An In-Depth Look at HITRUST CSF Controls

Compliance is one of cybersecurity’s most essential aspects. All the regulatory frameworks a company must follow can also be one of the most challenging elements. The HITRUST Alliance’s Common Security Framework (CSF) streamlines all of these controls and simplifies cyberdefense. Read on to learn all there is to know about HITRUST CSF controls.

 

An In-Depth Look at HITRUST CSF Controls

Depending on your company’s sectors, compliance with HIPAA, HITECH, CMMC, GDPR, and other frameworks may be needed. While HITRUST itself is not a legal requirement for any industry, it can help companies meet and surpass all legal requirements.

This guide will walk you through every control that constitutes the HITRUST framework, spanning all industries’ requirements. First, we’ll provide a general overview of how the framework operates, and we’ll follow up with resources to help you implement it.

 

HITRUST Common Security Framework 101

HITRUST CSF is currently in Version 9.4.1. It is available for download after signing the CSF licensing agreement with HITRUST. The subsections below, sourced from the CSF, are broken down according to three key terms that make up the core of the HITRUST framework:

• “Control Categories” are HITRUST’s general cybersecurity domains
• “Objective Names” are control groups within the Categories
• “Control References” are the actual controls themselves

Let’s dive right into a complete breakdown of all the HITRUST CSF controls.

 

Control Category 0.0: Information Management

Category 0.0 comprises just one Objective Name and one Control Reference:

• Objective Name 0.01: Information Security Management Program   
  • Control Reference 00.a: Create a management program

 

Assess your HITRUST certification

 

Control Category 01.0: Access Control

Category 0.1 comprises seven Objective Names and 25 Control References:

• • Objective Name 01.01: Access Controls for Business Requirements  
    • Control Reference 01.a: Create an access control policy

• Objective Name 01.02: Authorization for Access to Information Systems  
• • • Control Reference 01.b: Manage user registration
    • Control Reference 01.c: Manage user privileges
    • Control Reference 01.d: Manage user passwords
    • Control Reference 01.e: Monitor user access rights

• Objective Name 01.03: Access Control Responsibilities for Users  
• • • Control Reference 01.f: Self-monitor password use
    • Control Reference 01.g: Monitor unattended equipment
    • Control Reference 01.h: Keep workstations clear and secure

• Objective Name 01.04: Access Controls Regarding Network Traffic  
• • • Control Reference 01.i: Create a policy for network use
    • Control Reference 01.j: Authenticate external connections
    • Control Reference 01.k: Identify equipment on networks
    • Control Reference 01.l: Protect remote port configurations
    • Control Reference 01.m: Segregate networks logically
    • Control Reference 01.n: Controls network connections
    • Control Reference 01.o: Control routing to/from networks

• Objective Name 01.05: Access Controls for Operating Systems  
• • • Control Reference 01.p: Control logon protocols
    • Control Reference 01.q: Control user authentication
    • Control Reference 01.r: Manage password system(s)
    • Control Reference 01.s: Control system utilities
    • Control Reference 01.t: Require session timeouts
    • Control Reference 01.u: Limit access session length

• Objective Name 01.06: Access Controls for Application Information  
• • • Control Reference 01.v: Restrict access to sensitive data
    • Control Reference 01.w: Logically isolate sensitive systems

• Objective Name 01.07: Remote and Mobile Access Controls  
• • Control Reference 01.x: Control for mobile computing
  • Control Reference 01.y: Designate controls for telework

 

Control Category 02.0: Human Resources

Category 0.2 comprises four Objective Names and nine Control References:

• • Objective Name 02.01 HR: Controls Before Employment  
    • Control Reference 02.a: Define roles and responsibilities
    • Control Reference 02.b: Implement personnel screening

• Objective Name 02.02: HR Controls During Onboarding  
• • • Control Reference 02.c: Define terms and conditions

• Objective Name 02.03: HR Controls During Employment  
• • • Control Reference 02.d: Manage personnel security
    • Control Reference 02.e: Cultivate security awareness
    • Control Reference 02.f: Define disciplinary procedures

• Objective Name 02.04: HR Controls for Personnel Moves  
• • Control Reference 02.g: Define procedures for termination
  • Control Reference 02.h: Control return of assets after move(s)
  • Control Reference 02.i: Remove user access rights immediately

 

Control Category 03.0: Risk Management

Category 0.3 comprises just one Objective Name and four Control References:

• Objective Name 03.01: Risk Management Program Controls  
  • Control Reference 03.a: Develop risk management program
  • Control Reference 03.b: Regularly assess risk environment
  • Control Reference 03.c: Execute risk mitigation strategies
  • Control Reference 03.d: Evaluate risks and root causes

 

Control Category 04.0: Security Policies

Category 0.4 comprises just one Objective Name and two Control References:

• Objective Name 04.01: Information Security Policy Controls  
  • Control Reference 04.a: Document information security practices
  • Control Reference 04.b: Review information security policies

 

Control Category 05.0: Information Organization

Category 0.5 comprises two Objective Names and 11 Control References:

• • Objective Name 05.01: Controls for Internal Organization  
    • Control Reference 05.a: Commit management to information security
    • Control Reference 05.b: Coordinate management of information security
    • Control Reference 05.c: Allocate information security responsibilities
    • Control Reference 05.d: Authorize information assets and facilities
    • Control Reference 05.e: Draft and execute confidentiality agreements
    • Control Reference 05.f: Control contact to and with relevant authorities
    • Control Reference 05.g: Control contact with special interest groups
    • Control Reference 05.h: Review information security independently

• Objective Name 05.02: Controls for External Organization  
• • Control Reference 05.i: Identify risks related to all third parties
  • Control Reference 05.j: Implement customer and client security
  • Control Reference 05.k: Implement vendor and partner security

 

Control Category 06.0: Regulatory Compliance

Category 0.6 comprises three Objective Names and ten Control References:

• • Objective Name 06.01: Legal Regulatory Compliance Controls  
    • Control Reference 06.a: Identify applicable laws/regulations
    • Control Reference 06.b: Control intellectual property rights
    • Control Reference 06.c: Protect critical internal records
    • Control Reference 06.d: Protect “covered” data clases
    • Control Reference 06.e: Prevent misuse of protected data
    • Control Reference 06.f: Implement cryptographic controls

• Objective Name 06.02: Policy, Standard, and Technical Controls  
• • • Control Reference 06.g: Comply with security standards
    • Control Reference 06.h: Check for technical compliance

• Objective Name 06.03: Controls for Information System Audits  
• • Control Reference 06.i: Audit controls for compliance
  • Control Reference 06.j: Store and protect audit logs

 

Control Category 07.0: Asset Management

Category 0.7 comprises two Objective Names and five Control References:

• • Objective Name 07.01: Asset Responsibility Controls  
    • Control Reference 07.a: Define inventory responsibilities
    • Control Reference 07.b: Define ownership responsibilities
    • Control Reference 07.c: Define acceptable use responsibilities

• Objective Name 07.02: Information Classification Controls  
• • Control Reference 07.d: Define classification protocols
  • Control Reference 07.e: Define labeling/handling protocols

 

Control Category 08.0: Physical Security Management

Category 0.8 comprises two Objective Names and 13 Control References:

• • Objective Name 08.01: Controls to Secure Sensitive Areas  
    • Control Reference 08.a: Secure sensitive perimeter(s)
    • Control Reference 08.b: Restrict entry to protected spaces
    • Control Reference 08.c: Secure offices, storage, rooms, etc.
    • Control Reference 08.d: Safeguard against external threats
    • Control Reference 08.e: Restrict work to secured areas
    • Control Reference 08.f: Define and protect public areas

• Objective Name 08.02: Controls to Secure Sensitive Equipment  
• • Control Reference 08.g: Plan equipment protection
  • Control Reference 08.h: Support critical utilities
  • Control Reference 08.i: Secure sensitive cables
  • Control Reference 08.j: Maintain all sensitive equipment
  • Control Reference 08.k: Secure off-premise equipment
  • Control Reference 08.l: Control equipment reuse and disposal
  • Control Reference 08.m: Control removal of physical property

 

Control Category 09.0: Communications and Operations

Category 0.9 comprises ten Objective Names and 32 Control References:

• • Objective Name 09.01: Controls for Documenting Operations  
    • Control Reference 09.a: Document relevant procedures
    • Control Reference 09.b: Document management changes
    • Control Reference 09.c: Segregate duties and responsibilities
    • Control Reference 09.d: Segregate assessment environments

• Objective Name 09.02: Controls for Third-Party Services  
• • • Control Reference 09.e: Monitor and control delivery
    • Control Reference 09.f: Monitor and review services
    • Control Reference 09.g: Monitor changes to services

• Objective Name 09.03: Controls for System Planning  
• • • Control Reference 09.h: Manage relevant capacities
    • Control Reference 09.i: Manage system acceptance

• Objective Name 09.04: Safeguards Against Malicious Code  
• • • Control Reference 09.j: Control malicious code
    • Control Reference 09.k: Control mobile code

• Objective Name 09.05: Information Backup Controls  
• • • Control Reference 09.l: Perform routine data backups

• Objective Name 09.06: Controls Over Network Security  
• • • Control Reference 09.m: Monitor network traffic
    • Control Reference 09.n: Control network security

• Objective Name 09.07: Media Management Controls  
• • • Control Reference 09.o: Manage removable media
    • Control Reference 09.p: Control media disposal
    • Control Reference 09.q: Control handling of data
    • Control Reference 09.r: Secure system documentation
  • Objective Name 09.08: Controls for Information Exchange  
    • Control Reference 09.s: Create an information exchange policy
    • Control Reference 09.t: Execute exchange agreements, per policy
    • Control Reference 09.u: Control physical media in transit, per policy
    • Control Reference 09.v: Control electronic messaging, per policy
    • Control Reference 09.w: Control interconnected business systems

• Objective Name 09.09: Electronic Commerce Controls  
• • • Control Reference 09.x: Control eCommerce services
    • Control Reference 09.y: Monitor and control transactions
    • Control Reference 09.z: Control public access to information

• Objective Name 09.10: Controls for Overall Monitoring  
• • Control Reference 09.aa: Log all audit information
  • Control Reference 09.ab: Monitor all use of systems
  • Control Reference 09.ac: Protect audit log information
  • Control Reference 09.ad: Log all administrative audits
  • Control Reference 09.ae: Log all faults in the system(s)
  • Control Reference 09.af: Synchronize all timekeeping

 

Control Category 10.0: Data Systems Management

Category 10.0 comprises six Objective Names and 13 Control References:

• • Objective Name 10.01: Information Systems Security Controls  
    • Control Reference 10.a: Specify analysis requirements

• Objective Name 10.02: Application Processing Controls  
• • • Control Reference 10.b: Validate analysis input data
    • Control Reference 10.c: Control internal data processing
    • Control Reference 10.d: Ensure integrity of messages
    • Control Reference 10.e: Validate analysis output data

• Objective Name 10.03: Controls for Cryptography  
• • • Control Reference 10.f: Draft policy on cryptography
    • Control Reference 10.g: Manage cryptographic keys

• Objective Name 10.04: System File Security Controls  
• • • Control Reference 10.h: Control all operations software
    • Control Reference 10.i: Protect data related to system tests
    • Control Reference 10.j: Restrict program source code access

• Objective Name 10.05: Development and Support Controls  
• • • Control Reference 10.k: Change procedures for controls
    • Control Reference 10.l: Monitor outsourced development

• Objective Name 10.06: Vulnerability Management Controls  
• • Control Reference 10.m: Manage security vulnerabilities

 

Control Category 11.0: Incident Management

Category 11.0 comprises two Objective Names and five Control References:

• • Objective Name 11.01: Incident and Weakness Reporting Protocols  
    • Control Reference 11.a: Report on cybersecurity events
    • Control Reference 11.b: Report cybersecurity weaknesses

• Objective Name 11.02: Incident and Improvement Management Controls  
• • Control Reference 11.c: Define responsibilities and protocols
  • Control Reference 11.d: Mobilize data from past security events
  • Control Reference 11.e: Collect evidence from all security events

 

Control Category 12.0: Business Continuity

Category 12.0 comprises just one Objective Name and five Control References:

• Objective Name 12.01: Continuity and Information Security Controls  
  • Control Reference 12.a: Integrate security and continuity management
  • Control Reference 12.b: Assess risks before and during continuity
  • Control Reference 12.c: Integrate security and continuity implementation
  • Control Reference 12.d: Create a business continuity planning framework
  • Control Reference 12.e: Routinely assess the security of continuity plans

 

Control Category 13.0: Privacy Management

Category 13.0 comprises seven Objective Names and 21 Control References:

• • Objective Name 13.01: Controls to Ensure Transparency
    
    • Control Reference 13.a: Draft privacy notice(s)
    • Control Reference 13.b: Optimize openness
    • Control Reference 13.c: Account for disclosures

• Objective Name 13.02: Controls for Individual Participation  
• • • Control Reference 13.d: Ensure users’ consent
    • Control Reference 13.e: Maximize users’ choices
    • Control Reference 13.f: Define principles of access

• Objective Name 13.03: Controls for Specification Purposes  
• • • Control Reference 13.g: Define legitimacy of purposes
    • Control Reference 13.h: Define specifications of purposes

• Objective Name 13.04: Controls to Minimize Overall Data  
• • • Control Reference 13.i: Minimize collection of data
    • Control Reference 13.j: Minimize all uses of data

• Objective Name 13.05: Controls to Limit Overall Information Use  
• • • Control Reference 13.k: Limit uses and disclosures
    • Control Reference 13.l: Limit retention of information

• Objective Name 13.06: Controls to Maximize Quality and Integrity  
• • • Control Reference 13.m: Ensure accuracy of data
    • Control Reference 13.n: Optimize redress of data
    • Control Reference 13.o: Streamline compliance

• Objective Name 13.07: Controls for Accountability through Audits  
• • Control Reference 13.p: Define governance roles
  • Control Reference 13.q: Assess privacy and impact
  • Control Reference 13.r: Define third party privacy rights
  • Control Reference 13.s: Monitor and audit for privacy
  • Control Reference 13.t: Cultivate privacy awareness
  • Control Reference 13.u: Report on privacy protection

 

Compliance and Cyberdefense Made Simple

Although HITRUST streamlines many other regulatory frameworks, its matrix of controls can be challenging to implement. This is especially true for small to medium-sized businesses with over-burdened IT departments. 

RSI Security’s HITRUST compliance advisory services are designed to make compliance as easy as possible. From planning to execution and long-term maintenance, our team of experts will guide your company through the HITRUST CSF controls and any other cybersecurity architecture implementation you need. Contact RSI Security today to see how simple cybersecurity can be!

 

 

---

Download Our HITRUST Compliance Checklist

Assess where your organization currently stands with being HITRUST compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.