Over the last 12 years, HITRUST has been expanding its products and services into multiple industries with the help of the HITRUST Approach, supporting information risk management and compliance for organizations globally. In that time, a number of questions and misconceptions about those programs and services have arisen. Below we share our most frequently asked questions and address the most common misconceptions. Check back soon for new questions.
Did you know that when it comes to compliance and information risk management, it’s not just about the framework?
Effectively managing information security, privacy, and compliance risk is complex and ever-changing. There are many components and considerations in developing and implementing a robust program that encompasses and integrates all the elements needed to manage this risk and achieve one’s compliance objectives effectively. Many organizations believe selecting their control framework is the most complicated part of the process, and although important, it is just the beginning.
In developing an information security risk and compliance program, there are many considerations in addition to selecting the most appropriate framework, such as:
- Measuring the effectiveness of implementation
- Aligning threats to security controls
- Reporting your program’s approach to management and third parties
- Inheriting controls and responsibilities with service providers
- Integrating information risk and compliance controls into an assessment tool
- Aligning with your third-party risk management approach
You need much more than a comprehensive information security and privacy control framework to effectively manage information risk and compliance, and we have developed the HITRUST Approach to streamline the process of getting there. Contact HITRUST to learn more about how we can help your organization structure and implement an information risk management program.
Did you know HITRUST provides the only information protection risk management framework you really need?
HITRUST takes a rigorous and inclusive approach to the selection and assessment of controls by incorporating and harmonizing international, federal, and industry standards, regulations, and leading best practices that fully support the type of robust and comprehensive information protection program needed to adequately safeguard individual privacy and secure sensitive information. HITRUST also looks at underlying risk exposures to ensure the CSF, CSF Assurance Program, and supporting methodologies and tools align with industry requirements.
Business Requirements Change – Insightful businesses know that security is not simply a technical issue, but rather is about deciding how to allocate limited resources to best manage risk exposure. Consequently, most organizations naturally seek to ‘right size’ their security programs, which means controlling scope so controls only need to be applied where appropriate. Likewise, organizations seek to limit the number of controls to the minimum necessary to achieve their objectives. The problem is that businesses are rarely, if ever, fixed environments. New opportunities emerge, customer expectations change, laws and regulations arise and, in response, the business innovates, adopting new technologies and entering additional markets. All of the aforementioned may cause a previously chosen framework to become stale, especially if it doesn’t speak to the control requirements, regulations, and risks to which the business is now exposed. So now the company finds itself in the undesirable situation of maintaining frameworks (i.e., it needs to expand its current framework or migrate to another one), which is not core to its business and detracts from its primary goal of actually ‘doing security.’
By integrating and mapping to dozens of international, federal, and state information security and privacy regulations, as well as standards and best practices, the HITRUST CSF allows organizations to streamline the assessment process. Specifically, as a “framework of frameworks,” the HITRUST CSF is the only framework organizations need to adopt to cover most, if not all, regulations, mandates, internal requirements, and/or customer expectations to which they might be subject. Moreover, because HITRUST has harmonized like controls from different frameworks into a single set of rationalized control requirements, organizations do not need to answer more questions than necessary. The value in this is immediately apparent, as it supports an efficient and effective ‘assess once, report many’ approach to information risk reporting for internal stakeholders, external parties, and regulators.
Equally important is the fact that the HITRUST CSF is customizable. Specifically, by virtue of the MyCSF’s comprehensive set of selectable risk factors, HITRUST defines the assessment controls organizations need to meet to appropriately manage information risk and compliance. In this way, organizations who are only concerned about a single requirement (e.g., HIPAA) realize value as they don’t need to assess themselves against controls which don’t apply. And this says nothing of the fact that they don’t have to do additional work in the future should they later become subject to additional requirements.
Quite often, organizations rightfully undertake security initiatives to answer a key business question such as: “What is our current posture?” “Is this where we need to be?” “What do we need to do to reach our goals?” This is where frameworks come in. By adopting the right framework, organizations can be confident that they are evaluating themselves against the full depth and breadth of safeguards necessary to comply with regulations, address their risk exposure, and enable their business operations. Of course, this presumes that in adopting a framework you intend to evaluate yourself against and pursue compliance with the controls referenced therein. In most cases organizations will neither want nor need to comply with every control in a framework, which is why it is critical to select a framework that can be customized.
The framework is only one part of the solution – Mindful that security is a program, not a project, let’s not forget that there is the actual work of setting policy, crafting procedures, implementing controls, measuring risk, and managing everything. Organizations need tools to manage the development, deployment, communication, and maintenance of controls, documents, standards, metrics, test results, and other supporting artifacts inherent to any good security, privacy, risk management, and governance program. This means that organizations must then build their own controls repository and/or go into the market to evaluate, select, and acquire a GRC tool, which may or may not align well with their chosen framework. Lastly, even when armed with the right framework and a suitable platform, there is still more needed. Not only must organizations answer security questions for their own purposes, all but a rare few must also answer these same questions and provide assurances to their upstream customers and business partners as well as obtain answers to these same questions from their downstream vendors and third parties. The problem is that due diligence requires that we do more than simply take our partner’s word when it comes to their security posture. Instead, what is needed is an independent and objective validation that provides us with the necessary confidence to decide to exchange sensitive information or provide access to our partners. So now organizations must engage independent auditors hoping that what they do is acceptable to their relying parties.
