The HITRUST CSF is actually one of the most flexible data protection frameworks ever developed. First, the HITRUST CSF was created by integrating multiple legislative, regulatory, and leading practice guidelines and frameworks, and tailoring the incorporated requirements to the industry, or industries, in which the organization operates. The resulting controls are then tailored further by selecting them based on specific organizational, system, and regulatory risk factors. But while this approach provides more granular tailoring 'out-of-the-box' than any other framework, HITRUST understands that no two organizations—even similar ones—are exactly alike.
Although information may have a common classification (e.g., PII, ePHI), differences such as organizational culture, infrastructure, technology, and risk appetite could result in a slightly different set of controls. Consequently, organizations leveraging a framework are expected to i) perform a risk analysis on threats they consider unique to them, and ii) select additional controls to address those threats. Organizations must also consider alternatives for controls that may not be suitable for them to implement (e.g., because of constraints placed by existing or planned information architectures and infrastructure). Fortunately, this supplemental risk analysis addresses only the fewer threats and other issues considered unique to the organization and is therefore more tractable. The result is referred to as an overlay: a formally documented set of justified modifications to a control baseline.
For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.