The current version of the HITRUST CSF is v9.1. With CSF v9, the number of controls required for HITRUST CSF Certification increased from the 66 required under CSF v8.1 to 75: HITRUST removed 10 of the controls that v8.1 certification required and added 19 new ones (66 - 10 + 19 = 75). CSF v9.1 keeps the same 75 required controls.
How is HITRUST CSF Organized?
The HITRUST CSF is organized around:
- 14 Control Categories
- 46 Control Objectives
- 149 Control Specifications
The HITRUST CSF is built on ISO/IEC 27001 and ISO/IEC 27002. Each Control Specification carries up to three implementation levels, and which level applies to an organization is determined by specific organizational, system and regulatory factors. The CSF Control Categories, each followed by its number of control objectives and control specifications in the form (objectives, specifications), are:
- Information Security Management Program (1, 1)
- Access Control (7, 25)
- Human Resources Security (4, 9)
- Risk Management (1, 4)
- Security Policy (1, 2)
- Organization of Information Security (2, 11)
- Compliance (3, 10)
- Asset Management (2, 5)
- Physical and Environmental Security (2, 13)
- Communications and Operations Management (10, 32)
- Information Systems Acquisition, Development and Maintenance (6, 13)
- Information Security Incident Management (2, 5)
- Business Continuity Management (1, 5)
- Privacy Practices (3, 14)
Each Control Category contains the following:
- Control Reference: Control number and title.
- Control Objective: A statement of the desired result or purpose to be achieved by one or more controls within a HITRUST CSF Control Category.
Each Control contains the following:
- Control Specification: The policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management or legal in nature, that are used to meet the control objective.
- Risk Factor: The organizational, system and regulatory factors that drive the requirement for a higher level of control.
- Implementation Requirement: Detailed information to support implementing the control and meeting the control objective. Up to three levels of requirements are defined, based on the relevant organizational or system applicability factors. Level 1 is the minimum baseline set of control requirements as determined by the industry. Each higher level includes everything in the lower levels plus additional requirements commensurate with the increased level of risk.
- Control Assessment Guidance: Guidance on performing an assessment is included in the online version of the HITRUST CSF, available as Illustrative Procedures in MyCSF. It is intended to give both assessor organizations and adopters of the HITRUST CSF (e.g., compliance or internal audit) a consistent basis for validating the security controls an organization has implemented against the CSF requirements. The guidance covers examination of documentation, interviews with personnel and testing of technical implementation. Although illustrative, these procedures should be the starting point when planning an assessment and developing a test plan.
- Standard Mapping: The cross-reference between each Implementation Requirement Level and the requirements and controls of other common standards and regulations.
HITRUST CSF Certification Controls: Examples
One of the controls added when the required count rose to 75 is Change Control Procedures. It requires that the implementation of changes, including patches, service packs and other updates and modifications, be controlled through formal change control procedures.

Another is in control category 0.0, Information Security Management Program, which requires that an organization's Information Security Management Program be defined in terms of the characteristics of the business, and then established and managed through ongoing monitoring, maintenance and improvement.

A third example is Monitoring and Review of Third Party Services, in control category 09.0, Communications and Operations Management. It requires that the services, reports and records provided by a third party be regularly monitored and reviewed, and that audits be carried out regularly to govern and maintain compliance with the service delivery agreements.
Organizations should closely examine the 75 controls required for HITRUST CSF certification and evaluate their readiness to meet the minimum requirements for each.
For a complete list of the 75 controls required for HITRUST CSF certification, contact me at Pabrai@ecfirst.com.
Date: September 11, 2018