The HITRUST Threat Catalogue was designed to help organizations become more proactive and improve their information security posture by better aligning cyber threats with HITRUST CSF controls—a combination not currently found in other frameworks. This helps simplify the risk analysis process and subsequently reduces some of the burden, costs, and confusion otherwise experienced by organizations when conducting a risk analysis.

HITRUST will transition the HITRUST Threat Catalogue into a more comprehensive and rigorous risk management tool—the HITRUST Risk Catalogue—through the planned addition of metadata related to information assets, vulnerabilities, and other non-threat specific areas of risk analysis.

Objectives of the Risk Catalogue Working Group:
The objectives of the HITRUST Risk Catalogue Working Group are to support further development of the HITRUST Risk Catalogue as a comprehensive risk assessment tool that will enable organizations to conduct more meaningful risk analyses and better leverage active threat intelligence in their risk management programs.

HITRUST Risk Catalogue Working Group Members will advise and make recommendations to HITRUST in the following key areas:

• Updating the threat taxonomy and enumerated threats.
• Mapping HITRUST CSF control requirements to enumerated threats.
• Updating threat metadata in the Catalogue to support HITRUST’s work around quasi-quantitative risk analysis, which includes, but is not limited to:
  • Mobile Application Environment (MAE) assessment,
  • Quantitative and quasi-quantitative risk analysis, and
  • The MITRE ATT&CK framework.
• Providing additional risk information, such as asset and vulnerability types.
• Mapping this additional information to enumerated threats.

HITRUST launched a new Mobile Application Environment (MAE) Working Group (WG) to help solve the market need for organizations that employ mobile applications (apps) within their environment to ensure and provide interested stakeholders reasonable assurances that the internal development, distribution, implementation, and usage of apps are done securely.

The goal of the HITRUST MAE WG is to support the development and integration of organizational-level mobile app environment-related security and privacy control requirements into the HITRUST CSF and HITRUST CSF Assurance Program. The scope of the WG’s efforts may include an organization’s internal development, vetting, deployment, and operation of mobile apps and mobile devices, but does not currently include the technical testing and certification of the mobile apps themselves.

HITRUST MAE WG Members will advise and make recommendations to HITRUST in the following key areas:

• Formal definition of the term “mobile applications environment” consistent with public and private sector usage and its intended use for the purpose of HITRUST CSF Certification.
• Identification of security and privacy risks specific to an organization’s MAE, as defined, and the specification of structured HITRUST CSF control requirements to mitigate those risks, which may include but are not limited to:
  • Apps pushed to mobile devices and personal computers via a third party or organizational app store, and
  • Apps intended to run from a browser.

Specification of related changes, if any, to the HITRUST CSF Assurance Program to support the assessment and certification of an organization’s MAE, as defined.