Policy/Program Change Details
This change adds CSF control 01.e, Review of User Access Rights, to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. Failure to include CSF control 01.e after the 2016 release will prevent organizations from submitting their assessments for HITRUST validation and certification. This addition increases the total number of CSF controls required for HITRUST CSF certification from 65 to 66 after the addition of 01.t, Session Time-out, per HAA 2016-003.
Rationale
HITRUST has received numerous inquiries from healthcare organizations over the past several years about including the review of user access rights in the controls required for certification. “Recertification” of user access is a common if not ubiquitous item on internal and external audits and an essential component of privilege management. Recertification helps prevent “access creep” for workforce members that transfer from one position to another within an organization, as well as provide the organization with another check on the validity of initial privileges granted to new workforce members and additional assurance that access for terminated workforce members has been revoked. Ensuring that only current workforce members have access helps reduce the overall attack surface for malicious cyber threat actors and further inhibits the ability of these malicious actors to escalate user privileges and subsequently maintain them if an account is successfully compromised.
Timetable for Implementation
Effective Date: Assessments generated with Version 8 of the HITRUST CSF
Enforcement Date: Assessments generated with Version 8 of the HITRUST CSF