Model Approach to Efficient and Cost-Effective Third-Party Assurance

CHALLENGES WITH THIRD-PARTY ASSURANCE
What's Driving Demand for Increased Assurance?
- Increasing risk posed by third parties
- Increasing cyber threat landscape
- Confusion: what is reasonable, appropriate or adequate?
- Growing compliance risk and liability: breach and legal costs; regulatory penalties
(Chart on the original slide: Compliance Effectiveness vs. Cost of Compliance)
Approach from Customer (Covered Entity)
- Request detailed information on the Business Associate or Vendor Security Program
  - Scope of information they receive
  - What was tested
  - How the information was vetted
- Require appropriate assurances
  - No consistency of request
  - Self-attestation and questionnaires
  - Proprietary assessments
  - Third-party audits
- Obtain assurances in a format they can understand and consume
(Diagram on the original slide: each Customer connected to several Business Partners)
Response from Business Partners
- Negotiate requests they receive from their customers
  - Suggest alternative approaches
- Complicates the contracting process due to unique security requirements
- Broad range and inconsistent expectations for responses to questionnaires; inability to effectively leverage responses across organizations
- Dedicate staff and funding to those requiring unique approaches
(Diagram on the original slide: multiple Customers each sending their own Requirements to the Business Partner (BP) and each receiving a separate Audit Report)
Implications of the Current Response
Customers
- Requires significant resources to engage, negotiate and track assurances
Business Partners
- Dedicates significant resources to respond to duplicative and redundant assurance requests
- Incurs costs to comply and satisfy requests and requirements
- Creates inconsistency around acceptable standards of due diligence and due care
- Distracts resources from other security-related programs
Although addressed in many different ways, there are only so many privacy and security controls one can implement and assess.
Universal Agreement that the Current Model is Broken
- There are no scenarios where performing 25, 50, 250 or more unique assessments makes sense for a business partner to communicate their information privacy and security posture (on the same scope)
- Nor does maintaining and supporting an organization-specific assessment methodology and performing assessments
- HITRUST has been working with organizations and business partners to identify a practical and implementable approach:
  - Common requirements
  - Uniform assessment process
  - Simplified reporting
  - More efficient and effective compliance process
Section 4: HOW HITRUST FACILITATES THIRD-PARTY ASSURANCE
Approach Taken in the Healthcare Industry
- To minimize the cost, time and effort around third-party assurance, initially five (5) of the largest U.S. health plans notified industry of updates to their business associate and partner agreements, specifically use of the HITRUST CSF Assurance Program
  - HITRUST CSF certification or SOC 2 leveraging HITRUST CSF controls is required
  - 2-year implementation schedule
- Created the momentum to move the industry and vendor community
HITRUST CSF Assurance Program
- Provides a common set of information security and privacy requirements through the HITRUST CSF
- Provides standardized assessment and reporting processes
  - Improved efficiency
  - Lowered costs
- Helps ensure organizations can trust that their business partners are adequately protecting sensitive information through HITRUST's oversight and governance of the program
For more information, see https://hitrustalliance.net/csf/ and https://hitrustalliance.net/csf-assurance/
A Win-Win for Customers and Vendors
- Established a uniform set of expectations for communicating information privacy and security posture
- Reduced time and expense on redundant audits, assessments, and onsite reviews
- Reduced time and expense of procurement managing various assessment processes
- Facilitates a specific level of assurance around implemented controls
(Diagram on the original slide: the Business Partner (BP) performs one HITRUST Assessment against the HITRUST CSF requirements, and each Customer receives that same assessment)
The HITRUST Vendor/Business Associate Council
Provides healthcare vendors the opportunity to drive efficiency and effectiveness in third-party assurance.
Arvato Digital Services, Armor, Availity, Azure (Microsoft), Catalyze, Change Healthcare, Cognizant, Dropbox, Epic Systems, Fiserv, Healthedge, HMS, PDHI, RR Donnelley, Salesforce, West Corporation, Xerox Corporation
Vendor / Market Support

KEY ELEMENTS OF THE APPROACH
Transparency
The approach should be open and transparent.
- Requirements are agnostic for similar types of sensitive information
  - Integrates relevant federal control baselines
  - Incorporates industry leading practices
  - Leverages threat-to-control relationships*
- Entire program is publicly available and commonly understandable
  - Control framework / requirements
  - Assessment methodology / procedures
  - Scoring model
* Leveraging the HITRUST Threat Catalogue
Accuracy
The approach should ensure accuracy in evaluation and reporting of the implemented controls.
- HITRUST uses a 5x5 control maturity and scoring model to evaluate the HITRUST CSF's control requirements
  - 5 maturity levels for each control requirement
  - 5 scoring levels for each control maturity level
- HITRUST also provides a scoring rubric for each maturity level
Consistency
The approach should ensure consistency in evaluation and reporting regardless of the specific assessor used.
- Extensive assessment guidance
  - General guidance for each maturity level
  - Specific guidance for each control
- HITRUST quality assurance review process
  - Applies to all third-party assessments
- Standardized reporting format
Scalability
The approach should be scalable enough to address the needs of the entire industry, while maintaining consistency and accuracy.
- Formal HITRUST CSF Assessor Program
  - HITRUST CSF trained staff
  - Experience/capabilities vetted by HITRUST
- Choose from a pool of certified HITRUST CSF Assessors to ensure
  - The best fit
  - The best price
- Program is market-based
  - As demand for assurances increases, so does the pool of HITRUST CSF Assessor organizations
Efficiency
The approach should allow an organization to "assess once and report many", i.e., an assessment must address multiple compliance and best practice requirements and support the reporting of assurances tailored to each requirement.
- HITRUST fully leverages the Assess Once, Report Many approach
  - Multiple security requirements (e.g., legal, regulatory)
  - One cybersecurity program
  - One targeted, cost-effective assessment that provides a reasonable level of assurance at a reasonable cost
  - Multiple reporting options from a single assessment
CSF Assurance - Degrees of Assurance
- CSF Self Assessments can be conducted by the business associate
- CSF Validated or Certified requires third-party engagement
Reporting Options

HITRUST CSF Report
- Type of report (relevant standard): HITRUST CSF Assurance
- Scope of report: HITRUST CSF controls (may or may not be limited to those required for certification)
- Intended users: Unlimited distribution
- Resulting deliverable: HITRUST CSF report with background, mgmt. rep., scope, results of maturity scores, CAPs, NIST CsF scorecard/certification
- Report issued by: HITRUST
- Report addresses: HITRUST CSF, NIST CsF

SOC 2 Report with HITRUST CSF
- Type of report (relevant standard): AT101
- Scope of report: Security, availability, confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
- Intended users: Limited distribution
- Resulting deliverable: Attest opinion with description of systems & service auditor tests/results against selected Trust Services Principles; HITRUST CSF controls (suitable criteria)
- Report issued by: Independent CPA firms
- Report addresses: HITRUST CSF, AICPA Trust Services Principles

SOC 2 + HITRUST CSF Report
- Type of report (relevant standard): AT101 + HITRUST CSF Assurance
- Scope of report: Security, availability, confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
- Intended users: Limited distribution
- Resulting deliverable: Attest opinion with description of systems & service auditor tests/results against selected Trust Services Principles, HITRUST CSF controls (suitable criteria); HITRUST CSF report with background, mgmt. rep., scope, scores, CAPs, NIST CsF scorecard/certification
- Report issued by: Independent CPA firms, HITRUST
- Report addresses: HITRUST CSF, AICPA Trust Services Principles, NIST CsF
Reliability
The approach should provide a high degree of assurance for relying parties, such as internal stakeholders (e.g., audit, management, Board of Directors) and external stakeholders (e.g., customers, business partners, vendors and regulators).
- Obtained through: Transparency, Accuracy, Consistency, Scalability
- Provided by: HITRUST CSF, HITRUST CSF Assurance Program, HITRUST CSF Assessor Program
(Diagram on the original slide: RELIABILITY at the centre, surrounded by Transparency, Accuracy, Consistency and Scalability)
ASSESSMENT EXCHANGE

HITRUST Assessment Exchange
- Innovative way to request, manage, view and share HITRUST CSF assessment data in an electronically consumable format
- Supports integration with leading GRC/VRM platforms
Challenges in Managing Risk Assessments
- Limited internal resources
- Identifying appropriate resources responsible for security and privacy at third parties
- Educating vendors on your process and expectations
- Follow-up to ensure risks are measured, adequately addressed and managed
- Developing and managing the approach is cost intensive
- Inconsistent vendor security risk evaluation methodology
- Operational and labor intensive process
Benefits to an Exchange
Vendor outreach
- Contact vendor and identify points of contact
  - Deliver POC and contact information as part of the vendor profile
- HITRUST can emphasize the importance of assurance by contacting a vendor on behalf of many versus on behalf of one
- Centralized vendor population management and tracking ensures efficient outreach and emphasizes importance
Vendor education
- Experienced HITRUST CSF Assurance personnel to explain the assessment & assurance processes
- Technical support for MyCSF and assessment-related questions
- Vendors can benchmark themselves against one or more populations to see where they stand
Visibility into status of vendors / third-party assurance
- Provide a portal for a unified view of vendor risk postures & tracking progress
  - View all vendors in one central location
  - View a vendor's progress through the assurance process
- Perform vendor analysis and comparison across your vendor population via pre-defined and ad hoc reporting capabilities
- Open API allows for easy import and export of data from HITRUST to an organization's native tools
Benefits to an Exchange (continued)
- Provide a means to track corrective actions
  - Receive real-time updates on corrective actions of vendors
  - Analysis of control gaps across your vendor population
  - Define and enable business rule alerts that notify you when a vendor makes an update or changes the assessment results
- Provide the ability to export results in a format that is easy to import into local GRC or VRM solutions
  - Map data elements to native systems quickly and with little effort
  - Create and report on security metrics across a vendor population
  - Understand vendor relationships & identify weak links in the chain
COMMON QUESTIONS
What does the HITRUST CSF Include?
The HITRUST CSF provides coverage across multiple regulations and includes significant components from other well-respected IT security standards bodies and governance sources. It is scalable, risk-based, industry-agnostic and certifiable.
Legislative, regulatory, and best practice standards and frameworks include, but are not limited to:
- ISO/IEC 27001:2005, 2013; 27002:2005, 2013; 27799:2008
- CFR Part 11
- COBIT 4.1
- NIST SP 800-53 Revision 4
- NIST Cybersecurity Framework (CsF)
- DHS Cyber Resilience Review (in CSF v9)
- NIST SP 800-66 Revision 1
- PCI DSS version 3
- FTC Red Flags Rule
- FFIEC IT InfoSec Examination (in CSF v9)
- 201 CMR 17.00 (State of Mass.)
- NRS 603A (State of Nev.)
- CSA Cloud Controls Matrix version 3.1
- CIS CSC version 6 (SANS Top 20)
- CMS IS ARS version 2
- MARS-E version 2
- IRS Pub 1075 v2014
- FedRAMP (in CSF v9)
These sources are analyzed, rationalized and consolidated.
Scoping factors:
- Regulatory: federal, state and domain-specific compliance requirements
- Organization: geographic factors; number of records processed or held
- System: data stores; external connections; number of users/transactions
Framework structure: Control Categories (14), Control Objectives (45), Control Specifications (149)
Control Categories:
1. Information Security Management Program
2. Access Control
3. Human Resources Security
4. Risk Management
5. Security Policy
6. Organization of Information Security
7. Compliance
8. Asset Management
9. Physical and Environmental Security
10. Communications and Operations Management
11. Information Systems Acquisition, Development & Maintenance
12. Information Security Incident Management
13. Business Continuity Management
14. Privacy Practices
Does this mean I have to redo my security program?
The HITRUST CSF covers 100% of the:
- ISO 27002:2005 controls (mapping is trivial, as the HITRUST CSF is built on ISO 27001:2005)*
- ISO 27002:2013 controls (depicted in a figure on the original slide)
- NIST SP 800-53 r4 controls, moderate-level baseline (depicted in a figure on the original slide)
To simplify the process of aligning from a standard like ISO or NIST to the HITRUST CSF, HITRUST provides a HITRUST CSF Standards & Regulations Cross-Reference (X-Ref) spreadsheet with detailed mappings (examples depicted on the original slide).
* HITRUST CSF control category 0.0 addresses the original ISMS requirements in Section 4 of ISO 27001:2005
How does all this facilitate trust?
Why can't I just do a SOC 2?
- HITRUST CSF meets AICPA SOC 2 reporting requirements for suitable criteria
  - Realize significant time efficiencies and cost savings
  - Reduce inefficiencies/costs associated with multiple reporting requirements
  - Provide additional detail around how an organization is addressing internal control
- Lack of uniform acceptable controls criteria results in a reduction of the following when viewed across multiple entities:
  - Transparency
  - Accuracy
  - Consistency
  - Reliability
What does "acceptable controls criteria" mean?
- The SOC 2 guide and Appendix C of TSP section 100 require an organization to establish controls that meet all applicable trust services criteria
  - The control objectives must align with the applicable trust services criteria, and the controls must address all of the applicable trust services criteria
- AICPA requirements for suitable criteria:
  - Objectivity
  - Measurability
  - Completeness
  - Relevance
Why can't I just use the NIST Cybersecurity Framework?
- The HITRUST CSF provides the foundation needed to implement the NIST Cybersecurity Framework.
- Although scalable, the NIST CSF lacks prescription in:
  - Requirements
  - Assessment methodology
- Subsequently lacks:
  - Transparency
  - Accuracy
  - Consistency
  - Reliability
Why can't I just do the AICPA Cyber Examination?
- The AICPA Cyber Examination consists of two major components:
  - A description of an entity's program based on new description criteria
  - An assessment of control effectiveness based on its control criteria
- As with the AICPA Trust Services Principles, additional information (specificity) is needed to address the criteria, and the Cyber Examination would result in a reduction of the following when viewed across multiple entities:
  - Transparency
  - Accuracy
  - Consistency
  - Reliability
How do I know what was in place and tested?
Contents of the HITRUST CSF Validated and Certified Report:
- Letter of Certification
- Representation Letter
- Assessment Context
- Assessment Scope
- Security Program Analysis
- Assessment Results
- Overall Security Program Summary
- Breakdown of Controls Required for Certification
- Testing Summary
- Corrective Action Plan
- Questionnaire Results (Detailed)
- System Profile
How do I benefit from all this?
- Redundant, inconsistent assessments result in lost productivity and additional costs
- A more efficient, streamlined approach benefits the Plan and the Plan Sponsor
- Recommended approach leverages:
  - A single controls framework for context
  - A strong assessment methodology that provides high assurance and consistency
  - A single assessment to provide efficient reporting
- HITRUST CSF control maturity scoring
  - SOC 2: HITRUST CSF provides SOC 2 the necessary prescriptiveness and transparency for availability, confidentiality and security criteria
  - NIST Cybersecurity Framework: HITRUST CSF provides the basis for consistency, HITRUST CSF Assurance enables transparency and assurance, and the scorecard enables reporting on NIST CsF Core Subcategories
Questions

Visit for more information
To view our latest documents, visit the Content Spotlight.
HITRUST Resources
- Healthcare Sector CsF Implementation Guide: Discusses healthcare's implementation of the NIST Cybersecurity Framework based on the HITRUST CSF and CSF Assurance Program. https://hitrustalliance.net/documents/cybersecurity/hitrust_healthcare_sector_cybersecurity_framework_implementation_guide.pdf
- Risk vs. Compliance-based Protection: Discusses the difference between compliance- and risk-based information protection programs and shows how controls are selected based on a risk analysis, after which their implementation becomes a compliance exercise. https://hitrustalliance.net/documents/csf_rmf_related/riskvscompliancewhitepaper.pdf
- Risk Analysis Guide: Provides a detailed discussion of HITRUST's NIST-based control implementation maturity model, HITRUST's scoring model, and additional information on risk treatments, including remediation planning for control deficiencies. https://hitrustalliance.net/documents/csf_rmf_related/riskanalysisguide.pdf
- MyCSF vs. GRC Tools: Provides a discussion of the differences between a typical GRC tool and MyCSF, which was primarily designed to automate HITRUST's assessment validation and certification process. https://hitrustalliance.net/documents/content/mycsfvsgrctool.pdf
- CSF Assessment Methodology: Discusses HITRUST's NIST-based approach to conducting CSF assessments, including information on how to determine organizational and system scope. https://hitrustalliance.net/documents/assurance/csf/csfassessmentmethodology.pdf
- CSF Assurance Program Requirements: Provides an overview of the CSF Assurance Program, the various types of assessments available, and the process of obtaining and maintaining certification. https://hitrustalliance.net/documents/assurance/csf/csfassuranceprogramrequirements.pdf