The topic you requested could not be found.
Related topics are listed below.

How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

HITRUST CSF Validated Reports with Certification are valid for two years, provided an interim review (typically 12 months after the original assessment) is successfully completed and no breach and no significant changes have occurred relating to the scoped control…

If I am already HITRUST CSF Certified, how do I get a copy of my certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

A scorecard and certification for the NIST Cybersecurity Framework can be generated against a prior assessment against HITRUST CSF v9 and v9.1. Cost of the additional scorecard is $500. For more information, contact HITRUST by email at sales@hitrustalliance.net or by…

Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?

HITRUST CSF and SOC 2® Frequently Asked Questions

Either. HITRUST has updated the SOC 2 + HITRUST guidance to illustrate how a SOC 2 + HITRUST CSF opinion can be based upon either all 135 security CSF controls or only those security controls required for Certification. There are three (3)…

How does threat intelligence linked to the HITRUST CSF help me better protect health information?

HITRUST Threat Catalogue FAQ

By linking granular threats identified in active threat intelligence to (1) higher-level threats contained in the HITRUST Threat Catalogue and (2) related HITRUST CSF controls, organizations will gain greater insight into how well they are addressing extant and…

How does the HITRUST Threat Catalogue make the HITRUST CSF better or improve its ability to help manage risk?

HITRUST Threat Catalogue FAQ

By identifying and mapping threats to HITRUST CSF controls based on their specifications, HITRUST will have additional visibility into how the controls mitigate associated risk. This will help ensure the risks associated with specific threats are addressed…

How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

As part of the HITRUST CSF Assurance Program, upon receiving a HITRUST CSF Assessment Report, organizations may request a Press Kit with details on how they may publicly communicate their HITRUST CSF Certification status, which also includes certification of its…

How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

HITRUST bases its framework on how risk management is defined, i.e., the process of managing risk to organizational operations, organizational assets or individuals resulting from the operation of an information system (the definition of which is quite broad), and…

How many organizations have completed a HITRUST CSF assessment?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

38,000 CSF Assessments have been performed in the last three years with 15,000 CSF Assessments in 2015 alone. HITRUST anticipates a continued demand for CSF Certification due to third-party assurance requirements from several major health organizations and requests for…

Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?

HITRUST CSF and NIST CSF Frequently Asked Question

While it’s possible, the likelihood that an organization can be certified against the NIST Cybersecurity Framework without meeting the requirements for HITRUST CSF certification is very small. This is because each certification is based on a single assessment. …

What is the process for an organization to achieve HITRUST CSF Certification?

CSF Assurance Program FAQ

Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an…

How will HITRUST use threat intelligence to update the requirements in the HITRUST CSF?

HITRUST Threat Catalogue FAQ

By understanding the control requirements in the HITRUST CSF that are intended to address specific threats identified in threat intelligence, HITRUST will gain greater insight into how they are adequately addressed based on current industry accepted (aka “best”)…

What controls are included in both a HITRUST CSF Certification and HITRUST’s certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

An organization selects an appropriate set of security control requirements for its information protection program based on its organizational, system and regulatory risk factors, and it is this set of control requirements that constitute its NIST Cybersecurity…

How does my firm become a HITRUST Assessor?

CSF Assessor Program FAQ

To become a CSF Assessor, organizations must meet certain requirements set forth by HITRUST to ensure adequate knowledge, training and expertise. The process for becoming a CSF Assessor includes the following steps: 1. Complete and submit a CSF Assessor application…

What is the length of time it takes to become HITRUST CSF Certified?

CSF Assurance Program FAQ

CSF Certification can be achieved when all 64 required controls are fully implemented in the scoped environment (2015 CSF v7 requirement). The total amount of time it can take an organization to become certified is therefore dependent on its initial readiness level…

Is HITRUST’s certification for the NIST Cybersecurity Framework separate from HITRUST CSF Certification?

HITRUST CSF and NIST CSF Frequently Asked Question

Yes, one certification is for the organization’s implementation of the HITRUST CSF controls and is based on minimum scoring criteria for 19 topical control areas, such as access control and wireless network security. The other is a certification of an…

If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST CsF?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

Yes, you’re well on your way as the HITRUST Risk Management Framework (RMF)—consisting of the HITRUST CSF, CSF Assurance Program and related method and tools—is the foundation for a model implementation of the NIST CsF in the private sector. Since the NIST…

How does the HITRUST Threat Catalogue help me perform a risk analysis?

