First, the decision to adopt the CSF should be made at the organizational level, after which organizations should perform an internal gap analysis of existing controls against the target controls in the CSF. This analysis can be done manually or in HITRUST’s online GRC-based assessment support tool, MyCSF. Once the information protection posture of the organization is understood, a risk management strategy and implementation timeline can be developed and communicated throughout the organization.

References: Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection and Healthcare Sector Cybersecurity Framework Implementation Guide
