The topic you requested could not be found.
Related topics are listed below.

Can other types of assessments be done such as FISMA?

MyCSF FAQ » Can other types of assessments be done such as FISMA?

Yes. Targeted assessments can be performed against any of the authoritative sources of the HITRUST CSF. Targeted assessments are not submitted to HITRUST for validation and will not result in a HITRUST assurance report. They will only generate the appropriate scorecard…

Where is the policy management module?

MyCSF FAQ » Where is the policy management module?

MyCSF no longer supports the Incident Management, Exception Management, or Policy Management modules. These modules will be sunset when all customers are migrated to MyCSF 2.0.

Frequently Asked Questions About the HITRUST® Risk Management Framework


Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In…

What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization?

Control Maturity and Continuous Monitoring and Assessment FAQ » What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization?

The level of maturity an organization wishes to pursue is a risk-based decision based on the needs of that organization. However, an industry-accepted level of due diligence and due care would be a fully implemented HITRUST CSF-based information protection program…

What types of questions are there, and what information will we need to provide?

Third Party Assurance FAQ » What types of questions are there, and what information will we need to provide?

The HITRUST CSF Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains such as information protection program, endpoint protection, portable media security, third party assurance and risk management.…

What is the HITRUST CSF Assurance Program?

CSF Assurance Program FAQ » What is the HITRUST CSF Assurance Program?

The HITRUST CSF Assurance program is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and…

What is the HITRUST CSF Bridge Assessment?

HITRUST CSF Bridge Assessment and Certificate » What is the HITRUST CSF Bridge Assessment?

The HITRUST CSF Bridge Assessment results in a HITRUST CSF Bridge Certificate. The HITRUST CSF Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST. It is valid for 90 days from the expiration date of the organization’s previous HITRUST…

What is the HITRUST CSF Assurance Program?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » What is the HITRUST CSF Assurance Program?

The HITRUST CSF Assurance Program provides a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and…

What is the HITRUST QA process?

CSF Assurance Program FAQ » What is the HITRUST QA process?

The only change to the QA process is that the process will be performed in MyCSF. There are other changes that are being implemented to the QA process that are focused on ensuring the integrity and consistency of the assurance program. These changes will be announced…

Does NIST recognize HITRUST as a certifying organization?

HITRUST CSF and NIST CSF Frequently Asked Question » Does NIST recognize HITRUST as a certifying organization?

Although NIST does not have its own certification program for the Cybersecurity Framework, NIST does recognize and actually encourage third party programs that provide a “confidence mechanism” for an organization’s implementation of the Framework, which also…

What are the advantages of having a subscription to MyCSF?

MyCSF FAQ » What are the advantages of having a subscription to MyCSF?

To save time and costs. A subscription enables clients to retain data, eliminating redundant (internal or assessor) data-entry tasks for the interim assessment and subsequent assessments, saving organizations potentially hundreds of hours on a two-year assessment…

What do I receive if I only purchase a report?

MyCSF FAQ » What do I receive if I only purchase a report?

Those purchasing a report and not a subscription to MyCSF will only have access to the MyCSF Assessment and Reports for authoritative sources such as HIPAA, SOC2, and HITRUST. Also, report-only access is limited to 90 days. Extensions of access may be purchased for an…

What are the goals for the HITRUST CSF?

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » What are the goals for the HITRUST CSF?

Through HITRUST, an organization seeks to adopt a control framework that is: relevant through regular maintenance of supporting authoritative sources and changes in the threat environment; scalable to various sizes and types of organizations or systems in a…

What is the cost to download the HITRUST CSF?

HITRUST CSF Framework FAQ » What is the cost to download the HITRUST CSF?

The HITRUST CSF framework is FREE for qualified organizations.

What are the various types of CSF Assessments?

CSF Assurance Program FAQ » What are the various types of CSF Assessments?

HITRUST offers two types of CSF Assessments: a self-assessment and a validated assessment. Self-assessment allows organizations to self-assess using the standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST will then perform…

What are the costs associated with the Assessor program?

External Assessor Program FAQ » What are the costs associated with the Assessor program?

