By Bryan Cline, Ph.D., Chief Research Officer
Independently, the HITRUST Approach and the FAIR methodology each provide value, but together they promise to help more organizations achieve risk management success. In a jointly written strategy whitepaper, HITRUST and the FAIR Institute outline the planned integration and the many benefits of the recently announced collaboration.
The premise behind the effort is that FAIR and HITRUST are complementary: FAIR covers risk, HITRUST covers controls.
Aligning the Factor Analysis of Information Risk (FAIR)™ methodology with the HITRUST Approach will enable organizations across industries to make better-informed risk management decisions, ensuring that limited resources are deployed more efficiently. By drawing on the strengths of both the HITRUST CSF framework and the FAIR methodology, organizations will be well positioned to tackle the many challenges related to regulatory compliance and the protection of sensitive information, to improve communication of risk to senior management, board members, and other stakeholders, and ultimately to prioritize and optimize information risk management investments.
Real-World Use Case
Highmark, Inc. (Highmark) is a health and wellness organization located in Pittsburgh that operates health insurance plans in multiple states. Highmark has maintained HITRUST CSF Certification since 2017 and began its FAIR journey at the end of the same year. Since that time, Highmark’s Information Security and Risk Management department has been defining an effective marriage between the two methodologies and leveraging their unique strengths, with the ultimate goal of making measured, informed cybersecurity decisions to achieve an acceptable level of risk. The full story of how Highmark prioritizes efforts and investments to improve the controls with the largest risk reduction impact is available in the whitepaper.
The FAIR Institute and HITRUST will be developing and publishing predefined integration methods, processes, and mappings. Integration activities currently being considered include:
- Quantitative analysis of the excessive risk incurred due to gaps in the implementation of specified HITRUST CSF control requirements to support the design/development and prioritization of corrective actions.
- Quantitative analysis of alternate HITRUST CSF controls to confirm a commensurate reduction in the amount and type of risk prior to accepting an alternate to a specified control.
- Quantitative risk-based decisions around operational portfolio management and resource allocation.
- Mapping of HITRUST CSF controls to the FAIR ontology.
- Initial selection (specification) of HITRUST CSF control requirements based on the inherent risk of specific activities or technologies.
The results of this work will be published in future technical whitepapers. The expectation is that organizations can take the results of a HITRUST CSF Assessment and use them to support risk calculations and comparisons using the FAIR methodology, allowing for enhanced HITRUST-informed decision-making.
Stay tuned for exciting future updates on the collaboration between FAIR and HITRUST.