Although HITRUST specifically provides for significant tailoring of the HITRUST CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. Given the relatively uncontrolled sprawl of sensitive information in many organizations, the HITRUST CSF can (and should) be applied as broadly as necessary to cover the specific types of information, systems, and/or business units requiring protection. The scope can be minimized by ensuring that the workflows requiring the use of sensitive information are understood and that such uses are restricted to the minimum necessary, as required by many legal and regulatory bodies as well as by best practice. Information assets and data flows involving sensitive information can also be isolated from other assets and data flow types, e.g., through network segmentation.
For more information, refer to the CSF Assessment Methodology and the Risk Analysis Guide for HITRUST Organizations and Assessors.