HITRUST CSF: One Framework


HITRUST CSF: One Framework
Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting

Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP, Senior Advisor, HITRUST
Chris Halterman, CPA, Executive Director, EY
Ken Vander Wal, CPA, CISA, HCISPP, Chief Compliance Officer, HITRUST

Topics to Cover
- Introduction
- NIST CsF Implementation for Healthcare
- Structure of the HITRUST CSF
- Leveraging the HITRUST CSF for ISO, HIPAA, & NIST Implementation and Compliance
- Leveraging the HITRUST CSF for SOC 2 Reports
- Q&A

INTRODUCTION

Cybersecurity and Risk Management Frameworks
Supported by threat intelligence, the key components or functions of a robust and comprehensive cybersecurity program include:
- Risk analysis (Identify)
- Control selection, implementation and maintenance (Protect)
- Monitor and audit (Detect)
- Incident management (Respond and Recover)
Controls may be selected based on a traditional risk analysis, as described by NIST and DHHS, or selected and tailored from a control baseline contained in a suitable framework.
An information security risk management framework provides a set of principles, tools and practices to help:
- Ensure people, process and technology elements completely and comprehensively address risks consistent with the organization's business objectives, including legislative, regulatory and best practice requirements
- Identify risks from the use of information by the organization's business units and facilitate the avoidance, transfer, reduction or acceptance of risk
- Support policy definition, enforcement, measurement, monitoring and reporting, so that each component of the security program is adequately addressed

NIST CSF IMPLEMENTATION FOR HEALTHCARE

Federal Guidance for Improving Cybersecurity
- The NIST Framework for Critical Infrastructure Cybersecurity provides an overarching set of guidelines for critical infrastructure industries, establishing a minimal level of consistency as well as depth, breadth and rigor
- It complements rather than replaces an organization's existing business or cybersecurity risk management process and cybersecurity program
- Organizations can leverage the NIST CsF to identify opportunities to improve management processes for cybersecurity risk or, if no cybersecurity program exists, use it as a reference to establish one
The NIST CsF provides critical infrastructure industries with:
- A Framework Core: a set of cybersecurity activities, outcomes and references
- A model for evaluating an organization's maturity or readiness using Framework Implementation Tiers
- A common taxonomy and mechanism to:
  - Describe their current and target cybersecurity posture using a Framework Profile
  - Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
  - Assess progress toward the target state
  - Communicate among internal and external stakeholders about cybersecurity risk

A Model Implementation of the NIST Framework
The HITRUST CSF provides an implementation of the NIST Cybersecurity Framework that is applicable to healthcare organizations. HITRUST provides an RMF that is consistent with the NIST Cybersecurity Framework for the healthcare industry and either meets or exceeds its requirements, addresses non-cyber threats, and incorporates a robust assurance program. More specifically:
- The NIST Cybersecurity Framework categorizes cybersecurity controls according to an incident response process (functions and sub-functions), as opposed to a traditional RMF
- The HITRUST CSF provides an integrated, harmonized set of requirements specific to healthcare, as compared to individual references to controls in NIST and other frameworks
- The HITRUST CSF Assurance Program provides a harmonized set of tailorable requirements, which are fully supported by an integrated maturity model
- The HITRUST CSF Assurance Program provides a pool of vetted assessor organizations and centralized quality assurance processes to ensure consistent and repeatable assessments

STRUCTURE OF THE CSF

CSF Structure (1)
The HITRUST CSF provides coverage across multiple healthcare-specific standards and includes significant components from other well-respected IT security standards bodies and governance sources:
- HIPAA Security, Data Breach Notification, & Privacy
- ISO/IEC 27001:2005 and 2013, 27002:2005 and 2013, 27799:2008
- CFR Part 11
- COBIT 4.1
- NIST SP 800-53 Revision 4
- NIST Cybersecurity Framework (CsF)

Included Standards:
- NIST SP 800-66
- PCI DSS version 3
- FTC Red Flags Rule
- JCAHO IM
- 201 CMR 17.00 (State of Mass.)
- NRS 603A (State of Nev.)
- CSA Cloud Controls Matrix version 1.1
- CMS IS ARS version 2
- Texas Health and Safety Code (THSC) 181
- Title 1 Texas Administrative Code (TAC) 390.2
- MARS-E version 1
- IRS Pub 1075 (2014)

Scoping Factors:
- Regulatory: Federal, state and domain-specific compliance requirements
- Organization: Geographic factors; Number of covered lives
- System: Data stores; External connections; Number of users/transactions

Analyzed, Rationalized & Consolidated into:
- Control Categories (14)
- Control Objectives (45)
- Control Specifications (149)

Control Categories:
0. Information Security Management Program
1. Access Control
2. Human Resources Security
3. Risk Management
4. Security Policy
5. Organization of Information Security
6. Compliance
7. Asset Management
8. Physical and Environmental Security
9. Communications and Operations Management
10. Information Systems Acquisition, Development & Maintenance
11. Information Security Incident Management
12. Business Continuity Management
13. Privacy Practices

CSF Structure (2)
- The CSF structure is based on ISO 27001:2005
- Adds the additional CSF Categories 0.0, 3.0 and 13.0
- 149 Controls, with up to three (3) levels per Control
- Multiple authoritative sources mapped to each Control by implementation level

LEVERAGING THE HITRUST CSF FOR ISO, HIPAA & NIST IMPLEMENTATION AND COMPLIANCE

Multiple Requirements
(Diagram: requirements feeding into the CSF from PCI, CSA, State Req'ts, COBIT, Meaningful Use, HIPAA Omnibus Final Rule, ISO 27001/2, Texas Health & Safety Code, FTC Red Flags, NIST, CMS, MARS-E and HIPAA, layered over a core of ISO, NIST and HIPAA.)
Initial high-level ISO content is reinforced with additional, often more prescriptive language from relevant authoritative sources, harmonized, and fully integrated into the CSF.

One Program
(Diagram: COBIT, Meaningful Use, ISO 27001/2, HIPAA Omnibus Final Rule, Texas Health & Safety Code, FTC Red Flags, PCI, CSA and NIST converge on the HITRUST CSF.)
Example authoritative source references mapped in the CSF:
- CSA CCM SA-08
- HIPAA 164.308(a)(3)(ii)(A)
- HIPAA 164.308(a)(3)(ii)(B)
- HIPAA 164.310(b)
- IRS Pub 1075 9.4.10
- PCI DSS 1.1
- PCI DSS 1.1.4
- 1 TAC 390.2(a)(1)

Assess Once
- Assessing against the CSF necessarily implies one is assessing against the multiple regulations, standards and best practice frameworks upon which it is built
- The CSF's extensive mappings allow traceability from a CSF assessment to each of these authoritative sources, which allows the control maturity and risk information from a single assessment to be parsed accordingly

Report Many
- Standardized CSF-based reporting, e.g., CSF Certification
- Custom source-based reporting:
  - Roll up control maturity or risk based on authoritative sources
  - Produce source-specific scorecards, e.g., HIPAA, NIST CsF
  - Support or produce source-specific reports, e.g., NIST SSP, PCI SAQ, SecureTexas, SSAE 16 SOC 2 (Trust Principles)
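The "assess once, report many" mechanism described on the CSF Structure and Assess Once / Report Many slides is, at bottom, a mapping table: each requirement specification carries an implementation level (selected by the scoping factors) and a set of authoritative source references, so one set of assessment scores can be re-parsed into a scorecard per source. The script below is an added illustration, not HITRUST's own data or tooling: the control ids, the level-selection rule, the cumulative treatment of levels, the 0-100 score scale and the gap threshold are all assumptions; the only source references used are the ones quoted on the One Program slide.

```python
"""Assess once, report many: a constructed, illustrative roll-up.

Added example code, not HITRUST's catalog or tooling. Control ids, the
level-selection rule, the score scale and the threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlSpec:
    control_id: str   # constructed id; HITRUST's own numbering is not reproduced
    category: str     # CSF control category name, as listed on the deck
    level: int        # implementation level 1..3 ("up to three levels per control")
    sources: tuple    # authoritative source references this requirement maps to


@dataclass(frozen=True)
class ScopingFactors:
    covered_lives: int          # organizational factor
    external_connections: int   # system factor
    pci_in_scope: bool          # regulatory factor


def required_level(f: ScopingFactors) -> int:
    """Assumed rule: a larger footprint or stricter regulation raises the level."""
    level = 1
    if f.covered_lives >= 100_000 or f.external_connections >= 5:
        level = 2
    if f.covered_lives >= 1_000_000 or f.pci_in_scope:
        level = 3
    return level


# Constructed catalog: a handful of requirement specifications, each tagged with
# its level and the source references it traces back to.
CATALOG = (
    ControlSpec("AC-01", "1. Access Control", 1, ("HIPAA 164.308(a)(3)(ii)(A)", "CSA CCM SA-08")),
    ControlSpec("AC-02", "1. Access Control", 2, ("HIPAA 164.308(a)(3)(ii)(B)", "1 TAC 390.2(a)(1)")),
    ControlSpec("AC-03", "1. Access Control", 3, ("IRS Pub 1075 9.4.10",)),
    ControlSpec("PE-01", "8. Physical and Environmental Security", 1, ("HIPAA 164.310(b)",)),
    ControlSpec("CO-01", "9. Communications and Operations Management", 1, ("PCI DSS 1.1",)),
    ControlSpec("CO-02", "9. Communications and Operations Management", 2, ("PCI DSS 1.1.4", "CSA CCM SA-08")),
)


def applicable_specs(level: int):
    """Assumes levels are cumulative: a level-2 organization owes levels 1 and 2."""
    return [c for c in CATALOG if c.level <= level]


def source_scorecards(specs, scores, threshold=70):
    """Parse one set of per-control scores into a scorecard per source reference."""
    by_source = defaultdict(list)
    for spec in specs:
        for src in spec.sources:
            by_source[src].append((spec.control_id, scores[spec.control_id]))
    cards = {}
    for src, items in sorted(by_source.items()):
        avg = sum(s for _, s in items) / len(items)
        cards[src] = {
            "score": round(avg, 1),
            "controls": [cid for cid, _ in items],
            "gaps": [cid for cid, s in items if s < threshold],  # below threshold
        }
    return cards


def family_score(specs, scores, prefix):
    """Roll up to a whole source family (e.g. 'HIPAA'), counting each control once."""
    ids = {c.control_id for c in specs if any(s.startswith(prefix) for s in c.sources)}
    return round(sum(scores[i] for i in ids) / len(ids), 1) if ids else None


# Constructed assessment results for one organization (0-100, assumed scale).
SCORES = {"AC-01": 90, "AC-02": 60, "AC-03": 80, "PE-01": 100, "CO-01": 75, "CO-02": 50}

if __name__ == "__main__":
    org = ScopingFactors(covered_lives=250_000, external_connections=3, pci_in_scope=False)
    specs = applicable_specs(required_level(org))
    for src, card in source_scorecards(specs, SCORES).items():
        print(f"{src:30} {card['score']:6} gaps={card['gaps']}")
    print("HIPAA family:", family_score(specs, SCORES, "HIPAA"))
```

Running it with the constructed organization selects level 2, so the level-3 requirement (and with it the IRS Pub 1075 reference) drops out of every scorecard, while the single low score on CO-02 surfaces as a gap under both PCI DSS 1.1.4 and CSA CCM SA-08; flipping `pci_in_scope` to True raises the level and brings the level-3 requirement back in. That is the traceability the slide describes: one assessment, parsed per source.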

LEVERAGING THE HITRUST CSF FOR SOC 2 REPORTS

SOC 2 vs. HITRUST CSF

SOC 2:
- Owned by the American Institute of Certified Public Accountants (AICPA)
- Designed to provide information on processes and controls at a service organization, together with an independent service auditor's opinion
- Processes do not have to be related to financial statement processing, unlike SOC 1 (ISAE 3402 / SSAE 16)
- Criteria updated in early 2014
- http://www.aicpa.org/interestareas/frc/AssuranceAdvisoryServices/Pages/SORHome.aspx

HITRUST CSF:
- Owned by HITRUST
- Leverages and enhances existing standards and regulations to provide organizations of varying sizes and risk profiles with prescriptive implementation requirements
- Intended to be used by any and all organizations that create, access, store, or exchange protected health information (PHI)
- Two major components: information security implementation requirements; mapping and regulations
- Updated annually; currently Version 7
- https://hitrustalliance.net/hitrust-csf/

SOC 2 vs. HITRUST CSF

SOC 2:
- Trust Services Principles: Security, Availability, Confidentiality, Privacy, Processing Integrity
- Select principles based on expected user needs
- Must then address ALL criteria for the selected principles
- Type 1: design
- Type 2: operating effectiveness

HITRUST CSF:
- CSF Framework: 14 Control Categories, 45 Control Objectives, 149 Control Specifications
- Risk factors drive control specification implementation requirements, up to 3 levels
- Must meet all requirement specifications based on risk factors
- Assurance program: Self Assessments; Third-Party Assessments (Certified, Validated)

What Does SOC 2 / HITRUST Give Users?

SOC 2:
- Management Assertion
- Independent service auditor's report:
  - Description fairly presents the in-scope services
  - Controls are suitably designed to meet the in-scope criteria
  - Controls have operated effectively to deliver the criteria (Type 2)
- Description of System
- Description of Controls, Tests and Results of Tests

HITRUST CSF:
- Certified/validated report issued by HITRUST based on the work of independent third-party assessors
- Business/functional/organizational units that meet the associated criteria
- Assessment context and scope of systems included in the assessment
- Breakdown of CSF control areas with a comparison to industry
- Includes maturity scores
- Testing summary, corrective action plans and completed questionnaire

Benefits of Combining SOC 2 & CSF Assurance
- Leverage the HITRUST CSF controls in SOC 2 engagements
- Realize significant time efficiencies and cost savings through synergies between the CSF controls and the Trust Services Principles and Criteria
- Reduce the inefficiencies and costs associated with multiple reporting requirements
- Service organizations' controls can be considered both against the SOC 2 criteria and the HITRUST CSF

HITRUST and AICPA
Collaborating to develop and publish a set of recommendations to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting.
Work products:
- Mapping of CSF to Trust Services Principles and Criteria (security, confidentiality and availability) (Completed)
- Overview document with frequently asked questions (Draft under review)
- HITRUST + SOC 2 Reporting Template (Under development)

Excerpt from the CSF Trust Principles Mapping
(Figure not reproduced.)

Examples of FAQs
- Is it mandatory that I use the supplied mapping when completing a SOC 2 + HITRUST CSF opinion?
- If you have two opinions, do they need to stand alone or can they use the same body of testing work?
- Are the control activities and specificity of control design and operating effectiveness in the Trust Services Principles and Criteria sufficient to meet the HITRUST CSF requirements?
- Should the maturity of controls be assessed when completing the SOC 2 + HITRUST report?
- How should a qualification in a SOC 2 opinion be considered for impact to HITRUST, and vice versa?
- How are exceptions addressed in the reporting option with an opinion on both the TSPs and the CSF?
- Can any service auditor that is a member of the AICPA issue such a SOC 2 + HITRUST report?

HITRUST + SOC 2 Reporting Template
Report Sections:
- Management Assertion
- Independent Service Auditor's Report
- Entity's Description of its System
- Trust Services Principles/CSF Controls Tested and Results of Tests
- Mapping of Applicable Trust Services Principles and Criteria to the CSF

Draft of Opinion Wording
In our opinion, in all material respects, based on the description criteria identified in Example Health Service Organization's assertion and the applicable trust services criteria and CSF criteria,
a. the description fairly presents the system that was designed and implemented throughout the period January 1, 20X1, to December 31, 20X1;
b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria and CSF criteria would be met if the controls operated effectively throughout the period January 1, 20X1, to December 31, 20X1.

Q&A
Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP, Senior Advisor, HITRUST, Bryan.Cline@HITRUSTAlliance.net
Chris Halterman, CPA, Executive Director, EY, Chris.Halterman@EY.com
Ken Vander Wal, CPA, CISA, HCISPP, Chief Compliance Officer, HITRUST, Ken.VanderWal@HITRUSTAlliance.net

Visit www.hitrustalliance.net for more information. To view our latest documents, visit the Content Spotlight.