HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.


HITRUST CSF Roadmap 2017

HITRUST CSF v9:
- Update 21 CFR Part 11 (FDA electronic signatures)
- Add FFIEC IT Examination (InfoSec), FedRAMP, DHS Critical Resilience Review
- Review OCR Audit Protocol v2 for potential changes to:
  - CSF control requirements
  - MyCSF illustrative procedures
- Revise controls required for CSF v9 certification (see next slide)

HITRUST CSF v9.1: No interim release planned

HITRUST CSF Roadmap 2017

In addition to the ability to obtain a SOC 2 report if assessed by a CPA firm, assessments used for HITRUST CSF v9 certification will also provide a:
- NIST Cybersecurity Framework Scorecard, and
- NIST Cybersecurity Framework Certification (if scoring requirements are met)

A NIST Cybersecurity Framework Scorecard will provide:
- Compliance ratings for each NIST CsF Core Subcategory
- Approximate NIST CsF Tiers by Core Subcategory, Category and Function
- Consistent reporting across all critical infrastructure industries

HITRUST Roadmap 2018

HITRUST CSF v10*:
- Update NIST CsF v1.1 content/mappings
- Review and potentially update current COBIT 5 integration
- Add Baldrige Cybersecurity Assessment
- Potentially add NSA Adversary Obstruction Requirements
- Scrub terminology in the CSF (and publish new HITRUST CSF glossary)
- Identify and classify dependencies amongst CSF control requirements by level
- Develop CSF control RACI for IaaS providers (potential new assessment/cert)
- Potentially revise risk factors and control implementation levels**

HITRUST CSF v10.1*: No interim release planned

* Subject to change based on HITRUST CSF Advisory Council recommendations
** Based on an analysis leveraging the new HITRUST CSF Threat Catalogue

AICPA UPDATE

HITRUST and AICPA/SOC 2 Update
- Mapping of SOC 2 Trust Services Principles (TSPs) criteria to HITRUST CSF v8 has been completed for quite some time and should be posted this month to the AICPA website
- Illustrative report for a SOC 2 + HITRUST report based on the 135 security controls, or only the controls required for HITRUST CSF certification (currently 66), should also be finalized/posted this month, along with updated FAQ guidance
- For AICPA reporting geeks: it incorporates SSAE 18
- Longer term goal is to post guidance/illustrative report/mappings on our site to be more agile and responsive
- Updated version of the Trust Services Criteria (2017 version) released within the past two weeks:
  - No longer uses the term "principles" in the title, rather "criteria"; the 5 principles are now called categories of criteria
  - Aligns with 2013 COSO
  - Better addresses cyber risks
  - Increased flexibility in its application
  - Required for reports issued on or after Dec 15, 2018; earlier adoption allowed
- HITRUST CSF mapping: Version 9 will be mapped to the current version of the TSPs (2016); anticipate mapping version 10 to the updated release of the TSPs (2017)

AICPA Cyber-Risk Management Reporting Framework
- Key elements: voluntary, market driven, flexible and holistic
- Intended to communicate an organization's cybersecurity risk management program to stakeholders
- Can address cybersecurity as a whole or a specific business or product
- A separate controls framework is still required as the basis for reporting, e.g., HITRUST CSF

Components:
- Management description of the cybersecurity risk management program
- Management assertion on the description and on the operating effectiveness of the controls
- CPA/Practitioner report on management's description and operating effectiveness

Two sets of criteria:
- Description criteria
- Control criteria: TSPs with Security, Confidentiality and Availability

Available resources include: Illustrative Cybersecurity Risk Management Report; Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program; Practitioner Guide on Reporting (June 1)

MYCSF 2.0

What is MyCSF 2.0?

The next generation of MyCSF, incorporating new features and improved functionality designed to further streamline and enhance the risk assurance process. Key areas of improvement include:
- Cleaner User Interface
- Streamlined Assessment Navigation
- Added Functionality

MyCSF 2.0
- Single-Page Assessment View
- Linking of Artifacts
- Multiple Respondents
- Vendor Risk Management
- Analytics & Dashboards
- Mobility
- Certification Verification

HITRUST ASSESSMENT EXCHANGE

What is HITRUST Assessment Exchange (HAX)?

HITRUST Assessment Exchange is a solution that provides the resources and oversight to ensure an organization's third parties are in compliance with the established requirements. It is a subset of Vendor Risk Management (VRM).
- Leverages innovative technology to manage, track and report on the distribution and collection of vendor assurance information relating to security and privacy risks
- Provides education and support to vendors
- Provides status reporting and a unified view of vendors' security and privacy compliance
- Supports importing of assessment reports into the customer's vendor risk management system for enterprise risk management
- Leverages the HITRUST CSF and Third Party Assurance programs, the most widely used programs for Business Associates (BA) in the healthcare industry

Challenges in Managing Vendor Security Risks
- Limited internal resources
- Identifying the appropriate resources responsible for security and privacy at third parties
- Educating vendors on your process and expectations
- Following up to ensure risks are measured, adequately addressed and managed
- Developing and managing the approach is cost intensive
- Inconsistent vendor security risk evaluation methodology
- Operational and labor intensive process

Challenges in Managing Customer Security Assessment Requests
- Limited internal resources
- Multiple requests for the same information
- Ambiguity of security requirements
- Challenges in providing timely updates
- Inconsistent customer security risk evaluation methodology
- Operational and labor intensive process

How Can HAX Help?

Vendor:
- Reduced number of assessments
- Reduced audit fatigue
- Consistent, prescriptive criteria
- Assess once, report many
- Timely updates to business partners

Customer:
- Single source for HITRUST Assessment data and details
- Electronically consumable information that can be integrated into native VRM/GRC solutions
- Reduces labor intensive efforts to educate vendors on processes and to collect information and assurances

How is HAX Unique?
- Leverages the HITRUST CSF and HITRUST CSF Assurance Program assessment report data
- Facilitates exchange of assessment data in electronically consumable form:
  - HITRUST CSF Control Requirements with Maturity Scores
  - Gaps/Corrective Action Plans
  - Scoping (Risk Factor Configuration & Systems)
- Efficient "assess once, report many" approach: share assessment data with multiple business partners simultaneously
- Granular configuration allows you to share only the information you want to share, and only with those you choose to share it with
- Integrates with leading GRC & VRM solutions
- VRM portal allows organizations to view their vendors in the Exchange without the need to integrate with a GRC or VRM solution