There are three costs associated with the HITRUST External Assessor Program: (1) Application fee: one-time payment of $2,500; (2) Training fee: five people must complete the Certified CSF Practitioner (CCSFP) Training Course – $3,000 per individual. Additionally, two of…

Will it be the same level of access as we get for full assessment submission?

Interim Review FAQ » Will it be the same level of access as we get for full assessment submission?

Non-subscriber’s access will be the same as the “report only” option, currently set at 1 object and 3 users.

What is the best approach for implementing the NIST Cybersecurity Framework in the healthcare industry?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » What is the best approach for implementing the NIST Cybersecurity Framework in the healthcare industry?

The best approach for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity, or Cybersecurity Framework (CsF), is the approach outlined in the Healthcare Sector Cybersecurity Framework Implementation Guide, produced and published under the…

What is the role of continuous monitoring in the HITRUST scoring process?

Control Maturity and Continuous Monitoring and Assessment FAQ » What is the role of continuous monitoring in the HITRUST scoring process?

Information security continuous monitoring (ISCM) has been a part of the HITRUST CSF control maturity and scoring model since the inception of the HITRUST CSF Assurance Program in 2009. Typical assessment and audit approaches generally focus on policy and…

What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?

Control Maturity and Continuous Monitoring and Assessment FAQ » What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?

Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high…

What evidence do you have that controls with high maturity will not change or degrade?

Control Maturity and Continuous Monitoring and Assessment FAQ » What evidence do you have that controls with high maturity will not change or degrade?

HITRUST’s analysis of organizational assessment data over the past 10 years indicates that the more mature an organization’s information protection program, specifically their information security controls which demonstrate proficiency of operation, management, and…

What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?

HITRUST CSF and NIST CSF Frequently Asked Question » What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs…

What is the process for an organization to achieve HITRUST CSF Certification?

CSF Assurance Program FAQ » What is the process for an organization to achieve HITRUST CSF Certification?

Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an…

What types of assessments are available in the HITRUST CSF Assurance Program?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » What types of assessments are available in the HITRUST CSF Assurance Program?

HITRUST offers two types of CSF Assessments – a self-assessment and a validated assessment. Self-assessments allow organizations to assess themselves using HITRUST’s standard methodology, requirements, and tools provided under the CSF Assurance…

What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?

External Assessor Program FAQ » What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?

A Certified CSF Practitioner is an individual that has completed the required training, passed an exam, and meets the experience requirements for a practitioner. A HITRUST External Assessor is a firm that has met all the requirements to become authorized to perform…

What is the difference between a HITRUST practitioner and a HITRUST External Assessor?

External Assessor Program FAQ » What is the difference between a HITRUST practitioner and a HITRUST External Assessor?

HITRUST External Assessors are designated organizations qualified to provide assessments for clients seeking HITRUST Certification. HITRUST practitioners are either members of a HITRUST Assessor organization that have obtained this status through the HITRUST training…

What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?

HITRUST CSF Bridge Assessment and Certificate » What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?

HITRUST will evaluate changes on a case-by-case basis and is available to engage with assessed entities to discuss specifics. Examples of activities that might be considered significant changes include: Moving from an on-premise data center into a public cloud…

What methods are used to evaluate the effectiveness of CSF controls?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » What methods are used to evaluate the effectiveness of CSF controls?

The HITRUST assessment methodology specifically requires Authorized External Assessor Organizations to: gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports); examine configuration…

What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?

HITRUST Threat Catalogue FAQ » What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?

A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements…

What is the process for an organization to achieve HITRUST CSF Certification?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » What is the process for an organization to achieve HITRUST CSF Certification?

The organization should first determine the business drivers for attempting certification which should include identifying key stakeholders, defining scope, and selecting an Authorized External Assessor Organization. HITRUST recommends a Readiness Assessment be…

What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.

In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?

MyCSF FAQ » In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?

The options are a function of the HITRUST CSF and will be updated to reflect more industry agnostic options with the release of HITRUST CSF v10.0.

What is the length of time it takes to become HITRUST CSF Certified?

CSF Assurance Program FAQ » What is the length of time it takes to become HITRUST CSF Certified?

