The topic you requested could not be found.
Related topics are listed below.

Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?

Yes, this is done automatically because the same control requirements evaluated by the HITRUST Assessor for HITRUST CSF Certification are also used for certification of the organization’s NIST Cybersecurity Framework implementation. The control requirements are…

Will HITRUST provide a webinar specifically for assessors and practitioners? How do practitioners see customer comments, the evidence cited and how will assessors and practitioners provide comments?

MyCSF FAQ » Will HITRUST provide a webinar specifically for assessors and practitioners? How do practitioners see customer comments, the evidence cited and how will assessors and practitioners provide comments?

Yes. We will be revising the full and refresher training courses. These can be taken through our LMS and will walk assessors through the process. We intend to make this module available to all CCSFPs.

How often will the HITRUST Threat Catalogue be updated?

HITRUST Threat Catalogue FAQ » How often will the HITRUST Threat Catalogue be updated?

We anticipate updates to occur annually, shortly after each HITRUST CSF release, or when significant changes in the threat environment would warrant an interim release.

Will the interim submission that will be conducted on the HITRUST portal be same/similar as full assessment or will it show only selected sample questions to be scored and validated?

Interim Review FAQ » Will the interim submission that will be conducted on the HITRUST portal be same/similar as full assessment or will it show only selected sample questions to be scored and validated?

The interim assessment will be performed against a random sample of requirements that will be selected at the time the interim assessment is generated. HITRUST will only process the selected sample but will verify, in cases where an object was recreated to ensure the…

How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?

Interim Review FAQ » How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?

Since the controls are selected randomly by MyCSF, there is not a way to provide an advance notice. However, for MyCSF subscribers, interim assessments can be generated up to 120 days in advance of their due date.

Will companies still have to pay to allow their assessments to be inherited?

MyCSF FAQ » Will companies still have to pay to allow their assessments to be inherited?

Yes. Inheritance will continue to be a premium feature in MyCSF and will require an appropriate subscription.

How will the interim assessment process be different from the interim review memorandum previously used?

Interim Review FAQ » How will the interim assessment process be different from the interim review memorandum previously used?

The interim assessment now requires full testing of the sampled control requirements and must undergo the same Quality Assurance process as a full assessment.

Will it be the same level of access as we get for full assessment submission?

Interim Review FAQ » Will it be the same level of access as we get for full assessment submission?

Non-subscribers’ access will be the same as the “report only” option, currently set at 1 object and 3 users.

When will cyber threat intelligence be linked to the threats in the catalogue?

HITRUST Threat Catalogue FAQ » When will cyber threat intelligence be linked to the threats in the catalogue?

Once the mappings between threats and HITRUST CSF controls are completed, HITRUST will begin exploring ways to relate these mappings to the more granular threats identified in active threat intelligence. HITRUST anticipates this work will begin in…

Will all the threats to personal data be listed in the HITRUST Threat Catalogue?

HITRUST Threat Catalogue FAQ » Will all the threats to personal data be listed in the HITRUST Threat Catalogue?

The HITRUST Threat Catalogue’s initial release is focused on providing as comprehensive a list as possible. However, users of the HITRUST Threat Catalogue should keep in mind that the threats are enumerated at a level consistent with the control specification in the…

Will the validation of all maturity scores and related evidence be examined by HITRUST or will that only apply to scores that are measured and managed scores?

Interim Review FAQ » Will the validation of all maturity scores and related evidence be examined by HITRUST or will that only apply to scores that are measured and managed scores?

The interim assessment is performed against a random sample of control requirements. They will be assessed against all maturity domains and HITRUST will review all maturity domains of the sampled control requirements. In addition, control requirements that generated…

Will you be able to produce the targeted assessment, i.e., PCI from the HITRUST assessment, for the questions that are the same?

MyCSF FAQ » Will you be able to produce the targeted assessment, i.e., PCI from the HITRUST assessment, for the questions that are the same?

No. A targeted assessment will be generated from the CSF library by pulling all requirements related to the targeted authoritative source. It will be a stand-alone assessment, but it can inherit from other assessments with the appropriate subscription…

Can organizations select which assessment version they use? Will you now be able to grandfather organizations into a previous assessment version if they completed their self-assessment on that version?

MyCSF FAQ » Can organizations select which assessment version they use? Will you now be able to grandfather organizations into a previous assessment version if they completed their self-assessment on that version?

MyCSF 2.0 will be launched with CSF v9.1 in its library. It will have the feature to maintain multiple CSF versions and you will be able to take advantage of this once CSF v10.0 is released.

Can assessors use sampling to improve the efficiency of the assessment?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Can assessors use sampling to improve the efficiency of the assessment?

Yes, provided it follows the guidance outlined in the HITRUST CSF Assessment Methodology brochure.

