HITRUST evaluates likelihood based on an assessment of the control’s maturity level. To understand the approach, one must understand that a control framework is based on a broad risk analysis that considers threats to similar types of organizations for specific classes of information using common types of technology. Control baselines are then established based on specific factors. In the case of the (now legacy) Department of Defense (DoD) Information Technology Security Certification and Accreditation Program (DITSCAP) control framework, estimates of the information’s confidentiality and criticality requirements resulted in up to nine specific control baselines. The current NIST framework takes a high watermark approach and provides three baselines. HITRUST takes a similar approach based on organizational, system and regulatory risk factors, which can result in dozens of possible baselines.
By implementing an appropriate control baseline that meets the confidentiality, integrity and availability requirements of the information, the organization is then able to manage risk to the organization to an acceptable level. With certain exceptions (such as for payment card information), HITRUST adopts a single security baseline and then tailors the controls to the organization based on organizational, system and regulatory risk factors. This process provides for the flexibility allowed under HIPAA with respect to the determination of the “security measures that allow the [organization] to reasonably and appropriately implement the standards and implementation specifications” (45 CFR § 164.306(b)) based on organizational size, complexity, capabilities, and infrastructure constraints.
Organizations may then simply focus on the implementation and maintenance of the selected controls to manage excessive residual risk. Since it’s intuitively obvious that well-implemented controls are less likely to fail than those that are poorly implemented, the evaluation of the maturity of the control then provides a likelihood estimator for the probability (likelihood) that a threat will successfully exploit a vulnerability and potentially compromise the confidentiality, integrity and/or availability of the information protected.
One should note that evaluating a control’s implementation is one of the most common methods used to help organizations determine security risk, and the HITRUST approach is very similar to the maturity model described in NIST Interagency Report (NISTIR) 7358, Program Review for Information Security Management Assistance (PRISMA). Consequently, maturity is a valid method for evaluating the relative effectiveness of a control, which in turn provides an estimate of how likely the control is to fail. The HITRUST maturity levels are:
- Policy: Requirements stated in a policy or standard are understood by the organization. If they are not stated, there is little guarantee that they will be implemented or continue to be implemented.
- Procedures: Processes are necessary to ensure the control can be implemented in a repeatable and consistent way. They may be ad hoc, documented or automated.
- Implemented: Evaluation of the control’s implementation across the breadth and depth of the organization is the most common way of assessing a control’s effectiveness.
- Measured and Managed: These last two levels of HITRUST’s version of the PRISMA model, which together have the same value as any one of the first three levels when scoring out the control, simply address the concept of continuous monitoring. “One can’t manage what one doesn’t measure.” The idea is to avoid past practices of “implementing and forgetting” a control and instead monitor the effectiveness of the control and take action should problems occur. This level of maturity beyond implementation provides additional assurance that the control will continue operating as intended.
For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.