Alternate (or compensating) controls, by definition, mitigate a similar type and amount of risk as the controls they are intended to replace. This is illustrated in the Risk Analysis Guide for HITRUST Organizations and Assessors by an example that proposes extending password expiration to one year while increasing the required complexity of the password. Part of that analysis is to evaluate the impact on related controls and any other unintended consequences, such as the effect of the longer expiration period on a key logger vulnerability (a captured password remains usable for longer). Although this example is quantitative and based on entropy calculations, other controls may require a quasi-quantitative or qualitative approach to the risk analysis.
Alternate controls may be developed and implemented by a single organization, or an alternative may be applied broadly across the industry if it is submitted to and approved by the HITRUST Alternate Controls Review Committee. Review by the Committee ensures the control adequately addresses a similar type and amount of risk. Alternate controls that have not been approved by the Committee must instead be evaluated by the assessor organization, which verifies the analysis and documents it in the HITRUST assessment report. Thus, alternate controls give organizations additional flexibility in selecting and implementing controls without affecting the organization’s overall risk posture or the value of CSF Certification.
For more information on alternate controls, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.