Who will accept HITRUST CSF Assurance Reports?

CSF Assurance Program FAQ » Who will accept HITRUST CSF Assurance Reports?

Many organizations accept CSF Assurance reports as a means of evaluating a business partner’s privacy and security controls, and in fact a growing number of organizations require their business partners obtain a CSF Certification. Reference: HITRUST CSF Assurance…

How will the HITRUST Threat Catalogue evolve over time?

HITRUST Threat Catalogue FAQ » How will the HITRUST Threat Catalogue evolve over time?

HITRUST anticipates the HITRUST Threat Catalogue will be a “living document” due to the constantly changing threat environment, including planned improvements to better facilitate risk analyses and the consumption of threat intelligence. Changes will likely include…

Will the HITRUST Threat Catalogue help me with HIPAA compliance?

HITRUST Threat Catalogue FAQ » Will the HITRUST Threat Catalogue help me with HIPAA compliance?

By enumerating common threats and, when available, common vulnerabilities, an organization will have additional information to support a risk analysis consistent with NIST and HHS recommendations, which requires an “accurate and thorough assessment of the potential…

How many questions, and how long will it take?

Third Party Assurance FAQ » How many questions, and how long will it take?

The HITRUST CSF Security Assessment Questionnaire generally includes between 120 and 328 questions, depending on how the risk factors are configured for the organization being assessed. The amount of time it will take to complete the assessment varies depending on the…

Can risk be calculated based on a control’s maturity level?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Can risk be calculated based on a control’s maturity level?

HITRUST evaluates likelihood based on an assessment of the control’s maturity level. To understand the approach, one must understand that a control framework is based on a broad risk analysis that considers threats to similar types of organizations for specific…

Can other types of assessments be done such as FISMA?

MyCSF FAQ » Can other types of assessments be done such as FISMA?

Yes. Targeted assessments can be performed against any of the authoritative sources of the HITRUST CSF. Targeted assessments are not submitted to HITRUST for validation and will not result in a HITRUST assurance report. They will only generate the appropriate scorecard…

Will all of my relying parties accept the HITRUST CSF Bridge Certificate?

HITRUST CSF Bridge Assessment and Certificate » Will all of my relying parties accept the HITRUST CSF Bridge Certificate?

HITRUST believes that a HITRUST CSF Bridge Certificate adds value in demonstrating that an organization’s scoped control environment is unlikely to have degraded since the last validated assessment and that the organization has indicated its commitment to complete a…

What types of questions are there, and what information will we need to provide?

Third Party Assurance FAQ » What types of questions are there, and what information will we need to provide?

The HITRUST CSF Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains such as information protection program, endpoint protection, portable media security, third party assurance and risk management.…

Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF;…

What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?

Control Maturity and Continuous Monitoring and Assessment FAQ » What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?

Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high…

What evidence do you have that controls with high maturity will not change or degrade?

Control Maturity and Continuous Monitoring and Assessment FAQ » What evidence do you have that controls with high maturity will not change or degrade?

HITRUST’s analysis of organizational assessment data over the past 10 years indicates that the more mature an organization’s information protection program, specifically their information security controls which demonstrate proficiency of operation, management, and…

How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?

HITRUST Threat Catalogue FAQ » How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?

The threat landscape is constantly changing, as are the technologies and tools that organizations rely upon to support their business missions. Consequently, an organization’s information protection program must change and adapt. Threat intelligence is one of several…

APIs – which GRC tools will the APIs connect to? Will it allow the import of controls into the GRC tool and export from GRC response fulfillment into MyCSF 2.0?

MyCSF FAQ » APIs – which GRC tools will the APIs connect to? Will it allow the import of controls into the GRC tool and export from GRC response fulfillment into MyCSF 2.0?

The API allows use by many GRC tools. We are working with the largest players in the GRC market to develop guidance for the integration process. The current API deployment will allow for information to be extracted from MyCSF. In the future, you will be able to place…

The other types of assessments (GDPR, etc.) are only self-assessments and can’t be validated?

MyCSF FAQ » The other types of assessments (GDPR, etc.) are only self-assessments and can’t be validated?

Yes. We do not generate any type of assurance report for targeted assessments. There are assessments that you can perform internally, and you can generate score cards within the tool.

Is inheritance all or nothing for each requirement or can it be weighted?

MyCSF FAQ » Is inheritance all or nothing for each requirement or can it be weighted?

You can assign a weight to the inherited score that will apply to a particular control requirement.

Must the submission be performed by the assessed organization or the assessor firm as the full assessment or can the scores/comments be directly entered by one login and submitted?

Interim Review FAQ » Must the submission be performed by the assessed organization or the assessor firm as the full assessment or can the scores/comments be directly entered by one login and submitted?

