The CSF is actually one of the most flexible information protection frameworks ever developed. First, the CSF was created by integrating multiple legislative, regulatory and leading-practice guidelines and frameworks and tailoring the integrated requirements specifically for the healthcare industry. The resulting controls are then tailored further by selecting them based on specific organizational, system and regulatory risk factors. But while this approach provides more granular tailoring "out of the box" than any other framework, HITRUST understands that no two organizations, even similar ones, are exactly alike.
Although information may have a common classification (e.g., ePHI), differences such as organizational culture, infrastructure, technology and risk appetite could result in a slightly different set of controls, had the organizations conducted a textbook risk analysis and designed their controls from the beginning. Consequently, organizations leveraging a framework are expected (1) to perform a risk analysis on threats they consider unique to them and (2) to select additional controls to address those threats. Organizations must also consider alternatives for controls that may not be suitable for them to implement (e.g., because of constraints imposed by existing or planned information architectures and infrastructure). Fortunately, this supplemental risk analysis addresses only the smaller set of threats and other issues considered unique to the organization, and it is therefore more tractable. The end result is what NIST SP 800-53 r4 refers to as an overlay: a formally documented set of justified modifications to a control baseline.
For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.