HITRUST CSF v9.6 Framework FAQs

Will v9.6.0 and v9.5.2 both be in the HITRUST MyCSF platform?

Yes. Both v9.6.0 and v9.5.2 will be accessible in MyCSF.

What’s different between HITRUST CSF v9.6.0 and v9.5.2?

v9.6.0 incorporates modifications of certain requirement statements and illustrative procedures in anticipation of the HITRUST Implemented, 1-year (i1) Validated Assessment release, as well as a refreshed NIST SP 800-53 revision 4 mapping and the inclusion of NIST SP 800-53 revision 4 as a selectable compliance factor.

If an organization is in the process of starting an assessment in v9.5.2, should they re-evaluate and move to v9.6.0?

The reason an organization would move to v9.6.0 would be to incorporate the modifications made to support the introduction of the i1 Assessment type or to select NIST SP 800-53 revision 4 as a compliance factor.

How will this impact existing v9.5.2 assessments in process?

There will be no impact unless an organization and its assessor firm determine that the modifications to certain requirement statements and illustrative procedures in v9.6.0 are appropriate for the scope and requirements of the assessed entity. Assessments for v9.5.2 can still be generated despite the release of v9.6.0.

HITRUST Assessment Portfolio Expansion FAQs

Why did HITRUST need to add assessments to its portfolio? How do I know which one is appropriate to satisfy internal and external assurances and requests from third parties?

The HITRUST Risk-based, 2-year (r2) Validated Assessment (formerly the HITRUST CSF Validated Assessment) remains the most reliable information assurance report in the marketplace, primarily driven by transparency and consistency in selecting, scoring, and validating controls by qualified third-party External Assessors and the HITRUST Assurance Program. Not every environment or vendor relationship requires the same level of assurance; however, each does need the transparency, consistency, and integrity appropriate to its level of assurance. The growing need for lower and moderate assurances is generally driven by considerations of time, budget, and purpose. To meet these needs, HITRUST is adding two new assessment options to address situations calling for a lower or moderate level of assurance. These options are easier and faster to perform while still providing a higher level of transparency and reliability than comparable options on the market, and they add significant efficiencies to reduce time, effort, and cost.

  • The new HITRUST Basic, Current-state (bC) is a self-assessment intended to provide a “good security hygiene” assessment.
  • The new Implemented, 1-year (i1) Validated Assessment is intended to address both “good security hygiene” and “cybersecurity best practices” while being threat-adaptive – designed to maintain relevance over time as threats evolve and new risks emerge.
  • The existing HITRUST CSF Validated Assessment will be renamed the Risk-based, 2-year (r2) Validated Assessment and will continue to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors.

What is a “cybersecurity best practices” assessment, and how is it different from a “good security hygiene” assessment?

“Good security hygiene” practices are table stakes in the industry. There are many situations where an assessment such as the bC, which focuses only on this content, makes sense, such as quick internal evaluations of security controls or conveying a low level of assurance to customers in low-risk situations. If stakeholders want a more reliable report, organizations will need to move to the Implemented, 1-year (i1) Validated Assessment, which includes both “good security hygiene” and “cybersecurity best practices,” due to the authoritative sources the assessment’s requirement selection is based upon and due to its integration of threat intelligence data in the requirement selection process. The Risk-based, 2-year (r2) Validated Assessment (formerly named the HITRUST CSF Validated Assessment) will continue to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors.

How do the new bC and i1 assessments compare in assurance and quality to the previous HITRUST CSF Validated Assessment (now called the r2)?

The HITRUST Basic, Current-state (bC) assessment and HITRUST Implemented, 1-year (i1) Validated Assessment are intended to address situations where a low or moderate level of assurance is warranted or appropriate. The HITRUST Risk-based, 2-year (r2) Validated Assessment (formerly the HITRUST CSF Validated Assessment) will continue to provide the highest level of assurance.

If I need to demonstrate compliance with HIPAA, which HITRUST assessment should I use?

  • The HIPAA Security Rule requires organizations to implement various security controls, perform a risk analysis, and establish reasonable and appropriate policies and procedures to comply with HIPAA standards and implementation specifications. Meeting these requirements appropriately requires a HITRUST Risk-based, 2-year (r2) Validated Assessment (formerly the CSF Validated Assessment) because the comprehensive assurance methodology used in the r2 Validated Assessment includes a review of controls for implementation, processes, and procedures, whereas other assessments in the HITRUST portfolio do not.
  • However, there may be instances when an organization has only implemented or partially implemented controls and does not already have an appropriate set of established policies and procedures, so they want to evaluate progress and effort towards HIPAA compliance. In this instance, an Implemented, 1-year (i1) Validated Assessment could be suitable as an intermediate step towards an r2 Validated Assessment, which is designed to demonstrate full HIPAA compliance.

HITRUST Implemented, 1-year (i1) Validated Assessment + Certification FAQs

What is the new HITRUST Implemented, 1-year (i1) Validated Assessment + Certification?

The i1 Assessment is designed to address the need for a continuously relevant cybersecurity assessment that aligns with and incorporates best practices and leverages the latest threat intelligence to maintain applicability to information security risks and emerging cyber threats, such as ransomware and phishing. The design and selection of the controls for the i1 Assessment puts it in a new class of information security assessment that is “threat-adaptive” – developed to maintain relevance over time as threats evolve and new risks emerge, while retiring controls no longer deemed material. The i1 Assessment is intended for organizations needing a moderate level of assurance that delivers full transparency, accuracy, consistency, and integrity.

HITRUST indicates that the i1 Assessment is “threat-adaptive” – what does threat-adaptive mean?

The “threat-adaptive” innovation in the HITRUST i1 Assessment is one of the most important benefits that makes it unique. Simply stated, threat-adaptive means that as the threat landscape evolves, the HITRUST CSF framework and i1 requirements will be updated to remain cyber-relevant over time and reduce future risk. This threat-adaptive proactivity in adjusting and refreshing information security control requirements on a regular basis to meet the latest and emerging cyberthreat activity, such as ransomware and phishing, differs dramatically from most common frameworks, which often remain unchanged for many years.

How much does an i1 Assessment cost?

For current i1 pricing, contact your HITRUST Product Specialist by calling 855-448-7878 or emailing sales@hitrustalliance.net.

When will HITRUST make the i1 Assessment available?

The ability to perform i1 Assessments in MyCSF is now available.

HITRUST Basic, Current-state (bC) Verified Self-Assessments FAQs

How do I start a Basic Current-state (bC) Assessment?

There are two ways:

  • As an Assessment Report Request (ARR) from the HITRUST Assessment XChange (HAX). If the request originates from HAX, it can have fewer requirements as specified by the Participating Organization (PO). For most assessed entities, the ability to reuse the bC Assessment answers for other Assessment Report Requests from other POs in the HITRUST Assessment XChange provides enormous value.
  • By choosing the Basic (bC) Assessment in MyCSF.

Can you do carve-outs with a bC Assessment?

Yes, if allowed at the assessed entity’s MyCSF access level.

How much does a bC Assessment cost?

For current bC pricing, contact your HITRUST Product Specialist by calling 855-448-7878 or emailing sales@hitrustalliance.net.

Is the bC “tailorable”?

With the r2 Validated Assessment, it is possible to scale up or down based on the presence of a risk or regulatory inclusion factor. The bC Assessment allows for another type of tailoring in which you can make requirements disappear, which is different from marking them “NA” and requires entering an explanation. When you remove requirements in the bC Assessment, it is as if they were never there. This can only be done with the bC Assessment.

HITRUST Results Distribution System FAQs

When will the RDS be available?

RDS was released for General Availability in May of 2022.

What is the HITRUST Results Distribution System (RDS)?

The HITRUST RDS is an online portal that allows assessed entities to designate which parties they want to share their assessment results with, how the results can be accessed (via a PDF, web browser and/or API), and the specific assessment detail reports they want to share (such as the certification letter, expanded scope description, and findings). The relying party can review and search online for specific elements they are seeking, such as assessment date, scope, control requirements, scores, and corrective action plans.

To further enhance efficiency and leverage analytics, in the second half of 2022, HITRUST will begin offering RDS subscription packages that include advanced analytics and added API options.

What are the benefits the HITRUST Results Distribution System (RDS) delivers over the outdated process of sharing and consuming third-party assurance reports in PDF form?

Across the industry, third-party assurance reports are distributed almost entirely as PDF documents. These PDFs must then be manually reviewed by relying parties to confirm various elements that are contained within the results. The relying party often needs to re-enter data present in the PDF report into their vendor risk management (VRM) system, third-party risk management (TPRM) system, or governance, risk, and compliance (GRC) system. At present, this process is manual and labor-intensive and is generally repeated annually for every third-party vendor. The HITRUST Results Distribution System (RDS) enables assessment results to be sent electronically from a highly secure portal where the relying party can review and search online for the specific elements they are seeking and set up customizable views and alerts. In addition, relying parties can leverage an API to have the results sent directly to their VRM, TPRM, or GRC systems.

How will Relying Parties who use Vendor Risk Management (VRM) systems benefit?

For Relying Parties, RDS eliminates the need to manually review and re-enter information from an assessment report. RDS enables electronic receipt of assessment results and can enable a VRM system’s analytics capabilities to review results and provide alerts as specified. VRM integration will require the use of the RDS API.

HITRUST MyCSF Compliance and Reporting Pack for HIPAA FAQs

What is the MyCSF Compliance and Reporting Pack for HIPAA?

The MyCSF Compliance and Reporting Pack for HIPAA compiles and reports on information relevant to HIPAA that is collected during the HITRUST r2 Assessment process. The MyCSF Compliance and Reporting Pack for HIPAA cannot be used with HITRUST bC or i1 Assessments.

When will the MyCSF Compliance and Reporting Pack for HIPAA be available?

HITRUST CSF v9.5.0, released on September 3, 2021, can generate the MyCSF Compliance and Reporting Pack for HIPAA.

Which versions of the HITRUST CSF does an assessment need to use to take advantage of the MyCSF Compliance and Reporting Pack for HIPAA?

The MyCSF Compliance and Reporting Pack for HIPAA can only be generated for assessments using HITRUST CSF v9.5.0 (or higher), and only for objects created or refreshed on or after September 3, 2021.

Will the MyCSF Compliance and Reporting Pack for HIPAA work with any older versions of the CSF such as v9.1, v9.2, v9.3 or v9.4?

No, it is only available in HITRUST CSF v9.5.0.

HITRUST Quality Assurance Reservation System FAQs

Do I need to make a reservation for a Bridge, Interim, or Readiness Assessment?

No, reservations are only available for HITRUST i1 or r2 Validated Assessments.

Does the date of my Reservation represent the date that will appear on my Final Report and/or Certification?

No, the QA Block in your reservation represents the date that HITRUST will begin the QA process. All Final Reports and/or Certifications will continue to be dated using the date that appears on the Management Representation Letter.

Are reservations required for HITRUST Validated Assessments?

A reservation will be required for submitting any HITRUST i1 or r2 Validated Assessments to HITRUST.

Where do I make a reservation?

Within the MyCSF platform on the Reservations tab.

HITRUST Bridge Assessment and Certificate FAQs

What is the HITRUST Bridge Assessment?

The HITRUST Bridge Assessment results in a HITRUST Bridge Certificate. The HITRUST Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST. It is valid for 90 days from the expiration date of the organization’s previous HITRUST Certification and allows organizations to maintain a form of HITRUST Certification status for an additional 90 days even if their validated assessment submission due date is missed.

Is a Bridge Assessment only available for an r2 certification?

Yes. HITRUST Bridge Assessments are available only for r2 Certifications. Since the HITRUST i1 certification expires after 1 year, there is no i1 Bridge Assessment available for an i1 assessment.

How does a Bridge Assessment affect the interim assessment due date?

The interim assessment is still due on the one-year anniversary of the certification date. A hypothetical timeline: An organization’s HITRUST Certification is set to expire on 5/31/22 and this organization is awarded a HITRUST Bridge Certificate. This organization submits a completed validated assessment to HITRUST prior to the Bridge Certificate’s expiration which results in a HITRUST Certification. The organization’s newly issued HITRUST Certification is dated 6/1/22, and the interim assessment would be due to HITRUST no later than 6/1/23.

Why is the three-month period of the HITRUST Bridge Certificate deducted from the organization’s next HITRUST Certification?

The HITRUST Bridge Certificate is designed to assist organizations who need to maintain HITRUST Certification but may be experiencing challenges in completing their next HITRUST Validated Assessment.

The HITRUST Bridge Assessment links the two HITRUST Validated Assessments by offering a limited level of assurance during the period when the next HITRUST Validated Assessment is being completed. This limited level of assurance is not sufficient to stand alone without the completion of a subsequent HITRUST Validated Assessment where the level of assurance can only be maintained for 24 months.

MyCSF FAQs

Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?

No. This functionality is part of the HITRUST Assessment XChange. For more information on the XChange, contact getinfo@hitrustax.com.

Can the tool link to supporting documents rather than copy?

Yes. MyCSF 2.0 maintains a library of documentation and relationships between the documentation and its related control requirements and maturity domains.

Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?

There are several changes that will be announced relating to the Assurance Program requirements. These are independent of the HITRUST CSF and MyCSF and are designed to increase the consistency and integrity of the assurance process.

The other types of assessments (GDPR, etc.) are only self-assessments and can’t be validated?

Yes. We do not generate any type of assurance report for targeted assessments. There are assessments that you can perform internally, and you can generate score cards within the tool.

Inheritance and Shared Responsibility Program FAQs

Is inheritance all or nothing for each requirement or can it be weighted?

You can assign a weight to the inherited score that will apply to a particular control requirement.

Does MyCSF allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?

No. When you inherit a control requirement, it inherits scores related to all maturity domains based on the weight given to each. If you inherit from an object that has only scored policy, you will also be inheriting the zeros for the remaining maturity domains.

Who will need to subscribe to HITRUST MyCSF for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?

Anyone that wishes to allow their assessments to be inherited will need to subscribe to the HITRUST MyCSF. This applies to internal as well as external inheritance. External inheritance is viewed as a service that is provided to customers making it easier to assess if they are working with a service provider that they can inherit from. This should encourage organizations to do business with those that provide this service.

Will companies still have to pay to allow their assessments to be inherited?

Yes. Inheritance will continue to be a premium feature in MyCSF and will require an appropriate subscription.

HITRUST Assurance Program FAQs

What is the HITRUST Assurance Program?

The HITRUST Assurance Program is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and cost containment; and additional assurances around the accuracy, consistency and repeatability of assessments due to the use of pre-qualified professional services firms—all of which is designed to meet the unique regulatory and business needs of the healthcare industry. In short, it is a risk-based approach to selecting HITRUST CSF controls for assessment, including management oversight of the assessment. The HITRUST Assurance Program delivers simplified compliance assessment and reporting that addresses multiple federal, state and industry requirements for both covered entities and their business associates.

How can I confirm an organization’s certification status?

If you are in possession of a HITRUST report or letter PDF and are seeking verification that the PDF is authentic, please contact support@hitrustalliance.net. You will be asked to provide a copy of the PDF in question and evidence showing you received it from the organization.

What is the process for an organization to achieve HITRUST Certification?

Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an Assessor, you will need to purchase a validated assessment from HITRUST. Complete the validated assessment using the MyCSF tool and then the Assessor will perform the validation/audit work. Please note access to the MyCSF is granted for 90 days. Once the Assessor work is complete, please submit to HITRUST for review. HITRUST will create a report and, depending on the scores in the report, will issue a letter of certification.

How many organizations have completed a HITRUST Assessment?

38,000 HITRUST Assessments have been performed in the last three years with 15,000 HITRUST Assessments in 2015 alone. HITRUST anticipates a continued demand for its Certifications due to third-party assurance requirements from several major health organizations and requests for combined SOC 2 + HITRUST reports.

Accepting HITRUST Certified Assessment Reports FAQs

What if my customer or vendor risk management outsourcer wants a proprietary questionnaire answered or assessment executed even though I am a HITRUST assessed entity?

A HITRUST Certification Report covers 40 authoritative sources. The HITRUST CSF provides comprehensive coverage of general security requirements and provides prescriptive controls (safeguards), i.e., the control requirements should be detailed enough to support implementation in the intended environment and adequately address the relevant threat(s). In many cases where a customer is asking for a proprietary questionnaire to be filled out or an independent assessment performed, the areas of interest from that customer may have already been addressed and assessed through a HITRUST Assessment. In our experience, putting in some time to educate the customer on what is covered within the scope of a HITRUST assessment and providing them the authoritative source mapping will result in the customer accepting the HITRUST Assessment in place of their proprietary programs. In some instances, performing a cross-reference mapping of the customer’s questionnaire to the HITRUST Assessment that was performed provides the customer with the necessary assurance requested and eliminates the need for a separate questionnaire. We suggest taking these actions first, and if those are not successful you can reach out to HITRUST for additional support and suggestions.

Email HITRUST Support:
support@hitrustalliance.net

Reference Documents:
Leveraging the HITRUST CSF
Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53
HITRUST CSF and NIST OLIR Program

My customer is asking for an assessment scope different from what my organization currently has, either partially or fully. What do I do in this instance?

HITRUST recommends organizations start by performing a HITRUST i1 or r2 Readiness Assessment with their HITRUST Certified External Assessor over the missing scope to satisfy the customer demands while working on the remainder of the HITRUST Validated Assessment.

My customer has an issue with the perception of the assessor that performed my organization’s HITRUST Validated Assessment. How do I address their concern?

HITRUST Authorized External Assessors are organizations that have been approved by HITRUST for performing assessments and services associated with the HITRUST Assurance Program and the HITRUST CSF, a comprehensive risk management framework that incorporates the existing security and privacy requirements of organizations. Authorized External Assessors are critical to HITRUST’s efforts to provide trained resources to organizations of varying size and complexity to assess compliance with security and privacy control requirements and document corrective action plans that align with the HITRUST CSF. All Authorized External Assessors are treated equally by HITRUST. This means that every assessor, regardless of their size and portfolio of capabilities, must go through a rigorous onboarding and ongoing quality review process. As part of HITRUST’s due diligence, a review of each organization and individual practitioner is performed to ensure quality standards are met. Each individual must also attend a live virtual training course and pass an exam to become a Certified CSF Practitioner. Although some assessors may have performed more assessments than others, that does not mean they are held to different quality standards. As with any professional services firm relationship, each client’s experience may be different in the marketplace. We encourage organizations that find themselves in this position to direct their customers to the information regarding the HITRUST Assessor Program and to direct them to HITRUST for any specific questions regarding the program or any concerns related to a specific assessor through the HITRUST Ethics Hotline:

English: USA and Canada: 844-940-0033
Spanish: USA and Canada: 800-216-1288
Website: www.lighthouse-services.com/hitrustalliance

There are rare instances when customers may demand that an organization use a specific assessor or choose from a select list of assessors to perform their validated assessment. Unfortunately, this is outside of HITRUST’s control and will need to be negotiated directly with the customer.

HITRUST has an Assessor Council with whom HITRUST interacts as it relates to the CSF Assurance Program. Within the membership of the Assessor Council, there is a quality subcommittee that meets regularly to provide input regarding the requirements of assessors when performing assessments and help ensure the consistency and quality of the procedures being performed by assessors. This, combined with internal HITRUST quality assurance procedures, should provide some assurance that assessors are performing engagements in accordance with the Authorized External Assessor requirements.

Why does my customer want to perform on-site audits/assessment procedures even after accepting my HITRUST Assessment/Certification and what can I do to prevent or minimize the impact of this?

In most scenarios, a HITRUST Certification or Validated Assessment report is accepted in place of proprietary on-site audits and reporting requests. Scenarios do exist where contracts enable a customer to request performance of its own on-site audit procedures. Oftentimes the scope of these procedures or areas of focus may be on specific requirements outside the scope of a HITRUST Assessment. Other times, after a HITRUST Assessment has been received and reviewed, the customer may decide to dive further into certain areas covered by the assessment if corrective action plans or gaps have been identified or if the maturity scores of a particular domain are below the customer’s expectations. In these scenarios, we have found that the scope of the procedures is more targeted at those areas of focus as opposed to a full audit. We encourage assessed entities to work with their customers to make sure that there is an understanding of what has been covered within the scope of the assessment. The scope of proprietary audit procedures should be negotiated to extend only to those areas of focus necessary for the customer to achieve the desired level of assurance.

Third-Party Assurance FAQs

If my Cloud Service Provider is HITRUST Certified, does that mean my environment is as well?

No. If a Cloud Service Provider (CSP) is HITRUST Certified, it does not mean your environment hosted by that CSP is also certified for the following reasons:

  • There could be control gaps, so it is still incumbent that you perform thorough due diligence to evaluate how the CSP’s HITRUST Certification addresses the security and privacy requirements associated with your own organization’s risk profile and/or regulatory and customer compliance needs.
  • While there is a subset of controls that only the CSP is responsible for (for example, environmental security within a production datacenter), there are controls that remain only your responsibility as the accountable party governing the data entrusted to you and how your users appropriately access and operate that cloud-hosted environment; further, a significant portion of controls are shared, and therefore you remain partially responsible for full coverage of control effectiveness.

For more information, you can download the HITRUST Shared Responsibility Matrix included in the HITRUST CSF download package and refer to the detailed set of common use-case scenarios defined in the HITRUST Shared Responsibility Model. For guidance on how to communicate the value of offering your cloud services hosted on a HITRUST Certified environment, please contact HITRUST Support at support@hitrustalliance.net.

Can I provide my ISO 27001 certification in lieu of HITRUST Certification for third-party assurance?

Organizations accepting ISO 27001 in lieu of HITRUST Certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular requirements of the CSF. While an improvement over custom assessment questionnaires and the now legacy SAS 70, the relying organization would still need to identify any gaps between the two reports (which will almost surely exist), go through the process of requesting additional information from the ISO-certified entity, and then evaluate the response(s).

While an organization could conceivably support ISO certification as a “first step” in the assurance process, it could not and should not rely solely on ISO certification. At some point the ISO-certified organization must demonstrate that the complete set of CSF control requirements relevant to their organization has been implemented appropriately if the relying organization is to ascertain what residual risk(s) remain. And since this is best accomplished through the HITRUST Assurance Program, it just makes sense—from both an economic and resource perspective—to simply require a HITRUST Validated or Certified Assessment from the onset.

References: Risk Management Frameworks, HITRUST Assurance Program Requirements, and Risk Analysis Guide

What types of questions are there, and what information will we need to provide?

The HITRUST Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains, such as information protection program, endpoint protection, portable media security, third-party assurance and risk management.

To gain an understanding of your organization’s risk profile, the questionnaire will ask you if:

  • Specific requirements are addressed in organizational policy and standards,
  • There are processes and procedures to support the implementation of the requirements,
  • The requirements have been implemented consistently across the organization,
  • The effectiveness of the controls is monitored (e.g., with a metric or other type of measurement), and
  • The controls are actively managed based on this monitoring.

Reference: HITRUST Assessment Process, HITRUST Assurance Program Requirements and Risk Analysis Guide

How do I understand the CSF Assessment report I have received?

HITRUST has created a document that explains the assessment report, how to interpret it, and how it can be used to complement and enhance your current processes.

Reference: Leveraging HITRUST CSF Assessment Reports: A Guide for New Users

External Assessor Program FAQs

What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?

A Certified CSF Practitioner is an individual who has completed the required training, passed an exam, and meets the experience requirements for a practitioner. A HITRUST External Assessor is a firm that has met all the requirements to become authorized to perform HITRUST Validated Assessments.

Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

HITRUST practitioners complete the onsite training during the first year. In the second and third years they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. In the fourth year the process starts over with the onsite class.

What is the difference between a HITRUST practitioner and a HITRUST External Assessor?

HITRUST External Assessors are organizations designated by HITRUST as qualified to perform assessments for clients seeking HITRUST Certification. HITRUST practitioners are individuals: either members of a HITRUST External Assessor organization who have earned the status through the HITRUST training class and assist organizations with certifications, or independent consultants who have completed the HITRUST training class and assist organizations with self-assessments or with implementing the CSF in their environment.

What are the costs associated with the Assessor program?

There are three costs associated with the HITRUST External Assessor Program:

  1. Application fee (one-time payment of $2,500)
  2. Training fee: Five people must complete the Certified CSF Practitioner (CCSFP) Training Course – $3,000 per individual. Additionally, two of those five people must complete the Certified HITRUST Quality Professional (CHQP) Course online – $2,000 per individual. Both the CCSFP and CHQP Courses are offered via the HITRUST Academy.
  3. Annual Program Fee (Tier rates based upon overall revenue from the prior year)

For exact pricing information and more details regarding the External Assessor Program, please contact csfassessor@hitrustalliance.net.

HITRUST Threat Catalogue FAQs

How often will the HITRUST Threat Catalogue be updated?

We anticipate updates to occur annually, shortly after each HITRUST CSF release, or when significant changes in the threat environment would warrant an interim release.

What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?

A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements can be published in the next scheduled release of the HITRUST CSF.

How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?

The threat landscape is constantly changing, as are the technologies and tools that organizations rely upon to support their business missions. Consequently, an organization’s information protection program must change and adapt. Threat intelligence is one of several mechanisms by which HITRUST ensures the continued sufficiency of the HITRUST CSF.

How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?

By linking granular threats identified in active threat intelligence to the higher-level threats contained in the HITRUST Threat Catalogue and the related HITRUST CSF control specifications, organizations gain insight into how well they are addressing extant and emerging threats by evaluating how well they have implemented the related HITRUST CSF controls in their environment. Moreover, threat intelligence that can be correlated via the HITRUST Threat Catalogue’s mappings to the control specifications allows organizations to estimate likelihood and impact, and so to further tailor their information protection program and manage their risk.

HITRUST Risk Management Framework FAQs

Does a HITRUST Assessment include NIST Reporting?

With each r2 Validated Assessment Report (formerly named the HITRUST CSF Validated Assessment Report) issued, HITRUST includes a scorecard detailing your organization’s compliance with NIST Cybersecurity Framework-related controls included in the HITRUST CSF framework. (The NIST Cybersecurity Framework Scorecard is not available with HITRUST i1 Assessment.)

Is an interim review required to maintain your HITRUST Certification for the NIST Cyber Security Framework?

No, the interim review requirement only applies to the HITRUST Certification.

What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs and produces the HITRUST CSF, the most commonly used information security controls standard in the healthcare industry. In its 2018 Report to Congress on the state of NIST Cybersecurity Framework adoption, the GAO states that Healthcare and Public Health (or “HPH”) Sector officials encourage alignment of the NIST Framework with existing cybersecurity guidelines, and goes on to state that “the sector aligned the [HITRUST CSF] with the NIST Framework,” which “allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing [HITRUST] framework.” In fact, current HPH Sector guidance uses the HITRUST CSF as the underlying foundation for an organization’s implementation of the NIST Framework.

Refer to https://www.gao.gov/assets/700/690112.pdf for a copy of the GAO report.

Refer to the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/ccubedvp/cybersecurity-framework for a copy of the HPH Sector implementation guide, or download a copy directly using https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.

Does a HITRUST Assurance assessment weight all controls equally?

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST Validated or Certified Report. This is consistent with NIST guidance that allows for focused assessments to address specific issues or answer specific questions. “Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes” (NIST SP 800-30 r1, Guide for Conducting Risk Assessments, pg. ix). For purposes of certification, control selection is based on an analysis of breach data, leading practices and regulatory requirements (e.g., the HIPAA Security Rule).

With respect to the way an assessment is conducted, one control does not have more weight or importance than another. This is because, by definition, all the controls that the organization has determined it must implement—regardless of whether they were designed from a custom risk analysis or tailored from a control baseline by a supplemental analysis—must be implemented in order to manage risk to an acceptable level. But the HITRUST Assurance Program only requires this level of “completeness” for purposes of certification and, even then, organizations can remove controls that do not apply to them or accept a small amount of risk for partial implementations of those that do.

HITRUST also encourages the prioritization of remediation activities based on relative risk by providing impact ratings and, through priority codes, their relationship to one another. Although examples have not yet been provided in the Risk Analysis Guide, HITRUST encourages organizations to modify the impact ratings based on an evaluation of their control environment and to consider other factors, such as existing infrastructure, budget constraints and organizational culture, when developing and prioritizing corrective actions.

For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors (new version coming soon).

HITRUST CSF Additional Frequently Asked Questions FAQs

Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

The HITRUST CSF is designed with certain highly regulated industries in mind. However, it is a region- and industry-agnostic control framework that can be used globally by organizations across all industries. Furthermore, HITRUST is the only standards development organization with a framework, an assessment platform, and an independent assurance program. Other compelling benefits and considerations are presented in FAQs throughout this document.

The table below compares the HITRUST CSF with other leading information security and risk frameworks:

[Table: csftable (comparison of the HITRUST CSF with other frameworks; not reproduced)]

For more information on why one would choose the HITRUST CSF, refer to the Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53 brochure or, for a healthcare organization’s perspective, a joint presentation by HCSC and Children’s Health Selecting a Healthcare Information Security Risk Management Framework in a Cyber World.

Is the scope of the HITRUST CSF too large for most organizations?

Although HITRUST provides tailoring options for the HITRUST CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. Given the relatively uncontrolled sprawl of sensitive information in many organizations, the HITRUST CSF can (and should) be applied as broadly as necessary to cover the specific types of information, systems, and/or business units that require protection.

Scope can be minimized by ensuring that workflows requiring the use of sensitive information are understood and that such uses are restricted to the minimum necessary, as required by many legal and regulatory bodies and by best practice. In addition, information assets and data flows carrying sensitive information can be isolated from other assets and data flows, e.g., through network segmentation. Segmentation only reduces scope if the boundary is actually enforced and the data flows crossing it have been inventoried; an assessor will expect evidence of both rather than a diagram alone.

For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.

Does the HITRUST CSF take a “one-size-fits-all” approach to information security?

The HITRUST CSF is one of the most flexible information protection frameworks available. The HITRUST CSF was created by harmonizing a myriad of standards, frameworks, and regulatory requirements with relevant leading best practices in the information protection space while collaborating with information security and privacy professionals in various industries with differing needs. The resulting controls can then be tailored based on specific organizational, system, and compliance risk factors. While this approach provides the ability for more granular tailoring out-of-the-box than any other framework, HITRUST understands that no two organizations are exactly alike. Although information may have a common classification (e.g., PII, ePHI), differences such as organizational culture, infrastructure, technology, and risk appetite may result in the need for a slightly different set of controls.

For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.

What are the goals for the HITRUST CSF?

Through HITRUST, the CSF provides organizations with a controls framework that is:

  • Relevant through regular maintenance of supporting authoritative sources and changes in the threat environment;
  • Scalable to various sizes and types of organizations or systems in a controlled manner;
  • Tailorable through managed approvals of alternative (compensating) controls;
  • Based on compliance with control baselines intended to manage risk to an industry-accepted level;
  • Capable of providing certifiable risk assurances to internal and external stakeholders, including regulators; and
  • Supported by appropriate guidance and tools along with regular updates.

For more information on HITRUST and the CSF, refer to the How HITRUST Helps Organizations Manage Risk guide.

HITRUST Assurance Program and Certification FAQs

Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST Validated or Certified Report?

The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further.

The biggest difference between the two certifications is what they intend to certify.

In the case of ISO 27001, the focus of the certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, “they are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the organization must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), that statement need not extend beyond what Annex A requires. Consequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants who help organizations prepare for ISO certification do not perform the certification assessment.

In effect, we’re left with the same problems that existed before the creation and implementation of the HITRUST CSF—which is actually structured on ISO 27001 and contains additional guidance from ISO 27002 and multiple other relevant authoritative sources such as HIPAA, NIST SP 800-53, CMS IS ARS, PCI DSS and the NIST Cybersecurity Framework—and its assessment through the HITRUST Assurance Program: a lack of comprehensiveness and prescription in the control requirements; little or no U.S. healthcare industry context; lack of comprehensiveness related to regulations, legislation and other relevant requirements such as leading practice frameworks; and uncertain rigor and approach to the assessments including limited quality control.

The HITRUST CSF on the other hand provides a minimal baseline of comprehensive, prescriptive control requirements tailored to a healthcare organization’s specific organizational, system and regulatory risk factors. And the specific focus of HITRUST Certification is on the maturity of this control baseline’s implementation using a specific, rigorous assessment approach and scoring model in order to gauge the level of excessive residual risk to ePHI in the organization. HITRUST also provides detailed assessment procedures for each control requirement, and ensures assessments are performed by an Authorized External Assessor Organization and requires each assessment undergo a quality assurance review to ensure accuracy and completeness before awarding certification.

As an example of how high-level control requirements can benefit from the context, comprehensiveness and rigor of the HITRUST CSF and Assurance Program, one only has to look at the joint initiative between the AICPA and HITRUST on using the HITRUST CSF to support SOC 2 assessments against the Trust Services Criteria. This ensures that a standardized set of industry-relevant control requirements is identified for each criterion, and that the assessment of these controls is conducted with a specific approach and level of rigor that provides relying entities, including regulators and other third parties, with accurate, consistent and repeatable assurances.

The best treatment on why one would choose the HITRUST CSF over ISO can be found in the risk framework analysis presented by HCSC and Children’s Health Dallas Selecting a Healthcare Information Security Risk Management Framework in a Cyber World. For more information on the HITRUST RMF, refer to the HITRUST RMF Whitepaper.

How often do I need to get a HITRUST Assessment report to support my third-party assurance requirements?

HITRUST Validated Reports with Certification are valid for two years given the successful completion of an interim review (12 months after the date of the original assessment), and that no breach or significant changes have occurred relating to the scoped control environment. Validated Reports not resulting in certification are point-in-time reports.

How can I use the HITRUST Assurance Program for third-party risk management?

The HITRUST Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in multiple ways, e.g., to support PCI SAQ development, the issuance of SOC 2 reports against specific AICPA Trust Services Criteria, or scorecards of HIPAA or NIST Cybersecurity Framework compliance. Organizations using the HITRUST Assurance Program for third-party risk management experience significant reductions in cost and level of effort required to evaluate third-party reports or issue their own reports to their own stakeholders, including business partners and regulators. This is the fundamental reason why several large healthcare entities have moved from simply accepting HITRUST Validated and Certified Reports to requiring them.

HITRUST and the NIST Cybersecurity Framework FAQs

Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF; however, HITRUST will review these practice guides, determine how HITRUST CSF adopters can best leverage this type of documentation, and provide supporting guidance to the healthcare community, e.g., through HITRUST Implementation Advisories, as needed.

For more information on the HITRUST approach to risk management, refer to the HITRUST Risk Management Frameworks and Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochures.

HITRUST CSF and NIST CSF FAQs

What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?

Consistent with the certification requirements for the HITRUST CSF, an organization must achieve a minimum score for each NIST Cybersecurity Framework Core Category, which is aggregated from the scores for individual HITRUST CSF control requirements as they are mapped to each Core Subcategory within a Category. However, no additional Corrective Action Plans (CAPs) are needed to support HITRUST’s certification of the NIST Cybersecurity Framework beyond what is required for HITRUST CSF certification.

What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.

Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?

While it is possible, the likelihood that an organization can be certified against the NIST Cybersecurity Framework without meeting the requirements for HITRUST CSF certification is very small. This is because both certifications are based on a single assessment. While the individual scores for each control requirement are the same, the scores are aggregated differently to support reporting against the HITRUST CSF Assessment Report domains and the NIST Cybersecurity Framework Core Categories.

How long is HITRUST Certification for the NIST Cybersecurity Framework valid?

The HITRUST Certification of the organization’s implementation of the NIST Cybersecurity Framework is for two (2) years, commensurate with the HITRUST Assessment Report.

Interim Review FAQs

When is an Interim Assessment for an r2 Certification due?

An r2 Interim Assessment needs to be submitted by the one-year anniversary of the certification date. Exceptions may be requested prior to the anniversary date to account for extraordinary circumstances that prohibit completion. Since the i1 Certification is valid for one year, there is no Interim Assessment (or Bridge Assessment).

What type of MyCSF access do non-subscribers receive when purchasing an Interim Assessment?

Non-subscribers’ access will be the same as the “report only” option, currently set at 1 object and 3 users.

How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?

The requirements are randomly selected by MyCSF upon creation of the Interim Assessment. MyCSF subscribers may create their Interim Assessments up to 120 days in advance of their due date.

Do you have to score each requirement statement selected in an Interim Assessment?

Yes.

Control Maturity and Continuous Monitoring and Assessment FAQs

What is the role of continuous monitoring in the HITRUST scoring process?

Information security continuous monitoring (ISCM) has been a part of the HITRUST control maturity and scoring model since the inception of the HITRUST Assurance Program.

Typical assessment and audit approaches generally focus on policy and implementation of the controls needed to implement that policy. HITRUST takes a more robust approach by specifically looking at the implementation of the control, including how well the control is supported by policy and procedures, as well as how well the organization monitors the effectiveness of the control and whether it takes appropriate action should monitoring indicate a degradation in effectiveness or failure of the control.

As shown in the table below, continuous monitoring is addressed by the ‘Measured’ and ‘Managed’ maturity levels with a maximum of 15 and 10 points awarded for each level, respectively.

[Figure 2b: HITRUST control maturity levels and maximum points per level (not reproduced)]
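The two roll-ups this page describes, the per-domain and per-NIST-category aggregation of the same requirement scores in the NIST CSF certification FAQs above, and the five maturity levels with their maximum points in the table just shown, can be made concrete. The example below is added here and is not HITRUST’s or MyCSF’s scoring code. Only the Measured (15) and Managed (10) maxima come from this page; the Policy (15), Procedure (20) and Implemented (40) maxima, the rating scale, the requirement identifiers, the two mappings and the minimum score of 62 are all assumptions made for the example.

```python
"""Added example (not HITRUST code): score control requirements across the
five maturity levels, then roll the same scores up two ways.

Constructed data. Only the Measured (15) and Managed (10) maxima are taken
from the page; every other number, identifier and mapping is an assumption.
"""
from collections import defaultdict

# Maximum points per maturity level. Measured and Managed are stated on the
# page; Policy, Procedure and Implemented are assumed so the levels sum to 100.
MAX_POINTS = {
    "policy": 15, "procedure": 20, "implemented": 40,
    "measured": 15, "managed": 10,
}

# Assumed rating scale: the fraction of a level's points earned, from
# non-compliant (NC) through fully compliant (FC).
RATING = {"NC": 0.0, "SC": 0.25, "PC": 0.5, "MC": 0.75, "FC": 1.0}

# Assumed minimum aggregated score for a group (domain or category) to pass.
MINIMUM = 62.0


def requirement_score(ratings):
    """Score one requirement 0..100: each level contributes max * rating."""
    missing = set(MAX_POINTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated maturity levels: {sorted(missing)}")
    return sum(MAX_POINTS[lvl] * RATING[ratings[lvl]] for lvl in MAX_POINTS)


def roll_up(scores, mapping):
    """Average requirement scores into every group each requirement maps to.

    A requirement may map to several groups, and different frameworks group
    the requirements differently, so one set of per-requirement scores
    yields different aggregates for HITRUST domains and NIST CSF categories.
    """
    buckets = defaultdict(list)
    for req_id, score in scores.items():
        for group in mapping.get(req_id, ()):
            buckets[group].append(score)
    return {g: sum(v) / len(v) for g, v in buckets.items()}


def below_minimum(group_scores, minimum=MINIMUM):
    """Groups that would need a corrective action plan before certification."""
    return sorted(g for g, s in group_scores.items() if s < minimum)


# Constructed ratings for five hypothetical requirement statements.
SAMPLE_RATINGS = {
    "R1": dict(policy="FC", procedure="FC", implemented="FC", measured="PC", managed="NC"),
    "R2": dict(policy="FC", procedure="MC", implemented="PC", measured="NC", managed="NC"),
    "R3": dict(policy="FC", procedure="FC", implemented="MC", measured="SC", managed="NC"),
    "R4": dict(policy="FC", procedure="FC", implemented="FC", measured="FC", managed="FC"),
    "R5": dict(policy="MC", procedure="PC", implemented="PC", measured="NC", managed="NC"),
}

# Assumed many-to-many mappings: requirement -> HITRUST assessment domains,
# and requirement -> NIST CSF Core categories.
DOMAIN_MAP = {
    "R1": ["D01"], "R2": ["D03"], "R3": ["D03"], "R4": ["D01", "D03"], "R5": ["D03"],
}
NIST_MAP = {
    "R1": ["PR.AC", "ID.RA"], "R2": ["PR.AC"], "R3": ["DE.CM", "ID.RA"],
    "R4": ["PR.AC", "ID.RA"], "R5": ["DE.CM"],
}


def assess(ratings=SAMPLE_RATINGS):
    """Return per-requirement scores and both roll-ups with their gaps."""
    scores = {rid: requirement_score(r) for rid, r in ratings.items()}
    domains = roll_up(scores, DOMAIN_MAP)
    categories = roll_up(scores, NIST_MAP)
    return {
        "requirements": scores,
        "domains": domains,
        "domain_gaps": below_minimum(domains),
        "nist_categories": categories,
        "nist_gaps": below_minimum(categories),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

With the constructed data every HITRUST domain reaches the assumed minimum while the NIST DE.CM category does not, which is the situation in which, per the FAQ above, HITRUST would issue a Letter of Validation rather than a Letter of Certification for the NIST Cybersecurity Framework. The assumed numbers are only there to make the mechanics visible; substitute the current HITRUST scoring rubric and your own MyCSF mappings before drawing conclusions about a real assessment.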

Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?

HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security and privacy controls specified for the vendor as well as the maturity scores required for an acceptable level of assurance.

[Figure 1b: HITRUST third-party risk triage factors, scoring model and assurance recommendations (not reproduced)]

As shown in the table above, the HITRUST risk triage approach provides (1) specific organizational, compliance and technical factors that help identify the type and amount of inherent risk the business relationship with the vendor poses; (2) a simple risk scoring model to help quantify the risk; and (3) specific recommendations for the type and rigor of the assessment and the maturity of the organization’s information protection.

By providing a common set of risk factors independent of the security and privacy controls that may or may not be implemented by a third party, an organization can readily assess inherent risk and determine a reasonable and appropriate mechanism for the assurances it needs at a reasonable cost. Broad adoption will also significantly reduce costs for any third party that needs to provide assurances to multiple customers or business partners.

What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?

Based on an analysis of HITRUST Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within the scope of a HITRUST Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high likelihood these controls will continue to operate in a similar manner going forward. Organizations that have mature information security continuous monitoring (ISCM) programs in place can also help ensure that any deficiencies that arise in their protection programs are quickly identified and addressed. These organizations may qualify for the HITRUST CSF Ongoing Certification (OC) Program, which will allow them to reduce the frequency of full, time-based recertification assessments, as shown in the graphic below.

HITRUST plans to update the Assurance Program to reward those organizations that have mature information protection programs as well as those that are actively implementing ISCM programs through a three-tiered certification program.

Organizations that demonstrate a ‘standard’ level of information protection, typically reflected in a CSF maturity score below 79, will undergo annual recertification assessments, while those with higher scores that are striving to meet HITRUST requirements for ISCM would continue to undergo recertification assessments every two years with a targeted interim assessment.

Organizations that qualify for the ISCM-based HITRUST CSF Ongoing Certification (OC) program would conduct recertification assessments even less often, the frequency of which would be determined by its aggregated HITRUST CSF control maturity score and other criteria. Additional criteria will be developed by the HITRUST ISCM Working Group and integrated into the HITRUST CSF Assurance Program prior to its rollout, the timing of which is yet to be determined.

Benefits of the ISCM-based HITRUST CSF OC Program include:

  • On-demand, near real-time insight into their security and compliance risk posture* (visibility into how well stuff is protected)
  • The ability to make quick, risk-based decisions on system security in near real-time** (helps minimize the impact from bad things happening)
  • Better prioritization of remediation activities and corrective actions*** (helps identify the problems that need to be fixed first)
  • Consistent, continuous adoption of cybersecurity best practices**** (ensures extant and emerging threats continue to be addressed appropriately)
  • A higher level of assurance that personal data and individual privacy will continue to be protected and risk appropriately managed in the future (management can sleep better at night)
  • Longer periods between comprehensive control gap assessments (fewer interruptions at work)
  • Reduced time and effort needed to maintain certification (ability to focus on the real work)
  • Reduced lifecycle costs for maintaining certification (more money for other work)
  • Higher levels of assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers (everyone can sleep better at night)

[Figure 2: Three-tiered certification program and recertification frequency (not reproduced)]

* Eisensmith, J. (n.d.). Ongoing Authorization: Changing how Government does Security Compliance. CIO Review. Available from https://identity-governance-and-administration.cioreview.com/cxoinsight/ongoing-authorization-changing-how-government-does-security-compliance-nid-5608-cid-180.html.

** Eisensmith (n.d.).

*** Luu (2015). Implementing an Information Security Continuous Monitoring Solution—A Case Study. ISACA Journal (1). Available from https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=264.

**** Luu (2015).

How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?

While useful, the approach used to obtain reputational scores such as those from Security Scorecard and BitSight is limited (similar to a narrowly scoped external penetration test) and is arguably unique to each organization’s network. Each scorecard vendor also uses a proprietary approach to collecting data and proprietary analytics when computing the scores or ratings. In addition to the challenges inherent in that opacity, any change to these proprietary approaches can change an organization’s score, sometimes dramatically, when there has been no discernible change in its actual security posture.* This is because the evidence collected for these scorecards is circumstantial: statements about the actual state of the organization’s security posture must be inferred from externally observable signals rather than directly observed.

Simply put, security scorecards cannot replace the level of assurance provided by a thorough assessment of an organization’s information protection program, including its overall approach to risk and risk management as well as detailed reviews of its privacy and security controls.

* CSO Online (2016, Aug 4).
