Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST guidance that allows for focused assessments to address specific issues or answer specific questions. “Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes” (NIST SP 800-30 r1, Guide for Conducting Risk Assessments, pg. ix). For purposes of certification, control selection is based on an analysis of breach data, leading practices and regulatory requirements (e.g., the HIPAA Security Rule).
With respect to the way an assessment is conducted, one control does not have more weight or importance than another. This is because, by definition, all the controls that the organization has determined it must implement—regardless of whether they were designed from a custom risk analysis or tailored from a control baseline by a supplemental analysis—must be implemented in order to manage risk to an acceptable level. But the HITRUST CSF Assurance Program only requires this level of “completeness” for purposes of certification and, even then, organizations can remove controls that do not apply to them or accept a small amount of risk for partial implementations of those that do.
HITRUST also encourages the prioritization of remediation activities based on relative risk by providing impact ratings and their relationship with each other with the inclusion of priority codes. Although examples have not yet been provided in the Risk Analysis Guide. HITRUST encourages organizations to modify the impact ratings based on an evaluation of their control environment and consider other factors, such as existing infrastructure, budget constraints and organizational culture when developing and prioritizing corrective actions.
For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors.