WEBINAR: COMPLIANCE 101: HITRUST UPDATE 2023
Presented by:
Omkar Salunkhe, ControlCase Partner, HITRUST
Kishor Vaswani, ControlCase Chief Strategy Officer
Speakers
© ControlCase. All Rights Reserved. 2
Omkar Salunkhe, ControlCase Partner, HITRUST
Having worked for ControlCase for the past 8 years, Omkar is now the HITRUST Partner, a Subject Matter Expert who oversees all of ControlCase clients’ HITRUST Certifications globally.

Kishor Vaswani, ControlCase Chief Strategy Officer
Kishor founded ControlCase (an IT Security and Compliance company) in 2004 and scaled it through its expansion to more than 1,000 customers in 40 countries.
Agenda
A. Introduction to ControlCase
B. What is HITRUST?
C. Latest Updates to HITRUST
D. Types of HITRUST Assessments
E. HITRUST Domains
F. ControlCase Methodology
G. Q&A
HITRUST Certification

A. Introduction to ControlCase
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically cut the time, cost, and burden of becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies
  ⁃ Do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner

1,000+ clients
10,000+ IT security certifications
300+ security experts
Solution
Certification and Continuous Compliance Services

“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
Certification Services
One Audit™
Assess Once. Comply to Many.
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant

Frameworks covered: PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, HITRUST CSF, HIPAA, PCI P2PE, GDPR, NIST CSF, Risk Assessment, PCI PIN, PCI SSF, FedRAMP, PCI 3DS
B. What is HITRUST?
What is HITRUST?
Founded in 2007 to help companies safeguard sensitive data and manage risk.

Established a certifiable framework for organizations that create, access, store, or exchange covered or sensitive information.

Originated from the belief that information security is critical to the widespread utilization of and confidence in health information systems, medical technologies, and electronic exchanges of medical data. Now, the HITRUST CSF is industry agnostic.
What is the HITRUST CSF?
The HITRUST CSF Framework (CSF) rationalizes and harmonizes relevant data protection regulations and standards into a single overarching security and privacy framework. The HITRUST CSF:
• Allows organizations to tailor their security control baselines to their specific information security requirements.
• Incorporates both compliance and risk management principles.
• Defines a process to effectively and efficiently evaluate compliance and security risk.
• Supports HITRUST Certification.
Key components of the CSF assurance program
Standardized Tools & Processes

Questionnaire
• Focus assurance dollars to efficiently assess risk exposure
• Measured approach based on risk and compliance
• Ability to escalate assurance level based on risk

Report
• Output that is consistently interpreted across the industry

Rigorous Assurance
• Multiple assurance options based on risk
• Quality control processes to ensure consistent quality and output across HITRUST External Assessors
• Streamlined and measurable process within the HITRUST MyCSF tool
• End User support
C. Latest Updates to HITRUST
What are the 2023 HITRUST Updates?
Summary of Changes v11
• Moved evaluative elements from the Policy Illustrative Procedure to the Requirement Statement
• Added selectable Compliance factors and refreshed various mappings to authoritative sources
• Updated Illustrative Procedure Content
• Assorted errata updates consistent with the CSF Versioning Policy

New Certification: e1 Assessment
• Basic cybersecurity hygiene
• Less than 50 requirement statements
• Annual certification
• Quicker assurance
D. Types of HITRUST Assessments
Types of HITRUST Assessments
Columns: Assessment Type / # of HITRUST Requirements / Subject Matter, Focus / Control Maturity Levels

HITRUST Essentials, e1 Assessment (valid for 1 year)
# of HITRUST Requirements: Less than 50
Subject Matter / Focus: Requirements addressing:
• Basic cybersecurity hygiene
• The most critical cyber threats (e.g., ransomware, phishing, password stuffing)
Control Maturity Levels: Implemented only (but some requirements are P&P-focused)

