Control Maturity and Continuous Monitoring and Assessment FAQs
What is the role of continuous monitoring in the HITRUST scoring process?
Information security continuous monitoring (ISCM) has been a part of the HITRUST CSF control maturity and scoring model since the inception of the HITRUST CSF Assurance Program in 2009.
Typical assessment and audit approaches generally focus on policy and implementation of the controls needed to implement that policy. HITRUST takes a more robust approach by specifically looking at the implementation of the control, including how well the control is supported by policy and procedures, as well as how well the organization monitors the effectiveness of the control and whether it takes appropriate action should monitoring indicate a degradation in effectiveness or failure of the control.
As shown in the table below, continuous monitoring is addressed by the ‘Measured’ and ‘Managed’ maturity levels with a maximum of 15 and 10 points awarded for each level, respectively.
Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security and privacy controls specified for the vendor as well as the maturity scores required for an acceptable level of assurance.
As shown in the table above, the HITRUST risk triage approach provides (1) specific organizational, compliance and technical factors that help identify the type and amount of inherent risk the business relationship with the vendor poses; (2) a simple risk scoring model to help quantify the risk; and (3) specific recommendations for the type and rigor of the assessment and the maturity of the organization’s information protection.
By providing a common set of risk factors independent of the security and privacy controls that may or may not implemented by a third party, an organization can readily assess inherent risk and determine a reasonable and appropriate mechanism for the assurances it needs at a reasonable cost. Broad adoption will also significantly reduce costs for any third party that needs to provide assurances to multiple customers or business partners.
What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high likelihood these controls will continue to operate in a similar manner going forward. And organizations that have mature information security continuous monitoring (ISCM) programs in place can also help ensure that any deficiencies that may arise in their protection programs are quickly identified and addressed. These organizations may qualify for the HITRUST CSF Ongoing Certification (OC) Program, which will allow these organizations to reduce the frequency of full, time-based recertification assessments, as shown in the graphic on the next page.
HITRUST plans to update the CSF Assurance Program to reward those organizations that have mature information protection programs as well as those that are actively implementing ISCM programs through a three-tiered certification program.
Organizations that demonstrate a ‘standard’ level of information protection, typically reflected in a CSF maturity score below 79, will undergo annual recertification assessments while those with higher scores striving to meet HITRUST requirements for ISCM would continue to undergo biannual recertification assessments with a targeted interim assessment.
Organizations that qualify for the ISCM-based HITRUST CSF Ongoing Certification (OC) program would conduct recertification assessments even less often, the frequency of which would be determined by its aggregated HITRUST CSF control maturity score and other criteria. Additional criteria will be developed by the HITRUST ISCM Working Group and integrated into the HITRUST CSF Assurance Program prior to its rollout, the timing of which is yet to be determined.
Benefits of the ISCM-based HITRUST CSF OC Program include:
- On-demand, near real-time insight into their security and compliance risk posture* (visibility into how well stuff is protected)
- The ability to make quick, risk-based decisions on system security in near real-time** (helps minimize the impact from bad things happening)
- Better prioritization of remediation activities and corrective actions*** (helps identify the problems that need to be fixed first)
- Consistent, continuous adoption of cybersecurity best practices**** (ensures extant and emerging threats continue to be addressed appropriately)
- A higher level of assurance that personal data and individual privacy will continue to be protected and risk appropriately managed in the future (management can sleep better at night)
- Longer periods between comprehensive control gap assessments (fewer interruptions at work)
- Reduced time and effort needed to maintain certification (ability to focus on the real work)
- Reduced lifecycle costs for maintaining certification (more money for other work)
- Higher levels of assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers (everyone can sleep better at night)
*REFERENCE *: Eisensmith, J. (N.D.). Ongoing Authorization: Changing how Government does Security Compliance, CIO Review. Available from https://identity-governance-and-administration.cioreview.com/cxoinsight/ongoing-authorization-changing-how-government-does-security-compliance-nid-5608-cid-180.html.
*REFERENCE **: Eisensmith (N.D.).
*REFERENCE ***: Luu (2015). Implementing an Information Security Continuous Monitoring Solution—A Case Study. ISACA Journal
(1). Available from https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=264.
*REFERENCE ****: Luu (2015).
How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?
While useful, the approach used to obtain reputational scores like Security Scorecard and Bitsight is limited (similar to a narrowly scoped external penetration test) and is arguably unique for each organization’s network. It is further recognized that each scorecard vendor uses a proprietary approach to collecting data as well as proprietary analytics when computing the scores or ratings. In addition to the challenges inherent in their opacity, any changes to these proprietary approaches can change an organization’s score, sometimes dramatically, when there has been no discernable change in their actual security posture.* This is because the type of evidence collected for these scorecards is circumstantial and statements made about the actual state of the organization’s security posture must be inferred rather than directly observed.
Simply put, security scorecards cannot replace the level of assurance provided by a thorough assessment of an organization’s information protection program, including its overall approach to risk and risk management as well as detailed reviews of its privacy and security controls.
*REFERENCE *: CSO Online (2016, Aug 4).
What evidence do you have that controls with high maturity will not change or degrade?
HITRUST’s analysis of organizational assessment data over the past 10 years indicates that the more mature an organization’s information protection program, specifically their information security controls which demonstrate proficiency of operation, management, and reporting, the more likely an organization will be to continue to operate those controls in a similar manner in the future. Further, it can also be shown that mature organizations are less likely to suffer a breach and, should a breach occur, are more likely to be able to contain it and minimize the impact. For example, Forrester Consulting has shown organizations that implement a CMM-based maturity model and have the highest level of maturity—even when limited to the area of identity and access management—incur roughly “half the number of breaches as the least mature … [and save] 40% in technology costs and an average of $5 million in breach costs.”*
*REFERENCE * : Forrester Consulting (2017, Feb). Stop the Breach: Reduce the likelihood of an Attack through an IAM Maturity Model: A Forrester Consulting Thought Leadership Paper, p. 1. Commissioned by Centrify. Available from https://www.centrify.com/media/4594046/stop-the-breach.pdf.
What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization?
The level of maturity an organization wishes to pursue is a risk-based decision based on the needs of that organization. However, an industry-accepted level of due diligence and due care would be a fully implemented HITRUST CSF-based information protection program that scores at around a 75 on HITRUST’s 100-point scale based on the first three HITRUST CSF control maturity levels: policy, procedure, and implemented. Organizations that wish to implement ‘best-in-class’ information protection programs and receive the benefits of information security continuous monitoring (ISCM) and ongoing certification (OC) should strive for aggregated average scores of 87 or more.
How does the definition of a mature organization correspond to the scores required for HITRUST CSF Certification?
Mature organizations are defined as those organizations with ‘best-in-class’ information protection programs that not only have robust policies and procedures in place to support full implementation of their information security and privacy controls—a complete set of which is determined by the information risk posed to their organization—but also monitor their controls extensively and take appropriate action when they receive indications these controls may no longer be operating as intended.
As the HITRUST CSF maturity model is based on five levels—policy, procedure, implemented, measured, and managed—a mature organization would score very high on the model’s 100-point scale, as shown in the figure above. For the purpose of qualifying for the HITRUST CSF Ongoing Certification (OC) Program, an organization would need to meet the current certification criteria for HITRUST CSF Certification, have fully implemented the controls related to their internal Information Security Continuous Monitoring (ISCM) Program, and received an overall average score of 87.