The HITRUST CSF® is updated at least annually based on relevant new or updated authoritative sources, such as regulations, standards and best practices, as well as in response to changes in technology or to the root causes of data losses and breaches. Even so, the CSF may not be as responsive to a changing threat environment as one would like, because the frequency of updates to the underlying authoritative sources can range from years—as with NIST SP 800-53—to almost a decade—as with ISO/IEC 27001. Consequently, any organization relying on the next release of any control framework, not just the CSF, will always be slightly more reactive than an organization that has the capability to conduct the ongoing analyses necessary to address unique, active or emergent threats.
Identifying threats is a major component of a comprehensive risk analysis process for any organization seeking to protect their sensitive data and helps determine what adverse events are relevant to the organization and must be controlled. For example, the increased frequency of ransomware attacks required organizations – of all types and sizes – to re-examine their controls around data backup and restoration and ensure they could successfully recover their data if such an attack occurred.
HITRUST ‘stands on the shoulders of giants’ and relies on the risk analyses performed by authors of the underlying control frameworks and other authoritative sources integrated in the CSF. However, understanding how the CSF controls address extant and emerging threats would not only help HITRUST make the framework more responsive, it would allow organizations leveraging the framework to be more responsive as well.
Unfortunately, a comprehensive threat list that could support risk analysis and help organizations better understand and mitigate threats to sensitive information was generally unavailable. Given the significance of this gap, HITRUST set out to identify a complete set of threats at a level of granularity consistent with the HITRUST CSF control requirements used to address them.
The result is the HITRUST Threat Catalogue™, which consists of a PDF file listing what is intended to be a mutually exclusive and collectively exhaustive enumeration of threats, and an XLS file that provides a mapping of these threats to specific technical, physical and administrative controls in the HITRUST CSF v10 along with associated definitions. A mapping between the HITRUST CSF v10 controls and CSF v9.1 is also provided in the Catalog.
Threats have been categorized in what is thought to be a logical grouping of types, categories, and sub-categories. The Threat Catalog defines three types of threat: logical, physical, and organizational. Each type is divided into categories such as intentional, unintentional, and force majeure. Sub-categories further refine the categories into specific descriptors of the threat activity. Each threat has a unique identifier consisting of the first character of the name of each hierarchical level combined with a numerical value; for example, logical, intentional, and conflict yield the prefix LIC, and the individual threats under it are numbered 0, 1, and so on.
Users of the Threat Catalog should be aware that, as with any tool, it has certain limitations. For example, the Threat Catalog is not intended to address threats that do not impact the confidentiality, integrity or availability of sensitive information, nor is it intended to provide a list that is more granular than the control requirements in the HITRUST CSF. It also does not support threat modeling for specific applications or architectures, although it could be leveraged in the general threat modeling process.
Download full HITRUST CSF Threat Catalogue Here
Date: November 13, 2018