One of the most comprehensive cybersecurity frameworks companies can implement is the HITRUST Alliance’s CSF. Full certification has many benefits, including streamlined compliance across other regulations and optimal security. Conducting a HITRUST Readiness Assessment, internally or with professional help, is one of the best ways to prepare for full implementation.
HITRUST CSF Readiness Assessment: Everything You Need to Know
The HITRUST CSF Readiness Assessment is one of a few types of HITRUST assessments companies can run. It is a preparatory step toward full HITRUST CSF certification. The other CSF assessments include Validated Assessments, assisted by a qualified third party, along with Interim Assessments and Bridge Assessments, which extend the period of official certification.
Below, we’ll cover the overall methodology required for a successful assessment, using HITRUST CSF tools, along with best practices and considerations to facilitate preparation.
HITRUST CSF Assessment Methodology for Readiness Assessments
The methodology used for HITRUST CSF assessments is nearly identical, no matter what kind of assessment you’re running. The assessor will compile information about your company and its cybersecurity systems, then systematically test for all the HITRUST CSF controls applicable to your company. See below for a list of all Control Categories and Control Objectives assessed.
One critical difference between methodology for readiness and other HITRUST assessments is that companies can undertake Readiness Assessments independently. You may assess your controls using the MyCSF platform without contracting the help of a managed security services provider (MSSP). The HITRUST Alliance can supply you with a readiness report directly.
However, many companies find significant value in working with a third party. MyCSF is robust, but it can be challenging to navigate, especially for large enterprises that operate more complex data environments. Legacy software and hardware also present challenges to CSF assessment.
How to Leverage the MyCSF Tool at All Stages of The Certification Process
Companies seeking HITRUST certification can run unofficial readiness or gap assessments internally—without making use of HITRUST resources. However, the MyCSF platform enables customized assessments and other efficiencies to streamline your entire certification process.
Some of the most impactful features of HITRUST’s MyCSF platform include the following:
- Customized Benchmarking – Companies can create custom populations and thresholds to test against for multiple controls, compliance needs, or other factors.
- Corrective Action Planning (CAP) – Companies can create and manage CAPs from a centralized dashboard, including integration with any non-HITRUST procedures.
- Regulatory Compliance Mapping – Companies can compile, optimize, and export compliance-related evidence to appropriate regulatory authorities, right from MyCSF.
  - CSF v9.5 (September 2021) added a HIPAA compliance and reporting pack.
- Validated Assessment Reservations – Companies can also browse and schedule Validated Assessment appointments with qualified third parties up to a year in advance.
MyCSF is available at multiple subscription levels, with different mapping and reporting features for companies with varying needs. Working with a HITRUST advisor maximizes ROI on MyCSF.
HITRUST Readiness Assessment Best Practices and Considerations
Businesses preparing for a HITRUST CSF Readiness Assessment, regardless of company size or industry, should first familiarize themselves with all tools and resources available directly from HITRUST. Then, they should begin identifying their potential assessor or advisor. Their chosen MSSP can facilitate the initial assessment, formal verification, and all other processes involved.
Next, companies should compile as much data as possible about their IT and cybersecurity infrastructure. This includes inventorying all assets and the threats to them, along with the specific characteristics of each. Current and foreseeable compliance requirements should be included in this inventory as well.
Companies should also consider their current and projected budget for the HITRUST Readiness Assessment and all future audits. This includes accounting for any systems that will need to be developed or acquired. The best way to identify what changes need to be made is to compare the inventory of current systems against the specific controls required by the HITRUST CSF.