CSF Certification can be achieved when the minimum compliance level (a score of 3+ or 3 with corrective action plans) is met for all 75 CSF controls required for certification (2019 CSF v9.2 requirement). The total amount of time it can take an organization to become…

Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

External Assessor Program FAQ » Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

HITRUST practitioners will complete the onsite training during the first year. The second and third year they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. The…

What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?

Consistent with the certification requirements for the HITRUST CSF, an organization must achieve a minimum score for each NIST Cybersecurity Framework Core Category, which is aggregated from the scores for individual HITRUST CSF control requirements as they are mapped…

If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?

If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST Cybersecurity Framework in one of two ways. An organization can generate a NIST CsF scorecard based on the maturity of the HITRUST CSF control requirements that support each of the NIST…

What is the difference between the HITRUST Scorecard of the NIST Cybersecurity Framework and the HITRUST CSF Certification?

HITRUST CSF and NIST CSF Frequently Asked Question » What is the difference between the HITRUST Scorecard of the NIST Cybersecurity Framework and the HITRUST CSF Certification?

HITRUST CSF Certification is based on an organization meeting specific scoring criteria for the assessed requirements aggregated into 19 topical domains, e.g., access control and wireless network security. The scorecard HITRUST uses to support certification of an…

What is the relationship between the controls categories of the HITRUST CSF and the assessment domains found in MyCSF?

HITRUST CSF Framework FAQ » What is the relationship between the controls categories of the HITRUST CSF and the assessment domains found in MyCSF?

The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control…

What controls are included in both a HITRUST CSF Certification and HITRUST’s certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What controls are included in both a HITRUST CSF Certification and HITRUST’s certification for the NIST Cybersecurity Framework?

An organization selects an appropriate set of security control requirements for its information protection program based on its organizational, system and regulatory risk factors, and it is this set of control requirements that constitute its NIST Cybersecurity…

How can I use the CSF Assurance Program for third-party risk management?

Third Party Assurance FAQ » How can I use the CSF Assurance Program for third-party risk management?

The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…

What are examples of changes that are not alone typically significant enough to preclude performance of a HITRUST CSF Bridge Assessment?

HITRUST CSF Bridge Assessment and Certificate » What are examples of changes that are not alone typically significant enough to preclude performance of a HITRUST CSF Bridge Assessment?

Decommissioning servers, creating new user accounts, updating the business continuity plan, hiring a new CISO, patching endpoints, applying software enhancements through the organization’s SDLC, invoking a work-from-home strategy as part of business continuity…

Will the interim submission that will be conducted on the HITRUST portal be same/similar as full assessment or will it show only selected sample questions to be scored and validated?

Interim Review FAQ » Will the interim submission that will be conducted on the HITRUST portal be same/similar as full assessment or will it show only selected sample questions to be scored and validated?

The interim assessment will be performed against a random sample of requirements that will be selected at the time the interim assessment is generated. HITRUST will only process the selected sample but will verify, in cases where an object was recreated to ensure the…

Must the submission be performed by the assessed organization or the assessor firm as the full assessment or can the scores/comments be directly entered by one login and submitted?

Interim Review FAQ » Must the submission be performed by the assessed organization or the assessor firm as the full assessment or can the scores/comments be directly entered by one login and submitted?

The interim assessment must be completed by the assessed organization and then submitted to their assessor. The assessor must agree that all scores are accurate before generating the interim assessment. The assessor will submit the interim assessment to HITRUST once…

Is a HITRUST CSF assessment a requirement for certification against the NIST Cybersecurity Framework, or can I just obtain a HITRUST certification for the NIST Cybersecurity Framework? If so, what is the cost?

HITRUST CSF and NIST CSF Frequently Asked Question » Is a HITRUST CSF assessment a requirement for certification against the NIST Cybersecurity Framework, or can I just obtain a HITRUST certification for the NIST Cybersecurity Framework? If so, what is the cost?

Yes, a HITRUST CSF assessment is a requirement for certification against the NIST Cybersecurity Framework. This is because the HITRUST CSF provides the detailed requirements an organization should implement to adequately address the cybersecurity objectives—what…

What is the difference between a HITRUST CSF Certification and a service auditor’s report expressing an opinion on the fairness of the system description, suitability of design, and operating effectiveness of controls based on The HITRUST CSF?

HITRUST CSF and SOC 2® Frequently Asked Questions » What is the difference between a HITRUST CSF Certification and a service auditor’s report expressing an opinion on the fairness of the system description, suitability of design, and operating effectiveness of controls based on The HITRUST CSF?

See the question “In the future, it looks like the SOC 2 HITRUST certification will only assess 75 controls. Does that mean organizations will not have to certify?”

Does evidence always have to be referenced to the requirement for each assessed area (e.g., implementation, measured, managed) or can we say that we observed and explained what is being done?

MyCSF FAQ » Does evidence always have to be referenced to the requirement for each assessed area (e.g., implementation, measured, managed) or can we say that we observed and explained what is being done?

When possible, all evidence should be uploaded into MyCSF. This ensures a quick and consistent QA process. Failure to upload all evidence of testing will result in a “live” QA review by HITRUST via Webex.

Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?

Control Maturity and Continuous Monitoring and Assessment FAQ » Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?

HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security…

Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?

MyCSF FAQ » Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?

No. When you inherit a control requirement, it inherits scores related to all maturity domains based on the weight given to each. If you inherit from an object that has only scored policy, you will also be inheriting the zeros for the remaining maturity…

Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?

MyCSF FAQ » Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?

There are several changes that will be announced relating to the Assurance Program requirements. These are independent of the HITRUST CSF and MyCSF and are designed to increase the consistency and integrity of the assurance process.

MyCSF FAQ


Subtopics: Why should I purchase a MyCSF subscription if I just need a report? What is the difference between MyCSF and a GRC tool? What is the cost to my organization? What are the modules, and why would I be interested? Can I get a free trial subscription or…

Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?

The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further. The biggest difference between the…

Why can’t I just adopt the NIST Cybersecurity Framework without leveraging additional guidance or frameworks?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Why can’t I just adopt the NIST Cybersecurity Framework without leveraging additional guidance or frameworks?

For an industry sector or organization to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework), one must understand that it relies on existing standards, guidance, and leading practices to…

Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF;…

Can risk be calculated based on a control’s maturity level?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Can risk be calculated based on a control’s maturity level?

HITRUST evaluates likelihood based on an assessment of the control’s maturity level. To understand the approach, one must understand that a control framework is based on a broad risk analysis that considers threats to similar types of organizations for specific…

Control Maturity and Continuous Monitoring and Assessment FAQ


Subtopics: How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification? What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization? What evidence do you have…

Is a HITRUST certification assessment more expensive than comparable assessments?

CSF Assurance Program FAQ » Is a HITRUST certification assessment more expensive than comparable assessments?

No, and this is a common misconception. In many cases the overall assessment costs associated with information security and privacy assessments are less than those of other third-party assessments. The alignment between the HITRUST CSF and CSF Assurance programs allows a…

Is a HITRUST CSF Validated Assessment more expensive than comparable assessments?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Is a HITRUST CSF Validated Assessment more expensive than comparable assessments?

No, and this is a common misconception. In many cases the overall assessment costs associated with information security and privacy assessments conducted under the HITRUST CSF Assurance Program are less than other comparable third-party assessments. The alignment…

How is the HITRUST CSF structured?

HITRUST CSF Framework FAQ » How is the HITRUST CSF structured?

The HITRUST CSF’s core structure is based on ISO/IEC 27001:2005 and 27002:2005, published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), and incorporates more than 40 other security and privacy related…

How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?

HITRUST bases its framework on how risk management is defined, i.e., the process of managing risk to organizational operations, organizational assets or individuals resulting from the operation of an information system (the definition of which is quite broad), and…

Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

Third Party Assurance FAQ » Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

Organizations accepting ISO 27001 in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular…

How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?

Control Maturity and Continuous Monitoring and Assessment FAQ » How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?

While useful, the approach used to obtain reputational scores like Security Scorecard and Bitsight is limited (similar to a narrowly scoped external penetration test) and is arguably unique for each organization’s network. It is further recognized that each scorecard…

External Assessor Program FAQ


Subtopics: How does my firm become a HITRUST Assessor? What are the costs associated with the Assessor program? What is the difference between a HITRUST practitioner and a HITRUST External Assessor? Do I need to attend HITRUST training every year to maintain my…

Do HITRUST Certification programs provide safe harbor in the event of a breach?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Do HITRUST Certification programs provide safe harbor in the event of a breach?

Certification is not required by any regulatory body, nor has any regulatory body sanctioned certification as a mechanism to provide safe harbor in the event of a breach. This is true not just for the HITRUST CSF but for other standards and frameworks as they apply to…

Third Party Assurance FAQ

Subtopics How can I use the CSF Assurance Program for third-party risk management? How much does it cost to get a HITRUST CSF certification? How often do I need to get a report? How many questions, and how long will it take? How do I understand the CSF…

Why do organizations need a security & privacy framework?

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Why do organizations need a security & privacy framework?

Information security and privacy laws are passed to regulate many industries and require that organizations that operate in such industries conduct thorough risk assessments to protect against the threats to the security and privacy of sensitive information.…

Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?

Third Party Assurance FAQ » Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?

No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms.…

If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?

CSF Assurance Program FAQ » If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?

In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of…

How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification?

Control Maturity and Continuous Monitoring and Assessment FAQ » How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification?

Mature organizations are defined as those organizations with ‘best-in-class’ information protection programs that not only have robust policies and procedures in place to support full implementation of their information security and privacy controls—a complete…

Does a CSF Assurance assessment weight all controls equally?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does a CSF Assurance assessment weight all controls equally?

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST…

CSF Assurance Program and Certification FAQ

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ

Subtopics What is the HITRUST CSF Assurance Program? What types of assessments are available in the HITRUST CSF Assurance Program? What is the process for an organization to achieve HITRUST CSF Certification? Is a HITRUST CSF Validated Assessment more expensive…

Is HITRUST’s certification for the NIST Cybersecurity Framework separate from HITRUST CSF Certification?

HITRUST CSF and NIST CSF Frequently Asked Question » Is HITRUST’s certification for the NIST Cybersecurity Framework separate from HITRUST CSF Certification?

Yes, one certification is for the organization’s implementation of the HITRUST CSF controls and is based on minimum scoring criteria for 19 topical control areas, such as access control and wireless network security. The other is a certification of an…

Why choose the HITRUST CSF over other frameworks (NIST, ISO, etc.)?

HITRUST CSF Framework FAQ » Why choose the HITRUST CSF over other frameworks (NIST, ISO, etc.)?

The HITRUST CSF integrates and harmonizes data protection requirements from many authoritative sources–such as ISO, NIST, PCI, HIPAA–and tailors the requirements to an organization based on specific organizational, system, and regulatory risk factors. The level of…

HITRUST CSF and NIST CSF Frequently Asked Question

Subtopics Why should my organization get a certification relating to the NIST Cybersecurity Framework? How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework? Does NIST recognize HITRUST as a certifying…

Is the scope of the HITRUST CSF too large for most organizations?

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Is the scope of the HITRUST CSF too large for most organizations?

Although HITRUST specifically provides for significant tailoring of the HITRUST CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. Given the relatively uncontrolled sprawl of sensitive information in many…

Are HITRUST assessments only useful for formal certification against the CSF?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Are HITRUST assessments only useful for formal certification against the CSF?

Certification is only one of the ways the HITRUST CSF can be used. Not all organizations need to pursue certification, and validation will provide assurances that specific controls are implemented, which ones are not or may have been changed, and how well they are…

If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST Cybersecurity Framework?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST Cybersecurity Framework?

Yes, you’re well on your way as the HITRUST Risk Management Framework (RMF)—consisting of the HITRUST CSF, CSF Assurance Program and related method and tools—is the foundation for a model implementation of the NIST CsF in the private sector. Since the NIST…

CSF Assurance Program FAQ

Subtopics What is the HITRUST CSF Assurance Program? What are the various types of CSF Assessments? Is a HITRUST certification assessment more expensive than comparable assessments? What is the length of time it takes to become HITRUST CSF Certified? What is the…

Does the use of alternate controls diminish the value of HITRUST Certification?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does the use of alternate controls diminish the value of HITRUST Certification?