HITRUST Threat Catalogue FAQ

By understanding how HITRUST CSF controls address specific threats to personal data and other sensitive information, an organization can demonstrate the results of the risk analyses used by the underlying control frameworks in the HITRUST CSF, e.g., ISO 27002, NIST SP…

Does the CSF take a “one-size-fits-all” approach to information security?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ

The CSF is actually one of the most flexible information protection frameworks ever developed. First, the CSF was created by integrating multiple legislative, regulatory and leading practice guidelines and frameworks and tailoring the integrated requirements…

Does CSF Assurance take a compliance-based approach to information protection?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

From its inception, HITRUST chose to use a risk-based rather than compliance-based approach to information protection and help mature the healthcare industry’s approach to safeguarding information. By integrating NIST’s moderate-level control baseline into the…

Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x?

HITRUST Threat Catalogue FAQ

HITRUST is developing the Threat Catalogue as part of the upcoming HITRUST CSF v10 release anticipated in Q1/Q2 2019. The Nov 2018 early release is being provided to the user community as part of a concerted effort to elicit feedback from the public and further…

Are HITRUST assessments only useful for formal certification against the CSF?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Certification is only one of the ways the HITRUST CSF can be used. Not all organizations need to pursue certification, and validation will provide assurances that specific controls are implemented, which ones are not or may have been changed, and how well they are…

What is the difference between a HITRUST practitioner and a HITRUST CSF Assessor?

CSF Assessor Program FAQ

HITRUST CSF Assessors are designated organizations qualified to provide assessments for clients seeking HITRUST Certification. HITRUST practitioners are either members of a HITRUST Assessor organization that have obtained this status through the HITRUST training class…

What is the difference between the HITRUST Scorecard of the NIST Cybersecurity Framework and the HITRUST CSF Certification?

HITRUST CSF and NIST CSF Frequently Asked Question

HITRUST CSF Certification is based on an organization meeting specific scoring criteria for the assessed requirements aggregated into 19 topical domains, e.g., access control and wireless network security. The scorecard HITRUST uses to support certification of an…

What is the difference between a HITRUST CSF Assessor and a Certified CSF Practitioner (CCSFP)?

CSF Assessor Program FAQ

A Certified CSF Practitioner is an individual that has completed the required training, passed an exam, and meets the experience requirements for a practitioner. A HITRUST CSF Assessor is a firm that has met all the requirements to become authorized to perform HITRUST…

If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?

CSF Assurance Program FAQ

In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of…

Why should my organization get a certification relating to the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

There has been a marked increase in the level of interest by corporate Boards and executive management in using the NIST Cybersecurity Framework [“Framework”], which can provide a “Rosetta Stone” for internal and external stakeholders, regardless of industry or…

How long does it take to migrate from MyCSF 1.0 to 2.0?

MyCSF FAQ

Migrations occur over a weekend. A migration specialist will communicate the timing well in advance and answer any questions.

If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats.…

HITRUST CSF Framework FAQ

Subtopics: Why choose the CSF over other frameworks (NIST, ISO, etc.)? How do I get started adopting the CSF framework? How can I obtain a copy of the CSF? What is the cost to download the framework? How is the CSF structured? Is the CSF an industry standard for…

Does the use of alternate controls diminish the value of HITRUST Certification?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Alternate (or compensating) controls, by definition, mitigate a similar type and amount of risk as the controls they are intended to replace. This is illustrated in the Risk Analysis Guide for HITRUST Organizations and Assessors by an example proposing the extension of…

Is a HITRUST certification assessment more expensive than comparable assessments?

CSF Assurance Program FAQ

No. This is a common misconception; in many cases the overall cost of information security and privacy assessments conducted under the HITRUST CSF Assurance Program is less than that of other third-party assessments. The alignment between the HITRUST CSF and CSF Assurance programs allows a…

What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?

HITRUST Threat Catalogue FAQ

A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements…

The HITRUST CSF FAQ

Frequently Asked Questions About the HITRUST Risk Management Framework

Subtopics: Why does healthcare need a security framework? What were the industry’s goals for the CSF? Does the CSF take a “one-size-fits-all” approach to information security? Is the scope of the CSF too large for most healthcare organizations? Why choose…

How often do I need to get a report?

Third Party Assurance FAQ

HITRUST CSF reports with Certification are valid for two years, provided an interim review has been successfully completed, no breach has occurred and no significant changes have occurred relating to the scoped control environment. However, check with your business partner to…

How do I get started adopting the CSF framework?

HITRUST CSF Framework FAQ

First, the decision to adopt the CSF should be made at the organizational level, after which organizations should perform an internal gap analysis of existing controls against the target controls in the CSF. This analysis can be done manually or in HITRUST’s online…

Does NIST recognize HITRUST as a certifying organization?

HITRUST CSF and NIST CSF Frequently Asked Question

Although NIST does not have its own certification program for the Cybersecurity Framework, NIST does recognize and actually encourage third party programs that provide a “confidence mechanism” for an organization’s implementation of the Framework, which also…

What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?

HITRUST CSF and NIST CSF Frequently Asked Question

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs…

How does the RMF fit into the NIST CsF?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

The HITRUST RMF, which consists of the HITRUST CSF, CSF Assurance Program and supporting tools, methods and services, is actually a model implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity…

How can my organization utilize the HITRUST CSF framework for an AICPA SOC 2 report?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

HITRUST and AICPA collaborated on the mapping of HITRUST CSF controls to AICPA Trust Principles and Criteria for Security, Confidentiality and Availability. Consequently, any AICPA firm can perform a SOC 2 examination leveraging the CSF framework. This allows the…

If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST CsF?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST CsF in one of two ways. An organization can generate a NIST CsF scorecard based on the maturity of the HITRUST CSF control requirements that support each of the NIST CsF Core…

Does a CSF Assurance assessment weight all controls equally?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST…

HITRUST CSF and NIST CSF Frequently Asked Question

Subtopics: Why should my organization get a certification relating to the NIST Cybersecurity Framework? How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework? Does NIST recognize HITRUST as a certifying…

Is a HITRUST CSF validated assessment more expensive than comparable assessments?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

No, and this is a common misconception. In many cases the overall assessment costs associated with information security and privacy assessments conducted under the HITRUST CSF Assurance Program are less than other third-party assessments. The alignment between the…

Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?

Third Party Assurance FAQ

No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms.…

Is the HITRUST CSF Assurance Program a one-size-fits-all approach?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

As we’ve seen, the CSF is not a one-size-fits-all approach due to (1) an organization’s ability to tailor the initial selection of the control baseline in accordance with defined risk factors and (2) the requirement for additional tailoring based on unique threats,…

Who will accept HITRUST CSF Assurance Reports?

CSF Assurance Program FAQ

Many organizations accept CSF Assurance reports as a means of evaluating a business partner’s privacy and security controls, and in fact a growing number of organizations require that their business partners obtain a CSF Certification. Reference: HITRUST CSF Assurance…

Does a subscription add value if I am not getting CSF Certified?

MyCSF FAQ

Yes, even if you are only completing an assessment. Purchasing a subscription will open access to the MyCSF assessment, authoritative source reporting and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture,…

Do HITRUST Certification programs provide safe harbor in the event of a breach?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Certification is not required by any regulatory body, nor has any regulatory body sanctioned certification as a mechanism to provide safe harbor in the event of a breach. This is true not just for the HITRUST CSF but for other standards and frameworks as they apply to…

CSF Assurance Program and Certification FAQ

Frequently Asked Questions About the HITRUST Risk Management Framework

Subtopics: What is the HITRUST CSF Assurance Program? What types of assessments are available in the CSF Assurance Program? What is the process for an organization to achieve HITRUST CSF Certification? Is a HITRUST CSF validated assessment more expensive than…

What is the HITRUST CSF Assurance Program?

CSF Assurance Program FAQ

The HITRUST CSF Assurance program is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and…

What is the HITRUST CSF Assurance Program?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Designed to meet the unique regulatory and business needs of the healthcare industry, the HITRUST CSF Assurance Program provides a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and…

How can I obtain a copy of the CSF?

HITRUST CSF Framework FAQ

The latest version of the CSF framework is available on our website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving the use or disclosure of individually identifiable health information,…

HITRUST CSF and SOC 2® Frequently Asked Questions

Subtopics: Currently, a SOC 2 + HITRUST assesses all 135 HITRUST controls. Does a SOC 2 + HITRUST CSF Certification assess all 135 or only the 66 required for HITRUST certification? Do you have an ETA for when the updating of the Practitioner Document and Reporting…

Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

CSF Assessor Program FAQ

HITRUST practitioners will complete the onsite training during the first year. The second and third year they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. The…

How can my organization utilize the CSF framework for a SOC 2 report?

HITRUST CSF Framework FAQ

HITRUST and AICPA collaborated on the mapping of HITRUST CSF controls to AICPA Trust Principles and Criteria for Security, Confidentiality, and Availability. Consequently, any AICPA firm can perform a SOC 2 examination leveraging the CSF framework, which allows the…

How do I explain the HITRUST Threat Catalogue™ to my executives?

HITRUST Threat Catalogue FAQ

The HITRUST Threat Catalogue provides a comprehensive list of threats to ePHI and other types of PII and maps these threats to the HITRUST CSF® v10 control specifications intended to address them. It allows HITRUST® to better align HITRUST CSF requirements with…

Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

Third Party Assurance FAQ

Organizations accepting ISO 27001 in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what they expect from the comprehensive, prescriptive and often granular…

How is the CSF structured?

HITRUST CSF Framework FAQ

HITRUST recognized the global nature of healthcare and the need to gain assurances around the protection of covered information from non-U.S. business associates, which led to the International Organization for Standardization and International Electrotechnical…

Frequently Asked Questions About the HITRUST Risk Management Framework

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In…

If I am HITRUST CSF Certified, am I also certified for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

HITRUST CSF Certification will generally result in certification of an organization’s information security program against the NIST Cybersecurity Framework because the control requirements for both frameworks are essentially the same; they’re just mapped and…

How many organizations have adopted the CSF? Do you have a breakdown by type, size, location, etc.?

HITRUST CSF Framework FAQ

The HITRUST CSF is the most widely adopted security framework in the healthcare industry: 81 percent of hospitals and 80 percent of health plans have adopted the framework in some way, either as a best practices resource or as the basis for their information protection…

How many organizations have adopted the CSF? Do you have a breakdown by type, size, location, etc.?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ

The HITRUST CSF is the most widely adopted security framework in the healthcare industry: 83 percent of hospitals and 82 percent of health plans with over 500,000 members have adopted the framework. HITRUST can provide detailed benchmarking data by request. If you have…

Is the HITRUST certification for the NIST Cybersecurity Framework just for healthcare?

HITRUST CSF and NIST CSF Frequently Asked Question

No, HITRUST certification of an organization’s implementation of the NIST Cybersecurity Framework—just like HITRUST CSF certification—can be obtained by any organization, regardless of industry or whether they are US-based or international.

Does HITRUST rely too heavily on the Assessor’s opinion of control effectiveness?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Assessors and auditors generally determine control effectiveness regardless of what controls are specified, although there is usually a negotiation between the auditor/assessor and the organization before the final report is issued. However, assessors actually have more…

Does the CSF Assurance Program support an “assess once, report many” approach?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

HITRUST has recognized for some time that the current model used in the industry for Third-Party Assurance is fraught with inefficiencies and unnecessary costs by requiring duplicative questionnaires and assessments, which tend to distract organizations from monitoring…

How are HITRUST and covered entities engaging with the HITRUST Third Party Assurance?

Third Party Assurance FAQ » How are HITRUST and covered entities engaging with the HITRUST Third Party Assurance?

HITRUST formed a Business Associate Council in March 2016. The Council was established to ensure healthcare industry business associates and other key vendors are able to influence and directly engage with HITRUST and healthcare organizations relating to the HITRUST Third…

What is the relationship between the controls categories of the HITRUST CSF and the assessment domains found in MyCSF?

HITRUST CSF Framework FAQ » What is the relationship between the controls categories of the HITRUST CSF and the assessment domains found in MyCSF?

The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control…

How often will the HITRUST Threat Catalogue be updated?

HITRUST Threat Catalogue FAQ » How often will the HITRUST Threat Catalogue be updated?

We anticipate updates to occur annually, shortly after each HITRUST CSF release, or when significant changes in the threat environment would warrant an interim release.

How will the HITRUST Threat Catalogue evolve over time?

HITRUST Threat Catalogue FAQ » How will the HITRUST Threat Catalogue evolve over time?

HITRUST anticipates the HITRUST Threat Catalogue will be a “living document” due to the constantly changing threat environment, including planned improvements to better facilitate risk analyses and the consumption of threat intelligence. Changes will likely include…

How can I confirm an organization’s certification status?

CSF Assurance Program FAQ » How can I confirm an organization’s certification status?

To confirm an organization’s certification status, please complete and submit the Certification Status Request form. HITRUST will validate the request and release the information with the approval of the certified organization.

How many questions, and how long will it take?

Third Party Assurance FAQ » How many questions, and how long will it take?

The HITRUST CSF Security Assessment Questionnaire generally includes between 120 and 328 questions, depending on how the risk factors are configured for the organization being assessed. The amount of time it will take to complete the assessment varies depending on the…

Is the CSF a compliance-based or risk-based framework?

HITRUST CSF Framework FAQ » Is the CSF a compliance-based or risk-based framework?

The CSF is a risk-based framework. To understand why, one must understand the intent of selecting and implementing any specified set of controls, whether it’s a custom set developed from a traditional risk analysis or one tailored from a pre-defined control baseline…

Can I get a HIPAA specific report?

MyCSF FAQ » Can I get a HIPAA specific report?

Yes. In MyCSF 2.0 there is the ability to generate a targeted assessment against any one of the authoritative sources. Targeted assessments will only generate scorecards within MyCSF and will not result in a HITRUST Assurance Report.

How do I understand the CSF Assessment report I have received?

Third Party Assurance FAQ » How do I understand the CSF Assessment report I have received?

HITRUST has created a document that explains the assessment report, how to interpret it, and how it can be used to complement and enhance your current processes. Reference: Leveraging HITRUST CSF Assessment Reports: A Guide for New Users

How can my organization utilize the CSF framework for an AICPA SOC 2 report?

CSF Assurance Program FAQ » How can my organization utilize the CSF framework for an AICPA SOC 2 report?

HITRUST and AICPA collaborated on the mapping of HITRUST CSF controls to AICPA Trust Principles and Criteria for Security, Confidentiality, and Availability. Subsequently, any AICPA firm can perform a SOC 2 examination leveraging the CSF framework. This allows the…

Why does healthcare need a security framework?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ » Why does healthcare need a security framework?

For better or worse, the HIPAA Security Rule (HSR) applies to all covered entities and business associates regardless of their size, location or resources. Fortunately, the federal government recognized there is no ‘one-size-fits-all’ approach to securing sensitive…

Will all the threats to personal data be listed in the HITRUST Threat Catalogue?

HITRUST Threat Catalogue FAQ » Will all the threats to personal data be listed in the HITRUST Threat Catalogue?

The HITRUST Threat Catalogue’s initial release is focused on providing as comprehensive a list as possible. However, users of the HITRUST Threat Catalogue should keep in mind that the threats are enumerated at a level consistent with the control specification in the…

How can I use the CSF Assurance Program for third-party risk management?

Third Party Assurance FAQ » How can I use the CSF Assurance Program for third-party risk management?

The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…

CSF Assurance Program FAQ

Subtopics What is the HITRUST CSF Assurance Program? What are the various types of CSF Assessments? Is a HITRUST certification assessment more expensive than comparable assessments? What is the length of time it takes to become HITRUST CSF Certified? Who will…

Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?

MyCSF FAQ » Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?

The only way to efficiently tailor an assessment and generate the control requirements is in MyCSF. Organizations that are undergoing a SOC 2 that is based on the HITRUST CSF can leverage MyCSF to make the process more efficient. This is the case even if only pursuing…

How can I use the CSF Assurance Program for third-party risk management?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ » How can I use the CSF Assurance Program for third-party risk management?

The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…

Can I get a free trial subscription or demo?

MyCSF FAQ » Can I get a free trial subscription or demo?

HITRUST does offer a free 2-week trial access in the MyCSF tool. This access is provided in a sandbox environment. This environment does not contain all of the functionality found in the production version of MyCSF and information input into this system will not…

How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?

HITRUST CSF and NIST CSF Frequently Asked Question » How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?

HITRUST’s certification of the organization’s implementation of the NIST Cybersecurity Framework is for two (2) years, commensurate with the HITRUST CSF Assessment Report.

CSF Assessor Program FAQ

Subtopics How does my firm become a HITRUST Assessor? What are the costs associated with the Assessor program? What is the difference between a HITRUST practitioner and a HITRUST CSF Assessor? Do I need to attend HITRUST training every year to maintain my status…

What methods are used to evaluate the effectiveness of CSF controls?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ » What methods are used to evaluate the effectiveness of CSF controls?

The HITRUST assessment methodology specifically requires: Assessors to gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports) Examine configuration settings, physical surroundings,…

HITRUST Threat Catalogue FAQ

Subtopics How do I explain the HITRUST Threat Catalogue™ to my executives? Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x? How does the HITRUST Threat Catalogue make the HITRUST CSF better or improve its ability to help manage risk? Can…

Can I get involved in the working group and, if so, how?

HITRUST Threat Catalogue FAQ » Can I get involved in the working group and, if so, how?

The HITRUST Threat Catalogue is currently overseen by the HITRUST CSF Advisory Council and is supported by a dedicated Working Group (WG) to help continue the development and maintenance of the HITRUST Threat Catalogue. Although the WG is not currently accepting new…

HITRUST and the NIST Cybersecurity Framework FAQ

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

Subtopics Can risk be calculated based on a control’s maturity level? Do non-contextual impact ratings for controls provide any real value? How does the RMF fit into the NIST CsF? Why can’t I just adopt the NIST CsF without leveraging additional guidance or…

Will you be able to produce the targeted assessment, i.e., PCI from the HITRUST assessment, for the questions that are the same?

MyCSF FAQ » Will you be able to produce the targeted assessment, i.e., PCI from the HITRUST assessment, for the questions that are the same?

No. A targeted assessment will be generated from the CSF library by pulling all requirements related to the targeted authoritative source. It will be a stand-alone assessment, but it can inherit from other assessments with the appropriate subscription…

Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF;…

What are the various types of CSF Assessments?

CSF Assurance Program FAQ » What are the various types of CSF Assessments?

HITRUST offers two types of CSF Assessments: a self-assessment and a validated assessment. Self-assessment allows organizations to self-assess using the standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST will then perform…

Has the CSF been adopted internationally?

HITRUST CSF Framework FAQ » Has the CSF been adopted internationally?

Yes, organizations outside of the U.S.—typically business associates providing services to U.S. healthcare organizations—have implemented the CSF. However, other countries have expressed an interest in HITRUST in the past, and we expect this interest to grow as…

Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?

Yes, this is done automatically because the same control requirements evaluated by the HITRUST Assessor for HITRUST CSF Certification are also used for certification of the organization’s NIST Cybersecurity Framework implementation. The control requirements are…

Why choose the CSF over other frameworks (NIST, ISO, etc.)?

HITRUST CSF Framework FAQ » Why choose the CSF over other frameworks (NIST, ISO, etc.)?

The CSF integrates and harmonizes requirements from many authoritative sources such as ISO, NIST, PCI, HIPAA and others, and tailors the requirements to a healthcare organization based on specific organizational, system and regulatory risk factors. The level of…

What were the industry’s goals for the CSF?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ » What were the industry’s goals for the CSF?

Through HITRUST, the healthcare industry sought to create a control framework that was: Built specifically for the unique needs of healthcare Relevant through regular maintenance of supporting authoritative sources and changes in the threat environment Scalable to…

What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.

Will the HITRUST Threat Catalogue help me with HIPAA compliance?

HITRUST Threat Catalogue FAQ » Will the HITRUST Threat Catalogue help me with HIPAA compliance?

By enumerating common threats and, when available, common vulnerabilities, an organization will have additional information to support a risk analysis consistent with NIST and HHS recommendations, which requires an “accurate and thorough assessment of the potential…

What are the advantages of having a subscription to MyCSF?

MyCSF FAQ » What are the advantages of having a subscription to MyCSF?

To save time and costs: a subscription enables clients to retain data, eliminating redundant (internal or assessor) data-entry tasks for the interim assessment and subsequent assessments, saving organizations potentially hundreds of hours on a two-year assessment…

Why can’t I just adopt the NIST CsF without leveraging additional guidance or frameworks?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Why can’t I just adopt the NIST CsF without leveraging additional guidance or frameworks?

For an industry sector or organization to implement the _NIST Framework for Improving Critical Infrastructure Cybersecurity_ (also known as the NIST Cybersecurity Framework, or NIST CsF), one must understand that it relies on existing standards, guidance, and leading…

What is the best approach for implementing the NIST CsF in the healthcare industry?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » What is the best approach for implementing the NIST CsF in the healthcare industry?

The best approach for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity, or Cybersecurity Framework (CsF), is the approach outlined in the Healthcare Sector Cybersecurity Framework Implementation Guide, produced and published under…

What types of assessments are available in the CSF Assurance Program?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ » What types of assessments are available in the CSF Assurance Program?

HITRUST offers two types of CSF Assessments – a self-assessment and a validated assessment. Self-assessments allow organizations to assess themselves using HITRUST’s standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST…

What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?

Consistent with the certification requirements for the HITRUST CSF, an organization must achieve a minimum score for each NIST Cybersecurity Framework Core Category, which is aggregated from the scores for individual HITRUST CSF control requirements as they are mapped…

What’s included in HITRUST’s certification report for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What’s included in HITRUST’s certification report for the NIST Cybersecurity Framework?

HITRUST will issue a Letter of Certification for the NIST Cybersecurity Framework with a NIST CSF scorecard in the HITRUST CSF Assessment Report. HITRUST will also issue a separate Letter of Certification and scorecard that can be distributed separately from the…

Is the CSF an industry standard for healthcare?

HITRUST CSF Framework FAQ » Is the CSF an industry standard for healthcare?

The CSF is not a standard in the same sense as ISO/IEC 27001:2013 and other, similar security standards given the CSF is a derivative work based on such standards. However, the CSF provides a consensus-driven standard of due care and due diligence for the protection of…

Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?

MyCSF FAQ » Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?

Anyone that wishes to allow their assessments to be inherited will need to subscribe. This applies to internal as well as external inheritance. External inheritance is viewed as a service that is provided to customers making it easier to assess if they are working with…

Will HITRUST be incorporating the NIST Cybersecurity Practice Guides on Security Electronic Health Records on Mobile Devices?

HITRUST CSF Framework FAQ » Will HITRUST be incorporating the NIST Cybersecurity Practice Guides on Security Electronic Health Records on Mobile Devices?

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF,…

APIs – which GRC tools will the APIs connect to? Will it allow the import of controls into the GRC tool and export from GRC response fulfillment into MyCSF 2.0?

MyCSF FAQ » APIs – which GRC tools will the APIs connect to? Will it allow the import of controls into the GRC tool and export from GRC response fulfillment into MyCSF 2.0?

The API allows use by many GRC tools. We are working with the largest players in the GRC market to develop guidance for the integration process. The current API deployment will allow for information to be extracted from MyCSF. In the future, you will be able to place…

Is the scope of the CSF too large for most healthcare organizations?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ » Is the scope of the CSF too large for most healthcare organizations?

Although HITRUST specifically provides for significant tailoring of the CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. An organization should not apply the CSF broadly unless it is scoped and tailored to the…

If we decide to use the API, how will MyCSF development environments (QA/UAT) be available?

MyCSF FAQ » If we decide to use the API, how will MyCSF development environments (QA/UAT) be available?

Initial deployment of the API will focus on getting information out of MyCSF and into your native toolsets. The API will eventually allow getting information into MyCSF. Customers who subscribe at a level that includes this feature will be provided a test instance for…

Is there a limit to the number of active assessments?

MyCSF FAQ » Is there a limit to the number of active assessments?

Yes. The number of assessments that an organization can have is limited by the level of access they have in MyCSF. Subscribing customers can purchase additional assessment objects in MyCSF if necessary.

Why choose the CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ » Why choose the CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Many of the elements for the argument are presented in FAQs throughout this section. But more specifically, the HITRUST CSF is specific to the healthcare industry, built and maintained by the healthcare industry, and simply better for the healthcare industry. Many of…

In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?

MyCSF FAQ » In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?

The options are a function of the HITRUST CSF and will be updated to reflect more industry agnostic options with the release of HITRUST CSF v10.0.

Third Party Assurance FAQ

Subtopics How can I use the CSF Assurance Program for third-party risk management? How much does it cost to get a HITRUST CSF certification? How often do I need to get a report? How many questions, and how long will it take? How do I understand the CSF…

Will a similar demo be done for assessors to understand the capabilities for assessors?

MyCSF FAQ » Will a similar demo be done for assessors to understand the capabilities for assessors?

Yes. We will be providing a demonstration targeted to assessors. Also, we will be making an online learning module available to all CCSFPs through the HITRUST Academy.

Will those that just purchased a self-assessment then purchased the validated assessment be in the old version to start and the new version when they switch to the validated assessment?

MyCSF FAQ » Will those that just purchased a self-assessment then purchased the validated assessment be in the old version to start and the new version when they switch to the validated assessment?

Assess-only users should complete their assessments in the current environment. Keep in mind that if you have not purchased a subscription or access & retention with your assessment, your data will not be migrated and will be deleted 60 days after assessment access…

Is inheritance all or nothing for each requirement or can it be weighted?

MyCSF FAQ » Is inheritance all or nothing for each requirement or can it be weighted?

You will be able to assign a weight to the inherited score that will apply to a particular control requirement.

Why should I purchase a MyCSF subscription if I just need a report?

MyCSF FAQ » Why should I purchase a MyCSF subscription if I just need a report?

Purchasing a subscription will open access to the MyCSF assessment, authoritative source reporting and will include a full, customizable view of the HITRUST CSF, advanced analytics for managing risk posture, benchmarking data, ability to leverage the functionality to…

Can assessors use sampling to improve the efficiency of the assessment?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ » Can assessors use sampling to improve the efficiency of the assessment?

Sampling methodologies can be a bit arcane, but sampling is actually very commonly used in the healthcare industry, especially by auditors. HITRUST also provides guidance to CSF Assessor organizations on the use of sampling in the HITRUST CSF Assessment Methodology…

Will the number of requirements change from 1.0 to 2.0?

MyCSF FAQ » Will the number of requirements change from 1.0 to 2.0?

No. The number of controls required for CSF Certification is a function of the version of the CSF you are assessing against and not the version of MyCSF you are using.

When will cyber threat intelligence be linked to the threats in the catalogue?

HITRUST Threat Catalogue FAQ » When will cyber threat intelligence be linked to the threats in the catalogue?

Once the mappings between threats and HITRUST CSF controls are completed, HITRUST will begin exploring ways to relate these mappings to the more granular threats identified in active threat intelligence. HITRUST anticipates this work will begin in…

Will companies still have to pay to allow their assessments to be inherited?

MyCSF FAQ » Will companies still have to pay to allow their assessments to be inherited?

Yes. Inheritance will continue to be a premium feature in MyCSF and will require an appropriate subscription.

Is a current SOC 2 acceptable for meeting the third-party assurance requirements?

Third Party Assurance FAQ » Is a current SOC 2 acceptable for meeting the third-party assurance requirements?

It depends. The accepting organization will need to make a determination based on the scope of the examination and the trust service criteria being reported upon. While the current SOC 2 may be granted a waiver and accepted in the first year, it will be necessary to…

What types of questions are there, and what information will we need to provide?

Third Party Assurance FAQ » What types of questions are there, and what information will we need to provide?

The HITRUST CSF Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains such as information protection program, endpoint protection, portable media security, third-party assurance and risk management…

Can risk be calculated based on a control’s maturity level?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Can risk be calculated based on a control’s maturity level?

HITRUST evaluates likelihood based on an assessment of the control’s maturity level. To understand the approach, one must understand that a control framework is based on a broad risk analysis that considers threats to similar types of organizations for specific…

What do I receive if I only purchase a report?