Accounting for Control Categories and Objectives in the HITRUST CSF
The CSF comprises over 150 individual controls, with varying applicability based on business size and other factors. The better reference point for a Readiness Assessment is the list of 14 Control Categories and the 49 Control Objectives they house, which breaks down as follows:
- Control Category 0.0: Security Management Program – Comprising one Objective:
  - Control Objective 0.01 – Implement a formal information security program
- Control Category 01.0: Access Control Practices – Comprising seven Objectives:
  - Control Objective 01.01 – Establish business-specific access requirements
  - Control Objective 01.02 – Establish identity authorization protocols for access
  - Control Objective 01.03 – Identify and assign responsibilities for all users
  - Control Objective 01.04 – Monitor and restrict access to sensitive networks
  - Control Objective 01.05 – Monitor and restrict access to operating systems
  - Control Objective 01.06 – Monitor and restrict access to apps and app data
  - Control Objective 01.07 – Establish protocols for secure mobile computing and telework
- Control Category 02.0: Human Resource Security – Comprising four Objectives:
  - Control Objective 02.01 – Establish secure protocols for recruitment and hiring
  - Control Objective 02.02 – Establish secure protocols for personnel onboarding
  - Control Objective 02.03 – Ensure personnel security throughout employment
  - Control Objective 02.04 – Secure processes of termination and other changes
- Control Category 03.0: Risk Management – Comprising one Objective:
  - Control Objective 03.01 – Establish a comprehensive risk management program
- Control Category 04.0: Security Policies – Comprising one Objective:
  - Control Objective 04.01 – Establish information security policies and procedures
- Control Category 05.0: Information Organization – Comprising two Objectives:
  - Control Objective 05.01 – Manage all internal organization of sensitive data
  - Control Objective 05.02 – Manage all external organization of sensitive data
- Control Category 06.0: Regulatory Compliance – Comprising three Objectives:
  - Control Objective 06.01 – Comply with all applicable legal requirements
  - Control Objective 06.02 – Comply with all applicable security standards
  - Control Objective 06.03 – Audit systems regularly, per applicable regulations
- Control Category 07.0: IT Asset Management – Comprising two Objectives:
  - Control Objective 07.01 – Establish clear responsibilities for all IT assets
  - Control Objective 07.02 – Identify and safeguard all classified information
- Control Category 08.0: Environmental Security – Comprising two Objectives:
  - Control Objective 08.01 – Secure areas containing sensitive information
  - Control Objective 08.02 – Secure equipment containing sensitive information
- Control Category 09.0: Communications / Operations – Comprising ten Objectives:
  - Control Objective 09.01 – Document communication and operating procedures
  - Control Objective 09.02 – Monitor and control third-party service deliveries
  - Control Objective 09.03 – Establish secure system planning and acceptance
  - Control Objective 09.04 – Protect systems against malicious code
  - Control Objective 09.05 – Establish and secure backups of sensitive data
  - Control Objective 09.06 – Ensure security across all company networks
  - Control Objective 09.07 – Establish and enforce media handling controls
  - Control Objective 09.08 – Monitor and control exchanges of information
  - Control Objective 09.09 – Monitor and control all e-commerce transactions
  - Control Objective 09.10 – Implement robust, system-wide auditing infrastructure
- Control Category 10.0: System Maintenance – Comprising six Objectives:
  - Control Objective 10.01 – Establish security requirements for information systems
  - Control Objective 10.02 – Ensure correct processing across all systems
  - Control Objective 10.03 – Utilize cryptographic controls to secure data
  - Control Objective 10.04 – Ensure security of all files stored on systems
  - Control Objective 10.05 – Secure development and support processes
  - Control Objective 10.06 – Implement a vulnerability management program
- Control Category 11.0: Incident Management – Comprising two Objectives:
  - Control Objective 11.01 – Report identified incidents and weaknesses
  - Control Objective 11.02 – Manage identified incidents and weaknesses
- Control Category 12.0: Business Continuity – Comprising one Objective:
  - Control Objective 12.01 – Ensure security of business continuity practices
- Control Category 13.0: Privacy Protocols – Comprising seven Objectives:
  - Control Objective 13.01 – Ensure privacy transparency and disclosures
  - Control Objective 13.02 – Facilitate individual participation and choice
  - Control Objective 13.03 – Establish purpose specifications (legitimacy)
  - Control Objective 13.04 – Minimize collection and retention of all data
  - Control Objective 13.05 – Minimize uses and disclosures of all data
  - Control Objective 13.06 – Ensure quality and integrity across all data
  - Control Objective 13.07 – Govern data accountability and auditing
If your company can’t account for all of these Control Objectives in its Readiness Assessment, you may wish to repeat the unofficial audit after making adjustments, before proceeding to formal testing and validation.
Prepare for, Achieve, and Maintain HITRUST Certification Long-term
All companies seeking HITRUST certification should conduct at least one preliminary audit before attempting a Validated Assessment. The best option for most companies is completing a MyCSF-aided HITRUST Readiness Assessment, whether independently or with the help of a HITRUST advisory partner.
To get started on your certification, contact RSI Security today!