Understanding HITRUST Control Categories: A Complete Overview

In recent years, one of the most advanced and comprehensive cybersecurity frameworks available is the Common Security Framework (CSF) from HITRUST Alliance. This framework consolidates various industry-specific guidelines into a single, all-encompassing document. While CSF certification isn’t mandatory for most businesses, adopting its controls and pursuing certification can significantly enhance your organization’s security posture. How many HITRUST control categories are there? And what’s the best approach to implementing them to achieve HITRUST compliance? This article will provide you with all the information you need to navigate these questions confidently.

 

How Many HITRUST Controls Are There?

The HITRUST CSF encompasses over 150 individual requirements. However, the specific number of controls your company needs to implement for compliance and security will vary based on the applicability of these controls and your unique compliance requirements.

Navigating these 150+ requirements can be complex due to the layered system of control categories and objectives. To simplify things, this article will provide a clear breakdown of everything you need to know about HITRUST controls:

• A detailed overview of all the controls and their requirements
• A comprehensive guide and resources for achieving HITRUST compliance across all controls

By the end of this article, you’ll have a thorough understanding of the controls, how they function, and what’s required to implement them effectively. Plus, we’ll explore how professional services can support you in this process.

 

 

Full Breakdown of the HITRUST CSF Controls

The HITRUST CSF’s control structure can vary depending on how your company defines “controls.” At its core, HITRUST is organized into 14 “Control Categories,” numbered 0.0 through 0.13. These categories are further divided into 49 “Objectives.” Drilling down even further, each Objective is detailed by 156 “References,” which are essentially the practical elements most organizations consider as “controls.”

Technically, each Reference is broken down into specific requirements, which can vary depending on the business.  In practice, there are 156 HITRUST CSF controls all companies must implement. However, for most organizations, it’s simpler to think of the controls in terms of the 14 Objectives. In the sections below, we’ll provide a clear overview of each Objective, exploring one Category at a time, to help you navigate and implement these controls effectively.

Category 0.0: Information Security Management 

There is one objective, with one corresponding reference, in category 0.0:

• Objective 0.01 – Implement information security management program (one Reference)

 

Category 0.1: Access Control Security

There are seven objectives, with 25 corresponding references, in category 0.1:

• Objective 1.01 – Define business requirements for access control (one Reference)
• Objective 1.02 – Authorize access to information systems (four References)
• Objective 1.03 – Define user roles and responsibilities (three References)
• Objective 1.04 – Control network access (seven References)
• Objective 1.05 – Control operating system access (six References)
• Objective 1.06 – Control application and information access (two References)
• Objective 1.07 – Optimize mobile computing security (two References)

 

Category 0.2: Human Resources Security

There are four objectives, with nine corresponding references, in category 0.2: 

• Objective 2.01 – Secure personnel before hiring (two References)
• Objective 2.02 – Secure personnel during onboarding (one Reference)
• Objective 2.03 – Secure personnel during employment (three References)
• Objective 2.04 – Secure personnel through termination (three References)

 

Category 0.3: Risk Management Policy

There is just one objective, with four corresponding references, in category 0.3:

• Objective 3.01 – Implement risk management program (four References)

 

Category 0.4: Information Security Policy

There is just one objective, with two corresponding references, in category 0.4:

• Objective 4.01 – Implement information security policy (three References)

 

Category 0.5: Information Security Organization

There are two objectives, with 11 corresponding references, in category 0.5:

• Objective 5.01 – Optimize internal organization (eight References)
• Objective 5.02 – Optimize organization of third parties (three References)

 

Category 0.6: Regulatory Framework Compliance

There are three objectives, with ten corresponding references, in category 0.6:

• Objective 6.01 – Comply with legally mandated requirements (six References)
• Objective 6.02 – Comply with technical and security standards (two References)
• Objective 6.03 – Consider information system audit requirements (two References)

 

Category 0.7: Asset Management Security 

There are two objectives, with five corresponding references, in category 0.7:

• Objective 7.01 – Designate inventory responsibilities (three References)
• Objective 7.02 – Optimize classification of information (two References)

 

Category 0.8: Physical and Environmental Security

There are two objectives, with 13 corresponding references, in category 0.8:

• Objective 8.01 – Secure physical areas (six References)
• Objective 8.02 – Secure physical equipment (seven References)

 

Category 0.9: Communications and Operations Security

There are ten objectives, with 32 corresponding references, in category 0.9:

• Objective 9.01 – Document operational procedures (four References)
• Objective 9.02 – Control delivery of third party services (three References)
• Objective 9.03 – Optimize system planning procedures (two References)
• Objective 9.04 – Protect against malicious or mobile code (two References)
• Objective 9.05 – Back up sensitive information regularly (one Reference)
• Objective 9.06 – Manage network security (two References)
• Objective 9.07 – Manage handling of media (four References)
• Objective 9.08 – Secure exchange of information (five References)
• Objective 9.09 – Secure electronic commerce services (three References)
• Objective 9.10 – Monitor systems and log audits (six References)

 

Category 0.10: Information Systems Management

There are six objectives, with 13 corresponding references, in category 0.10:

• Objective 10.01 – Define information system security requirements (one Reference)
• Objective 10.02 – Optimize processing across applications (four References)
• Objective 10.03 – Optimize cryptographic controls (two References)
• Objective 10.04 – Ensure security of system files (three References)
• Objective 10.05 – Secure development and support processes (two References)
• Objective 10.06 – Manage technical vulnerabilities (one Reference)

 

Category 0.11: Security Incident Management

There are two objectives, with five corresponding references, in category 0.11

• Objective 11.01 – Report on security weaknesses and incidents (two References)
• Objective 11.02 – Manage incident response and recovery (three References)

 

Category 0.12: Business Continuity Management

There is one objective, with five corresponding references, in category 0.12:

• Objective 12.01 – Integrate security and business continuity (five References)

 

Category 0.13: Privacy Security Practices 

There are seven control objectives, with 21 corresponding references, in category 0.13:

• Objective 13.01 – Implement transparency policies (three References)
• Objective 13.02 – Implement participation policies (three References)
• Objective 13.03 – Optimize purpose specifications (two References)
• Objective 13.04 – Minimize the scope of data collection (two References)
• Objective 13.05 – Limit scope of data utilization (two References)
• Objective 13.06 – Optimize data quality and integrity (three References)
• Objective 13.07 – Assure accountability through audits (six References)

 

 

 

Implementation of HITRUST CSF Security Controls

Achieving compliance with HITRUST CSF involves more than just understanding the 156 controls. It also requires verifying that these controls are implemented correctly, whether through self-assessment or external validation by a qualified assessor. Here’s a breakdown of the CSF Assessment levels:

• Self-Assessment: Complete a questionnaire through the MyCSF toolkit to gauge your compliance.
• CSF Validation or Certification: Obtain formal validation with the help of a qualified CSF Assessor.
• HITRUST CSF Bridge Assessment: For companies seeking recertification, this assessment helps maintain your compliance status.

At RSI Security, we offer a comprehensive suite of HITRUST certification and advisory services to guide you through every step. From preparing your internal IT team for self-assessment to achieving full certification or validation, we’re here to support you. Think of us as your all-in-one cybersecurity partner, dedicated to helping you reach and maintain compliance with ease.

 

Professional Compliance and Security

At RSI Security, we understand that compliance is crucial for businesses of all sizes. However, we also recognize that compliance is only one element of a comprehensive cybersecurity strategy needed to protect your employees and clients. That’s why, for over a decade, we’ve been providing robust managed IT and security services to ensure your entire cybersecurity architecture is strong and effective.

To take the next step in your cybersecurity journey, contact RSI Security today!

 

Discover how RSI Security can help your organization. Request a complimentary consultation: