By Michael Parisi, Vice President of Adoption, HITRUST
Author’s Note: The discussion around creating a successful organizational culture that supports information risk management programs is a robust topic, so we are breaking the content into two blogs. Be on the lookout for Part 2 next week.
Some organizations view IT security audits as “check-the-box” exercises performed simply to comply with regulations and standards. They’re driven primarily by external factors, such as a business partner who requires proof of the organization’s information security posture, or an industry regulator whose compliance requirements must be met to avoid fines or sanctions.
Reacting to these urgent requests, their InfoSec team—often working in isolation from the rest of the organization—answers questionnaires or responds to inquiries to document that all necessary security controls are in place. These organizations may not take the time to evaluate the effectiveness of their security controls, and they often don’t consider whether there are gaps that might put the organization’s data and digital assets—and perhaps those of its customers and business partners—at risk.
An alternative to this reactive approach is to proactively adopt and implement the best information protection and assessment methodologies as part of an ongoing program focused on continuous improvement. This latter approach helps ensure that an organization builds a strong culture around security and compliance.
HITRUST CSF Helps Build a Culture of Security
Leveraging security frameworks to assess security controls and build a culture of IT security compliance was the topic of a breakout session I hosted at the HITRUST Collaborate conference. The “Creating a HITRUST Compliance Culture” session featured a panel of experts that included three independent HITRUST CSF assessors: Ryan Patrick of Intraprise Health, Greg Vetter of RSM US, and Michael Kanarellis of Wolf & Company.
The HITRUST CSF addresses security, privacy, and regulatory challenges by incorporating a risk-based approach along with a comprehensive and flexible framework of prescriptive and scalable security and privacy controls. The HITRUST CSF also harmonizes and cross-references global standards, regulations, and business requirements—including ISO, NIST, EU GDPR, PCI, and more.
A Stronger Alternative to “Check-the-Box” Audits
Many businesses turn to data security audits because regulators mandate them. Or they see audits as a market differentiator that helps win a big deal with a new customer by demonstrating that they take data security seriously. However, an evaluation that is only a single point-in-time assessment, or a report that does not cover important data protection elements, may not adequately address risk.
HITRUST provides an alternative to “check-the-box” security audits, which are often handled by IT teams in isolation. The HITRUST CSF offers a foundational framework that facilitates the adoption of a comprehensive security and compliance culture across the entire organization.
“It’s much more important to adopt a culture of compliance that creates an environment of resilience where business leaders consider the security and compliance implications as systems and processes go through changes,” Patrick says. “By leveraging a framework like HITRUST, people begin to use the framework for guidance on what to do. Your security and compliance program will automatically apply best practices and become more mature rather than just meeting the criteria of an audit at a specific point in time.”
Adds Vetter, “The HITRUST approach is not an audit; it’s the adoption of a framework. Whether or not you’re getting certified, it’s a default framework you can lean on, and you can include relevant requirements from other programs in your framework (such as MARS-E from NIST, 21 CFR Part 11 from the FDA, and IRS Publication 1075) without having to do the research and the linking. And, even if you do not need to get certified, if you need to mature your security program, HITRUST is the ideal framework.”
How the Journey Changes Organizational Cultures
The need for strong information security goes well beyond the IT team – and for most organizations extends across departments such as Risk Management, Procurement, Operations, Finance, Human Resources, Sales, and others who have sensitive data to protect. In addition, your organization probably shares information with third-party service providers and other vendors across the supply chain ecosystem. It is equally important to factor these business partners into your data protection program. Applying the HITRUST CSF to your security controls helps you understand all areas of operational risk and how to address those risks. You may also discover there’s a need to formally appoint a risk officer or assign an internal audit function to mature the security posture.
“The HITRUST framework shows you where you need to spend money around security and privacy,” says Kanarellis. “You can identify the inherent risk of the technologies you have deployed as well as the strengths of the security controls relative to those risks, and then determine whether there is any residual risk. This transforms the organization from having a nascent understanding of risk to wielding an enterprise-level risk management function.”
Patrick followed up by saying, “Proactively establishing a culture by working with the HITRUST framework—and making it part of the organization’s daily routine—means you won’t run into the crunch of only having 60 days to pass an assessment required by a customer or vendor. The framework also forces you to look at all aspects of risk mitigation—from implementing controls to the policies that govern the controls and the processes that ensure the controls are in place. This gives you resilience and the ability to recover and continue business operations in the event of a security incident.”
The HITRUST CSF is an industry-leading information risk management and compliance framework organizations can rely on to provide reliable, high-quality results with transparency, integrity, and consistency.
To learn other important methods to enhance the success of your information asset protection program across your organization, watch for our next blog, “Creating a Compliance Culture for IT Security Part 2: Earning Organizational Buy-in.”
About the Author
Michael Parisi, Vice President of Adoption, HITRUST
Michael Parisi has led over 500 controls-related engagements and has extensive experience with third-party assurance reporting, including HITRUST readiness, HITRUST certification, SOC 1, SOC 2, SOC 3, Agreed-Upon Procedures, and customized AT-101 engagements. Michael is deeply involved with helping customers leverage the advantages of the HITRUST Assessment XChange for third parties. He has extensive knowledge of financial reporting and regulatory standards through his external audit and consulting experience, including Sarbanes-Oxley, HIPAA, NIST, CMS, and state-specific standards. He is an active member of ISACA and IAPP.