The HITRUST CSF is actually one of the most flexible data protection frameworks ever developed. First, the HITRUST CSF was created by integrating multiple legislative, regulatory, and leading practice guidelines and frameworks, and tailoring the incorporated requirements to the industry, or industries, in which the organization operates. The resulting controls are then tailored further by selecting them based on specific organizational, system, and regulatory risk factors. But while this approach provides more granular tailoring 'out-of-the-box' than any other framework, HITRUST understands that no two organizations, even similar ones, are exactly alike.

Although information may have a common classification (e.g., PII, ePHI), differences such as organizational culture, infrastructure, technology, and risk appetite could result in a slightly different set of controls. Consequently, organizations leveraging a framework are expected to i) perform a risk analysis on the threats they consider unique to them, and ii) select additional controls to address those threats. Organizations must also consider alternatives for controls that may not be suitable for them to implement (e.g., because of constraints imposed by existing or planned information architectures and infrastructure). Fortunately, this supplemental risk analysis addresses only the smaller set of threats and other issues considered unique to the organization and is therefore more tractable. The result is what is referred to as an overlay: a formally documented set of justified modifications to a control baseline.

For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.
