By Dominic Boamah, Ph.D., Director, Office of Research & Analysis, HITRUST
The information security threat landscape is constantly changing. As the technologies and tools that organizations rely on to protect sensitive data and support their business missions evolve, information protection programs must be well-positioned to change and adapt. The HITRUST Threat Catalogue is one of the many ways that HITRUST helps our community of partners stay prepared by ensuring the continued effectiveness of the HITRUST CSF.
HITRUST Releases New Version of HITRUST Threat Catalogue
The HITRUST Threat Catalogue provides a systematic reference that identifies and defines InfoSec threats and maps them by name and number to HITRUST CSF control references based on control specifications and/or control requirements.
“We do an annual risk assessment, and we were having a hard time finding guidance until we came across the HITRUST Threat Catalogue.”
Dr. Claude Council, Senior Manager of Cybersecurity at Shriners Hospitals for Children International
The HITRUST Threat Catalogue provides an excellent reference guide to help organizations evaluate and map how effectively and comprehensively their implemented control specifications meet the risk management needs of their environment. This disciplined approach to identifying and implementing appropriate controls allows organizations to further tailor their information program and mitigate risk by proactively recognizing and anticipating threats.
Why the HITRUST Threat Catalogue is Unique
Beginning in 2016, HITRUST invested years compiling a comprehensive set of threats at a level consistent with the controls in the HITRUST CSF framework used to address them. When HITRUST first developed the Threat Catalogue, with significant input, comments, and observations from industry working groups, our goal was to develop a comprehensive list of reasonably anticipated cybersecurity threats and map those to controls in the HITRUST CSF.
The intent was and still is to cover a wide range of threats including: cyber threats, physical threats, logical threats, organizational threats, and environmental threats. In addition to mapping specific threats to HITRUST CSF controls, the Catalogue also combines and provides mapping to threats included in other frameworks, such as the National Institute of Standards and Technology (NIST) Special Publication 800-30, the European Network and Information Security Agency (ENISA) Threat Taxonomy, ISO, and other Authoritative Sources.
Provides Additional Ways to Mitigate Ransomware Threats
Using new guidelines from the Cybersecurity and Infrastructure Security Agency (CISA) and other reputable industry sources, the newest version of the HITRUST Threat Catalogue updates the list of HITRUST CSF controls to help better address the types of ransomware attacks organizations currently experience. In addition to identifying controls around secure data backup and restoration, the Catalogue also provides mappings to incident response, decision-support, and other risk mitigation controls.
Advantages of Using the Threat Catalogue
The HITRUST Threat Catalogue is a FREE resource to add visibility and assist in optimizing information risk management and compliance programs.
Further Leverage the HITRUST CSF. Provides a comprehensive view of how best to use HITRUST CSF control requirements to address existing and emerging threats so your organization gets the most possible value from the CSF framework.
Risk Analysis. The Threat Catalogue helps organizations ease the burden of analyzing and managing security and privacy risk by mapping threats directly to the controls in the HITRUST CSF framework. “At Shriners Hospitals, we do an annual Risk Assessment, and we were having a hard time finding guidance until we came across the HITRUST Threat Catalogue,” said Dr. Claude Council, Senior Manager of Cybersecurity at Shriners Hospitals for Children International. “The beauty of the Catalogue is that it comes with instructions and a spreadsheet as deliverables, which we can use as a framework to conduct an assessment tying threats to relevant controls [in the CSF]. The Catalogue did a good job of pointing us in the right direction and it was the only thing I could find that allowed us to pursue our threat assessment in the way that we wanted to.”
Executive Buy-In. There are very few sources that break down information security into easy-to-understand concepts. The HITRUST Threat Catalogue enumerates and defines common information security threats in a relevant and actionable context that helps executive leadership grasp how unaddressed threats can lead to real-world business, financial, and social consequences. Using the Threat Catalogue to support risk analysis across the organization can help inform decision-makers of the need for strong information protection so they become supportive and enthusiastic participants in wanting information risk management programs to succeed.
HITRUST Threat Catalogue Components
Threat Catalogue assets include 3 separate documents:
- Introductory Overview
- Enumerated Threat List
- Threat Catalogue spreadsheet
Regardless of organizational size or sector, using the HITRUST Threat Catalogue as guidance for evaluating HITRUST CSF controls makes it more efficient to:
- Use the HITRUST CSF framework effectively
- Conduct targeted risk analyses
- Consume threat intelligence
New Risk Catalogue Underway
Building on content and concepts in the current Threat Catalogue, HITRUST has an important Risk Catalogue initiative underway that will significantly change how threat information can be leveraged by HITRUST Organizations. These changes include:
- Updating the enumerated threats and definitions based on industry feedback and ongoing changes in the threat environment;
- Mapping threats at the HITRUST CSF control requirement level to provide additional granularity;
- Assigning attributes to HITRUST CSF control requirements that convey how they address related threats;
- Relating threats and HITRUST CSF control requirements to relevant elements in the MITRE ATT&CK framework to support integration of active threat intelligence; and
- Providing additional information needed to help organizations estimate their financial exposure to specific threats such as ransomware, evaluate the cost-benefit of remediating specific control deficiencies, and perform other types of quasi-quantitative residual risk analysis.
If you would like to participate in an active industry working group to contribute your thoughts and expertise to the upcoming HITRUST Risk Catalogue, please submit your candidacy via our Working Group Sign-up page.
About the Author
Dominic Boamah, Ph.D., Director, Office of Research and Analysis, HITRUST
Dr. Boamah has been in the Cybersecurity/IT industry for the past two decades and has dedicated the past seven years to cybersecurity risk management. He has worked with different organizations, in different industries, on their cybersecurity risk management programs. He previously served as the head of Cybersecurity/IT programs at the University of Fairfax in Roanoke, VA, and Lindenwood University in St. Charles, MO. At HITRUST, Dr. Boamah is currently engaged in the enumeration of threat-based Mobile Application Environment (MAE) related controls. In addition, he will be leading the industry working group to further develop the HITRUST Threat Catalogue into a Risk Catalogue.