Search
Related topics are listed below.
Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?
HITRUST CSF and SOC 2® Frequently Asked Questions » Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?
The answer to this question is either. HITRUST has updated the SOC 2 + HITRUST guidance to illustrate how a SOC 2 + HITRUST CSF opinion could be based upon all 135 security CSF Controls or only those security controls required for Certification. There are three (3)…
Will the interim submission that will be conducted on the HITRUST portal be same/similar as full assessment or will it show only selected sample questions to be scored and validated?
Interim Review FAQ » Will the interim submission that will be conducted on the HITRUST portal be same/similar as full assessment or will it show only selected sample questions to be scored and validated?
The interim assessment will be performed against a random sample of requirements that will be selected at the time the interim assessment is generated. HITRUST will only process the selected sample but will verify, in cases where an object was recreated to ensure the…
Will the validation of all maturity scores and related evidence be examined by HITRUST or will that only apply to scores that are measured and managed scores?
Interim Review FAQ » Will the validation of all maturity scores and related evidence be examined by HITRUST or will that only apply to scores that are measured and managed scores?
The interim assessment is performed against a random sample of control requirements. They will be assessed against all maturity domains and HITRUST will review all maturity domains of the sampled control requirements. In addition, control requirements that generated…
How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?
HITRUST Threat Catalogue FAQ » How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?
The threat landscape is constantly changing, as are the technologies and tools that organizations rely upon to support their business missions. Consequently, an organization’s information protection program must change and adapt. Threat intelligence is one of several…
Will all the threats to personal data be listed in the HITRUST Threat Catalogue?
HITRUST Threat Catalogue FAQ » Will all the threats to personal data be listed in the HITRUST Threat Catalogue?
The HITRUST Threat Catalogue’s initial release is focused on providing as comprehensive a list as possible. However, users of the HITRUST Threat Catalogue should keep in mind that the threats are enumerated at a level consistent with the control specification in the…
What evidence do you have that controls with high maturity will not change or degrade?
Control Maturity and Continuous Monitoring and Assessment FAQ » What evidence do you have that controls with high maturity will not change or degrade?
HITRUST’s analysis of organizational assessment data over the past 10 years indicates that the more mature an organization’s information protection program, specifically their information security controls which demonstrate proficiency of operation, management, and…
If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST Cybersecurity Framework?
Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST Cybersecurity Framework?
Yes, you’re well on your way as the HITRUST Risk Management Framework (RMF)—consisting of the HITRUST CSF, CSF Assurance Program and related method and tools—is the foundation for a model implementation of the NIST CsF in the private sector. Since the NIST…
Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?
MyCSF FAQ » Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?
Anyone that wishes to allow their assessments to be inherited will need to subscribe. This applies to internal as well as external inheritance. External inheritance is viewed as a service that is provided to customers making it easier to assess if they are working with…
Does the use of alternate controls diminish the value of HITRUST Certification?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does the use of alternate controls diminish the value of HITRUST Certification?
Alternate (or compensating) controls, by definition, mitigate a similar type and amount of risk as the control it’s intended to replace. This is illustrated in the Risk Analysis Guide for HITRUST Organizations and Assessors by an example proposing the extension of…
Will you be able to produce the targeted assessment, i.e., PCI from the HITRUST assessment, for the questions that are the same?
MyCSF FAQ » Will you be able to produce the targeted assessment, i.e., PCI from the HITRUST assessment, for the questions that are the same?
No. A targeted assessment will be generated from the CSF library by pulling all requirements related to the targeted authoritative source. It will be a stand-alone assessment, but it can inherit from other assessments with the appropriate subscription…
APIs – which GRC tools will the APIs connect to? Will it allow the import of controls into the GRC tool and export from GRC response fulfillment into MyCSF 2.0?
MyCSF FAQ » APIs – which GRC tools will the APIs connect to? Will it allow the import of controls into the GRC tool and export from GRC response fulfillment into MyCSF 2.0?
The API allows use by many GRC tools. We are working with the largest players in the GRC market to develop guidance for the integration process. The current API deployment will allow for information to be extracted from MyCSF. In the future, you will be able to place…
How will the HITRUST Threat Catalogue evolve over time?
HITRUST Threat Catalogue FAQ » How will the HITRUST Threat Catalogue evolve over time?
HITRUST anticipates the HITRUST Threat Catalogue will be a “living document” due to the constantly changing threat environment, including planned improvements to better facilitate risk analyses and the consumption of threat intelligence. Changes will likely include…
How often will the HITRUST Threat Catalogue be updated?
HITRUST Threat Catalogue FAQ » How often will the HITRUST Threat Catalogue be updated?
We anticipate updates to occur annually, shortly after each HITRUST CSF release, or when significant changes in the threat environment would warrant an interim release.
Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?
Yes, this is done automatically because the same control requirements evaluated by the HITRUST Assessor for HITRUST CSF Certification are also used for certification of the organization’s NIST Cybersecurity Framework implementation. The control requirements are…
What controls are included in both a HITRUST CSF Certification and HITRUST’s certification for the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » What controls are included in both a HITRUST CSF Certification and HITRUST’s certification for the NIST Cybersecurity Framework?
An organization selects an appropriate set of security control requirements for its information protection program based on its organizational, system and regulatory risk factors, and it is this set of control requirements that constitute its NIST Cybersecurity…
Will the HITRUST Threat Catalogue help me with HIPAA compliance?
HITRUST Threat Catalogue FAQ » Will the HITRUST Threat Catalogue help me with HIPAA compliance?
By enumerating common threats and, when available, common vulnerabilities, an organization will have additional information to support a risk analysis consistent with NIST and HHS recommendations, which requires an “accurate and thorough assessment of the potential…
How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification?
Control Maturity and Continuous Monitoring and Assessment FAQ » How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification?
Mature organizations are defined as those organizations with ‘best-in-class’ information protection programs that not only have robust policies and procedures in place to support full implementation of their information security and privacy controls—a complete…
Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?
Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?
HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF;…
What is the difference between a HITRUST CSF Certification and a service auditor’s report expressing an opinion on the fairness of the system description, suitability of design, and operating effectiveness of controls based on The HITRUST CSF?
HITRUST CSF and SOC 2® Frequently Asked Questions » What is the difference between a HITRUST CSF Certification and a service auditor’s report expressing an opinion on the fairness of the system description, suitability of design, and operating effectiveness of controls based on The HITRUST CSF?
See the question “In the future, it looks like the SOC 2 HITRUST certification will only assess 75 controls. Does that mean organizations will not have to certify?”
When will cyber threat intelligence be linked to the threats in the catalogue?