Alternate (or compensating) controls, by definition, mitigate a similar type and amount of risk as the control they are intended to replace. This is illustrated in the Risk Analysis Guide for HITRUST Organizations and Assessors by an example proposing the extension of…

Does the HITRUST CSF take a “one-size-fits-all” approach to information security?

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Does the HITRUST CSF take a “one-size-fits-all” approach to information security?

The HITRUST CSF is actually one of the most flexible data protection frameworks ever developed. First, the HITRUST CSF was created by integrating multiple legislative, regulatory, and leading practice guidelines and frameworks, and tailoring the incorporated…

Does CSF Assurance take a compliance-based approach to information protection?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does CSF Assurance take a compliance-based approach to information protection?

From its inception, HITRUST chose to use a risk-based rather than compliance-based approach to information protection and help mature the healthcare industry’s approach to safeguarding information. By integrating NIST’s moderate-level control baseline into the…

If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?

To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats.…

Why should I purchase a MyCSF subscription if I just need a report?

MyCSF FAQ » Why should I purchase a MyCSF subscription if I just need a report?

Purchasing a subscription will open access to the MyCSF assessment, authoritative source reporting and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture, benchmarking data, ability to leverage the functionality to…

How does the RMF fit into the NIST Cybersecurity Framework?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » How does the RMF fit into the NIST Cybersecurity Framework?

The HITRUST RMF, which consists of the HITRUST CSF, CSF Assurance Program and supporting tools, methods and services, is actually a model implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity…

Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?

HITRUST CSF and SOC 2® Frequently Asked Questions » Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?

Either approach is possible. HITRUST has updated the SOC 2 + HITRUST guidance to illustrate how a SOC 2 + HITRUST CSF opinion could be based upon all 135 security CSF Controls or only those security controls required for Certification. There are three (3)…

How do I get started adopting the HITRUST CSF framework?

HITRUST CSF Framework FAQ » How do I get started adopting the HITRUST CSF framework?

The decision to adopt the HITRUST CSF should be made at the organizational level, after which, the organization should perform an internal gap analysis of existing controls against the target controls in the HITRUST CSF. This analysis can be done manually or by…

Why should my organization get a certification relating to the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » Why should my organization get a certification relating to the NIST Cybersecurity Framework?

There has been a marked increase in the level of interest by corporate Boards and executive management in using the NIST Cybersecurity Framework [“Framework”], which can provide a “Rosetta Stone” for internal and external stakeholders, regardless of industry or…

HITRUST CSF Bridge Assessment and Certificate

Subtopics What is the HITRUST CSF Bridge Assessment? Will all of my relying parties accept the HITRUST CSF Bridge Certificate? Who qualifies for the HITRUST CSF Bridge Assessment and Certificate? When can I create the HITRUST CSF Bridge Assessment object in…

Does a subscription add value if I am not getting CSF Certified?

MyCSF FAQ » Does a subscription add value if I am not getting CSF Certified?

Yes, even if you are only completing an assessment. Purchasing a subscription will open access to the MyCSF assessment, authoritative source reporting and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture,…

HITRUST and the NIST Cybersecurity Framework FAQ

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

Subtopics Can risk be calculated based on a control’s maturity level? Do non-contextual impact ratings for controls provide any real value? How does the RMF fit into the NIST CsF? Why can’t I just adopt the NIST CsF without leveraging additional guidance or…

HITRUST CSF Framework FAQ

Subtopics Why choose the HITRUST CSF over other frameworks (NIST, ISO, etc.)? How do I get started adopting the HITRUST CSF framework? How can I obtain a copy of the HITRUST CSF? What is the cost to download the HITRUST CSF? How is the HITRUST CSF…

The HITRUST CSF FAQ

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ

Subtopics Why do organizations need a security and privacy framework? What are the goals for the HITRUST CSF? Does the HITRUST CSF take a “one-size-fits-all” approach to information security? Is the scope of the HITRUST CSF too large for most…

Can I get involved in the working group and, if so, how?

HITRUST Threat Catalogue FAQ » Can I get involved in the working group and, if so, how?

