By Maurice Uenuma, Vice President, Federal and Enterprise, Tripwire
There has been a lot of talk recently about cyber resilience. There is no doubt that the ability to bounce back from a security event is important; however, all of the resiliency banter seems to be happening at the expense of sound risk management processes. It is safe to say that the path to resilience is paved with risk management. Risk management can be a tricky endeavor. Too many security professionals have been ambushed in meetings with a risk manager who drifts into wild flights of fancy. These types of unbridled catastrophic imaginings miss the point of solid risk management. One way to rein in these “journeys of the unlikely” is with the use of a solid assurance framework. One of the most notable assurance frameworks for risk management is offered by HITRUST.
What is HITRUST?
Many people in the healthcare industry are familiar with HITRUST, but the approach is not specific or limited to healthcare. In fact, it is industry agnostic. Its distinctive assurance approach is useful for any industry that needs to address compliance and risk management. What makes it superior to the other available models? The answer lies in the way that it engages an organization’s risk profile.
Building upon the Capability Maturity Model (CMM) and NIST’s PRISMA, the HITRUST approach leverages best-in-class components for a comprehensive information risk management and compliance program that integrates and aligns the following:
- HITRUST CSF — a robust privacy and security controls framework which harmonizes dozens of authoritative sources such as HIPAA, ISO 27001, and NIST 800-171.
- HITRUST Assurance Program — a scalable and transparent means to provide reliable assurances to internal and external stakeholders.
- HITRUST MyCSF — a HITRUST CSF compliance operations and audit management platform used by organizations adopting the HITRUST CSF, their external assessors, and HITRUST.
- HITRUST Shared Responsibility Program — a means to automatically import prior HITRUST control assessment testing results and scoring that are available from providers of internal shared IT services and external cloud-hosted services, supported by a suite of matrices that clarify shared responsibilities.
- HITRUST Assessment XChange — a third-party risk management solution.
- HITRUST Third Party Assurance Program — a third-party risk management process.
Today, many compliance gap assessments (including HITRUST, ISO 27001, etc.) represent a “point-in-time” evaluation to determine whether a particular benchmark of control implementation and operation is achieved. The assessment activities are then reviewed and re-performed periodically (e.g., annually). Unfortunately, this method requires assessors and certification bodies to extrapolate across a future time period based on current-state assessment results.
HITRUST is working to incorporate concepts of Information Security Continuous Monitoring (ISCM) into its assurance program’s methodology and offerings. The end goal of HITRUST’s efforts is to change the “point-in-time” nature of traditional security assessments to one of an ongoing, prospective nature by providing assessed entities, HITRUST assessors, and HITRUST itself a view into the status of controls with a frequency sufficient to make ongoing, risk-based decisions. The end result is even greater reliability of HITRUST as well as the possibility of ongoing HITRUST certifications valid for much longer than today’s HITRUST certification offerings.
The only thing worse than discovering gaps in a security program is finding controls that have been neglected to the point that an old gap is re-opened. An ISCM approach guards against this, because controls degrade less over time under continuous monitoring than under the traditional periodic review. Other tangible benefits include:
- Longer periods between comprehensive control gap assessments.
- Reduced time and effort needed to maintain certification.
- Reduced lifecycle costs for maintaining certification.
- Higher levels of assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers.
Certification is important, as it offers objective verification that a security program is operating within the parameters of its intended design. This has implications beyond the comfort of a successful audit cycle. Through ISCM, the HITRUST Assurance Program will allow the findings in the HITRUST Assessment Report to be truly prospective.
Many security initiatives are viewed as “cost centers” that add no value to an organization. From a monetary perspective, a HITRUST certification adds value not only by helping a company meet cybersecurity insurability standards, but also by potentially lowering those insurance premiums. This is because the HITRUST standard enjoys high confidence in the industry. This confidence is also recognized by entities such as the US Government Accountability Office (GAO), which is tasked with saving taxpayer money.
HITRUST & Tripwire
Continuous monitoring is not an entirely new concept; however, achieving it requires tools that can facilitate this ideal. The HITRUST ISCM methodology integrates perfectly with Tripwire to move an organization towards this state of constant compliance and security. Whether through monitoring or configuration management, each capability adds to a near real-time awareness of an organization’s risk profile.
With HITRUST ISCM, coupled with Tripwire, an organization can move away from the annual “heavy assessment” to a baseline understanding and continual compliance throughout the certification period, so that it becomes apparent when a control stops functioning. Tripwire can help an organization change the way assurance is obtained, maintained, and communicated.
Security assurance and compliance can be achieved and maintained with the HITRUST ISCM approach, coupled with Tripwire. This also transforms security into a measurable, metric-based discipline, which is a vital stepping-stone towards security resiliency.
About Tripwire
For more than 20 years, Tripwire has protected the world’s leading organizations against the most damaging cyberattacks, keeping pace with rapidly changing tech complexities to defend against ever-evolving threats. We’re here to help organizations build strong foundations for security, compliance, and operational excellence.
Download the HITRUST CSF
The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. For eligible organizations, the HITRUST CSF is available to download free of charge.
About the Author
Maurice Uenuma, Vice President, Federal and Enterprise, Tripwire
Maurice is responsible for supporting state governments and large enterprises in the United States. Prior to joining Tripwire, Maurice was Vice President at the Center for Internet Security (CIS), and currently serves as Workforce Management co-chair of the National Initiative for Cybersecurity Education (NICE) Working Group at NIST. Maurice holds a Master’s degree in National Security Studies from Georgetown University, graduated from the U.S. Naval Academy, and is a GIAC-certified Global Industrial Cyber Security Professional (GICSP).