The interim assessment must be completed by the assessed organization and then submitted to their assessor. The assessor must agree that all scores are accurate before generating the interim assessment. The assessor will submit the interim assessment to HITRUST once…

Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?

Control Maturity and Continuous Monitoring and Assessment FAQ » Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?

HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security…

Do you have more information on the BASICs program? Can any organization participate or are there certain criteria that need to be met?

MyCSF FAQ » Do you have more information on the BASICs program? Can any organization participate or are there certain criteria that need to be met?

The BASICs program is targeted to lower risk organizations. We will be defining the criteria of lower risk and these criteria will need to be met to participate.

How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?

HITRUST bases its framework on how risk management is defined, i.e., the process of managing risk to organizational operations, organizational assets or individuals resulting from the operation of an information system (the definition of which is quite broad), and…

Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late?

Interim Review FAQ » Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late?

Interim assessments need to be submitted by the one-year anniversary of the certification date. Exceptions may be requested prior to the anniversary date to account for extraordinary circumstances that prohibit completion.

Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?

MyCSF FAQ » Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?

Anyone that wishes to allow their assessments to be inherited will need to subscribe. This applies to internal as well as external inheritance. External inheritance is viewed as a service that is provided to customers making it easier to assess if they are working with…

Does evidence always have to be referenced to the requirement for each assessed area (e.g., implementation, measured, managed) or can we say that we observed and explained what is being done?

MyCSF FAQ » Does evidence always have to be referenced to the requirement for each assessed area (e.g., implementation, measured, managed) or can we say that we observed and explained what is being done?

When possible, all evidence should be uploaded into MyCSF. This ensures a quick and consistent QA process. Failure to upload all evidence of testing will result in a “live” QA review by HITRUST via Webex.

Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?

MyCSF FAQ » Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?

No. When you inherit a control requirement, it inherits scores related to all maturity domains based on the weight given to each. If you inherit from an object that has only scored policy, you will also be inheriting the zeros for the remaining maturity…

Can you export assessments into a spreadsheet or CSV document?

MyCSF FAQ » Can you export assessments into a spreadsheet or CSV document?

Organizations that have the appropriate subscription are able to export assessment data. Assessors’ test objects will not have this capability.

Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?

Third Party Assurance FAQ » Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?

No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms.…

MyCSF FAQ

Subtopics Why should I purchase a MyCSF subscription if I just need a report? What is the difference between MyCSF and a GRC tool? What is the cost to my organization? What are the modules, and why would I be interested? Can I get a free trial subscription or…

Does the use of alternate controls diminish the value of HITRUST Certification?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does the use of alternate controls diminish the value of HITRUST Certification?

Alternate (or compensating) controls, by definition, mitigate a similar type and amount of risk as the control it’s intended to replace. This is illustrated in the Risk Analysis Guide for HITRUST Organizations and Assessors by an example proposing the extension of…

HITRUST CSF and NIST CSF Frequently Asked Question

Subtopics Why should my organization get a certification relating to the NIST Cybersecurity Framework? How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework? Does NIST recognize HITRUST as a certifying…

Is the scope of the HITRUST CSF too large for most organizations?

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Is the scope of the HITRUST CSF too large for most organizations?

Although HITRUST specifically provides for significant tailoring of the HITRUST CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. Given the relatively uncontrolled sprawl of sensitive information in many…

Does HITRUST rely too heavily on the Authorized External Assessor Organization’s opinion of control effectiveness?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does HITRUST rely too heavily on the Authorized External Assessor Organization’s opinion of control effectiveness?

Authorized External Assessor Organizations and auditors generally determine control effectiveness regardless of what controls are specified, albeit there is usually a negotiation between them and the organization before the final report is issued. However, external…

Why do organizations need a security & privacy framework?

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Why do organizations need a security & privacy framework?

Information security and privacy laws are passed to regulate many industries and require that organizations that operate in such industries conduct thorough risk assessments to protect against the threats to the security and privacy of sensitive information.…

Does the HITRUST CSF take a “one-size-fits-all” approach to information security?

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Does the HITRUST CSF take a “one-size-fits-all” approach to information security?

The HITRUST CSF is actually one of the most flexible data protection frameworks ever developed. First, the HITRUST CSF was created by integrating multiple legislative, regulatory, and leading practice guidelines and frameworks, and tailoring the incorporated…

What is the difference between a HITRUST practitioner and a HITRUST External Assessor?

External Assessor Program FAQ » What is the difference between a HITRUST practitioner and a HITRUST External Assessor?

HITRUST External Assessors are designated organizations qualified to provide assessments for clients seeking HITRUST Certification. HITRUST practitioners are either members of a HITRUST Assessor organization that have obtained this status through the HITRUST training…

Do non-contextual impact ratings for controls provide any real value?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Do non-contextual impact ratings for controls provide any real value?