HITRUST Implemented, i1 Assessment (valid for 1 year)
# of HITRUST Requirements: Approx. 180 (v11); 219 (v9.6.2)
Subject Matter / Focus: All requirements in the e1, PLUS:
• Leading cybersecurity practices
• Requirements mapping to even more cyber threats
Control Maturity Levels: Implemented only (but some requirements are P&P-focused)

HITRUST Risk-Based, r2 Assessment (valid for 2 years)
# of HITRUST Requirements: Varies based on risk and compliance factors
Subject Matter / Focus: All requirements in the e1 and i1, PLUS:
• Requirements addressing inherent risk factors
• Requirements addressing added compliance factors (e.g., HICP, GDPR)
Control Maturity Levels: Must: Policy, Procedure, Implemented; Optional: Measured & Managed

Assessment sub-types:
Readiness: Can result in a certification? No. Needs an external assessor? No. QA’d by HITRUST? No. Share-able via RDS? Yes. Results in a HITRUST-issued PDF? Optional.
Validated: Can result in a certification? Yes. Needs an external assessor? Yes. QA’d by HITRUST? Yes. Share-able via RDS? Yes. Results in a HITRUST-issued PDF? Yes.
Types of HITRUST Assessments
For v11, HITRUST has aligned the selection of requirement statements used for the e1 assessment, i1 assessment, and r2 assessment baseline, so that each assessment builds upon the core requirement statements that are included in the e1 assessment.

CSF v11 typical assessment durations:
• e1 Assessment: 3 months
• i1 Assessment: 5 months
• r2 Assessment: 8 months
E. HITRUST Domains
What are the HITRUST domains?
1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Security
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging & Monitoring
13. Education, Training and Awareness
14. Third Party Assurance
15. Incident Management
16. Business Continuity & Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection & Privacy
F. ControlCase Methodology
ControlCase Methodology for HITRUST Validated Assessment

ControlCase will follow a 6-PHASE APPROACH for the HITRUST Assessment:
• Customer purchases MyCSF Subscription.
• ControlCase helps to finalize scope and build the assessment.
• ControlCase assigns an independent readiness consultant to guide the customer in providing the required HITRUST evidence.
• Based on the collected evidence, the consultant also helps the customer with scoring, as per HITRUST requirements.
• Customer purchases the validated assessment from HITRUST once ready.
• ControlCase helps the customer identify a submission date and complete the reservation for HITRUST QA.
• HITRUST Validated Assessment: an independent ControlCase auditor (HITRUST CCSFP) completes the validated assessment and required testing.
• Documentation for CAPs.
• ControlCase Quality Assurance.
• Engagement Executive Review.
• ControlCase moves evidence to MyCSF.
• Submit to HITRUST.
• HITRUST QA.
• Final Certified/Validated Report.
High-Level HITRUST Certification Plan (r2 Validated Assessment)
Timeline: Month 1 through Month 7, then Month 8 onwards
Phase 1: CC/Customer (1 month)
Phase 2: CC/Customer (4 months)
Phase 3: CC/Customer (1 month)
Phase 4: CC (3 months)
Phase 5: CC/Customer (1 month)
Phase 6: CC submission to HITRUST, then HITRUST Quality Assurance (Month 8 onwards)
High-Level HITRUST Certification Plan (i1 Validated Assessment)
Timeline: Month 1 through Month 5, then Month 6 onwards
Phase 1: CC/Customer (1 month)
Phase 2: CC/Customer (3 months)
Phase 3: CC/Customer (1 month)
Phase 4: CC (2 months)
Phase 5: CC/Customer (1 month)
Phase 6: CC submission to HITRUST, then HITRUST Quality Assurance (Month 6 onwards)
High-Level HITRUST Certification Plan (e1 Validated Assessment)
Timeline: Month 1 through Month 3, then Month 4 onwards
Phase 1: CC/Customer (1 month)
Phase 2: CC/Customer (2 months)
Phase 3: CC/Customer (1 month)
Phase 4: CC (1 month)
Phase 5: CC/Customer (1 month)
Phase 6: CC submission to HITRUST, then HITRUST Quality Assurance (Month 4 onwards)
G. Q & A

THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
contact@controlcase.com