The HITRUST Threat Catalogue is currently overseen by the HITRUST CSF Advisory Council and is supported by a dedicated Working Group (WG) to help continue the development and maintenance of the HITRUST Threat Catalogue. Although the WG is not currently accepting new…

Does HITRUST rely too heavily on the Authorized External Assessor Organization’s opinion of control effectiveness?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does HITRUST rely too heavily on the Authorized External Assessor Organization’s opinion of control effectiveness?

Authorized External Assessor Organizations and auditors generally determine control effectiveness regardless of what controls are specified, albeit there is usually a negotiation between them and the organization before the final report is issued. However, external…

Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Many of the elements for the argument are presented in FAQs throughout this section. But more specifically, the HITRUST CSF is designed with certain highly-regulated industries in mind; however, it is a region- and industry-agnostic control framework that can be used…

HITRUST CSF and SOC 2® Frequently Asked Questions

Subtopics Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification? Do you have an ETA for when the updating of the Practitioner Document and Reporting Template to opine on meeting the 66 controls required for…

How will the interim assessment process be different from the interim review memorandum previously used?

Interim Review FAQ » How will the interim assessment process be different from the interim review memorandum previously used?

The interim assessment now requires full testing of the sampled control requirements and must undergo the same Quality Assurance process as a full assessment.

Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?

MyCSF FAQ » Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?

Anyone that wishes to allow their assessments to be inherited will need to subscribe. This applies to internal as well as external inheritance. External inheritance is viewed as a service that is provided to customers making it easier to assess if they are working with…

Will all the threats to personal data be listed in the HITRUST Threat Catalogue?

HITRUST Threat Catalogue FAQ » Will all the threats to personal data be listed in the HITRUST Threat Catalogue?

The HITRUST Threat Catalogue’s initial release is focused on providing as comprehensive a list as possible. However, users of the HITRUST Threat Catalogue should keep in mind that the threats are enumerated at a level consistent with the control specification in the…

Will the HITRUST Threat Catalogue help me with HIPAA compliance?

HITRUST Threat Catalogue FAQ » Will the HITRUST Threat Catalogue help me with HIPAA compliance?

By enumerating common threats and, when available, common vulnerabilities, an organization will have additional information to support a risk analysis consistent with NIST and HHS recommendations, which requires an “accurate and thorough assessment of the potential…

HITRUST Threat Catalogue FAQ

Subtopics How do I explain the HITRUST Threat Catalogue™ to my executives? Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x? How does the HITRUST Threat Catalogue make the HITRUST CSF better or improve its ability to help manage risk? Can…

My interim assessment is coming up, how do I get started?

Interim Review FAQ » My interim assessment is coming up, how do I get started?

MyCSF subscribers will automatically receive an interim assessment notice 90 days prior to the required submission date. Customers may begin the process 120 days before the submission date by manually generating the object. Non-subscribers will automatically receive…

Who will accept HITRUST CSF Assurance Reports?

CSF Assurance Program FAQ » Who will accept HITRUST CSF Assurance Reports?

Many organizations accept CSF Assurance reports as a means of evaluating a business partner’s privacy and security controls, and in fact a growing number of organizations require that their business partners obtain a CSF Certification. Reference: HITRUST CSF Assurance…

Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x?

HITRUST Threat Catalogue FAQ » Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x?

HITRUST is developing the Threat Catalogue as part of the upcoming HITRUST CSF v10 release anticipated in Q1/Q2 2019. The Nov 2018 early release is being provided to the user community as part of a concerted effort to elicit feedback from the public and further…

How often do I need to get a report?

Third Party Assurance FAQ » How often do I need to get a report?

HITRUST CSF reports with Certification are valid for two years, provided that an interim review is successfully completed, no breach has occurred, and no significant changes have occurred relating to the scoped control environment. However, check with your business partner to…

How will the HITRUST Threat Catalogue evolve over time?

HITRUST Threat Catalogue FAQ » How will the HITRUST Threat Catalogue evolve over time?

HITRUST anticipates the HITRUST Threat Catalogue will be a “living document” due to the constantly changing threat environment, including planned improvements to better facilitate risk analyses and the consumption of threat intelligence. Changes will likely include…

Has the HITRUST CSF been adopted internationally?