The term “non-contextual” is used to indicate that the rating does not consider the state of existing controls in a particular organization’s environment. The problem HITRUST is addressing with the non-contextual ratings is that many, if not most, organizations…

Does CSF Assurance take a compliance-based approach to information protection?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does CSF Assurance take a compliance-based approach to information protection?

From its inception, HITRUST chose to use a risk-based rather than compliance-based approach to information protection and help mature the healthcare industry’s approach to safeguarding information. By integrating NIST’s moderate-level control baseline into the…

CSF Assurance Program and Certification FAQ

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ

Subtopics What is the HITRUST CSF Assurance Program? What types of assessments are available in the HITRUST CSF Assurance Program? What is the process for an organization to achieve HITRUST CSF Certification? Is a HITRUST CSF Validated Assessment more expensive…

Does a CSF Assurance assessment weight all controls equally?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Does a CSF Assurance assessment weight all controls equally?

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST…

Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?

The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further. The biggest difference between the…

When is the HITRUST CSF v10.0 being released?

MyCSF FAQ » When is the HITRUST CSF v10.0 being released?

HITRUST CSF v10.0 will be released 4Q 2020.

In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?

MyCSF FAQ » In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?

The options are a function of the HITRUST CSF and will be updated to reflect more industry agnostic options with the release of HITRUST CSF v10.0.

What is the HITRUST QA process?

CSF Assurance Program FAQ » What is the HITRUST QA process?

The only change to the QA process is that the process will be performed in MyCSF. There are other changes that are being implemented to the QA process that are focused on ensuring the integrity and consistency of the assurance program. These changes will be announced…

Where is the policy management module?

MyCSF FAQ » Where is the policy management module?

MyCSF no longer supports the Incident Management, Exception Management, or Policy Management modules. These modules will be sunset when all customers are migrated to MyCSF 2.0.

Interim Review FAQ

Subtopics My interim assessment is coming up, how do I get started? How is the existing validated assessment utilized for the interim review? Is there a fee for HITRUST to process the interim assessment? Do I have to perform my interim assessment in MyCSF? Will…

Is a current SOC 2 acceptable for meeting the third-party assurance requirements?

Third Party Assurance FAQ » Is a current SOC 2 acceptable for meeting the third-party assurance requirements?

It depends. The accepting organization will need to make a determination based on the scope of the examination and the trust service criteria being reported upon. While the current SOC 2 may be granted a waiver and accepted in the first year, it will be necessary to…

Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?

MyCSF FAQ » Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?

There are several changes that will be announced relating to the Assurance Program requirements. These are independent of the HITRUST CSF and MyCSF and are designed to increase the consistency and integrity of the assurance process.

Do I have to perform my interim assessment in MyCSF?

Interim Review FAQ » Do I have to perform my interim assessment in MyCSF?

HITRUST is granting an exception for certifications obtained against HITRUST CSF v9.0 or earlier. Since CSF v9.0 and prior versions are not in the MyCSF tool, the assessment object cannot be recreated. Interim assessments meeting this criterion will be performed…

What’s included in HITRUST’s certification report for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What’s included in HITRUST’s certification report for the NIST Cybersecurity Framework?

HITRUST will issue a Letter of Certification for the NIST Cybersecurity Framework with a NIST CSF scorecard in the HITRUST CSF Assessment Report. HITRUST will also issue a separate Letter of Certification and scorecard that can be distributed separately from the…

How do you submit an assessment if you were certified against CSF v9.0 or prior versions?

Interim Review FAQ » How do you submit an assessment if you were certified against CSF v9.0 or prior versions?

HITRUST is granting exceptions for certifications obtained against HITRUST CSF v9.0. Since CSF v9.0 is not in the MyCSF tool, the assessment object cannot be recreated. Interim assessments meeting this criterion will be performed outside MyCSF, but non-subscribers…

What is the process for an organization to achieve HITRUST CSF Certification?

CSF Assurance Program FAQ » What is the process for an organization to achieve HITRUST CSF Certification?

Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an…

HITRUST Threat Catalogue FAQ

Subtopics How do I explain the HITRUST Threat Catalogue™ to my executives? Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x? How does the HITRUST Threat Catalogue make the HITRUST CSF better or improve its ability to help manage risk? Can…

My interim assessment is coming up, how do I get started?

Interim Review FAQ » My interim assessment is coming up, how do I get started?

MyCSF subscribers will automatically receive an interim assessment notice 90 days prior to the required submission date. Customers may begin the process 120 days before the submission date by manually generating the object. Non-subscribers will automatically receive…

HITRUST CSF and SOC 2® Frequently Asked Questions

Subtopics Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification? Do you have an ETA for when the updating of the Practitioner Document and Reporting Template to opine on meeting the 66 controls required for…

What do I receive if I only purchase a report?

