WEBINAR:
COMPLIANCE 101:
HITRUST UPDATE 2023
Presented by:
Omkar Salunkhe, ControlCase Partner, HITRUST
Kishor Vaswani, ControlCase Chief Strategy Officer
Speakers
© ControlCase. All Rights Reserved. 2
Omkar Salunkhe, ControlCase Partner, HITRUST
Having worked for ControlCase for the past 8 years, Omkar is now the HITRUST Partner, a Subject Matter Expert who oversees all of ControlCase clients’ HITRUST Certifications globally.

Kishor Vaswani, ControlCase Chief Strategy Officer
Kishor founded ControlCase (an IT Security and Compliance company) in 2004 and scaled it through its expansion to more than 1,000 customers in 40 countries.
Agenda
A. Introduction to ControlCase
B. What is HITRUST?
C. Latest Updates to HITRUST
D. Types of HITRUST Assessments
E. HITRUST Domains
F. ControlCase Methodology
G. Q&A
HITRUST Certification

A. Introduction to ControlCase
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically cut the time, cost, and burden of becoming certified and maintaining IT compliance.

• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies: do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner

1,000+ clients | 10,000+ IT security certifications | 300+ security experts
Solution
Certification and Continuous Compliance Services

“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
Certification Services
One Audit™
Assess Once. Comply to Many.
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant

Certification services covered: PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, HITRUST CSF, HIPAA, PCI P2PE, GDPR, NIST CSF, Risk Assessment, PCI PIN, PCI SSF, FedRAMP, PCI 3DS
B. What is HITRUST?
What is HITRUST?
Founded in 2007 to help companies safeguard sensitive data and manage risk.

Established a certifiable framework for organizations that create, access, store, or exchange covered or sensitive information.

Originated from the belief that information security is critical to the widespread utilization of and confidence in health information systems, medical technologies, and electronic exchanges of medical data. Now, the HITRUST CSF is industry agnostic.
What is the HITRUST CSF?
The HITRUST CSF rationalizes and harmonizes relevant data protection regulations and standards into a single overarching security and privacy framework. The HITRUST CSF:
• Allows organizations to tailor their security control baselines to their specific information security requirements.
• Incorporates both compliance and risk management principles.
• Defines a process to effectively and efficiently evaluate compliance and security risk.
• Supports HITRUST Certification.
Key components of the CSF assurance program
Standardized Tools & Processes

Questionnaire
• Focus assurance dollars to efficiently assess risk exposure
• Measured approach based on risk and compliance
• Ability to escalate assurance level based on risk

Report
• Output that is consistently interpreted across the industry

Rigorous Assurance
• Multiple assurance options based on risk
• Quality control processes to ensure consistent quality and output across HITRUST External Assessors
• Streamlined and measurable process within the HITRUST MyCSF tool
• End user support
C. Latest Updates to HITRUST
What are the 2023 HITRUST Updates?
Summary of Changes in v11
• Moved evaluative elements from the Policy Illustrative Procedure to the Requirement Statement
• Added selectable Compliance factors and refreshed various mappings to authoritative sources
• Updated Illustrative Procedure content
• Assorted errata updates consistent with the CSF Versioning Policy

New Certification: e1 Assessment
• Basic cybersecurity hygiene
• Less than 50 requirement statements
• Annual certification
• Quicker assurance
D. Types of HITRUST Assessments
Types of HITRUST Assessments
HITRUST Essentials: e1 Assessment (valid for 1 year)
  # of HITRUST requirements: Less than 50
  Subject matter / focus: Requirements addressing basic cybersecurity hygiene and the most critical cyber threats (e.g., ransomware, phishing, password stuffing)
  Control maturity levels: Implemented only (but some requirements are P&P-focused, i.e., policy and procedure)

HITRUST Implemented: i1 Assessment (valid for 1 year)
  # of HITRUST requirements: Approx. 180 (v11); 219 (v9.6.2)
  Subject matter / focus: All requirements in the e1, plus leading cybersecurity practices and requirements mapping to a broader set of cyber threats
  Control maturity levels: Implemented only (but some requirements are P&P-focused)

HITRUST Risk-Based: r2 Assessment (valid for 2 years)
  # of HITRUST requirements: Varies based on risk and compliance factors
  Subject matter / focus: All requirements in the e1 and i1, plus requirements addressing inherent risk factors and added compliance factors (e.g., HICP, GDPR)
  Control maturity levels: Must: Policy, Procedure, Implemented; Optional: Measured & Managed

Assessment sub-types:
Sub-type  | Can result in a certification? | Needs an external assessor? | QA’d by HITRUST? | Share-able via RDS? | Results in a HITRUST-issued PDF?
Readiness | No  | No  | No  | Yes | Optional
Validated | Yes | Yes | Yes | Yes | Yes
Types of HITRUST Assessments
For v11, HITRUST has aligned the selection of requirement statements used for the e1 assessment, i1 assessment, and r2 assessment baseline, so that each assessment builds upon the core requirement statements that are included in the e1 assessment.

CSF v11 assessment timelines:
• e1 Assessment: 3 months
• i1 Assessment: 5 months
• r2 Assessment: 8 months
E. HITRUST Domains
What are the HITRUST domains?
1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Security
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging & Monitoring
13. Education, Training and Awareness
14. Third Party Assurance
15. Incident Management
16. Business Continuity & Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection & Privacy
F. ControlCase Methodology
ControlCase Methodology for HITRUST Validated Assessment

ControlCase will follow a 6-PHASE APPROACH for the HITRUST Assessment:

Phase 1
• Customer purchases MyCSF Subscription.
• ControlCase helps to finalize scope and build the assessment.

Phase 2
• ControlCase assigns an independent readiness consultant to guide the customer in providing the required HITRUST evidence.
• Based on the collected evidence, the consultant also helps the customer with scoring, as per HITRUST requirements.

Phase 3
• Customer purchases the validated assessment from HITRUST once ready.
• ControlCase helps the customer identify a submission date and complete the reservation for HITRUST QA.

Phase 4
• HITRUST Validated Assessment: an independent ControlCase auditor (HITRUST CCSFP) completes the validated assessment and required testing.
• Documentation for CAPs.

Phase 5
• ControlCase Quality Assurance
• Engagement Executive Review

Phase 6
• ControlCase moves evidence to MyCSF
• Submit to HITRUST
• HITRUST QA
• Final Certified/Validated Report
High-Level HITRUST Certification Plan (r2 Validated Assessment)
Timeline: Month 1 through Month 7, with HITRUST Quality Assurance from Month 8 onwards (CC = ControlCase; phases may overlap within a month).
Phase 1: CC/Customer, 1 month
Phase 2: CC/Customer, 4 months
Phase 3: CC/Customer, 1 month
Phase 4: CC, 3 months
Phase 5: CC/Customer, 1 month
Phase 6: CC submission to HITRUST, followed by HITRUST Quality Assurance (Month 8 onwards)
High-Level HITRUST Certification Plan (i1 Validated Assessment)
Timeline: Month 1 through Month 5, with HITRUST Quality Assurance from Month 6 onwards (CC = ControlCase; phases may overlap within a month).
Phase 1: CC/Customer, 1 month
Phase 2: CC/Customer, 3 months
Phase 3: CC/Customer, 1 month
Phase 4: CC, 2 months
Phase 5: CC/Customer, 1 month
Phase 6: CC submission to HITRUST, followed by HITRUST Quality Assurance (Month 6 onwards)
High-Level HITRUST Certification Plan (e1 Validated Assessment)
Timeline: Month 1 through Month 3, with HITRUST Quality Assurance from Month 4 onwards (CC = ControlCase; phases may overlap within a month).
Phase 1: CC/Customer, 1 month
Phase 2: CC/Customer, 2 months
Phase 3: CC/Customer, 1 month
Phase 4: CC, 1 month
Phase 5: CC/Customer, 1 month
Phase 6: CC submission to HITRUST, followed by HITRUST Quality Assurance (Month 4 onwards)
G. Q & A
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
contact@controlcase.com

Contenu connexe

Tendances

ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowPECB
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Goutama Bachtiar
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance BOC Group
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementationRalf Braga
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTKimberly Simon MBA
 
NQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 MappingNQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 MappingNQA
 
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesCertification Europe
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My OrganisationVigilant Software
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001technakama
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureUppala Anand
 
How to fulfil requirements of ISO 20000:2018 Documents?
How to fulfil requirements of ISO 20000:2018 Documents?How to fulfil requirements of ISO 20000:2018 Documents?
How to fulfil requirements of ISO 20000:2018 Documents?Global Manager Group
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
ISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learnedISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learnedJisc
 

Tendances (20)

ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
 
ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdf
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUST
 
NQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 MappingNQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 Mapping
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and ChallengesISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and Challenges
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
 
How to fulfil requirements of ISO 20000:2018 Documents?
How to fulfil requirements of ISO 20000:2018 Documents?How to fulfil requirements of ISO 20000:2018 Documents?
How to fulfil requirements of ISO 20000:2018 Documents?
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
ISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learnedISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learned
 

Similaire à Compliance 101 HITRUST Update.pdf

Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxControlCase
 
Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Yasmin AbdelAziz
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesControlCase
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...The Digital Insurer
 
What is the UK Cyber Essentials scheme?
What is the  UK Cyber Essentials scheme?What is the  UK Cyber Essentials scheme?
What is the UK Cyber Essentials scheme?IT Governance Ltd
 
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...The Digital Insurer
 
Success Story - Healthcare Insurance Testing Services
Success Story - Healthcare Insurance Testing ServicesSuccess Story - Healthcare Insurance Testing Services
Success Story - Healthcare Insurance Testing ServicesIndium Software
 
HIPAA and HITRUST on AWS
HIPAA and HITRUST on AWSHIPAA and HITRUST on AWS
HIPAA and HITRUST on AWSLogicworksNY
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyControlCase
 
How to Interpret and Plan for the 2014 CMS CEHRT Rule
How to Interpret and Plan for the 2014 CMS CEHRT Rule How to Interpret and Plan for the 2014 CMS CEHRT Rule
How to Interpret and Plan for the 2014 CMS CEHRT Rule Iatric Systems
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationSchellman & Company
 
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2   reporting 7-2014Gaining assurance over 3rd party soc 1 and soc 2   reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014Accounting_Whitepapers
 
Charles Taylor InsureTech - InsurTech Innovation Award 2022
Charles Taylor InsureTech - InsurTech Innovation Award 2022Charles Taylor InsureTech - InsurTech Innovation Award 2022
Charles Taylor InsureTech - InsurTech Innovation Award 2022The Digital Insurer
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesControlCase
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixNix Inc.,
 
SIEM, malware protection, deep data visibility — for free
SIEM, malware protection, deep data visibility — for freeSIEM, malware protection, deep data visibility — for free
SIEM, malware protection, deep data visibility — for freeElasticsearch
 

Similaire à Compliance 101 HITRUST Update.pdf (20)

Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptx
 
Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust Principles
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
 
What is the UK Cyber Essentials scheme?
What is the  UK Cyber Essentials scheme?What is the  UK Cyber Essentials scheme?
What is the UK Cyber Essentials scheme?
 
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
Swiss Re Reinsurance Solutions - Claims Automated Rules Engine – Insurer Inno...
 
Success Story - Healthcare Insurance Testing Services
Success Story - Healthcare Insurance Testing ServicesSuccess Story - Healthcare Insurance Testing Services
Success Story - Healthcare Insurance Testing Services
 
HIPAA and HITRUST on AWS
HIPAA and HITRUST on AWSHIPAA and HITRUST on AWS
HIPAA and HITRUST on AWS
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
 
How to Interpret and Plan for the 2014 CMS CEHRT Rule
How to Interpret and Plan for the 2014 CMS CEHRT Rule How to Interpret and Plan for the 2014 CMS CEHRT Rule
How to Interpret and Plan for the 2014 CMS CEHRT Rule
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
 
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2   reporting 7-2014Gaining assurance over 3rd party soc 1 and soc 2   reporting 7-2014
Gaining assurance over 3rd party soc 1 and soc 2 reporting 7-2014
 
Charles Taylor InsureTech - InsurTech Innovation Award 2022
Charles Taylor InsureTech - InsurTech Innovation Award 2022Charles Taylor InsureTech - InsurTech Innovation Award 2022
Charles Taylor InsureTech - InsurTech Innovation Award 2022
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust Principles
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
 
SIEM, malware protection, deep data visibility — for free
SIEM, malware protection, deep data visibility — for freeSIEM, malware protection, deep data visibility — for free
SIEM, malware protection, deep data visibility — for free
 
Third Party Network Webinar Slide Deck 110718 FINAL
Third Party Network Webinar Slide Deck 110718 FINALThird Party Network Webinar Slide Deck 110718 FINAL
Third Party Network Webinar Slide Deck 110718 FINAL
 

Dernier

Benefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptxBenefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptxlibertyuae uae
 
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...hasimatwork
 
Generalities about NFT , as a new technology
Generalities about NFT , as a new technologyGeneralities about NFT , as a new technology
Generalities about NFT , as a new technologysoufianbouktaib1
 
SQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptxSQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptxJustineGarcia32
 
如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?krc0yvm5
 
Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019Eric Johnson
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
overview of Virtualization, concept of Virtualization
overview of Virtualization, concept of Virtualizationoverview of Virtualization, concept of Virtualization
overview of Virtualization, concept of VirtualizationRajan yadav
 
Google-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdfGoogle-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdfMaria Adalfio
 
Tungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and BeyondTungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and BeyondContinuent
 

Dernier (10)

Benefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptxBenefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptx
 
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
 
Generalities about NFT , as a new technology
Generalities about NFT , as a new technologyGeneralities about NFT , as a new technology
Generalities about NFT , as a new technology
 
SQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptxSQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptx
 
如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?
 
Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
overview of Virtualization, concept of Virtualization
overview of Virtualization, concept of Virtualizationoverview of Virtualization, concept of Virtualization
overview of Virtualization, concept of Virtualization
 
Google-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdfGoogle-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdf
 
Tungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and BeyondTungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and Beyond
 

Compliance 101 HITRUST Update.pdf

  • 1. WEBINAR: COMPLIANCE 101: HITRUST UPDATE 2023 Presented by: Omkar Salunkhe, Controlcase Partner, HITRUST Kishor Vaswani, ControlCase Chief Strategy Officer
  • 2. Speakers © ControlCase. All Rights Reserved. 2 Omkar Salunkhe, ControlCase Partner, HITRUST Having worked for ControlCase for the past 8 years, Omkar is now the HITRUST Partner, a Subject Matter Expert who oversees all of ControlCase clients’ HITRUST Certifications globally. Kishor Vaswani, ControlCase Chief Strategy Officer Kishor founded ControlCase (an IT Security and Compliance company) in 2004 and scaled it through its expansion to more than 1,000 customers in 40 countries.
  • 3. Agenda © ControlCase. All Rights Reserved. 3 A. Introduction to ControlCase B. What is HITRUST? C. Latest Updates to HITRUST D. Types of HITRUST Assessments E. HITRUST Domains F. ControlCase Methodology G. Q&A HITRUST Certification
  • 4. A. © ControlCase. All Rights Reserved. 4 Introduction to ControlCase
  • 5. ControlCase Snapshot CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically cut the time, cost, and burden from becoming certified and maintaining IT compliance. © ControlCase. All Rights Reserved. 5 • Demonstrate compliance more efficiently and cost effectively (cost certainty) • Improve efficiencies ⁃ Do more with less resources and gain compliance peace of mind • Free up your internal resources to focus on their priorities • Offload much of the compliance burden to a trusted compliance partner 1,000+ 300+ 10,000+ CLIENTS IT SECURITY CERTIFICATIONS SECURITY EXPERTS
  • 6. Solution © ControlCase. All Rights Reserved. 6 Certification and Continuous Compliance Services “ I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness. — Security and Compliance Manager, Data Center
  • 7. Certification Services One Audit™ Assess Once. Comply to Many. © ControlCase. All Rights Reserved. 7 “You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business. — Sr. Director, Information Risk & Compliance, Large Merchant PCI DSS ISO 27001 & 27002 SOC 1,2,3 & SOC for Cybersecurity HITRUST CSF HIPAA PCI P2PE GDPR NIST CSF Risk Assessment PCI PIN PCI SSF FedRAMP PCI 3DS
  • 8. WHAT IS HITRUST? B. © ControlCase. All Rights Reserved. 8
  • 9. What is HITRUST? © ControlCase. All Rights Reserved. 9 Founded in 2007 to help companies safeguard sensitive data and manage risk. Established a certifiable framework for organizations that create, access, store, or exchange covered or sensitive information. Originated from the belief that information security is critical to the widespread utilization of and confidence in health information systems, medical technologies, and electronic exchanges of medical data. Now, the HITRUST CSF is industry agnostic.
  • 10. What is the HITRUST CSF? © ControlCase. All Rights Reserved. 10 HITRUST CSF The HITRUST CSF Framework (CSF) rationalizes and harmonizes relevant data protection regulations and standards into a single overarching security and privacy framework. The HITRUST CSF: • Allows organizations the ability to tailor their security control baselines based on their specific information security requirements. • Incorporates both compliance and risk management principles. • Defines a process to effectively and efficiently evaluate compliance and security risk. • Supports HITRUST Certification.
Key components of the CSF assurance program
Standardized tools and processes
Questionnaire
• Focus assurance dollars to efficiently assess risk exposure
• Measured approach based on risk and compliance
• Ability to escalate the assurance level based on risk
Report
• Output that is consistently interpreted across the industry
Rigorous assurance
• Multiple assurance options based on risk
• Quality control processes to ensure consistent quality and output across HITRUST External Assessors
• Streamlined and measurable process within the HITRUST MyCSF tool
• End-user support
C. Latest Updates to HITRUST
What are the 2023 HITRUST Updates?
Summary of changes in CSF v11:
• Moved evaluative elements from the Policy Illustrative Procedure into the Requirement Statement
• Added selectable Compliance factors and refreshed various mappings to authoritative sources
• Updated Illustrative Procedure content
• Assorted errata updates consistent with the CSF Versioning Policy
New certification: e1 Assessment
• Basic cybersecurity hygiene
• Fewer than 50 requirement statements
• Annual certification
• Quicker assurance
D. Types of HITRUST Assessments
Types of HITRUST Assessments