HITRUST CSF Framework FAQ » Has the HITRUST CSF been adopted internationally?

Yes, organizations outside of the U.S. have implemented the HITRUST CSF. Moreover, additional countries have expressed an interest in HITRUST and we expect this interest to grow as adoption continues to increase within the U.S. For more information, refer to…

How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?

HITRUST Threat Catalogue FAQ » How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?

The threat landscape is constantly changing, as are the technologies and tools that organizations rely upon to support their business missions. Consequently, an organization’s information protection program must change and adapt. Threat intelligence is one of several…

How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework?

As part of the HITRUST CSF Assurance Program, upon receiving a HITRUST CSF Assessment Report, organizations may request a Press Kit with details on how they may publicly communicate their HITRUST CSF Certification status, which also includes certification of its…

Does the 90-day rule for evidence apply for interim assessments?

Interim Review FAQ » Does the 90-day rule for evidence apply for interim assessments?

Yes. Control requirements that are not associated with required CAPs must have been in place for 90 days in order to be scored, and they must have been tested within the 90 days preceding submission to HITRUST. This should not be an issue as the…

Interim Review FAQ

Subtopics My interim assessment is coming up, how do I get started? How is the existing validated assessment utilized for the interim review? Is there a fee for HITRUST to process the interim assessment? Do I have to perform my interim assessment in MyCSF? Will…

How can I obtain a copy of the HITRUST CSF?

HITRUST CSF Framework FAQ » How can I obtain a copy of the HITRUST CSF?

The latest version of the HITRUST CSF framework is available on our website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving data protection, provided said organization does not offer…

Will all of my relying parties accept the HITRUST CSF Bridge Certificate?

HITRUST CSF Bridge Assessment and Certificate » Will all of my relying parties accept the HITRUST CSF Bridge Certificate?

HITRUST believes that a HITRUST CSF Bridge Certificate adds value in demonstrating that an organization’s scoped control environment is unlikely to have degraded since the last validated assessment and that the organization has indicated its commitment to complete a…

Is the HITRUST CSF a compliance-based or risk-based framework?

HITRUST CSF Framework FAQ » Is the HITRUST CSF a compliance-based or risk-based framework?

The HITRUST CSF is both risk- and compliance-based, which allows organizations to tailor the security and privacy control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements. Whether the controls are a custom…

Is the HITRUST CSF Assurance Program a one-size-fits-all approach?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Is the HITRUST CSF Assurance Program a one-size-fits-all approach?

As we’ve seen in other FAQs, the CSF is not a one-size-fits-all approach due to (1) an organization’s ability to tailor the initial selection of the control baseline in accordance with defined risk factors and (2) the requirement for additional tailoring based on…

How does my firm become a HITRUST Assessor?

External Assessor Program FAQ » How does my firm become a HITRUST Assessor?

To become an External Assessor, organizations must meet certain requirements set forth by HITRUST to ensure adequate knowledge, training and expertise. The process for becoming an External Assessor includes the following steps: 1. Complete and submit an External…

How does the HITRUST Threat Catalogue help me perform a risk analysis?

HITRUST Threat Catalogue FAQ » How does the HITRUST Threat Catalogue help me perform a risk analysis?

By understanding how HITRUST CSF controls address specific threats to personal data and other sensitive information, an organization can demonstrate the results of the risk analyses used by the underlying control frameworks in the HITRUST CSF, e.g., ISO 27002, NIST SP…

Does the CSF Assurance Program support an “assess once, report many” approach?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does the CSF Assurance Program support an “assess once, report many” approach?

HITRUST has recognized for some time that the current model used in the industry for third-party Assurance is fraught with inefficiencies and unnecessary costs by requiring duplicative questionnaires and assessments, which tend to distract organizations from monitoring…

Do non-contextual impact ratings for controls provide any real value?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Do non-contextual impact ratings for controls provide any real value?

The term “non-contextual” is used to indicate that the rating does not consider the state of existing controls in a particular organization’s environment. The problem HITRUST is addressing with the non-contextual ratings is that many, if not most, organizations…