MyCSF FAQ » What do I receive if I only purchase a report?

Those purchasing a report and not a subscription to MyCSF will only have access to the MyCSF Assessment and Reports for authoritative sources such as HIPAA, SOC2, and HITRUST. Also, report-only access is limited to 90 days. Extensions of access may be purchased for an…

How can I confirm an organization’s certification status?

CSF Assurance Program FAQ » How can I confirm an organization’s certification status?

If you are in possession of a HITRUST report or letter PDF and are seeking verification that the PDF is authentic, please contact support@hitrustalliance.net. You will be asked to provide a copy of the PDF in question and evidence showing you received it from the…

If we use the API, is there a development environment available?

MyCSF FAQ » If we use the API, is there a development environment available?

Deployment of the API focuses on getting information out of MyCSF and into your native toolsets. The API also allows getting information into MyCSF. Customers who subscribe at a level that includes this feature will be provided a test instance for integration…

What is the process for an organization to achieve HITRUST CSF Certification?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » What is the process for an organization to achieve HITRUST CSF Certification?

The organization should first determine the business drivers for attempting certification which should include identifying key stakeholders, defining scope, and selecting an Authorized External Assessor Organization. HITRUST recommends a Readiness Assessment be…

How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?

HITRUST Threat Catalogue FAQ » How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?

By linking granular threats identified in active threat intelligence to higher-level threats contained in the HITRUST Threat Catalogue and related HITRUST CSF control specifications, organizations will gain greater insight into how well they are addressing extant and…

What is the length of time it takes to become HITRUST CSF Certified?

CSF Assurance Program FAQ » What is the length of time it takes to become HITRUST CSF Certified?

CSF Certification can be achieved when the minimum compliance level (a score of 3+ or 3 with corrective action plans) is met for all 75 CSF controls required for certification (2019 CSF v9.2 requirement). The total amount of time it can take an organization to become…

What are the various types of CSF Assessments?

CSF Assurance Program FAQ » What are the various types of CSF Assessments?

HITRUST offers two types of CSF Assessments: a self-assessment and a validated assessment. Self-assessment allows organizations to self-assess using the standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST will then perform…

How can my organization utilize the CSF framework for an AICPA SOC 2 report?

CSF Assurance Program FAQ » How can my organization utilize the CSF framework for an AICPA SOC 2 report?

HITRUST and AICPA collaborated on the mapping of HITRUST CSF controls to AICPA Trust Principles and Criteria for Security, Confidentiality, and Availability. Subsequently, any AICPA firm can perform a SOC 2 examination leveraging the CSF framework. This allows the…

HITRUST and the NIST Cybersecurity Framework FAQ

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

Subtopics: Can risk be calculated based on a control’s maturity level? Do non-contextual impact ratings for controls provide any real value? How does the RMF fit into the NIST CsF? Why can’t I just adopt the NIST CsF without leveraging additional guidance or…

What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?

HITRUST CSF Bridge Assessment and Certificate » What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?

HITRUST will evaluate changes on a case-by-case basis and is available to engage with assessed entities to discuss specifics. Examples of activities that might be considered significant changes include: Moving from an on-premise data center into a public cloud…

If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?

If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST Cybersecurity Framework in one of two ways. An organization can generate a NIST CsF scorecard based on the maturity of the HITRUST CSF control requirements that support each of the NIST…

Does NIST recognize HITRUST as a certifying organization?

HITRUST CSF and NIST CSF Frequently Asked Question » Does NIST recognize HITRUST as a certifying organization?

Although NIST does not have its own certification program for the Cybersecurity Framework, NIST does recognize and actually encourage third party programs that provide a “confidence mechanism” for an organization’s implementation of the Framework, which also…

How does the HITRUST Threat Catalogue help me perform a risk analysis?

HITRUST Threat Catalogue FAQ » How does the HITRUST Threat Catalogue help me perform a risk analysis?

By understanding how HITRUST CSF controls address specific threats to personal data and other sensitive information, an organization can demonstrate the results of the risk analyses used by the underlying control frameworks in the HITRUST CSF, e.g., ISO 27002, NIST SP…

What is the difference between a HITRUST CSF Certification and a service auditor’s report expressing an opinion on the fairness of the system description, suitability of design, and operating effectiveness of controls based on The HITRUST CSF?

HITRUST CSF and SOC 2® Frequently Asked Questions » What is the difference between a HITRUST CSF Certification and a service auditor’s report expressing an opinion on the fairness of the system description, suitability of design, and operating effectiveness of controls based on The HITRUST CSF?

See the question “In the future, it looks like the SOC 2 HITRUST certification will only assess 75 controls. Does that mean organizations will not have to certify?”

What are the advantages of having a subscription to MyCSF?

