Streamlining Security Control Ownership and Responsibility with Cloud Service Providers

The HITRUST Shared Responsibility Program is an important initiative that addresses the top three challenges organizations face when engaging with their cloud service providers:

  • To ensure cloud service providers can communicate appropriate security and privacy assurances relating to the controls associated with the services a customer has contracted
  • To supply better guidance on the delineation of control ownership, including clarifying the more nuanced, partially shared controls that organizations rely upon
  • To simplify cloud customers’ own assurance processes by enabling and streamlining control inheritance while promoting full awareness and managed risk

Key Components

Shareable or inheritable controls that are supported for HITRUST CSF v9.x to distinguish control ownership and delineate responsibility between cloud service providers and their tenants, also serving as input on the design of HITRUST CSF v10.

HITRUST MyCSF Assessment Automation
A new cloud assessment process with enhanced MyCSF control inheritance features and functionality to ensure the HITRUST CSF Certification model is designed as “fit-for-purpose” for cloud service providers and their tenants.

HITRUST Shared Responsibility Matrix
A standard matrix template that can be customized by any SaaS, PaaS, IaaS, or Colo cloud service provider to inform their tenants of which HITRUST CSF v9.x controls are shareable or inheritable.

HITRUST Shared Assurance Program
A new cloud assessment assurance methodology for testing and scoring HITRUST CSF control requirements supported by more granular technology scoping parameters.

The new HITRUST Shared Responsibility Matrix includes two versions for download:

  • A publicly available control summary version, which is now included in the HITRUST CSF Version 9.3 download package
  • A subscriber-only full version, which can be downloaded via the new “References” landing page within HITRUST MyCSF

The Shared Responsibility Matrix was reviewed and analyzed by the Shared Responsibility working group, which is comprised of assessors, cloud service providers, and other industry leaders throughout the cloud provider and assurance ecosystem.

The HITRUST Shared Responsibility Matrix is designed to solve the lack of a common language that organizations need for a productive dialogue around cloud supply chain risk. It helps tenants and their cloud service providers reach agreement on how to parse out control responsibility and control inheritance while maintaining confidence that nothing will fall through the cracks.

  • It is based on an industry-accepted model with a standard set of core principles and common terminology, which clarifies how compliance is shared for all cloud service model types (e.g., SaaS, PaaS, IaaS, and Colo).
  • It helps organizations navigate, and more readily come to an agreement with, their cloud service providers by bringing significant clarity to multi-dimensional shared or delineated control requirement responsibility.
  • It supports an Assess Once, Inherit Many approach to ease the cloud assurance burden on tenants for their cloud-based workloads without introducing undue levels of risk.
  • It serves as the basis to further enhance the MyCSF control inheritance functionality and features, supporting full integration with HITRUST CSF v10.

If you are interested in joining the Shared Responsibility Working Group or participating in the Shared Responsibility Early-Adopter Program, please register below.