MyCSF FAQ » What do I receive if I only purchase a report?

Those purchasing a report and not a subscription to MyCSF will only have access to the MyCSF Assessment and Reports for authoritative sources such as HIPAA, SOC 2, and HITRUST. Also, report-only access is limited to 90 days. Extensions of access may be purchased for…

Will we have the option to convert before subscription renewal?

MyCSF FAQ » Will we have the option to convert before subscription renewal?

Yes. If you are interested in migrating early, contact support@hitrustalliance.net and they will get you into the queue for migration.

Can the tool link to supporting documents rather than copy?

MyCSF FAQ » Can the tool link to supporting documents rather than copy?

Yes. MyCSF 2.0 maintains a library of documentation and relationships between the documentation and its related control requirements and maturity domains.

What is the MyCSF 2.0 QA process? How will the new process be different from the current process?

MyCSF FAQ » What is the MyCSF 2.0 QA process? How will the new process be different from the current process?

The only change to the QA process is that the process will be performed in MyCSF. There are other changes that are being implemented to the QA process that are focused on ensuring the integrity and consistency of the assurance program. These changes will be announced…

MyCSF FAQ

Subtopics Why should I purchase a MyCSF subscription if I just need a report? Can I get a trial subscription or demo? What do I receive if I only purchase a report? What are the advantages of having a subscription to MyCSF? Does a subscription add value if I’m…

What will be different for the tool administrator in comparison to MyCSF 1.0?

MyCSF FAQ » What will be different for the tool administrator in comparison to MyCSF 1.0?

The only change is that it is fully integrated into MyCSF versus being its own application. There are no changes to how you administer MyCSF.

Will assessors be provided access to MyCSF 1.0 for interim reviews beyond 3/31/19?

MyCSF FAQ » Will assessors be provided access to MyCSF 1.0 for interim reviews beyond 3/31/19?

No. Interim assessments that are performed for Certifications that were obtained in MyCSF 1.0 do not require access to MyCSF. However, once all accounts are converted, all interim assessments will be required to be performed in MyCSF 2.0.

Will the documents and commenting from MyCSF 1.0 be transferred to MyCSF 2.0?

MyCSF FAQ » Will the documents and commenting from MyCSF 1.0 be transferred to MyCSF 2.0?

Yes. Customers who have a MyCSF subscription or access & retention will have their data migrated from MyCSF 1.0 to MyCSF 2.0.

Will we be able to perform at-will assessment exports into an excel document or CSV?

MyCSF FAQ » Will we be able to perform at-will assessment exports into an excel document or CSV?

Organizations that have the appropriate subscription will be able to export assessment data. Assessors’ test objects will not have this capability.

Can other types of assessments be done such as FISMA?

MyCSF FAQ » Can other types of assessments be done such as FISMA?

Yes. Targeted assessments can be performed against any of the authoritative sources of the HITRUST CSF. Targeted assessments are not submitted to HITRUST for validation and will not result in a HITRUST assurance report. They will only generate the appropriate…

Is there a release plan for customers who aren’t subscribers, but who just purchase assessment objects as needed?

MyCSF FAQ » Is there a release plan for customers who aren’t subscribers, but who just purchase assessment objects as needed?

No. For assess-only users, new assessment objects will be provisioned in MyCSF 2.0. Your data in MyCSF 1.0 will not be migrated and will be deleted 60 days after your assessment is complete. If you wish to maintain your data, you will need to purchase a subscription or…

Do non-contextual impact ratings for controls provide any real value?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Do non-contextual impact ratings for controls provide any real value?

The term “non-contextual” is used to indicate that the rating does not consider the state of existing controls in a particular organization’s environment. The problem HITRUST is addressing with the non-contextual ratings is that many, if not most, organizations…

What are the costs associated with the Assessor program?

CSF Assessor Program FAQ » What are the costs associated with the Assessor program?

The initial costs to join the Assessor program are a one-time application fee of $2,500, onsite training for 5 practitioners at $3,000 per student, and the first annual fee ranging between $30,000-$115,000 (fee outlined in the CSF Assessor Agreement and determined by the…

Are there any performance improvements with MyCSF 2.0?

MyCSF FAQ » Are there any performance improvements with MyCSF 2.0?

Yes. We have minimized the number of clicks required to navigate an assessment. Also, we have tuned all queries and optimized caching to improve overall performance.

Will assessors be converted?

MyCSF FAQ » Will assessors be converted?

Yes. Assessors will maintain access in both versions of MyCSF until all accounts are converted so that they can continue to serve their clients.

What about modules such as policy management?

MyCSF FAQ » What about modules such as policy management?

MyCSF 2.0 will not provide the modules of Incident Management, Exception Management, or Policy Management. These modules will be sunset when all customers are migrated to MyCSF 2.0.