MyCSF FAQ » What are the advantages of having a subscription to MyCSF?

To save time and costs: A subscription enables clients to retain data, eliminating redundant (internal or assessor) data-entry tasks for the interim assessment and subsequent assessments, saving organizations potentially hundreds of hours on a two-year assessment…

Are HITRUST assessments only useful for formal certification against the CSF?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Are HITRUST assessments only useful for formal certification against the CSF?

Certification is only one of the ways the HITRUST CSF can be used. Not all organizations need to pursue certification, and validation will provide assurances that specific controls are implemented, which ones are not or may have been changed, and how well they are…

Can I get a HIPAA specific report?

MyCSF FAQ » Can I get a HIPAA specific report?

Yes. In MyCSF 2.0 there is the ability to generate a targeted assessment against any one of the authoritative sources. Targeted assessments will only generate scorecards within MyCSF and will not result in a HITRUST Assurance Report.

How does my firm become a HITRUST Assessor?

External Assessor Program FAQ » How does my firm become a HITRUST Assessor?

To become an External Assessor, organizations must meet certain requirements set forth by HITRUST to ensure adequate knowledge, training and expertise. The process for becoming an External Assessor includes the following steps: 1. Complete and submit an External…

If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?

To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats.…

Do you have to submit complete scoring for each requirement statement?

Interim Review FAQ » Do you have to submit complete scoring for each requirement statement?

Yes, complete scoring must be submitted for each selected control requirement.

What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?

HITRUST Threat Catalogue FAQ » What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?

A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements…

Why should I purchase a MyCSF subscription if I just need a report?

MyCSF FAQ » Why should I purchase a MyCSF subscription if I just need a report?

Purchasing a subscription will open access to the MyCSF assessment, authoritative source reporting and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture, benchmarking data, ability to leverage the functionality to…

When can I start a HITRUST CSF Bridge Assessment?

HITRUST CSF Bridge Assessment and Certificate » When can I start a HITRUST CSF Bridge Assessment?

A HITRUST CSF Bridge Assessment object can be created in MyCSF up to 60 days prior to the existing HITRUST CSF Certification’s expiration.

Control Maturity and Continuous Monitoring and Assessment FAQ

Control Maturity and Continuous Monitoring and Assessment FAQ

Subtopics: How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification? What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization? What evidence do you have…

What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.

How do I get started adopting the HITRUST CSF framework?

HITRUST CSF Framework FAQ » How do I get started adopting the HITRUST CSF framework?

The decision to adopt the HITRUST CSF should be made at the organizational level, after which, the organization should perform an internal gap analysis of existing controls against the target controls in the HITRUST CSF. This analysis can be done manually or by…

Does a subscription add value if I am not getting CSF Certified?

MyCSF FAQ » Does a subscription add value if I am not getting CSF Certified?

Yes, even if you are only completing an assessment. Purchasing a subscription will open access to the MyCSF assessment, authoritative source reporting and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture,…

Who qualifies for the HITRUST CSF Bridge Assessment and Certificate?

HITRUST CSF Bridge Assessment and Certificate » Who qualifies for the HITRUST CSF Bridge Assessment and Certificate?

Any organization that (a) has a HITRUST CSF Validated Report with Certification, (b) will miss their validated assessment submission due-date, and (c) hasn’t missed that due date by more than 30 days.

Is the HITRUST certification for the NIST Cybersecurity Framework just for healthcare?

HITRUST CSF and NIST CSF Frequently Asked Question » Is the HITRUST certification for the NIST Cybersecurity Framework just for healthcare?

No, HITRUST certification of an organization’s implementation of the NIST Cybersecurity Framework—just like HITRUST CSF certification—can be obtained by any organization, regardless of industry or whether they are US-based or international.

Third Party Assurance FAQ

Third Party Assurance FAQ

Subtopics: How can I use the CSF Assurance Program for third-party risk management? How much does it cost to get a HITRUST CSF certification? How often do I need to get a report? How many questions, and how long will it take? How do I understand the CSF…

When can I create the HITRUST CSF Bridge Assessment object in MyCSF?

HITRUST CSF Bridge Assessment and Certificate » When can I create the HITRUST CSF Bridge Assessment object in MyCSF?

The HITRUST CSF Bridge Assessment object can be created no more than 60 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.

When can I submit a completed HITRUST CSF Bridge Assessment to HITRUST?

HITRUST CSF Bridge Assessment and Certificate » When can I submit a completed HITRUST CSF Bridge Assessment to HITRUST?

The HITRUST CSF Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.

Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

External Assessor Program FAQ » Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

HITRUST practitioners will complete the onsite training during the first year. The second and third year they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. The…

How do I understand the CSF Assessment report I have received?

Third Party Assurance FAQ » How do I understand the CSF Assessment report I have received?

