The HITRUST CSF FAQs
Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
Many of the elements for the argument are presented in FAQs throughout this section. But more specifically, the HITRUST CSF is designed with certain highly-regulated industries in mind; however, it is a region- and industry-agnostic control framework that can be used globally by organizations across all industries. Furthermore, HITRUST is the only standards development organization with a framework, an assessment platform, and an independent assurance program.
The table below compares the HITRUST CSF with other leading information security and risk frameworks:
For more information on why one would choose the HITRUST CSF, refer to the brochure Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53 or, for a healthcare organization’s perspective, the joint HCSC and Children’s Health presentation Selecting a Healthcare Information Security Risk Management Framework in a Cyber World.
Is the scope of the HITRUST CSF too large for most organizations?
Although HITRUST specifically provides for significant tailoring of the HITRUST CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. Given the relatively uncontrolled sprawl of sensitive information in many organizations, the HITRUST CSF can (and should) be applied as broadly as necessary to cover the specific types of information, systems, and/or business units requiring protection. The scope can be minimized by ensuring that workflows requiring the use of sensitive information are understood and that such uses are restricted to the minimum necessary, as required by many legal and regulatory bodies as well as by best practice. Information assets and data flows carrying sensitive information can also be isolated from other assets and data flow types, e.g., through network segmentation.
For more information, refer to the CSF Assessment Methodology and the Risk Analysis Guide for HITRUST Organizations and Assessors.
Does the HITRUST CSF take a “one-size-fits-all” approach to information security?
The HITRUST CSF is actually one of the most flexible data protection frameworks ever developed. First, the HITRUST CSF was created by integrating multiple legislative, regulatory, and leading practice guidelines and frameworks, and tailoring the incorporated requirements specific to the industry, or industries, in which the organization operates. The resulting controls are then tailored further by selecting them based on specific organizational, system, and regulatory risk factors. But while this approach provides more granular tailoring ‘out-of-the-box’ than any other framework, HITRUST understands that no two organizations—even similar ones—are exactly alike.
Although information may have a common classification (e.g., PII, ePHI), differences such as organizational culture, infrastructure, technology, and risk appetite could result in a slightly different set of controls. Consequently, organizations leveraging a framework are expected to i) perform a risk analysis on threats they consider unique to them, and ii) select additional controls to address those threats. Organizations must also consider alternatives for controls that may not be suitable for them to implement (e.g., because of constraints imposed by existing or planned information architectures and infrastructure). Fortunately, this supplemental risk analysis addresses only the smaller number of threats and other issues considered unique to the organization and is therefore more tractable. The result is referred to as an overlay: a formally documented set of justified modifications to a control baseline.
For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.
What are the goals for the HITRUST CSF?
Through HITRUST, an organization seeks to adopt a control framework that is:
- relevant through regular maintenance of supporting authoritative sources and changes in the threat environment;
- scalable to various sizes and types of organizations or systems in a controlled manner;
- tailorable through managed approvals of alternative (compensating) controls;
- based on compliance with control baselines intended to manage risk to an industry-accepted level;
- capable of providing certifiable risk assurances to internal and external stakeholders, including regulators; and
- supported by appropriate guidance and tools.
For more information on HITRUST and the CSF, refer to the HITRUST Key Programs and Services guide.
Why do organizations need a security and privacy framework?
Information security and privacy laws are passed to regulate many industries and require that organizations that operate in such industries conduct thorough risk assessments to protect against the threats to the security and privacy of sensitive information. Organizations in other industries—that are less-regulated (or even unregulated)—may also want to protect valuable business information for many reasons, such as protecting patents and trademarks, gaining competitive advantage, and protecting customer data. Unfortunately, there is no ‘one-size-fits-all’ approach to securing sensitive information, and conducting information security risk analyses is not something with which many organizations are intimately familiar. The textbook approach to risk analysis includes threat and vulnerability assessments, information asset valuation, and the selection of specific risk treatments for the enumerated threat-vulnerability pairs (a process sometimes referred to as threat modeling). This is all designed to support the selection of cost-effective controls that will manage risk at a level determined acceptable by the organization. From a quantitative viewpoint, this process is virtually impossible for most organizations due to the general lack of actuarial-type data for security- and privacy-related threats. One could take a semi- or quasi-quantitative approach, or even a purely qualitative approach; however, it would still be difficult for an organization to perform the analysis for a comprehensive set of risk responses.
Fortunately, HITRUST provides an alternative, easy-to-adopt approach to effectively managing data, information risk, and compliance through its HITRUST Approach. The HITRUST Approach is built around a risk management process that provides a consistent, managed methodology designed to meet the needs of many organizations operating in various industries. The HITRUST Approach takes a holistic route to effectively analyzing the potential risks to data protection. From this, an organization may establish one or more sets of security and privacy safeguards, also referred to as control baselines, which are intended to address similar threats to common classes of information using similar technologies. Organizations can then easily select an appropriate control baseline to help protect against any reasonably anticipated threats or hazards to the security and privacy of information.
For more information on risk analysis and tailoring, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors and the ISSA Journal article entitled Leveraging a Control-Based Framework to Simplify the Risk Analysis Process.