Model Approach to Efficient and Cost-Effective Third-Party Assurance



CHALLENGES WITH THIRD-PARTY ASSURANCE

What's Driving Demand for Increased Assurance?
- Increasing risk posed by third parties
- Increasing cyber threat landscape
- Confusion: what is reasonable, appropriate or adequate?
- Growing compliance risk and liability: breach and legal costs; regulatory penalties
(Figure: compliance effectiveness plotted against cost of compliance)

Approach from Customer (Covered Entity)
- Request detailed information on the Business Associate or Vendor Security Program
  - Self-attestation and questionnaires
  - Proprietary assessments
  - Third-party audits
- Require appropriate assurances on:
  - Scope of information they receive
  - What was tested
  - How the information was vetted
- No consistency of request
- Obtain assurances in a format they can understand and consume
(Figure: a single customer requesting assurances from many business partners)

Response from Business Partners
- Negotiate requests they receive from their customers
  - Suggest alternative approaches
  - Complicates the contracting process due to unique security requirements
- Broad range and inconsistent expectations for responses to questionnaires; inability to effectively leverage responses across organizations
- Dedicate staff and funding to those requiring unique approaches
(Figure: each customer sends its own requirements to each business partner and receives a separate audit report, e.g. Audit Report 1, 2, X, Y)

Implications of the Current Response
Customers
- Requires significant resources to engage, negotiate and track assurances
Business Partners
- Dedicates significant resources to respond to duplicative and redundant assurance requests
- Incurs costs to comply and satisfy requests and requirements
- Creates inconsistency around acceptable standards of due diligence and due care
- Distracts resources from other security-related programs
Although addressed in many different ways, there are only so many privacy and security controls one can implement and assess.

Universal Agreement that the Current Model is Broken
- There are no scenarios where performing 25, 50, 250 or more unique assessments makes sense for a business partner to communicate its information privacy and security posture (on the same scope)
- Nor does maintaining and supporting an organization-specific assessment methodology and performing assessments
- HITRUST has been working with organizations and business partners to identify a practical and implementable approach:
  - Common requirements
  - Uniform assessment process
  - Simplified reporting
  - More efficient and effective compliance process

HOW HITRUST FACILITATES THIRD-PARTY ASSURANCE

Approach Taken in Healthcare Industry
To minimize the cost, time and effort around third-party assurance, initially five (5) of the largest U.S. health plans notified the industry of updates to their business associate and partner agreements, specifically use of the HITRUST CSF Assurance Program:
- HITRUST CSF certification or SOC 2 leveraging HITRUST CSF controls is required
- 2-year implementation schedule
This created the momentum to move the industry and vendor community.

HITRUST CSF Assurance Program
- Provides a common set of information security and privacy requirements through the HITRUST CSF
- Provides standardized assessment and reporting processes
  - Improved efficiency
  - Lowered costs
- Helps ensure organizations can trust that their business partners are adequately protecting sensitive information through HITRUST's oversight and governance of the program
For more information, see https://hitrustalliance.net/csf/ and https://hitrustalliance.net/csf-assurance/

A Win-Win for Customers and Vendors
- Established a uniform set of expectations for communicating information privacy and security posture
- Reduced time and expense on redundant audits, assessments, and onsite reviews
- Reduced time and expense of procurement managing various assessment processes
- Facilitates a specific level of assurance around implemented controls
(Figure: every customer relies on the same HITRUST assessment of a business partner against the HITRUST Common Security Framework (CSF) requirements)

The HITRUST Vendor/Business Associate Council
Provides healthcare vendors the opportunity to drive efficiency and effectiveness in third-party assurance. Members: Arvato Digital Services, Armor, Availity, Azure (Microsoft), Catalyze, Change Healthcare, Cognizant, Dropbox, Epic Systems, Fiserv, Healthedge, HMS, PDHI, RR Donnelley, Salesforce, West Corporation, Xerox Corporation.