HITRUST has created a document that explains the assessment report, how to interpret it, and how it can be used to complement and enhance your current processes. Reference: Leveraging HITRUST CSF Assessment Reports: A Guide for New Users

Does the 90-day rule for evidence apply for interim assessments?

Interim Review FAQ » Does the 90-day rule for evidence apply for interim assessments?

Yes, for control requirements that are not associated with required CAPs, they must have been in place for 90 days in order to be scored and they must have been tested within the preceding 90 days from submission to HITRUST. This should not be an issue as the…

Can I get involved in the working group and, if so, how?

HITRUST Threat Catalogue FAQ » Can I get involved in the working group and, if so, how?

The HITRUST Threat Catalogue is currently overseen by the HITRUST CSF Advisory Council and is supported by a dedicated Working Group (WG) to help continue the development and maintenance of the HITRUST Threat Catalogue. Although the WG is not currently accepting new…

Is a HITRUST CSF assessment a requirement for certification against the NIST Cybersecurity Framework, or can I just obtain a HITRUST certification for the NIST Cybersecurity Framework? If so, what is the cost?

HITRUST CSF and NIST CSF Frequently Asked Question » Is a HITRUST CSF assessment a requirement for certification against the NIST Cybersecurity Framework, or can I just obtain a HITRUST certification for the NIST Cybersecurity Framework? If so, what is the cost?

Yes, a HITRUST CSF assessment is a requirement for certification against the NIST Cybersecurity Framework. This is because the HITRUST CSF provides the detailed requirements an organization should implement to adequately address the cybersecurity objectives—what…

Is HITRUST’s certification for the NIST Cybersecurity Framework separate from HITRUST CSF Certification?

HITRUST CSF and NIST CSF Frequently Asked Question » Is HITRUST’s certification for the NIST Cybersecurity Framework separate from HITRUST CSF Certification?

Yes, one certification is for the organization’s implementation of the HITRUST CSF controls and is based on minimum scoring criteria for 19 topical control areas, such as access control and wireless network security. The other is a certification of an…

Can I get a free trial subscription or demo?

MyCSF FAQ » Can I get a free trial subscription or demo?

HITRUST does offer a free 2-week trial access in the MyCSF tool. This access is provided in a sandbox environment. This environment does not contain all of the functionality found in the production version of MyCSF and information input into this system will not…

Is the HITRUST CSF an industry standard for healthcare?

HITRUST CSF Framework FAQ » Is the HITRUST CSF an industry standard for healthcare?

The HITRUST CSF is a data protection standard not only for healthcare, but can effectively be used by organizations across all sectors. The HITRUST CSF provides a consensus-driven standard of due care and due diligence for the protection of electronic protected health…

Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?

HITRUST CSF Bridge Assessment and Certificate » Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?

The HITRUST CSF Bridge Certificate is designed to assist organizations who need to maintain HITRUST CSF Certification but may be experiencing challenges in completing their next HITRUST CSF Validated Assessment. The HITRUST CSF Bridge Assessment links the two HITRUST…

If I am already HITRUST CSF Certified, how do I get a copy of my certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » If I am already HITRUST CSF Certified, how do I get a copy of my certification for the NIST Cybersecurity Framework?

A scorecard and certification for the NIST Cybersecurity Framework can be generated against a prior assessment against HITRUST CSF v9 and v9.1. Cost of the additional scorecard is $500. For more information, contact HITRUST by email at sales@hitrustalliance.net or by…

CSF Assurance Program FAQ

CSF Assurance Program FAQ

Subtopics: What is the HITRUST CSF Assurance Program? What are the various types of CSF Assessments? Is a HITRUST certification assessment more expensive than comparable assessments? What is the length of time it takes to become HITRUST CSF Certified? What is the…

Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?

HITRUST CSF and SOC 2® Frequently Asked Questions » Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?

The answer to this question is either. HITRUST has updated the SOC 2 + HITRUST guidance to illustrate how a SOC 2 + HITRUST CSF opinion could be based upon all 135 security CSF Controls or only those security controls required for Certification. There are three (3)…

What is the relationship between the control categories of the HITRUST CSF and the assessment domains found in MyCSF?

HITRUST CSF Framework FAQ » What is the relationship between the control categories of the HITRUST CSF and the assessment domains found in MyCSF?

The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control…

If I am HITRUST CSF Certified, am I also certified for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » If I am HITRUST CSF Certified, am I also certified for the NIST Cybersecurity Framework?

HITRUST CSF Certification will generally result in certification of an organization’s information security program against the NIST Cybersecurity Framework because the control requirements for both frameworks are essentially the same; they’re just mapped and…

Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?

HITRUST CSF and NIST CSF Frequently Asked Question » Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?

