What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high likelihood these controls will continue to operate in a similar manner going forward. And organizations that have mature information security continuous monitoring (ISCM) programs in place can also help ensure that any deficiencies that may arise in their protection programs are quickly identified and addressed. These organizations may qualify for the HITRUST CSF Ongoing Certification (OC) Program, which will allow these organizations to reduce the frequency of full, time-based recertification assessments, as shown in the graphic on the next page.
HITRUST plans to update the CSF Assurance Program to reward those organizations that have mature information protection programs as well as those that are actively implementing ISCM programs through a three-tiered certification program.
Organizations that demonstrate a ‘standard’ level of information protection, typically reflected in a CSF maturity score below 79, will undergo annual recertification assessments while those with higher scores striving to meet HITRUST requirements for ISCM would continue to undergo biannual recertification assessments with a targeted interim assessment.
Organizations that qualify for the ISCM-based HITRUST CSF Ongoing Certification (OC) program would conduct recertification assessments even less often, the frequency of which would be determined by its aggregated HITRUST CSF control maturity score and other criteria. Additional criteria will be developed by the HITRUST ISCM Working Group and integrated into the HITRUST CSF Assurance Program prior to its rollout, the timing of which is yet to be determined.
Benefits of the ISCM-based HITRUST CSF OC Program include:
- On-demand, near real-time insight into their security and compliance risk posture* (visibility into how well stuff is protected)
- The ability to make quick, risk-based decisions on system security in near real-time** (helps minimize the impact from bad things happening)
- Better prioritization of remediation activities and corrective actions*** (helps identify the problems that need to be fixed first)
- Consistent, continuous adoption of cybersecurity best practices**** (ensures extant and emerging threats continue to be addressed appropriately)
- A higher level of assurance that personal data and individual privacy will continue to be protected and risk appropriately managed in the future (management can sleep better at night)
- Longer periods between comprehensive control gap assessments (fewer interruptions at work)
- Reduced time and effort needed to maintain certification (ability to focus on the real work)
- Reduced lifecycle costs for maintaining certification (more money for other work)
- Higher levels of assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers (everyone can sleep better at night)