You can have confidence that the HITRUST CSF controls framework, MyCSF Platform, and CSF Assurance Program address all of these challenges and provide organizations with a single, comprehensive solution as part of the HITRUST Approach.
Did you know HITRUST does the heavy lifting so you don’t have to?
For many organizations, effectively managing information risk is a complex and ever-changing process, often met with confusion and stress.
There are many different steps in this process to consider:
- Find the best framework to suit your organization’s needs
- Leverage that framework to define a control set appropriate for your organization’s scope
- Assess your organization against this selected control set
- Find a reliable third party to validate your assessment
- Provide the assessment information and resulting report to applicable third parties
- Repeat this process for all third parties who require different scopes and regulatory factors to provide sufficient assurances that their data is effectively being managed by your organization
With all these considerations, the process of securing your organization’s data can easily become overwhelming if you go this route alone. However, HITRUST is here to streamline the process—from start to finish—as we strive to keep your organization’s risk management program running smoothly.
Our integrated HITRUST Approach ensures that all components are:
ALIGNED: Each aspect of the HITRUST Approach works together, eliminating the need to compile separate necessary components when building your information risk management program.
MAINTAINED: We constantly stay on top of new laws, regulations, and best practices as well as assess market dynamics and customer feedback to improve each component of the HITRUST Approach.
COMPREHENSIVE: Our portfolio of products and services includes everything your organization needs to develop and maintain a mature information risk management program.
HITRUST has a singular focus on continuously developing tools and products designed to improve information risk management and compliance, doing the heavy lifting so your organization can focus on the real task at hand: driving your business with the assurance that your data is effectively safeguarded.
Did you know MyCSF is a purpose-built assessment platform?
As the best-in-class Software as a Service (SaaS) information risk management platform for assessing and reporting information risk and compliance, MyCSF makes it easy and cost-effective for an organization to manage information risk, as well as meet international, federal, and state regulations concerning security and privacy.
We’ve leveraged our experience—gained from evaluating hundreds of thousands of risk assessments—combined with our expertise in framework development, information risk management, and compliance to purpose-build the MyCSF platform: the most efficient solution for assessing, managing, and reporting information risk and compliance.
The HITRUST CSF Framework is integrated into the platform by design, eliminating the need to search for both a comprehensive framework and an accompanying platform, allowing you to get back to the task at hand: driving your business with the assurance that your data is effectively safeguarded.
With over 40 authoritative sources, such as HIPAA, FFIEC, NIST 800-53, NIST 800-171, PCI, GDPR, and CCPA*, mapped into the HITRUST CSF, you can tailor one assessment to address many authoritative sources, allowing your organization to provide sufficient assurances to multiple requesting customers using just one assessment and report. This eliminates the need for multiple proprietary assessments which often contain similar or duplicate questions.
Not planning on receiving a formal HITRUST CSF Report? Your organization can still benefit from utilizing the MyCSF platform to gain greater insight into your organization’s current information risks, policies, and procedures, helping your organization build a robust information protection program. Analytical functions allow you to see where your organization compares to similar organizations, helping to provide further assurances to requesting customers and internal leadership.
Planning to receive a HITRUST CSF Report at a future date? Creating your assessment in MyCSF prior to being ready to obtain a HITRUST CSF Report gives your organization valuable insight into the control requirement statements which will be in-scope for your organization, allowing for ample preparation.
With MyCSF you can:
- Efficiently manage and navigate your assessments
- Create customized charts and dashboards
- Simplify reporting with preconfigured analytics functions
- Apply scores from one assessment to another
- Build and maintain your comprehensive library of supporting documentation
- …and much more!
*The above mentioned authoritative sources reference the HITRUST CSF v9.3
Did you know there are many benefits to getting a HITRUST CSF Assessment?
Organizations today face new challenges as managing risk, complying with a myriad of information security and privacy regulations, and providing related assurances to internal stakeholders, external partners, and regulators have become requirements of doing business.
A HITRUST CSF Assessment, built upon our comprehensive and scalable framework and assurance program, provides a highly accurate, comprehensive, and cost-effective approach to performing a single security and privacy assessment that reports the status of your organization’s information protection posture in various formats to internal stakeholders and external partners and regulators.
Whether your organization is looking for a self-attestation to help lead the development of your program or a robust validated assessment to provide assurances, HITRUST has you covered.
HITRUST CSF Assessments are unique in that they are built upon the HITRUST CSF, which incorporates and harmonizes 44 frameworks, standards, and regulations, and are paired with the most complete assurance program, ensuring integrity, transparency, and consistency. Together these provide organizations an efficient and effective approach to understanding and reporting the effectiveness of their information controls and their compliance with regulations.
With a HITRUST CSF Assessment, your organization can gain a prospective, holistic view of your information security risk management program and then relay findings to both internal and external stakeholders. Additionally, those organizations that meet or exceed scoring requirements on their validated assessment may be awarded a HITRUST CSF Certification.
As the most accurate, reliable, and transparent report available, the HITRUST CSF Certification has many benefits, including fewer resources wasted on duplicative proprietary questionnaires as well as potential cost savings on cybersecurity insurance.
Did you know HITRUST is a Standards Organization?
HITRUST is widely recognized as a standards organization and developer of the HITRUST CSF, an information security and privacy controls framework used by a variety of industry sectors. We operate similarly to ISACA, ISO and NIST, are governed by a Board of Directors, and receive guidance from multiple industry councils.
The work of HITRUST as a standards organization is also supported by multiple industry working groups to ensure the HITRUST CSF continues to address a constantly changing risk environment and meet the ever-evolving needs of organizations across the globe.
Start elevating your information risk management program today. The HITRUST CSF is a certifiable, risk-based framework with prescriptive security and privacy controls. Updated at least annually, it also serves as the foundation of the HITRUST Approach.
Did you know HITRUST delivers one framework, one assessment, globally?
Regardless of where in the world an organization operates, it will always be subject to risk—which will need to be managed. While every market has different threats and regulatory requirements, HITRUST’s comprehensive approach to risk management and compliance stretches across geographic boundaries. This global relevancy is particularly important for organizations that have business to conduct across borders; they need to provide assurances for their programs if they are to earn one another’s trust and gain entry into key business ecosystems.
HITRUST continues to expand and enhance its services and support as part of a global information protection approach to streamline information risk management and compliance for organizations of any type, size, or geography delivering services locally, nationally, or internationally.
By leveraging the HITRUST CSF and CSF Assurance program, your organization can satisfy all your information risk management and compliance requirements—locally, nationally, or internationally.
Some of these globally relevant authoritative sources include:
- The European Union General Data Protection Regulation (GDPR)
- Singapore’s Personal Data Protection Act
- International Organization for Standardization (ISO) 27001
- The Asia-Pacific Economic Cooperation (APEC) Privacy Framework
- The Organisation for Economic Co-operation and Development (OECD) Privacy Framework
- ISACA’s COBIT 5
- Center for Internet Security (CIS) Controls v7.1
- U.S. Health Insurance Portability and Accountability Act (HIPAA)
- U.S. DOD Cybersecurity Maturity Model Certification (CMMC)
Additionally, HITRUST has introduced the support of data localization within the HITRUST MyCSF platform and has made efforts to enhance its services and support in the Asia Pacific region to better streamline and improve global information protection compliance.
More recently, HITRUST has been designated by the International Trade Administration as a U.S. accountability agent under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System. Accountability agents provide third-party validation that minimum privacy requirements are met, and ease compliance burdens in the Asia Pacific region.
One framework. One assessment. Globally.
Did you know HITRUST serves organizations across multiple industries?
Compliance and risk are industry-agnostic concerns and the requirements to address these issues can be as many and varied as organizations themselves. Organizations which are active across multiple industries and/or sectors can benefit from HITRUST’s industry-agnostic approach, eliminating the need for siloed risk management and compliance programs.
No matter what size, industry, or sector your organization falls under, HITRUST has a solution for you.
The HITRUST CSF integrates and harmonizes the largest number of security- and privacy-related authoritative sources, many of which span industries and sectors; some examples include International Organization for Standardization (ISO) standards, National Institute of Standards and Technology (NIST) publications, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). Additionally, the Department of Defense’s (DoD’s) recently released Cybersecurity Maturity Model Certification (CMMC) framework has been integrated into the version 9.4 release of the HITRUST CSF framework, further bolstering the claim of Assess Once, Report Many™.
The HITRUST Threat Catalogue helps provide organizations further visibility into areas representing the greatest risk exposure, enhancing the underlying risk analysis used to develop the HITRUST CSF. This simplifies the risk analysis process and reduces some of the burden, costs, and confusion otherwise experienced when attempting to achieve an in-depth level of risk analysis.
Once risk and compliance needs are determined, HITRUST’s offerings can help your organization achieve its goals. HITRUST CSF Assessments, the primary mechanism by which organizations evaluate the rigor of their own programs and provide assurances to relying parties, are not a one-size-fits-all model. Our Guide to Approaching a CSF Assessment can help you understand the various options and considerations in determining the approach that’s right for your organization.
The innovative HITRUST MyCSF platform makes it easy to scope your organization’s assessment so that it’s dynamically adapted to the nature and purpose of your systems environment. For example, requirement statements are included or excluded as appropriate based on factors such as mobile accessibility, geography, and third-party access.
HITRUST is committed to helping organizations globally and across industries manage information risk and compliance. Whether in your own data center, in the cloud, or both, HITRUST is here to help, be it assessing the maturity of your program or helping determine what needs to be done. We do this all with the intent of helping you manage your information risk, demonstrate your compliance with any and all applicable regulations, earn and keep the trust of your partners and customers, and provide the assurances others expect of you.
One Framework, One Assessment, Globally.