HITRUST CSF Roadmap for 2018 and Beyond
HITRUST CSF Roadmap 2017

- HITRUST CSF v9
  - Update 21 CFR Part 11 (FDA electronic signatures)
  - Add FFIEC IT Examination (InfoSec), FedRAMP, DHS Critical Resilience Review
  - Review OCR Audit Protocol v2 for potential changes to:
    - CSF control requirements
    - MyCSF illustrative procedures
  - Revise controls required for CSF v9 certification (see next slide)
- HITRUST CSF v9.1
  - No interim release planned
HITRUST CSF Roadmap 2017

- In addition to the ability to obtain a SOC 2 report if assessed by a CPA firm, assessments used for HITRUST CSF v9 certification will also provide a:
  - NIST Cybersecurity Framework Scorecard, and
  - NIST Cybersecurity Framework Certification (if scoring requirements are met)
- A NIST Cybersecurity Framework Scorecard will provide:
  - Compliance ratings for each NIST CsF Core Subcategory
  - Approximate NIST CsF Tiers by Core Subcategory, Category and Function
  - Consistent reporting across all critical infrastructure industries
HITRUST Roadmap 2018

- HITRUST CSF v10*
  - Update NIST CsF v1.1 content/mappings
  - Review and potentially update current COBIT 5 integration
  - Add Baldrige Cybersecurity Assessment
  - Potentially add NSA Adversary Obstruction Requirements
  - Scrub terminology in the CSF (and publish new HITRUST CSF glossary)
  - Identify and classify dependencies amongst CSF control requirements by level
  - Develop CSF control RACI for IaaS providers (potential new assessment/cert)
  - Potentially revise risk factors and control implementation levels**
- HITRUST CSF v10.1*
  - No interim release planned

* Subject to change based on HITRUST CSF Advisory Council recommendations
** Based on an analysis leveraging the new HITRUST CSF Threat Catalogue
AICPA UPDATE
HITRUST and AICPA/SOC 2 Update

- Mapping of SOC 2 Trust Services Principles (TSPs) criteria to HITRUST CSF v8 has been completed for quite some time and should be posted this month to the AICPA website
- Illustrative report for a SOC 2 + HITRUST report based on the 135 security controls or only the controls required for HITRUST CSF certification (currently 66) should also be finalized/posted this month, along with updated FAQ guidance
  - For AICPA reporting geeks, it incorporates SSAE 18
- Longer-term goal is to post guidance/illustrative report/mappings on our site to be more agile and responsive
- Updated version of the Trust Services Criteria (2017 version) released within the past two weeks
  - No longer uses the term "principles" in the title, but rather "criteria"; the 5 principles are now called categories of criteria
  - Aligns with 2013 COSO
  - Better addresses cyber risks
  - Increased flexibility in its application
  - Required for reports issued on or after Dec 15, 2018; earlier adoption allowed
- HITRUST CSF Mapping
  - Version 9 will be mapped to the current version of the TSPs (2016)
  - Anticipate mapping version 10 to the updated release of the TSPs (2017)
AICPA Cyber-Risk Management Reporting Framework

- Key elements: voluntary, market driven, flexible and holistic
- Intended to communicate to stakeholders an organization's cybersecurity risk management programs
- Can address cybersecurity as a whole or a specific business or product
- A separate controls framework is still required as the basis for reporting, e.g., HITRUST CSF
- Components
  - Management description of the cybersecurity risk management program
  - Management assertion on the description and operating effectiveness of the controls
  - CPA/Practitioner report on management's description and operating effectiveness
- Two sets of criteria
  - Description criteria
  - Control criteria: TSPs with Security, Confidentiality and Availability
- Available resources include: Illustrative Cybersecurity Risk Management Report; Description Criteria for Management's Description of the Entity's Cybersecurity Risk Management Program; Practitioner Guide on Reporting (June 1)
MYCSF 2.0
What is MyCSF 2.0?

- The next generation of MyCSF, incorporating new features and improved functionality designed to further streamline and enhance the risk assurance process
- Key areas of improvement include:
  - Cleaner User Interface
  - Streamlined Assessment Navigation
  - Added Functionality
MyCSF 2.0

- Single-Page Assessment View
- Linking of Artifacts
- Multiple Respondents
- Vendor Risk Management
- Analytics & Dashboards
- Mobility
- Certification Verification
HITRUST ASSESSMENT EXCHANGE
What is HITRUST Assessment Exchange (HAX)?

- HITRUST Assessment Exchange is a solution that provides the resources and oversight to ensure an organization's third parties are in compliance with the established requirements
  - A subset of Vendor Risk Management (VRM)
- Leverages innovative technology to manage, track and report on the distribution and collection of vendor assurance information relating to security and privacy risks
- Provides education and support to vendors
- Provides status reporting and a unified view of vendors' security and privacy compliance
- Supports importing of assessment reports into the customer's vendor risk management system for enterprise risk management
- Leverages the HITRUST CSF and Third Party Assurance programs
  - The most widely used programs for Business Associates (BA) in the healthcare industry
Challenges in Managing Vendor Security Risks

- Limited internal resources
- Identifying appropriate resources responsible for security and privacy at third parties
- Educating vendors on your process and expectations
- Follow-up to ensure risks are measured, adequately addressed and managed
- Developing and managing the approach is cost intensive
- Inconsistent vendor security risk evaluation methodology
- Operational and labor intensive process
Challenges in Managing Customer Security Assessment Requests

- Limited internal resources
- Multiple requests for the same information
- Ambiguity of security requirements
- Challenges in providing timely updates
- Inconsistent customer security risk evaluation methodology
- Operational and labor intensive process
How Can HAX Help?

Vendor
- Reduced number of assessments
- Reduced audit fatigue
- Consistent prescriptive criteria
- Assess once, report many
- Timely updates to business partners

Customer
- Single source for HITRUST Assessment data and details
- Electronically consumable information that can be integrated into native VRM/GRC solutions
- Reduces labor intensive efforts to educate vendors on processes and collect information and assurances
How is HAX Unique?

- Leverages the HITRUST CSF and HITRUST CSF Assurance Program assessment report data
- Facilitates exchange of assessment data
  - Exchanges information in electronically consumable form:
    - HITRUST CSF Control Requirements with Maturity Scores
    - Gaps/Corrective Action Plans
    - Scoping (Risk Factor Configuration & Systems)
- Efficient "assess once, report many" approach
  - Share assessment data with multiple business partners simultaneously
  - Granular configuration allows you to share only the information you want to share, and only with those you choose to share it with
- Integrates with leading GRC & VRM solutions
  - VRM portal allows organizations to view their vendors in the Exchange without the need to integrate with a GRC or VRM solution