Cybersecurity Frameworks: NIST CSF is the “What,” and HITRUST is the “How”
When it comes to cybersecurity frameworks, NIST provides the “What” while HITRUST provides the “How.” The NIST Cybersecurity Framework is a great resource for managing cyber risks. NIST describes what an organization must do to protect against cyber threats, while the HITRUST CSF is a comprehensive information privacy and security framework. The HITRUST CSF shows an organization how it can provide those protections, and at the same time comply with other requirements such as HIPAA, PCI, FFIEC, and GDPR through one approach.
To understand why, one must understand the intent of the NIST Cybersecurity Framework, which is to provide an overarching set of guidelines to critical infrastructure industries and to facilitate a minimal level of consistency, as well as depth, breadth and rigor, in industry cybersecurity programs. These principles—what NIST refers to as objectives or “outcomes”—help organizations understand what they must do; however, while providing some examples, they do not tell an organization how it can achieve the intended outcomes.
The HITRUST CSF provides a risk-based approach to the selection of an appropriate set of information security and privacy controls. These controls help provide an industry-specific, acceptable level of due diligence and due care for the protection of sensitive information, and they fully address the outcomes specified by the NIST Cybersecurity Framework. Other components of the HITRUST Approach, such as the CSF Assurance Program, help address other aspects of the NIST Cybersecurity Framework, such as the organization’s Current Profile and Implementation Tiers.
Discuss the roadmap to dual cybersecurity certifications, NIST and HITRUST, for your business with HITRUST expert, Ali Pabrai, at Pabrai@ecfirst.com.
Date: December 25, 2018