CSF Assurance Program Requirements
January 12, 2016
Ken Vander Wal, Chief Compliance Officer, HITRUST
Policy/Program Change Details
This change adds CSF control 01.t, Session Time-out, to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. Failure to include CSF control 01.t after the 2016 release will prevent organizations from submitting their assessments for HITRUST validation and certification. This addition increases the total number of CSF controls required for HITRUST CSF certification from 64 to 65.
HIPAA § 164.312(a)(2)(iii), an addressable implementation specification that requires organizations to “implement electronic procedures that terminate an electronic session after a pre-determined time of inactivity,” is currently supported by CSF control 01.h, Clear Desk and Clear Screen Policy, for the purpose of HITRUST CSF certification. Although CSF control 01.h requires the use of a protected screen and keyboard locking mechanism if a user is logged into a computer or terminal, CSF control 01.t more specifically addresses the intent of the language in the HIPAA specification.
Timetable for Implementation
Effective Date: Assessments generated with Version 8 of the HITRUST CSF
Enforcement Date: Assessments generated with Version 8 of the HITRUST CSF