HITRUST Threat Catalogue FAQ » When will cyber threat intelligence be linked to the threats in the catalogue?
Once the mappings between threats and HITRUST CSF controls is completed, HITRUST will begin exploring ways to relate these mappings to the more granular threats identified in active threat intelligence. HITRUST anticipates this work will begin in…
How can my organization utilize the HITRUST CSF framework for a SOC 2 report?
HITRUST CSF Framework FAQ » How can my organization utilize the HITRUST CSF framework for a SOC 2 report?
HITRUST and AICPA collaborated on the mapping of the HITRUST CSF controls to the AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Subsequently, any AICPA firm can perform a SOC 2 examination, leveraging the…
Does the tool support organizations other than those in healthcare?
MyCSF FAQ » Does the tool support organizations other than those in healthcare?
Yes. MyCSF and the HITRUST CSF support organizations across all industries and globally.
Will all of my relying parties accept the HITRUST CSF Bridge Certificate?
HITRUST CSF Bridge Assessment and Certificate » Will all of my relying parties accept the HITRUST CSF Bridge Certificate?
HITRUST believes that a HITRUST CSF Bridge Certificate adds value in demonstrating that an organization’s scoped control environment is unlikely to have degraded since the last validated assessment and that the organization has indicated its commitment to complete a…
HITRUST CSF and SOC 2® Frequently Asked Questions
HITRUST CSF and SOC 2® Frequently Asked Questions
Subtopics Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification? Do you have an ETA for when the updating of the Practitioner Document and Reporting Template to opine on meeting the 66 controls required for…
Are HITRUST assessments only useful for formal certification against the CSF?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Are HITRUST assessments only useful for formal certification against the CSF?
Certification is only one of the ways the HITRUST CSF can be used. Not all organizations need to pursue certification, and validation will provide assurances that specific controls are implemented, which ones are not or may have been changed, and how well they are…
How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework?
As part of the HIITRUST CSF Assurance Program, upon receiving a HITRUST CSF Assessment Report, organizations may request a Press Kit with details on how they may publicly communicate their HITRUST CSF Certification status, which also includes certification of its…
If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?
To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats.…
If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?
CSF Assurance Program FAQ » If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?
In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of…
Do you support a hierarchy so that you can respond once on common controls like HR related items with the parent company and the responses go to all the sub assessments?
MyCSF FAQ » Do you support a hierarchy so that you can respond once on common controls like HR related items with the parent company and the responses go to all the sub assessments?
No. We do not have a hierarchy nor maintain any relationships between assessments. We encourage organizations to take advantage of the inheritance capability to achieve this.
Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
Control Maturity and Continuous Monitoring and Assessment FAQ » Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security…
Will HITRUST provide a webinar specifically for assessors and practitioners? How do practitioners see customer comments, the evidence cited and how will assessors and practitioners provide comments?
MyCSF FAQ » Will HITRUST provide a webinar specifically for assessors and practitioners? How do practitioners see customer comments, the evidence cited and how will assessors and practitioners provide comments?
Yes. We will be revising the full and refresher training courses. These can be taken through our LMS and will walk assessors through the process. We intend to make this module available to all CCSFPs.
Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x?
HITRUST Threat Catalogue FAQ » Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x?
HITRUST is developing the Threat Catalogue as part of the upcoming HITRUST CSF v10 release anticipated in Q1/Q2 2019. The Nov 2018 early release is being provided to the user community as part of a concerted effort to elicit feedback from the public and further…
Will it be the same level of access as we get for full assessment submission?
Interim Review FAQ » Will it be the same level of access as we get for full assessment submission?
Non-subscriber’s access will be the same as the “report only” option, currently set at 1 object and 3 users.
Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
MyCSF FAQ » Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
There are several changes that will be announced relating to the Assurance Program requirements. These are independent of the HITRUST CSF and MyCSF and are designed to increase the consistency and integrity of the assurance process.
What is the process for an organization to achieve HITRUST CSF Certification?
CSF Assurance Program FAQ » What is the process for an organization to achieve HITRUST CSF Certification?
Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an…
Can organizations select which assessment version they use? Will you now be able to grandfather organizations into a previous assessment version if they completed their self-assessment on that version?
MyCSF FAQ » Can organizations select which assessment version they use? Will you now be able to grandfather organizations into a previous assessment version if they completed their self-assessment on that version?
MyCSF 2.0 will be launched with CSF v9.1 in its library. It will have the feature to maintain multiple CSF versions and you will be able to take advantage of this once CSF v10.0 is released.
How does the HITRUST Threat Catalogue make the HITRUST CSF better or improve its ability to help manage risk?
HITRUST Threat Catalogue FAQ » How does the HITRUST Threat Catalogue make the HITRUST CSF better or improve its ability to help manage risk?
Taken together, the HITRUST Threat Catalogue and HITRUST CSF allow security and privacy practitioners to confidently provide their senior executives, boards, trading partners, customers, and other third-parties the necessary assurances that the organization is…
Do HITRUST Certification programs provide safe harbor in the event of a breach?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Do HITRUST Certification programs provide safe harbor in the event of a breach?
Certification is not required by any regulatory body, nor has any regulatory body sanctioned certification as a mechanism to provide safe harbor in the event of a breach. This is true not just for the HITRUST CSF but for other standards and frameworks as they apply to…
What is the relationship between the controls categories of the HITRUST CSF and the assessment domains found in MyCSF?
HITRUST CSF Framework FAQ » What is the relationship between the controls categories of the HITRUST CSF and the assessment domains found in MyCSF?
The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control…
What is the process for an organization to achieve HITRUST CSF Certification?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » What is the process for an organization to achieve HITRUST CSF Certification?
The organization should first determine the business drivers for attempting certification which should include identifying key stakeholders, defining scope, and selecting an Authorized External Assessor Organization. HITRUST recommends a Readiness Assessment be…
How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?
HITRUST Threat Catalogue FAQ » How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?
By linking granular threats identified in active threat intelligence to higher-level threats contained in the HITRUST Threat Catalogue and related HITRUST CSF control specifications, organizations will gain greater insight into how well they are addressing extant and…
Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
MyCSF FAQ » Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
No. This functionality is part of the HITRUST Assessment XChange. For more information on the XChange, contact jacob.bustos@hitrustax.com.
Who will accept HITRUST CSF Assurance Reports?
CSF Assurance Program FAQ » Who will accept HITRUST CSF Assurance Reports?
Many organizations accept CSF Assurance reports as a means of evaluating a business partner’s privacy and security controls and in fact a growing number of organizations require their business partners obtain a CSF Certification.. Reference: HITRUST CSF Assurance…
Does the HITRUST CSF take a “one-size-fits-all” approach to information security?
Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Does the HITRUST CSF take a “one-size-fits-all” approach to information security?
The HITRUST CSF is actually one of the most flexible data protection frameworks ever developed. First, the HITRUST CSF was created by integrating multiple legislative, regulatory, and leading practice guidelines and frameworks, and tailoring the incorporated…
What is the length of time it takes to become HITRUST CSF Certified?
CSF Assurance Program FAQ » What is the length of time it takes to become HITRUST CSF Certified?
CSF Certification can be achieved when the minimum compliance level (a score of 3+ or 3 with corrective action plans) is met for all 75 CSF controls required for certification (2019 CSF v9.2 requirement). The total amount of time it can take an organization to become…
Does evidence always have to be referenced to the requirement for each assessed area (e.g., implementation, measured, managed) or can we say that we observed and explained what is being done?
MyCSF FAQ » Does evidence always have to be referenced to the requirement for each assessed area (e.g., implementation, measured, managed) or can we say that we observed and explained what is being done?
When possible, all evidence should be uploaded into MyCSF. This ensures a quick and consistent QA process. Failure to upload all evidence of testing will result in a “live” QA review by HITRUST via Webex.
How many organizations have completed a HITRUST CSF assessment?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » How many organizations have completed a HITRUST CSF assessment?
38,000 CSF assessments have been performed in the last three years with 15,000 CSF assessments in 2015 alone. HITRUST anticipates a continued demand for CSF Certification due to third-party assurance requirements from several major health organizations and requests for…
Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?
MyCSF FAQ » Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?
The only way to efficiently tailor an assessment and generate the control requirements is in MyCSF. Organizations that are undergoing a SOC2 that is based on the HITRUST CSF can leverage MyCSF to make the process more efficient. This is the case even if only pursuing…
What is the difference between the HITRUST Scorecard of the NIST Cybersecurity Framework and the HITRUST CSF Certification?
HITRUST CSF and NIST CSF Frequently Asked Question » What is the difference between the HITRUST Scorecard of the NIST Cybersecurity Framework and the HITRUST CSF Certification?
HITRUST CSF Certification is based on an organization meeting specific scoring criteria for the assessed requirements aggregated into 19 topical domains, e.g., access control and wireless network security. The scorecard HITRUST uses to support certification of an…
Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?
MyCSF FAQ » Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?
No. When you inherit a control requirement, it inherits scores related to all maturity domains based on the weight given to each. If you inherit from an object that has only scored policy, you will also be inheriting the zeros for the remaining maturity…
Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?
HITRUST CSF Bridge Assessment and Certificate » Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?
The HITUST CSF Bridge Certificate is designed to assist organizations who need to maintain HITRUST CSF Certification but may be experiencing challenges in completing their next HITRUST CSF Validated Assessment. The HITRUST CSF Bridge Assessment links the two HITRUST…
Will companies still have to pay to allow their assessments to be inherited?
MyCSF FAQ » Will companies still have to pay to allow their assessments to be inherited?
Yes. Inheritance will continue to be a premium feature in MyCSF and will require an appropriate subscription.
Is HITRUST’s certification for the NIST Cybersecurity Framework separate from HITRUST CSF Certification?
HITRUST CSF and NIST CSF Frequently Asked Question » Is HITRUST’s certification for the NIST Cybersecurity Framework separate from HITRUST CSF Certification?
Yes, one certification is for the organization’s implementation of the HITRUST CSF controls and is based on minimum scoring criteria for 19 topical control areas, such as access control and wireless network security. The other is a certification of an…
Is the scope of the HITRUST CSF too large for most organizations?
Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Is the scope of the HITRUST CSF too large for most organizations?
Although HITRUST specifically provides for significant tailoring of the HITRUST CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. Given the relatively uncontrolled sprawl of sensitive information in many…
How many organizations have completed a HITRUST CSF Assessment?
CSF Assurance Program FAQ » How many organizations have completed a HITRUST CSF Assessment?
Hundreds of thousands of HITRUST CSF Assessments have been performed to-date. HITRUST anticipates continued demand for HITRUST CSF Certification due to third-party assurance requirements from organizations across multiple industries.
What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?
HITRUST CSF and NIST CSF Frequently Asked Question » What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?
ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs…
If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?
Interim Review FAQ » If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?
Interim assessments completed after April 1, 2019 need to adhere to the current guidelines, including submitting through MyCSF. The only exception is for organizations holding a certification on CSF v9.0 or prior versions – they can submit outside of MyCSF but…
Does the CSF Assurance Program support an “assess once, report many” approach?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does the CSF Assurance Program support an “assess once, report many” approach?
HITRUST has recognized for some time that the current model used in the industry for third-party Assurance is fraught with inefficiencies and unnecessary costs by requiring duplicative questionnaires and assessments, which tend to distract organizations from monitoring…
Is the HITRUST certification for the NIST Cybersecurity Framework just for healthcare?
HITRUST CSF and NIST CSF Frequently Asked Question » Is the HITRUST certification for the NIST Cybersecurity Framework just for healthcare?
No, HITRUST certification of an organization’s implementation of the NIST Cybersecurity Framework—just like HITRUST CSF certification—can be obtained by any organization, regardless of industry or whether they are US-based or international.
Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late
Interim Review FAQ » Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late
Interim assessments need to be submitted by the one-year anniversary of the certification date. Exceptions may be requested prior to the anniversary date to account for extraordinary circumstances that prohibit completion.
Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
Many of the elements for the argument are presented in FAQs throughout this section. But more specifically, the HITRUST CSF is designed with certain highly-regulated industries in mind; however, it is a region- and industry-agnostic control framework that can be used…
How can my organization utilize the CSF framework for an AICPA SOC 2 report?
CSF Assurance Program FAQ » How can my organization utilize the CSF framework for an AICPA SOC 2 report?
HITRUST and AICPA collaborated on the mapping of HITRUST CSF controls to AICPA Trust Principles and Criteria for Security, Confidentiality, and Availability. Subsequently, any AICPA firm can perform a SOC 2 examination leveraging the CSF framework. This allows the…
What is the cost to download the HITRUST CSF?
HITRUST CSF Framework FAQ » What is the cost to download the HITRUST CSF?
The HITRUST CSF framework is FREE for qualified organizations.
Is a current SOC 2 acceptable for meeting the third-party assurance requirements?
Third Party Assurance FAQ » Is a current SOC 2 acceptable for meeting the third-party assurance requirements?
It depends. The accepting organization will need to make a determination based on the scope of the examination and the trust service criteria being reported upon. While the current SOC 2 may be granted a waiver and accepted in the first year, it will be necessary to…
Do you have more information on the BASICs program? Can any organization participate or is there certain criteria that needs to be met?