While it’s possible, the likelihood that an organization can be certified against the NIST Cybersecurity Framework without meeting the requirements for HITRUST CSF certification is very small. This is because each certification is based on a single assessment. …

What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization?

Control Maturity and Continuous Monitoring and Assessment FAQ » What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization?

The level of maturity an organization wishes to pursue is a risk-based decision based on the needs of that organization. However, an industry-accepted level of due diligence and due care would be a fully implemented HITRUST CSF-based information protection program…

How can I obtain a copy of the HITRUST CSF?

HITRUST CSF Framework FAQ » How can I obtain a copy of the HITRUST CSF?

The latest version of the HITRUST CSF framework is available on our website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving data protection, provided said organization does not offer…

HITRUST CSF Bridge Assessment and Certificate

HITRUST CSF Bridge Assessment and Certificate

Subtopics: What is the HITRUST CSF Bridge Assessment? Will all of my relying parties accept the HITRUST CSF Bridge Certificate? Who qualifies for the HITRUST CSF Bridge Assessment and Certificate? When can I create the HITRUST CSF Bridge Assessment object in…

How does a bridge assessment affect the interim assessment due date?

HITRUST CSF Bridge Assessment and Certificate » How does a bridge assessment affect the interim assessment due date?

The interim assessment is still due on the one-year anniversary of the certification date. A hypothetical timeline: An organization’s HITRUST CSF Certification is set to expire on 5/31/20 and this organization is awarded a HITRUST CSF Bridge Certificate. This…

How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification?

Control Maturity and Continuous Monitoring and Assessment FAQ » How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification?

Mature organizations are defined as those organizations with ‘best-in-class’ information protection programs that not only have robust policies and procedures in place to support full implementation of their information security and privacy controls—a complete…

Is the HITRUST CSF Assurance Program a one-size-fits-all approach?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Is the HITRUST CSF Assurance Program a one-size-fits-all approach?

As we’ve seen in other FAQs, the CSF is not a one-size-fits-all approach due to (1) an organization’s ability to tailor the initial selection of the control baseline in accordance with defined risk factors and (2) the requirement for additional tailoring based on…

Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Frequently Asked Questions About the HITRUST® Risk Management Framework » The HITRUST CSF FAQ » Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Many of the elements for the argument are presented in FAQs throughout this section. But more specifically, the HITRUST CSF is designed with certain highly-regulated industries in mind; however, it is a region- and industry-agnostic control framework that can be used…

Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

Third Party Assurance FAQ » Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

Organizations accepting ISO 27001 in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular…

How can I use the CSF Assurance Program for third-party risk management?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » How can I use the CSF Assurance Program for third-party risk management?

The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…

How can I use the CSF Assurance Program for third-party risk management?

Third Party Assurance FAQ » How can I use the CSF Assurance Program for third-party risk management?

The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…

Is a HITRUST CSF Validated Assessment more expensive than comparable assessments?

Frequently Asked Questions About the HITRUST® Risk Management Framework » CSF Assurance Program and Certification FAQ » Is a HITRUST CSF Validated Assessment more expensive than comparable assessments?

No, and this is a common misconception. In many cases the overall assessment costs associated with information security and privacy assessments conducted under the HITRUST CSF Assurance Program are less than other comparable third-party assessments. The alignment…

What is the best approach for implementing the NIST Cybersecurity Framework in the healthcare industry?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » What is the best approach for implementing the NIST Cybersecurity Framework in the healthcare industry?

The best approach for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity, or Cybersecurity Framework (CsF), is the approach outlined in the Healthcare Sector Cybersecurity Framework Implementation Guide, produced and published under the…

Is a HITRUST certification assessment more expensive than comparable assessments?

CSF Assurance Program FAQ » Is a HITRUST certification assessment more expensive than comparable assessments?

No, this is a common misconception. In many cases the overall assessment costs associated with information security and privacy assessments are less than those of other 3rd party assessments. The alignment between the HITRUST CSF and CSF Assurance programs allows a…

How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?

Control Maturity and Continuous Monitoring and Assessment FAQ » How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?

While useful, the approach used to obtain reputational scores like Security Scorecard and Bitsight is limited (similar to a narrowly scoped external penetration test) and is arguably unique for each organization’s network. It is further recognized that each scorecard…

Frequently Asked Questions About the HITRUST® Risk Management Framework

Frequently Asked Questions About the HITRUST® Risk Management Framework

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In…

If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?

CSF Assurance Program FAQ » If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?

In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of…

Why can’t I just adopt the NIST Cybersecurity Framework without leveraging additional guidance or frameworks?

Frequently Asked Questions About the HITRUST® Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Why can’t I just adopt the NIST Cybersecurity Framework without leveraging additional guidance or frameworks?

For an industry sector or organization to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework), one must understand that it relies on existing standards, guidance, and leading practices to…