Third Party Assurance FAQ

Subtopics: How can I use the CSF Assurance Program for third-party risk management? How much does it cost to get a HITRUST CSF certification? How often do I need to get a report? How many questions, and how long will it take? How do I understand the CSF…

How can I use the CSF Assurance Program for third-party risk management?

The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…

How are HITRUST and covered entities engaging with the HITRUST Third Party Assurance?

HITRUST formed a Business Associate Council in March 2016. The Council was established to ensure healthcare industry business associates and other key vendors are able to influence and directly engage with HITRUST and healthcare organizations relating to the HITRUST Third…

Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

Organizations accepting ISO 27001 in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular…

Is a current SOC 2 acceptable for meeting the third-party assurance requirements?

It depends. The accepting organization will need to make a determination based on the scope of the examination and the trust service criteria being reported upon. While the current SOC 2 may be granted a waiver and accepted in the first year, it will be necessary to…

How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?

HITRUST CSF Validated Reports with Certification are valid for two years given the successful completion of an interim review (12 months after the date of the original assessment), and that no breach or significant changes have occurred relating to the scoped control…

Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?

HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security…

CSF Assurance Program FAQ

Subtopics: What is the HITRUST CSF Assurance Program? What are the various types of CSF Assessments? Is a HITRUST certification assessment more expensive than comparable assessments? What is the length of time it takes to become HITRUST CSF Certified? Who will…

Who will accept HITRUST CSF Assurance Reports?

Many organizations accept CSF Assurance reports as a means of evaluating a business partner’s privacy and security controls, and in fact a growing number of organizations require that their business partners obtain a CSF Certification. Reference: HITRUST CSF Assurance…

CSF Assurance Program and Certification FAQ

Subtopics: What is the HITRUST CSF Assurance Program? What types of assessments are available in the HITRUST CSF Assurance Program? What is the process for an organization to achieve HITRUST CSF Certification? Is a HITRUST CSF Validated Assessment more expensive…

What is the HITRUST CSF Assurance Program?

The HITRUST CSF Assurance Program provides a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and…

What is the HITRUST CSF Assurance Program?

The HITRUST CSF Assurance program is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and…

Does a CSF Assurance assessment weight all controls equally?

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST…

Does the CSF Assurance Program support an “assess once, report many” approach?

HITRUST has recognized for some time that the current model used in the industry for third-party Assurance is fraught with inefficiencies and unnecessary costs by requiring duplicative questionnaires and assessments, which tend to distract organizations from monitoring…

Is the HITRUST CSF Assurance Program a one-size-fits-all approach?

As we’ve seen in other FAQs, the CSF is not a one-size-fits-all approach due to (1) an organization’s ability to tailor the initial selection of the control baseline in accordance with defined risk factors and (2) the requirement for additional tailoring based on…

Does CSF Assurance take a compliance-based approach to information protection?

From its inception, HITRUST chose to use a risk-based rather than compliance-based approach to information protection and help mature the healthcare industry’s approach to safeguarding information. By integrating NIST’s moderate-level control baseline into the…

What types of assessments are available in the HITRUST CSF Assurance Program?

HITRUST offers two types of CSF Assessments – a self-assessment and a validated assessment. Self-assessments allow organizations to assess themselves using HITRUST’s standard methodology, requirements, and tools provided under the CSF Assurance…

Frequently Asked Questions About the HITRUST® Risk Management Framework

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In…

How many organizations have completed a HITRUST CSF Assessment?

38,000 CSF Assessments have been performed in the last three years with 15,000 CSF Assessments in 2015 alone. HITRUST anticipates a continued demand for CSF Certification due to third-party assurance requirements from several major health organizations and requests for…

Is a HITRUST CSF Validated Assessment more expensive than comparable assessments?

No, and this is a common misconception. In many cases the overall assessment costs associated with information security and privacy assessments conducted under the HITRUST CSF Assurance Program are less than other comparable third-party assessments. The alignment…

What types of questions are there, and what information will we need to provide?

The HITRUST CSF Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains such as information protection program, endpoint protection, portable media security, third party assurance and risk management.…

Is a HITRUST certification assessment more expensive than comparable assessments?

No, and this is a common misconception; in many cases the overall assessment costs associated with information security and privacy assessments are less than those of other third-party assessments. The alignment between the HITRUST CSF and CSF Assurance programs allows a…

What methods are used to evaluate the effectiveness of CSF controls?

The HITRUST assessment methodology specifically requires Authorized External Assessor Organizations to:
- gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports)
- examine configuration…

Control Maturity and Continuous Monitoring and Assessment FAQ

Subtopics: How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification? What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization? What evidence do you have…

Does NIST recognize HITRUST as a certifying organization?

Although NIST does not have its own certification program for the Cybersecurity Framework, NIST does recognize and actually encourage third party programs that provide a “confidence mechanism” for an organization’s implementation of the Framework, which also…

How will the interim assessment process be different from the interim review memorandum previously used?

The interim assessment now requires full testing of the sampled control requirements and must undergo the same Quality Assurance process as a full assessment.

What are the various types of CSF Assessments?

HITRUST offers two types of CSF Assessments: a self-assessment and a validated assessment. Self-assessment allows organizations to self-assess using the standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST will then perform…

Can I get a HIPAA specific report?

Yes. In MyCSF 2.0 there is the ability to generate a targeted assessment against any one of the authoritative sources. Targeted assessments will only generate scorecards within MyCSF and will not result in a HITRUST Assurance Report.

The other types of assessments (GDPR, etc.) are only self-assessments and can’t be validated?

Yes. We do not generate any type of assurance report for targeted assessments. There are assessments that you can perform internally, and you can generate score cards within the tool.

How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?

HITRUST bases its framework on how risk management is defined, i.e., the process of managing risk to organizational operations, organizational assets or individuals resulting from the operation of an information system (the definition of which is quite broad), and…

Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?

No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms.…

How often do I need to get a report?

HITRUST CSF reports with Certification are valid for two years given the successful completion of an interim review, no breach has occurred and no significant changes have occurred relating to the scoped control environment. However, check with your business partner to…

What is the MyCSF 2.0 QA process? How will the new process be different from the current process?

The main change to the QA process is that it will be performed in MyCSF. Other changes being implemented to the QA process focus on ensuring the integrity and consistency of the assurance program; these changes will be announced…

Can other types of assessments be done such as FISMA?

Yes. Targeted assessments can be performed against any of the authoritative sources of the HITRUST CSF. Targeted assessments are not submitted to HITRUST for validation and will not result in a HITRUST assurance report. They will only generate the appropriate scorecard…

How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework?

As part of the HITRUST CSF Assurance Program, upon receiving a HITRUST CSF Assessment Report, organizations may request a Press Kit with details on how they may publicly communicate their HITRUST CSF Certification status, which also includes certification of its…

Why choose the HITRUST CSF over other frameworks (NIST, ISO, etc.)?

The HITRUST CSF integrates and harmonizes data protection requirements from many authoritative sources, such as ISO, NIST, PCI and HIPAA, and tailors the requirements to an organization based on specific organizational, system, and regulatory risk factors. The level of…

What is the process for an organization to achieve HITRUST CSF Certification?

Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an…

What is the process for an organization to achieve HITRUST CSF Certification?

The organization should first determine the business drivers for attempting certification which should include identifying key stakeholders, defining scope, and selecting an Authorized External Assessor Organization. HITRUST recommends a Readiness Assessment be…

Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

HITRUST practitioners will complete the onsite training during the first year. The second and third year they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. The…

What is the role of continuous monitoring in the HITRUST scoring process?

Information security continuous monitoring (ISCM) has been a part of the HITRUST CSF control maturity and scoring model since the inception of the HITRUST CSF Assurance Program in 2009. Typical assessment and audit approaches generally focus on policy and…

What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?

Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high…

Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Many of the elements for the argument are presented in FAQs throughout this section. But more specifically, the HITRUST CSF is designed with certain highly-regulated industries in mind; however, it is a region- and industry-agnostic control framework that can be used…

What is the length of time it takes to become HITRUST CSF Certified?

CSF Certification can be achieved when the minimum compliance level (a score of 3+ or 3 with corrective action plans) is met for all 75 CSF controls required for certification (2019 CSF v9.2 requirement). The total amount of time it can take an organization to become…

If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?

If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST Cybersecurity Framework in one of two ways. An organization can generate a NIST CsF scorecard based on the maturity of the HITRUST CSF control requirements that support each of the NIST…

If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST Cybersecurity Framework?

Yes, you’re well on your way, as the HITRUST Risk Management Framework (RMF)—consisting of the HITRUST CSF, CSF Assurance Program and related methods and tools—is the foundation for a model implementation of the NIST CsF in the private sector. Since the NIST…

Are HITRUST assessments only useful for formal certification against the CSF?

Certification is only one of the ways the HITRUST CSF can be used. Not all organizations need to pursue certification, and validation will provide assurances that specific controls are implemented, which ones are not or may have been changed, and how well they are…

What is the best approach for implementing the NIST Cybersecurity Framework in the healthcare industry?

The best approach for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity, or Cybersecurity Framework (CsF), is the approach outlined in the Healthcare Sector Cybersecurity Framework Implementation Guide, produced and published under the…

How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?

While useful, the approach used to obtain reputational scores like Security Scorecard and Bitsight is limited (similar to a narrowly scoped external penetration test) and is arguably unique for each organization’s network. It is further recognized that each scorecard…

How does the RMF fit into the NIST Cybersecurity Framework?

The HITRUST RMF, which consists of the HITRUST CSF, CSF Assurance Program and supporting tools, methods and services, is actually a model implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity…

Do non-contextual impact ratings for controls provide any real value?

The term “non-contextual” is used to indicate that the rating does not consider the state of existing controls in a particular organization’s environment. The problem HITRUST is addressing with the non-contextual ratings is that many, if not most, organizations…

If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?

In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of…

Do HITRUST Certification programs provide safe harbor in the event of a breach?

Certification is not required by any regulatory body, nor has any regulatory body sanctioned certification as a mechanism to provide safe harbor in the event of a breach. This is true not just for the HITRUST CSF but for other standards and frameworks as they apply to…

Can risk be calculated based on a control’s maturity level?

HITRUST evaluates likelihood based on an assessment of the control’s maturity level. To understand the approach, one must understand that a control framework is based on a broad risk analysis that considers threats to similar types of organizations for specific…

Why can’t I just adopt the NIST Cybersecurity Framework without leveraging additional guidance or frameworks?

For an industry sector or organization to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework), one must understand that it relies on existing standards, guidance, and leading practices to…

If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?

To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats.…