MyCSF FAQ » Do you have more information on the BASICs program? Can any organization participate or is there certain criteria that needs to be met?
The BASICs program is targeted to lower risk organizations. We will be defining the criteria of lower risk and these criteria will need to be met to participate.
How will the interim assessment process be different from the interim review memorandum previously used?
Interim Review FAQ » How will the interim assessment process be different from the interim review memorandum previously used?
The interim assessment now requires full testing of the sampled control requirements and must undergo the same Quality Assurance process as a full assessment.
How does the HITRUST Threat Catalogue help me perform a risk analysis?
HITRUST Threat Catalogue FAQ » How does the HITRUST Threat Catalogue help me perform a risk analysis?
By understanding how HITRUST CSF controls address specific threats to personal data and other sensitive information, an organization can demonstrate the results of the risk analyses used by the underlying control frameworks in the HITRUST CSF, e.g., ISO 27002, NIST SP…
Does HITRUST rely too heavily on the Authorized External Assessor Organization’s opinion of control effectiveness?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does HITRUST rely too heavily on the Authorized External Assessor Organization’s opinion of control effectiveness?
Authorized External Assessor Organizations and auditors generally determine control effectiveness regardless of what controls are specified, albeit there is usually a negotiation between them and the organization before the final report is issued. However, external…
Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
HITRUST CSF and NIST CSF Frequently Asked Question » Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
While it’s possible, the likelihood that an organization can be certified against the NIST Cybersecurity Framework without meeting the requirements for HITRUST CSF certification are very small. This is because each certification is based on a single assessment. …
How many questions, and how long will it take?
Third Party Assurance FAQ » How many questions, and how long will it take?
The HITRUST CSF Security Assessment Questionnaire generally includes between 120 and 328 questions, depending on how the risk factors are configured for the organization being assessed. The amount of time it will take to complete the assessment varies depending on the…
What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
Control Maturity and Continuous Monitoring and Assessment FAQ » What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high…
Is a HITRUST CSF assessment a requirement for certification against the NIST Cybersecurity Framework, or can I just obtain a HITRUST certification for the NIST Cybersecurity Framework? If so, what is the cost?
HITRUST CSF and NIST CSF Frequently Asked Question » Is a HITRUST CSF assessment a requirement for certification against the NIST Cybersecurity Framework, or can I just obtain a HITRUST certification for the NIST Cybersecurity Framework? If so, what is the cost?
Yes, a HITRUST CSF assessment is a requirement for certification against the NIST Cybersecurity Framework. This is because the HITRUST CSF provides the detailed requirements an organization should implement to adequately address the cybersecurity objectives—what…
Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?
Third Party Assurance FAQ » Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?
No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms.…
The HITRUST CSF FAQ
Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ
Subtopics Why do organizations need a security and privacy framework? What are the goals for the HITRUST CSF? Does the HITRUST CSF take a “one-size-fits-all” approach to information security? Is the scope of the HITRUST CSF too large for most…
How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?
HITRUST bases its framework on how risk management is defined, i.e., the process of managing risk to organizational operations, organizational assets or individuals resulting from the operation of an information system (the definition of which is quite broad), and…
What is the role of continuous monitoring in the HITRUST scoring process?
Control Maturity and Continuous Monitoring and Assessment FAQ » What is the role of continuous monitoring in the HITRUST scoring process?
Information security continuous monitoring (ISCM) has been a part of the HITRUST CSF control maturity and scoring model since the inception of the HITRUST CSF Assurance Program in 2009. Typical assessment and audit approaches generally focus on policy and…
What are examples of changes that are not alone typically significant enough to preclude performance of a HITRUST CSF Bridge Assessment?
HITRUST CSF Bridge Assessment and Certificate » What are examples of changes that are not alone typically significant enough to preclude performance of a HITRUST CSF Bridge Assessment?
Decommissioning servers, creating new user accounts, updating the business continuity plan, hiring a new CISO, patching endpoints, applying software enhancements through the organization’s SDLC, invoking a work-from-home strategy as part of business continuity…
What types of assessments are available in the HITRUST CSF Assurance Program?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » What types of assessments are available in the HITRUST CSF Assurance Program?
HITRUST offers two types of CSF Assessments – a self-assessment and a validated assessment. Self-assessments allow organizations to assess themselves using HITRUST’s standard methodology, requirements, and tools provided under the CSF Assurance…
If I am already HITRUST CSF Certified, how do I get a copy of my certification for the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » If I am already HITRUST CSF Certified, how do I get a copy of my certification for the NIST Cybersecurity Framework?
A scorecard and certification for the NIST Cybersecurity Framework can be generated against a prior assessment against HITRUST CSF v9 and v9.1. Cost of the additional scorecard is $500. For more information, contact HITRUST by email at sales@hitrustalliance.net or by…
When can I create the HITRUST CSF Bridge Assessment object in MyCSF?
HITRUST CSF Bridge Assessment and Certificate » When can I create the HITRUST CSF Bridge Assessment object in MyCSF?
The HITRUST CSF Bridge Assessment object can be created no more than 60 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
HITRUST and the NIST Cybersecurity Framework FAQ
Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ
Subtopics Can risk be calculated based on a control’s maturity level? Do non-contextual impact ratings for controls provide any real value? How does the RMF fit into the NIST CsF? Why can’t I just adopt the NIST CsF without leveraging additional guidance or…
How do I explain the HITRUST Threat Catalogue™ to my executives?
HITRUST Threat Catalogue FAQ » How do I explain the HITRUST Threat Catalogue™ to my executives?
The HITRUST Threat Catalogue is a comprehensive list of threats, including events, sources, actions, or inactions that could potentially lead to harm to your organization’s information assets. HITRUST’s Threat Catalogue allows organizations to pursue their…
What’s included in HITRUST’s certification report for the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » What’s included in HITRUST’s certification report for the NIST Cybersecurity Framework?
HITRUST will issue a Letter of Certification for the NIST Cybersecurity Framework with a NIST CSF scorecard in the HITRUST CSF Assessment Report. HITRUST will also issue a separate Letter of Certification and scorecard that can be distributed separately from the…
Frequently Asked Questions About the HITRUST® Risk Management Framework
Frequently Asked Questions About the HITRUST® Risk Management Framework
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In…
What is the HITRUST CSF Bridge Assessment?
HITRUST CSF Bridge Assessment and Certificate » What is the HITRUST CSF Bridge Assessment?