Vendor / Market Support

KEY ELEMENTS OF THE APPROACH

Transparency
The approach should be open and transparent.
- Requirements are agnostic for similar types of sensitive information
- Integrates relevant federal control baselines
- Incorporates industry leading practices
- Leverages threat-to-control relationships*
- Entire program is publicly available and commonly understandable
  - Control framework / requirements
  - Assessment methodology / procedures
  - Scoring model
*Leveraging the HITRUST Threat Catalogue

Accuracy
The approach should ensure accuracy in evaluation and reporting of the implemented controls.
- HITRUST uses a 5x5 control maturity and scoring model to evaluate the HITRUST CSF's control requirements
  - 5 maturity levels for each control requirement
  - 5 scoring levels for each control maturity level
- HITRUST also provides a scoring rubric for each maturity level

Consistency
The approach should ensure consistency in evaluation and reporting regardless of the specific assessor used.
- Extensive assessment guidance
  - General guidance for each maturity level
  - Specific guidance for each control
- HITRUST quality assurance review process
  - Applies to all third-party assessments
- Standardized reporting format

Scalability
The approach should be scalable enough to address the needs of the entire industry, while maintaining consistency and accuracy.
- Formal HITRUST CSF Assessor Program
  - HITRUST CSF trained staff
  - Experience/capabilities vetted by HITRUST
- Choose from a pool of certified HITRUST CSF Assessors to ensure the best fit and the best price
- Program is market-based: as demand for assurances increases, so does the pool of HITRUST CSF Assessor organizations

Efficiency
The approach should allow an organization to assess once and report many, i.e., an assessment must address multiple compliance and best practice requirements and support the reporting of assurances tailored to each requirement.
HITRUST fully leverages the "Assess Once, Report Many" approach:
- Multiple security requirements (e.g., legal, regulatory)
- One cybersecurity program
- One targeted, cost-effective assessment that provides a reasonable level of assurance at a reasonable cost
- Multiple reporting options from a single assessment

CSF Assurance - Degrees of Assurance
- CSF Self Assessments can be conducted by the business associate
- CSF Validated or Certified requires third-party engagement

Reporting Options

HITRUST CSF Report
- Type of report (relevant standard): HITRUST CSF Assurance
- Scope of report: HITRUST CSF controls (may or may not be limited to those required for certification)
- Intended users: unlimited distribution
- Resulting deliverable: HITRUST CSF report with background, management representation, scope, results of maturity scores, CAPs, NIST CsF scorecard/certification
- Report issued by: HITRUST
- Report addresses: HITRUST CSF, NIST CsF

SOC 2 Report with HITRUST CSF
- Type of report (relevant standard): AT101
- Scope of report: security, availability and confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
- Intended users: limited distribution
- Resulting deliverable: attest opinion with description of systems and service auditor tests/results against selected Trust Services Principles; HITRUST CSF controls (suitable criteria)
- Report issued by: independent CPA firms
- Report addresses: HITRUST CSF, AICPA Trust Services Principles

SOC 2 + HITRUST CSF Report
- Type of report (relevant standard): AT101 + HITRUST CSF Assurance
- Scope of report: security, availability and confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
- Intended users: limited distribution
- Resulting deliverable: attest opinion with description of systems and service auditor tests/results against selected Trust Services Principles, HITRUST CSF controls (suitable criteria); HITRUST CSF report with background, management representation, scope, scores, CAPs, NIST CsF scorecard/certification
- Report issued by: independent CPA firms, HITRUST
- Report addresses: HITRUST CSF, AICPA Trust Services Principles, NIST CsF

Reliability
The approach should provide a high degree of assurance for relying parties, such as internal stakeholders (e.g., audit, management, Board of Directors) and external stakeholders (e.g., customers, business partners, vendors and regulators).
- Obtained through: transparency, accuracy, consistency, scalability
- Provided by: HITRUST CSF, HITRUST CSF Assurance Program, HITRUST CSF Assessor Program
(Figure: reliability at the center, surrounded by transparency, accuracy, consistency and scalability)

ASSESSMENT EXCHANGE

HITRUST Assessment Exchange
- Innovative way to request, manage, view and share HITRUST CSF assessment data in an electronically consumable format
- Supports integration with leading GRC/VRM platforms

Challenges in Managing Risk Assessments
- Limited internal resources
- Identifying appropriate resources responsible for security and privacy at third parties
- Educating vendors on your process and expectations
- Follow-up to ensure risks are measured, adequately addressed and managed
- Developing and managing the approach is cost intensive
- Inconsistent vendor security risk evaluation methodology
- Operational and labor intensive process

Benefits to an Exchange
Vendor outreach
- Contact vendor and identify points of contact
  - Deliver POC and contact information as part of the vendor profile
- HITRUST can emphasize the importance of assurance by contacting a vendor on behalf of many rather than on behalf of one
- Centralized vendor population management and tracking ensures efficient outreach and emphasizes importance
Vendor education
- Experienced HITRUST CSF Assurance personnel to explain the assessment and assurance processes
- Technical support for MyCSF and assessment-related questions
- Vendors can benchmark themselves against one or more populations to see where they stand
Visibility into status of vendors / third-party assurance
- Provide a portal for a unified view of vendor risk postures and tracking progress
  - View all vendors in one central location
  - View a vendor's progress through the assurance process
- Perform vendor analysis and comparison across your vendor population via pre-defined and ad hoc reporting capabilities
- Open API allows for easy import and export of data from HITRUST to an organization's native tools

Benefits to an Exchange (continued)
- Provide a means to track corrective actions
  - Receive real-time updates on corrective actions of vendors
  - Analysis of control gaps across your vendor population
- Define and enable business rule alerts that notify you when a vendor makes an update or changes the assessment results
- Provide the ability to export results in a format that is easy to import into local GRC or VRM solutions
  - Map data elements to native systems quickly and with little effort
- Create and report on security metrics across a vendor population
  - Understand vendor relationships and identify weak links in the chain

COMMON QUESTIONS

What does the HITRUST CSF include?
The HITRUST CSF provides coverage across multiple regulations and includes significant components from other well-respected IT security standards bodies and governance sources. It is scalable, risk-based, industry-agnostic and certifiable.
Legislative, regulatory, and best-practice standards and frameworks include, but are not limited to:
- ISO/IEC 27001:2005 and 2013, 27002:2005 and 2013, 27799:2008
- CFR Part 11
- COBIT 4.1
- NIST SP 800-53 Revision 4
- NIST Cybersecurity Framework (CsF)
- DHS Cyber Resilience Review (in CSF v9)
- NIST SP 800-66 Revision 1
- PCI DSS version 3
- FTC Red Flags Rule
- FFIEC IT InfoSec Examination (in CSF v9)
- 201 CMR 17.00 (State of Mass.)
- NRS 603A (State of Nev.)
- CSA Cloud Controls Matrix version 3.1
- CIS CSC version 6 (SANS Top 20)
- CMS IS ARS version 2
- MARS-E version 2
- IRS Pub 1075 v2014
- FedRAMP (in CSF v9)
These sources are analyzed, rationalized and consolidated.
Scoping factors:
- Regulatory: federal, state and domain-specific compliance requirements
- Organization: geographic factors; number of records processed or held
- System: data stores; external connections; number of users/transactions
Structure: 14 control categories, 45 control objectives, 149 control specifications.
Control categories:
1. Information Security Management Program
2. Access Control
3. Human Resources Security
4. Risk Management
5. Security Policy
6. Organization of Information Security
7. Compliance
8. Asset Management
9. Physical and Environmental Security
10. Communications and Operations Management
11. Information Systems Acquisition, Development & Maintenance
12. Information Security Incident Management
13. Business Continuity Management
14. Privacy Practices

Does this mean I have to redo my security program?
The HITRUST CSF covers 100% of the:
- ISO 27002:2005 controls (mapping is trivial, as the HITRUST CSF is built on ISO 27001:2005)
- ISO 27002:2013 controls (depicted on the left)
- NIST SP 800-53 r4 controls, moderate-level baseline (depicted on the left)
To simplify the process of aligning from a standard like ISO or NIST to the HITRUST CSF, HITRUST provides a HITRUST CSF Standards & Regulations Cross-Reference (X-Ref) spreadsheet with detailed mappings (depicted by the examples on the right).
*HITRUST CSF control category 0.0 addresses the original ISMS requirements in Section 4 of ISO 27001:2005

How does all this facilitate trust?

Why can't I just do a SOC 2?
- HITRUST CSF meets AICPA SOC 2 reporting requirements for suitable criteria
  - Realize significant time efficiencies and cost savings
  - Reduce inefficiencies/costs associated with multiple reporting requirements
  - Provide additional detail around how an organization is addressing internal control
- Lack of uniform acceptable controls criteria results in a reduction of the following when viewed across multiple entities: transparency, accuracy, consistency, reliability

What does "acceptable controls criteria" mean?
- The SOC 2 guide and Appendix C of TSP section 100 require an organization to establish controls that meet all applicable trust services criteria
- The control objectives must align with the applicable trust services criteria, and the controls must address all of the applicable trust services criteria
- AICPA requirements for suitable criteria: objectivity, measurability, completeness, relevance

Why can't I just use the NIST Cybersecurity Framework?
- The HITRUST CSF provides the foundation needed to implement the NIST Cybersecurity Framework
- Although scalable, the NIST CSF lacks prescription in:
  - Requirements
  - Assessment methodology
- Subsequently lacks: transparency, accuracy, consistency, reliability

Why can't I just do the AICPA Cyber Examination?
- The AICPA Cyber Examination consists of two major components:
  - A description of an entity's program based on new description criteria
  - An assessment of control effectiveness based on its control criteria
- As with the AICPA Trust Services Principles, additional information (specificity) is needed to address the criteria, and the Cyber Examination would result in a reduction of the following when viewed across multiple entities: transparency, accuracy, consistency, reliability

How do I know what was in place and tested?
HITRUST CSF Validated and Certified Report contents:
- Letter of Certification
- Representation Letter
- Assessment Context
- Assessment Scope
- Security Program Analysis
- Assessment Results
  - Overall Security Program Summary
  - Breakdown of Controls Required for Certification
  - Testing Summary
- Corrective Action Plan
- Questionnaire Results (Detailed)
- System Profile

How do I benefit from all this?
- Redundant, inconsistent assessments result in lost productivity and additional costs
- A more efficient, streamlined approach benefits the Plan and the Plan Sponsor
- Recommended approach leverages:
  - A single controls framework for context
  - A strong assessment methodology that provides high assurance and consistency
  - A single assessment to provide efficient reporting
- HITRUST CSF control maturity scoring
  - SOC 2: HITRUST CSF provides SOC 2 the necessary prescriptiveness and transparency for availability, confidentiality and security criteria
  - NIST Cybersecurity Framework: HITRUST CSF provides the basis for consistency, HITRUST CSF Assurance enables transparency and assurance, and the scorecard enables reporting on NIST CsF Core Subcategories

Questions

Visit for more information. To view our latest documents, visit the Content Spotlight.

HITRUST Resources
- Healthcare Sector CsF Implementation Guide: discusses healthcare's implementation of the NIST Cybersecurity Framework based on the HITRUST CSF and CSF Assurance Program. https://hitrustalliance.net/documents/cybersecurity/hitrust_healthcare_sector_cybersecurity_framework_implementation_guide.pdf
- Risk vs. Compliance-based Protection: discusses the difference between compliance- and risk-based information protection programs and shows how controls are selected based on a risk analysis, after which their implementation becomes a compliance exercise. https://hitrustalliance.net/documents/csf_rmf_related/riskvscompliancewhitepaper.pdf
- Risk Analysis Guide: provides a detailed discussion of HITRUST's NIST-based control implementation maturity model, HITRUST's scoring model, and additional information on risk treatments, including remediation planning for control deficiencies. https://hitrustalliance.net/documents/csf_rmf_related/riskanalysisguide.pdf
- MyCSF vs. GRC Tools: provides a discussion of the differences between a typical GRC tool and MyCSF, which was primarily designed to automate HITRUST's assessment validation and certification process. https://hitrustalliance.net/documents/content/mycsfvsgrctool.pdf
- CSF Assessment Methodology: discusses HITRUST's NIST-based approach to conducting CSF assessments, including information on how to determine organizational and system scope. https://hitrustalliance.net/documents/assurance/csf/csfassessmentmethodology.pdf
- CSF Assurance Program Requirements: provides an overview of the CSF Assurance Program, the various types of assessments available, and the process of obtaining and maintaining certification. https://hitrustalliance.net/documents/assurance/csf/csfassuranceprogramrequirements.pdf