Recently, there has been a lot of discussion regarding cyber resilience. There is no question that the capacity to recover from a security incident is critical, but much of the resilience talk seems to come at the expense of basic risk management methods. That is backwards: sound risk management is the road to resilience, not a detour from it.
Risk management can be a difficult task. Too many security professionals have been caught off guard in a meeting with a risk manager who indulges in improbable catastrophe scenarios. These kinds of worst-case fantasies ignore the essence of sound risk management, which is to identify the threats the organization is actually likely to face and decide how much control is worth buying against them. A good assurance framework is one way to keep these “journeys of the unexpected” in check.
What exactly is HITRUST?
Although many people in the healthcare industry are familiar with HITRUST, the approach is not confined to healthcare. It is, in fact, industry agnostic. The assurance options it provides are useful to any industry that must address both compliance and risk management. What distinguishes it from the other models on the market? The answer lies in how it ties assessment scope and control requirements to an organization’s own risk profile rather than applying one fixed checklist to everyone.
The HITRUST approach, which draws on the Capability Maturity Model (CMM) and NIST’s PRISMA (Program Review for Information Security Management for Assistance), uses best-in-class components for a complete information risk management and compliance program that combines and aligns the following:
- HITRUST CSF – a comprehensive framework of privacy and security controls that maps to numerous authoritative sources such as HIPAA, ISO 27001, and NIST SP 800-171.
- HITRUST Assurance Program – a scalable and transparent method of providing reliable assurances to internal and external stakeholders.
- HITRUST MyCSF – a platform for HITRUST CSF compliance operations and audit management, used by enterprises implementing the HITRUST CSF, their external assessors, and HITRUST itself.
- HITRUST Shared Responsibility Program – a method for automatically importing prior HITRUST control assessment testing results and scores from providers of internal shared IT services and external cloud-hosted services, backed by a set of matrices that describe who is responsible for which control.
- HITRUST Assessment XChange – a managed service for third-party risk management.
- HITRUST Third Party Assurance Program – a process for managing third-party risk.
Most compliance gap assessments (HITRUST, ISO 27001, and others) today are “point-in-time” evaluations that establish whether a given benchmark of control implementation and operation is met on the day of testing. The assessment activities are then repeated on a fixed schedule (e.g., annually). Unfortunately, this approach requires assessors and certification bodies to extrapolate, from a single current-state snapshot, to periods that were never directly observed.
HITRUST is working to build the concepts of Information Security Continuous Monitoring (ISCM) into the methodology and products of its assurance program. The ultimate goal is to shift traditional security assessments from a “point-in-time” exercise to an ongoing, forward-looking one by giving assessed entities, HITRUST assessors, and HITRUST itself a view into the status of controls at a frequency sufficient to support ongoing, risk-based decisions.
The only thing worse than uncovering gaps in a security program is discovering controls that have been neglected to the point of re-opening an old gap. ISCM addresses this by catching deterioration soon after it starts, so controls decay less between reviews than they do under standard periodic assessment. Other concrete advantages include:
- Longer intervals between full control gap assessments.
- Less time and effort required to maintain certification.
- Lower lifetime cost of certification maintenance.
- Increased certainty and trust among external stakeholders such as regulators, business partners, and customers.
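The difference between a point-in-time review and continuous monitoring is easiest to see with numbers. The following is an added example, not HITRUST's code or anything from the original post: it builds a constructed daily status timeline for a single hypothetical control (say, MFA enforced on all administrative accounts), detects the point at which a previously remediated gap re-opens, and measures how many days that regression goes unnoticed under annual, quarterly, monthly, and daily review cadences. All dates, control behaviour, and function names are assumptions made for the illustration.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample window, not real assessment data: two years of daily checks.
START = date(2023, 1, 1)
END = START + timedelta(days=730)


def build_timeline(gap_days: range, regression_from: int) -> Dict[date, bool]:
    """Daily control status from START to END inclusive (True = operating as designed).

    The control is ineffective during the initial gap, effective once remediated,
    and regresses permanently from day `regression_from` onward. Hypothetical data.
    """
    timeline = {}
    for offset in range((END - START).days + 1):
        effective = offset not in gap_days and offset < regression_from
        timeline[START + timedelta(days=offset)] = effective
    return timeline


# Initial gap for the first 30 days, fixed on day 30, silently broken again on day 400.
SAMPLE = build_timeline(gap_days=range(0, 30), regression_from=400)


def reopened_gap_dates(timeline: Dict[date, bool]) -> List[date]:
    """Dates on which a control that had already failed once, and was then fixed,
    fails again. A first-ever failure is a gap, not a re-opened gap."""
    reopened, seen_gap, prev = [], False, None
    for day in sorted(timeline):
        status = timeline[day]
        if not status:
            if prev is True and seen_gap:
                reopened.append(day)
            seen_gap = True
        prev = status
    return reopened


def review_schedule(cadence_days: int) -> List[date]:
    """Point-in-time review dates at a fixed cadence, starting at START."""
    span = (END - START).days + 1
    return [START + timedelta(days=d) for d in range(0, span, cadence_days)]


def detection_delay_days(timeline: Dict[date, bool], reviews: List[date]) -> Optional[int]:
    """Days between the first re-opened gap and the first review that observes it.

    Returns 0 when nothing regressed, and None when no review in the window
    ever catches the regression (the gap is extrapolated over, never seen).
    """
    regressions = reopened_gap_dates(timeline)
    if not regressions:
        return 0
    first = regressions[0]
    for review in sorted(reviews):
        if review >= first and not timeline.get(review, True):
            return (review - first).days
    return None


def compare_cadences(timeline: Dict[date, bool], cadences: List[int]) -> Dict[int, Optional[int]]:
    """Detection delay (in days) for each review cadence."""
    return {c: detection_delay_days(timeline, review_schedule(c)) for c in cadences}


if __name__ == "__main__":
    print("re-opened gaps:", [str(d) for d in reopened_gap_dates(SAMPLE)])
    for cadence, delay in compare_cadences(SAMPLE, [365, 90, 30, 1]).items():
        print(f"review every {cadence:>3} days -> regression undetected for {delay} days")
```

With the constructed timeline the annual review does not see the re-opened gap for 330 days, the quarterly review for 50, the monthly for 20, and a daily automated check for 0. The controls that matter most for an ISCM program are exactly the ones whose evidence can be collected by a check like this rather than by interviewing the control owner once a year.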
Certification matters because it provides independent confirmation that a security program is operating within the boundaries set out in its design. That has consequences well beyond the satisfaction of a clean audit cycle. With ISCM, the HITRUST Assurance Program will allow the conclusions in a HITRUST Assessment Report to be genuinely prospective, describing how controls are expected to operate going forward rather than only how they operated on the day of testing.
Many security projects are seen as “cost centers” that add little value to the enterprise. A HITRUST certification offers monetary value: it helps a firm meet the insurability requirements of cyber insurance underwriters, and it may also reduce insurance premiums. This is due to the industry’s strong regard for the HITRUST standard, a regard also acknowledged by organizations such as the United States Government Accountability Office (GAO), which is entrusted with saving taxpayer money.