The HITRUST CSF Bridge Assessment results in a HITRUST CSF Bridge Certificate. The HITRUST CSF Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST. It is valid for 90 days from the expiration date of the organization’s previous HITRUST…
What is the HITRUST CSF Assurance Program?
CSF Assurance Program FAQ » What is the HITRUST CSF Assurance Program?
The HITRUST CSF Assurance program is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and…
Is there a fee for HITRUST to process the interim assessment?
Interim Review FAQ » Is there a fee for HITRUST to process the interim assessment?
Yes, there is a fee of $2,900 but this is waived for active MyCSF subscribers. The fee includes 60 days of access to MyCSF for non-subscribers to recreate and submit their interim assessment, processing of the interim assessment and, upon successful completion,…
In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?
MyCSF FAQ » In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?
The options are a function of the HITRUST CSF and will be updated to reflect more industry agnostic options with the release of HITRUST CSF v10.0.
Has the HITRUST CSF been adopted internationally?
HITRUST CSF Framework FAQ » Has the HITRUST CSF been adopted internationally?
Yes, organizations outside of the U.S. have implemented the HITRUST CSF. Moreover, additional countries have expressed an interest in HITRUST and we expect this interest to grow as adoption continues to increase within the U.S. For more information, refer to…
What are the goals for the HITRUST CSF?
Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » What are the goals for the HITRUST CSF?
Through HITRUST, an organization seeks to adopt a control framework that is: relevant through regular maintenance of supporting authoritative sources and changes in the threat environment; scalable to various sizes and types of organizations or systems in a…
If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?
Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?
If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST Cybersecurity Framework in one of two ways. An organization can generate a NIST CsF scorecard based on the maturity of the HITRUST CSF control requirements that support each of the NIST…
Why should my organization get a certification relating to the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » Why should my organization get a certification relating to the NIST Cybersecurity Framework?
There has been a marked increase in the level of interest by corporate Boards and executive management in using the NIST Cybersecurity Framework [“Framework”], which can provide a “Rosetta Stone” for internal and external stakeholders, regardless of industry or…
How is the HITRUST CSF structured?
HITRUST CSF Framework FAQ » How is the HITRUST CSF structured?
The HITRUST CSF’s core structure is based on ISO/IEC 27001:2005 and 27002:2005, published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), and incorporates more than 40 other security and privacy related…
Who do I contact to better understand HITRUST’s certification for the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » Who do I contact to better understand HITRUST’s certification for the NIST Cybersecurity Framework?
Contact HITRUST by email at sales@hitrustalliance.net or by phone at 1.855.448.7878.
What is the HITRUST CSF Assurance Program?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » What is the HITRUST CSF Assurance Program?
The HITRUST CSF Assurance Program provides a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and…
What is the difference between a HITRUST practitioner and a HITRUST External Assessor?
External Assessor Program FAQ » What is the difference between a HITRUST practitioner and a HITRUST External Assessor?
HITRUST External Assessors are designated organizations qualified to provide assessments for clients seeking HITRUST Certification. HITRUST practitioners are either members of a HITRUST Assessor organization that have obtained this status through the HITRUST training…
What is the HITRUST QA process?
CSF Assurance Program FAQ » What is the HITRUST QA process?
The only change to the QA process is that the process will be performed in MyCSF. There are other changes that are being implemented to the QA process that are focused on ensuring the integrity and consistency of the assurance program. These changes will be announced…
Is an interim review required to maintain your HISTRUST CSF Certification for the NIST Cyber Security Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » Is an interim review required to maintain your HISTRUST CSF Certification for the NIST Cyber Security Framework?
No, the interim review requirement only applies to the HITRUST Certification.
What types of questions are there, and what information will we need to provide?
Third Party Assurance FAQ » What types of questions are there, and what information will we need to provide?
The HITRUST CSF Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains such as information protection program, endpoint protection, portable media security, third party assurance and risk management.…
What methods are used to evaluate the effectiveness of CSF controls?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » What methods are used to evaluate the effectiveness of CSF controls?
The HITRUST assessment methodology specifically requires: Authorized External Assessor Organizations to gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports) Examine configuration…
How do I get started adopting the HITRUST CSF framework?
HITRUST CSF Framework FAQ » How do I get started adopting the HITRUST CSF framework?
The decision to adopt the HITRUST CSF should be made at the organizational level, after which, the organization should perform an internal gap analysis of existing controls against the target controls in the HITRUST CSF. This analysis can be done manually or by…
Who qualifies for the HITRUST CSF Bridge Assessment and Certificate?
HITRUST CSF Bridge Assessment and Certificate » Who qualifies for the HITRUST CSF Bridge Assessment and Certificate?
Any organization that (a) has a HITRUST CSF Validated Report with Certification, (b) will miss their validated assessment submission due-date, and © hasn’t missed that due date by more than 30 days.
How can I obtain a copy of the HITRUST CSF?
HITRUST CSF Framework FAQ » How can I obtain a copy of the HITRUST CSF?
The latest version of the HITRUST CSF framework is available on our website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving data protection, provided said organization does not offer…
Is the HITRUST CSF an industry standard for healthcare?
HITRUST CSF Framework FAQ » Is the HITRUST CSF an industry standard for healthcare?
The HITRUST CSF is a data protection standard not only for healthcare, but can effectively be used by organizations across all sectors. The HITRUST CSF provides a consensus-driven standard of due care and due diligence for the protection of electronic protected health…
Do I have to perform my interim assessment in MyCSF?
Interim Review FAQ » Do I have to perform my interim assessment in MyCSF?
HITRUST is granting an exception for certifications obtained against HITRUST CSF v9.0 or earlier. Since CSF v9.0 and prior versions are not in the MyCSF tool, the assessment object cannot be recreated. Interim assessments meeting this criterion will be performed…
How does the RMF fit into the NIST Cybersecurity Framework?
Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » How does the RMF fit into the NIST Cybersecurity Framework?
The HITRUST RMF, which consists of the HITRUST CSF, CSF Assurance Program and supporting tools, methods and services, is actually a model implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity…
How can I confirm an organizations certification status?
CSF Assurance Program FAQ » How can I confirm an organizations certification status?
If you are in possession of a HITRUST report or letter PDF and are seeking verification that the PDF is authentic please contact support@hitrustalliance.net. You will be asked to provide a copy of the PDF in question and evidence showing you received it from the…
Are the 19 randomly selected HITRUST CSF requirement statements picked during the HITRUST CSF Bridge Assessment object creation?
HITRUST CSF Bridge Assessment and Certificate » Are the 19 randomly selected HITRUST CSF requirement statements picked during the HITRUST CSF Bridge Assessment object creation?
Yes.
What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.
When is the HITRUST CSF v10.0 being released?
MyCSF FAQ » When is the HITRUST CSF v10.0 being released?
HITRUST CSF v10.0 will be released 4Q 2020.
Does NIST recognize HITRUST as a certifying organization?
HITRUST CSF and NIST CSF Frequently Asked Question » Does NIST recognize HITRUST as a certifying organization?
Although NIST does not have its own certification program for the Cybersecurity Framework, NIST does recognize and actually encourage third party programs that provide a “confidence mechanism” for an organization’s implementation of the Framework, which also…
Is the HITRUST CSF Assurance Program a one-size-fits-all approach?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Is the HITRUST CSF Assurance Program a one-size-fits-all approach?
As we’ve seen in other FAQs, the CSF is not a one-size-fits-all approach due to (1) an organization’s ability to tailor the initial selection of the control baseline in accordance with defined risk factors and (2) the requirement for additional tailoring based on…
Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further. The biggest difference between the…
If I am HITRUST CSF Certified, am I also certified for the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » If I am HITRUST CSF Certified, am I also certified for the NIST Cybersecurity Framework?
HITRUST CSF Certification will generally result in certification of an organization’s information security program against the NIST Cybersecurity Framework because the control requirements for both frameworks are essentially the same; they’re just mapped and…
Is a HITRUST certification assessment more expensive than comparable assessments?
CSF Assurance Program FAQ » Is a HITRUST certification assessment more expensive than comparable assessments?
No, and this is a common misconception and in many cases the overall assessment costs associated with information security and privacy assessments are less than other 3rd party assessments. The alignment between the HITRUST CSF and CSF Assurance programs allows a…
Is the HITRUST CSF a compliance-based or risk-based framework?
HITRUST CSF Framework FAQ » Is the HITRUST CSF a compliance-based or risk-based framework?
The HITRUST CSF is both risk- and compliance-based, which allows organizations to tailor the security and privacy control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements. Whether the controls are a custom…
Why choose the HITRUST CSF over other frameworks (NIST, ISO, etc.)?
HITRUST CSF Framework FAQ » Why choose the HITRUST CSF over other frameworks (NIST, ISO, etc.)?
The HITRUST CSF integrates and harmonizes data protection requirements from many authoritative sources–such as ISO, NIST, PCI, HIPAA–and tailors the requirements to an organization based on specific organizational, system, and regulatory risk factors. The level of…
How does my firm become a HITRUST Assessor?
External Assessor Program FAQ » How does my firm become a HITRUST Assessor?
To become an External Assessor, organizations must meet certain requirements set forth by HITRUST to ensure adequate knowledge, training and expertise. The process for becoming an External Assessor includes the following steps: 1. Complete and submit an External…
What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?
External Assessor Program FAQ » What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?
A Certified CSF Practitioner is an individual that has completed the required training, passed an exam, and meets the experience requirements for a practitioner. A HITRUST External Assessor is a firm that has met all the requirements to become authorized to perform…
How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?
Control Maturity and Continuous Monitoring and Assessment FAQ » How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?
While useful, the approach used to obtain reputational scores like Security Scorecard and Bitsight is limited (similar to a narrowly scoped external penetration test) and is arguably unique for each organization’s network. It is further recognized that each scorecard…
How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?
HITRUST CSF and NIST CSF Frequently Asked Question » How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?
HITRUST’s certification of the organization’s implementation of the NIST Cybersecurity Framework is for two (2) years, commensurate with the HITRUST CSF Assessment Report.
How do I understand the CSF Assessment report I have received?
Third Party Assurance FAQ » How do I understand the CSF Assessment report I have received?
HITRUST has created a document that explains the assessment report, how to interpret, and how it can be used to complement and enhance your current processes. Reference: Leveraging HITRUST CSF Assessment Reports: A Guide for New Users
Does a CSF Assurance assessment weight all controls equally?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does a CSF Assurance assessment weight all controls equally?
Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST…
What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
HITRUST CSF and NIST CSF Frequently Asked Question » What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
Consistent with the certification requirements for the HITRUST CSF, an organization must achieve a minimum score for each NIST Cybersecurity Framework Core Category, which is aggregated from the scores for individual HITRUST CSF control requirements as they are mapped…
How does a bridge assessment affect the interim assessment due date?
HITRUST CSF Bridge Assessment and Certificate » How does a bridge assessment affect the interim assessment due date?
The interim assessment is still due on the one-year anniversary of the certification date. A hypothetical timeline: An organization’s HITRUST CSF Certification is set to expire on 5/31/20 and this organization is awarded a HITRUST CSF Bridge Certificate. This…
Does the 90-day rule for evidence apply for interim assessments
Interim Review FAQ » Does the 90-day rule for evidence apply for interim assessments
Yes, for control requirements that are not associated with required CAPs, they must have been in place for 90 days in order to be scored and they must have been tested within in the preceding 90 days from submission to HITRUST. This should not be an issue as the…
What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?
HITRUST CSF Bridge Assessment and Certificate » What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?
HITRUST will evaluate changes on a case-by-case basis and is available to engage with assessed entities to discuss specifics. Examples of activities that might be considered significant changes include: Moving from an on-premise data center into a public cloud…
What is the best approach for implementing the NIST Cybersecurity Framework in the healthcare industry?
Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » What is the best approach for implementing the NIST Cybersecurity Framework in the healthcare industry?
The best approach for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity,or Cybersecurity Framework (CsF), is the approach outlined in the Healthcare Sector Cybersecurity Framework Implementation Guide,2 produced and published under the…
How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?
Interim Review FAQ » How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?
Since the controls are selected randomly by MyCSF, there is not a way to provide an advance notice. However, for MyCSF subscribers, interim assessments can be generated up to 120 days in advance of their due date.
When can I submit a completed HITRUST CSF Bridge Assessment to HITRUST?
HITRUST CSF Bridge Assessment and Certificate » When can I submit a completed HITRUST CSF Bridge Assessment to HITRUST?
The HITRUST CSF Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
HITRUST Threat Catalogue FAQ » What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements…
Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?
Third Party Assurance FAQ » Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?
Organizations accepting ISO 27001 in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular…
The other types of assessments (GDPR, etc.) are only self-assessments and can’t be validated?
MyCSF FAQ » The other types of assessments (GDPR, etc.) are only self-assessments and can’t be validated?
Yes. We do not generate any type of assurance report for targeted assessments. There are assessments that you can perform internally, and you can generate score cards within the tool.
Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?
External Assessor Program FAQ » Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?
HITRUST practitioners will complete the onsite training during the first year. The second and third year they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. The…
What are the advantages of having a subscription to MyCSF?
MyCSF FAQ » What are the advantages of having a subscription to MyCSF?
To save time and costs A subscription enables clients to retain data, eliminating redundant (internal or assessor) data-entry tasks for the interim assessment and subsequent assessments saving organizations potentially hundreds of hours on a two-year assessment…
Can assessors use sampling to improve the efficiency of the assessment?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Can assessors use sampling to improve the efficiency of the assessment?
Yes, provided it follows the guidance outlined in the HITRUST CSF Assessment Methodology brochure.
How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?
HITRUST CSF Validated Reports with Certification are valid for two years given the successful completion of an interim review (12 months after the date of the original assessment), and that no breach or significant changes have occurred relating to the scoped control…
Does a subscription add value if I am not getting CSF Certified?
MyCSF FAQ » Does a subscription add value if I am not getting CSF Certified?
Yes, even if you are only completing an assessment. Purchasing a subscription will open access to the MyCSF assessment, authoritative source reporting and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture,…
Is there a limit to the number of active assessments?
MyCSF FAQ » Is there a limit to the number of active assessments?
Yes. The number of assessments that an organization can have is limited by the level of access they have in MyCSF. Subscribing customers can purchase additional assessment objects in MyCSF if necessary.
Can the tool link to supporting documents rather than copy?
MyCSF FAQ » Can the tool link to supporting documents rather than copy?
Yes. MyCSF 2.0 maintains a library of documentation and relationships between the documentation and its related control requirements and maturity domains.
Can I get involved in the working group and, if so, how?
HITRUST Threat Catalogue FAQ » Can I get involved in the working group and, if so, how?
The HITRUST Threat Catalogue is currently overseen by the HITRUST CSF Advisory Council and is supported by a dedicated Working Group (WG) to help continue the development and maintenance of the HITRUST Threat Catalogue. Although the WG is not currently accepting new…
CSF Assurance Program and Certification FAQ
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ
Subtopics What is the HITRUST CSF Assurance Program? What types of assessments are available in the HITRUST CSF Assurance Program? What is the process for an organization to achieve HITRUST CSF Certification? Is a HITRUST CSF Validated Assessment more expensive…
HITRUST CSF Framework FAQ
HITRUST CSF Framework FAQ
Subtopics Why choose the HITRUST CSF over other frameworks (NIST, ISO, etc.)? How do I get started adopting the HITRUST CSF framework? How can I obtain a copy of the HITRUST CSF? What is the cost to download the HITRUST CSF? How is the HITRUST CSF…
HITRUST Threat Catalogue FAQ
HITRUST Threat Catalogue FAQ
Subtopics How do I explain the HITRUST Threat Catalogue™ to my executives? Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x? How does the HITRUST Threat Catalogue make the HITRUST CSF better or improve its ability to help manage risk? Can…
Does CSF Assurance take a compliance-based approach to information protection?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does CSF Assurance take a compliance-based approach to information protection?
From its inception, HITRUST chose to use a risk-based rather than compliance-based approach to information protection and help mature the healthcare industry’s approach to safeguarding information. By integrating NIST’s moderate-level control baseline into the…
HITRUST CSF Bridge Assessment and Certificate
HITRUST CSF Bridge Assessment and Certificate
Subtopics What is the HITRUST CSF Bridge Assessment? Will all of my relying parties accept the HITRUST CSF Bridge Certificate? Who qualifies for the HITRUST CSF Bridge Assessment and Certificate? When can I create the HITRUST CSF Bridge Assessment object in…
Do you have to submit complete scoring for each requirement statement?
Interim Review FAQ » Do you have to submit complete scoring for each requirement statement?
Yes, complete scoring must be submitted for each selected control requirement.
HITRUST CSF and NIST CSF Frequently Asked Question
HITRUST CSF and NIST CSF Frequently Asked Question
Subtopics Why should my organization get a certification relating to the NIST Cybersecurity Framework? How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework? Does NIST recognize HITRUST as a certifying…
Why do organizations need a security & privacy framework?
Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Why do organizations need a security & privacy framework?
Information security and privacy laws are passed to regulate many industries and require that organizations that operate in such industries conduct thorough risk assessments to protect against the threats to the security and privacy of sensitive information.…
What are the costs associated with the Assessor program?
External Assessor Program FAQ » What are the costs associated with the Assessor program?
There are three costs associated with the HITRUST External Assessor Program: Application fee (one-time payment of $2,500) Training fee: Five people must complete the Certified CSF Practitioner (CCSFP) Training Course – $3,000 per individual. Additionally, two of…
What are the various types of CSF Assessments?
CSF Assurance Program FAQ » What are the various types of CSF Assessments?
HITRUST offers two types of CSF Assessments: a self-assessment and a validated assessment. Self-assessment allows organizations to self-assess using the standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST will then perform…
Is a HITRUST CSF Validated Assessment more expensive than comparable assessments?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Is a HITRUST CSF Validated Assessment more expensive than comparable assessments?
No, and this is a common misconception. In many cases the overall assessment costs associated with information security and privacy assessments conducted under the HITRUST CSF Assurance Program are less than other comparable third-party assessments. The alignment…
CSF Assurance Program FAQ
CSF Assurance Program FAQ
Subtopics What is the HITRUST CSF Assurance Program? What are the various types of CSF Assessments? Is a HITRUST certification assessment more expensive than comparable assessments? What is the length of time it takes to become HITRUST CSF Certified? What is the…
Must the submission be performed by the assessed organization or the assessor firm as the full assessment or can the scores/comments be directly entered by one login and submitted?
Interim Review FAQ » Must the submission be performed by the assessed organization or the assessor firm as the full assessment or can the scores/comments be directly entered by one login and submitted?
The interim assessment must be completed by the assessed organization and then submitted to their assessor. The assessor must agree that all scores are accurate before generating the interim assessment. The assessor will submit the interim assessment to HITRUST once…
Where is the policy management module?
MyCSF FAQ » Where is the policy management module?
MyCSF no longer supports the Incident Management, Exception Management, or Policy Management modules. These modules will be sunset when all customers are migrated to MyCSF 2.0.
How can I use the CSF Assurance Program for third-party risk management?
Third Party Assurance FAQ » How can I use the CSF Assurance Program for third-party risk management?
The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…
How can I use the CSF Assurance Program for third-party risk management?
Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » How can I use the CSF Assurance Program for third-party risk management?
The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…
When can I start a HITRUST CSF Bridge Assessment?
HITRUST CSF Bridge Assessment and Certificate » When can I start a HITRUST CSF Bridge Assessment?
A HITRUST CSF Bridge Assessment object can be created in MyCSF up to 60 days prior to the existing HITRUST CSF Certification’s expiration.
How is the existing validated assessment utilized for the interim review?
Interim Review FAQ » How is the existing validated assessment utilized for the interim review?
The interim review is generated from the original certified assessment object.
What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization?
Control Maturity and Continuous Monitoring and Assessment FAQ » What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization?
The level of maturity an organization wishes to pursue is a risk-based decision based on the needs of that organization. However, an industry-accepted level of due diligence and due care would be a fully implemented HITRUST CSF-based information protection program…
Why can’t I just adopt the NIST Cybersecurity Framework without leveraging additional guidance or frameworks?
Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Why can’t I just adopt the NIST Cybersecurity Framework without leveraging additional guidance or frameworks?
For an industry sector or organization to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework), one must understand that it relies on existing standards, guidance, and leading practices to…
Do non-contextual impact ratings for controls provide any real value?
Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Do non-contextual impact ratings for controls provide any real value?
The term “non-contextual” is used to indicate that the rating does not consider the state of existing controls in a particular organization’s environment. The problem HITRUST is addressing with the non-contextual ratings is that many, if not most, organizations…
Do you need evidence for every requirement statement and domain like on a validated assessment?
Interim Review FAQ » Do you need evidence for every requirement statement and domain like on a validated assessment?
Yes, evidence is required for each selected control requirement in the interim assessment.
What do I receive if I only purchase a report?
MyCSF FAQ » What do I receive if I only purchase a report?
Those purchasing a report and not a subscription to MyCSF will only have access to the MyCSF Assessment and Reports for authoritative sources such as HIPAA, SOC2, and HITRUST. Also, report-only access is limited to 90 days. Extensions of access may be purchased for an…
MyCSF FAQ
MyCSF FAQ
Subtopics Why should I purchase a MyCSF subscription if I just need a report? What is the difference between MyCSF and a GRC tool? What is the cost to my organization? What are the modules, and why would I be interested? Can I get a free trial subscription or…
If we use the API, is there a development environment available?
MyCSF FAQ » If we use the API, is there a development environment available?
Deployment of the API focuses on getting information out of MyCSF and into your native toolsets. The API also allows getting information into MyCSF. Customers who subscribe at a level that includes this feature will be provided a test instance for integration…
Third Party Assurance FAQ
Third Party Assurance FAQ
Subtopics How can I use the CSF Assurance Program for third-party risk management? How much does it cost to get a HITRUST CSF certification? How often do I need to get a report? How many questions, and how long will it take? How do I understand the CSF…
Control Maturity and Continuous Monitoring and Assessment FAQ
Control Maturity and Continuous Monitoring and Assessment FAQ
Subtopics How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification? What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization? What evidence do you have…
Is inheritance all or nothing for each requirement or can it be weighted?
MyCSF FAQ » Is inheritance all or nothing for each requirement or can it be weighted?
You can assign a weight to the inherited score that will apply to a particular control requirement.
Interim Review FAQ
Interim Review FAQ
Subtopics My interim assessment is coming up, how do I get started? How is the existing validated assessment utilized for the interim review? Is there a fee for HITRUST to process the interim assessment? Do I have to perform my interim assessment in MyCSF? Will…
Can I get a free trial subscription or demo?
MyCSF FAQ » Can I get a free trial subscription or demo?
HITRUST does offer a free 2-week trial access in the MyCSF tool. This access is provided in a sandbox environment. This environment does not contain all of the functionality found in the production version of MyCSF and information input into this system will not…
Can risk be calculated based on a control’s maturity level?
Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Can risk be calculated based on a control’s maturity level?
HITRUST evaluates likelihood based on an assessment of the control’s maturity level. To understand the approach, one must understand that a control framework is based on a broad risk analysis that considers threats to similar types of organizations for specific…
How often do I need to get a report?
Third Party Assurance FAQ » How often do I need to get a report?
HITRUST CSF reports with Certification are valid for two years given the successful completion of an interim review, no breach has occurred and no significant changes have occurred relating to the scoped control environment. However, check with your business partner to…
Can other types of assessments be done such as FISMA?
MyCSF FAQ » Can other types of assessments be done such as FISMA?
Yes. Targeted assessments can be performed against any of the authoritative sources of the HITRUST CSF. Targeted assessments are not submitted to HITRUST for validation and will not result in a HITRUST assurance report. They will only generate the appropriate scorecard…
Can I get a HIPAA specific report?
MyCSF FAQ » Can I get a HIPAA specific report?
Yes. In MyCSF 2.0 there is the ability to generate a targeted assessment against any one of the authoritative sources. Targeted assessments will only generate scorecards within MyCSF and will not result in a HITRUST Assurance Report.
Can you export assessments into a spreadsheet or CSV document?
MyCSF FAQ » Can you export assessments into a spreadsheet or CSV document?
Organizations that have the appropriate subscription are able to export assessment data. Assessors’ test objects will not have this capability.
External Assessor Program FAQ
External Assessor Program FAQ
Subtopics How does my firm become a HITRUST Assessor? What are the costs associated with the Assessor program? What is the difference between a HITRUST practitioner and a HITRUST External Assessor? Do I need to attend HITRUST training every year to maintain my…
How do you submit an assessment if you were certified against CSF v9.0 or prior versions?
Interim Review FAQ » How do you submit an assessment if you were certified against CSF v9.0 or prior versions?
HITRUST is granting exceptions for certifications obtained against HITRUST CSF v9.0. Since CSF v9.0 is not in the MyCSF tool, the assessment object cannot be recreated. Interim assessments meeting this criterion will be performed outside MyCSF, but non-subscribers…
Why should I purchase a MyCSF subscription if I just need a report?
MyCSF FAQ » Why should I purchase a MyCSF subscription if I just need a report?
Purchasing a subscription will open access to the MyCSF assessment, authoritative source reporting and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture, benchmarking data, ability to leverage the functionality to…
My interim assessment is coming up, how do I get started?
Interim Review FAQ » My interim assessment is coming up, how do I get started?
MyCSF subscribers will automatically receive an interim assessment notice 90 days prior to the required submission date. Customers may begin the process 120 days before the submission date by manually generating the object. Non-subscribers will automatically receive…
Are there any performance improvements with MyCSF 2.0?
MyCSF FAQ » Are there any performance improvements with MyCSF 2.0?
Yes. We have minimized the number of clicks required to navigate an assessment. Also, we have tuned all queries and optimized caching to improve overall performance.
Is there a fee associated with API integration? Or a subscription level?
MyCSF FAQ » Is there a fee associated with API integration? Or a subscription level?
Yes. This feature is only available with certain subscription levels.
