment Reports, Sabre can get the consistency and assurance it requires while leveraging a common and widely adopted assessment approach.”

“Customers and their vendors across industries and geographies are recognizing the benefits of the HITRUST CSF Assessment Report as the most efficient and effective way to communicate information risk,” said Michael Parisi, Vice President, Assurance Strategy and Community Development, HITRUST. “The HITRUST CSF Assessment Report addresses issues of transparency, integrity and consistency not found in other commonly used assessment and assurance approaches.”

Organizations can have from a handful to hundreds of thousands of different vendors, with those vendors’ services varying in the sensitivity and volume of information they have access to. Assessing the information privacy and security posture of vendors in a manner that is valuable for both the customer and vendor is crucial in ensuring both the integrity and efficiency in the ecosystem – and is increasingly required for demonstrating compliance with regulations such as the EU’s General Data Protection Regulation (GDPR). The HITRUST CSF Assurance Program’s design and reliability is key to streamlining the assessment process and enables vendors to reduce the number and associated costs of information privacy and security assessments and assurance reporting.

“Highmark has required our third parties to be HITRUST CSF Certified for the past three years. By adopting a comprehensive and risk-based, yet transparent and consistent approach, we have simplified the process of ensuring our third parties adequately protect our information. Without this approach, our third-party risk program would not have been able to scale as effectively,” said Omar Khawaja, Vice President and Chief Information Security Officer, Highmark Health.

“Our adoption, and subsequent pursuit, of HITRUST CSF Certification is delivering on the promise of reduced assessments and associated costs, as more and more organizations across industries accept our HITRUST CSF Certification Report as evidence of the effectiveness of our information security program,” said Rick A. Gilmore, Corporate Security, Cognizant.

The HITRUST CSF Assurance Program helps organizations understand and report their effectiveness against many standards, regulations and leading practice frameworks. With just one assessment, organizations can understand and report their information privacy and security program against the HIPAA Security and Privacy Rules, NIST Cybersecurity Framework, GDPR, International Organization for Standardization (ISO) 27001, Payment Card Industry (PCI) and the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria and can even obtain a Service Organization Control (SOC) 2® report. The HITRUST CSF Assurance Program is part of HITRUST’s integrated risk management and compliance programs and services called The HITRUST Approach.

About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis and resilience.

HITRUST actively participates in many efforts in government advocacy, community building, and cybersecurity education. For more information, visit www.hitrustalliance.net.