HITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience. Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO

Transcription

1 HITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO

2 Topics 1. HITRUST s Approach to CSF v10 2. Changes to the CSF Assurance Program 3. What to Expect with MyCSF Considerations & Benefits 2

3 1 HITRUST s Approach to CSF v10 3

4 Current CSF Structure (1) Built on ISO 27001/2:2005 Adds 3 Control Categories Contains 00.0 Infosec Program Mgmt Risk Management 13.0 Privacy Practices 14 Control Categories 46 Control Objectives 149 Controls Includes healthcare and HIPAAspecific requirements in CSF Control Implementation Level 1 4

5 Current CSF Structure (2) Industry Segments Unique to an organization or data type Brought in by a single risk factor Implementation Levels Level 3 More prescriptive or restrictive than Level 2 Applicable to one or more risk factors Level 2 More prescriptive or restrictive than Level 1 Applicable to one or more risk factors Level 1 Basic due diligence Applicable to most organizations Implementation Levels (Up to 3) Address a variety of organizational, system and regulatory risk factors Contain most of the CSF requirements applicable to any one organization Industry Segments (Multiple) Are generally brought in by a single regulatory risk factor (regulation, law or framework) Provide additional prescription to cover requirements that are unique to the organization and/or data type addressed by the risk factor Contains some of the CSF requirements applicable to any one organization 5

6 Proposed CSF Structure (1) Build on ISO 27001/2:2013 Add 2 Control Categories 00.0 Information Protection Program 15.0 Privacy Anticipated to Contain 16 Control Categories 41* Control Objectives 123* Controls Will move healthcare and HIPAAspecific requirements to one or more segments * Known gaps exist between ISO 27001:2013 and NIST SP r5 (draft), which may require additional controls and control objectives to ensure complete coverage of the NIST SP and the various authoritative sources that rely on NIST SP (e.g., MARS-E or IRS Pub 1075); may also be necessary to provide complete coverage of the NIST CsF Subcategories; rework needed to support a comprehensive treatment of non-healthcare-specific privacy practices in CSF Control Category 15 may also require additional control objectives and/or controls 6

7 Proposed CSF Structure (2) Control Implementation Core (1 Level) Control Segments Unique to an organization or data type Brought in by a single risk factor Control Core Basic due diligence Applicable to most organizations Will address a variety of organizational, system and regulatory risk factors Will contain most of the CSF requirements commonly applicable to any one organization Control Implementation Segments (Multiple) Will be applied based on all types of risk factors: organizational, system and regulatory Will provide additional prescription or rigor to cover requirements not addressed in the Core Will contain a significant number of requirements applicable to any one organization 7

8 Impact of Proposed Changes Structural Element Impact Control Core* Provides an industry-accepted, minimum level of due diligence for mid-size, low-risk organizations Cost-effective assessment across all CSF controls provide betters assurances for stakeholders Excellent coverage of security & privacy outcomes specified in high-level frameworks, such as the NIST Cybersecurity Framework and the AICPA Trust Services Criteria used for SOC2 reporting Moving healthcare/hipaa-specific requirements out of the CSF Core facilitates use across all industries, both nationally and internationally Control Segments Adds requirements to the Core based on all risk factors (not just regulatory factors) Supports better tailoring of CSF control requirements to the organization Reduces cost & effort for implementation and assessment of CSF controls Facilitates more granular mapping of requirements beyond the Core Provides better traceability to relevant authoritative sources, such as HIPAA or GDPR Supports more cost-effective reporting against multiple requirements (e.g., via MyCSF dashboards or HITRUST CSF Assessment Report scorecards) New segment(s) for healthcare/hipaa ensures minimal impact to existing HPH Sector users * Transition from ISO 27001:2005 to ISO 27001:2013 for the overall structure of the HITRUST CSF will allow organizations that use ISO or another framework like NIST SP that has been mapped to ISO to more transition to (adopt) the HITRUST CSF or otherwise integrate the HITRUST CSF into their existing organizational information protection programs 8

9 2 Changes to the CSF Assurance Program 9

10 Validation in CSF v10 Validation procedure remains the same 5 x 5 scoring model Threshold for certification remains 3+ or 3 with corrective actions Certification will no longer be based on a subset of CSF controls Focus approach on Core controls across all 135 CSF controls Certification no longer based on a subset of controls Risk factors generate Core+ assessments allowing a more tailored approach HIPAA is no longer implied, it will become a regulatory factor that must be selected if applicable 10

11 3 MyCSF v2.0 11

12 MyCSF 2.0 Enhanced assessment navigation Interim assessments performed in MyCSF Assessor QA performed in MyCSF Ad Hoc reporting capability Enhanced analytics Granular association of artifacts to control requirements 12

13 4 Considerations & Benefits 13

14 v10 Benefits to New and Existing Users Easy for non-healthcare entities to adopt the HITRUST CSF due to the industry-agnostic Control Core Easy for international entities to adopt the HITRUST CSF due to consistency with ISO 27001:2013 Easy for healthcare entities to adopt the HITRUST CSF by selecting HIPAA Ability to apply a highly tailored set of baseline controls out-of-the-box due to increased granularity in how all risk factors are able to drive control selection Tight mappings to CSF requirements in the Control Segments Support the production of very precise regulatory scorecards (e.g., HIPAA, GDPR) and Provide the ability to easily document assurances in other reporting formats (e.g., PCI SAQs) 14

15 MyCSF 2.0 Benefits Enhanced performance and response time Ability to predefine scoring responses to control statements Fewer navigation screens Control statements listed sequentially versus one statement per screen Visual display of Control Statement, e.g., complete, CAP required Ability to import administrative information (e.g., facilities, systems) from one assessment to another Multiple reporting options Supportive of the HITRUST Shared Responsibility Program 15

16 Visit for more information To view our latest documents, visit the Content Spotlight 16