HITRUST Essentials e1 Assessment (valid for 1 year)
• Number of HITRUST requirements: fewer than 50
• Subject matter / focus: requirements addressing basic cybersecurity hygiene and the most critical cyber threats (e.g., ransomware, phishing, credential stuffing)
• Control maturity levels: Implemented only (but some requirements are policy- and procedure-focused)

HITRUST Implemented i1 Assessment (valid for 1 year)
• Number of HITRUST requirements: approx. 180 (v11); 219 (v9.6.2)
• Subject matter / focus: all e1 requirements, plus leading cybersecurity practices and requirements mapped to a broader set of cyber threats
• Control maturity levels: Implemented only (but some requirements are policy- and procedure-focused)

HITRUST Risk-Based r2 Assessment (valid for 2 years, subject to an interim assessment after the first year)
• Number of HITRUST requirements: varies based on risk and compliance factors
• Subject matter / focus: all e1 and i1 requirements, plus requirements addressing inherent risk factors and added compliance factors (e.g., HICP, GDPR)
• Control maturity levels: Policy, Procedure and Implemented are required; Measured and Managed are optional

Assessment sub-types:
Sub-type  | Can result in a certification? | Needs an External Assessor? | QA'd by HITRUST? | Shareable via RDS? | Results in a HITRUST-issued PDF?
Readiness | No                              | No                          | No               | Yes                | Optional
Validated | Yes                             | Yes                         | Yes              | Yes                | Yes
Types of HITRUST Assessments (continued)
For v11, HITRUST has aligned the selection of requirement statements used for the e1 assessment, the i1 assessment, and the r2 assessment baseline, so that each assessment builds upon the core requirement statements included in the e1 assessment. Indicative durations under CSF v11: e1 Assessment, about 3 months; i1 Assessment, about 5 months; r2 Assessment, about 8 months.
E. HITRUST Domains
What are the HITRUST domains?
1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Security
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging & Monitoring
13. Education, Training and Awareness
14. Third Party Assurance
15. Incident Management
16. Business Continuity & Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection & Privacy
ControlCase Methodology for HITRUST Validated Assessment
ControlCase follows a 6-phase approach for the HITRUST assessment, in this order:
• Customer purchases a MyCSF subscription.
• ControlCase helps finalize the scope and build the assessment.
• ControlCase assigns an independent readiness consultant to guide the customer in providing the required HITRUST evidence.
• Based on the collected evidence, the consultant also helps the customer with scoring, as per HITRUST requirements.
• Once ready, the customer purchases the validated assessment from HITRUST.
• ControlCase helps the customer identify a submission date and complete the reservation for HITRUST QA.
• HITRUST Validated Assessment: an independent ControlCase auditor (HITRUST CCSFP) completes the validated assessment and the required testing.
• Documentation of CAPs (corrective action plans).
• ControlCase Quality Assurance and Engagement Executive review.
• ControlCase moves the evidence into MyCSF and submits to HITRUST.
• HITRUST QA.
• Final Certified/Validated Report.
High-Level HITRUST Certification Plan (r2 Validated Assessment)
Phase   | Who                                                   | Approximate duration
Phase 1 | CC/Customer                                           | 1 month
Phase 2 | CC/Customer                                           | 4 months
Phase 3 | CC/Customer                                           | 1 month
Phase 4 | CC                                                    | 3 months
Phase 5 | CC/Customer                                           | 1 month
Phase 6 | CC submits to HITRUST; HITRUST Quality Assurance     | Month 8 onwards
(CC = ControlCase. Phases may overlap at their boundaries; submission to HITRUST is planned from month 8.)
High-Level HITRUST Certification Plan (i1 Validated Assessment)
Phase   | Who                                                   | Approximate duration
Phase 1 | CC/Customer                                           | 1 month
Phase 2 | CC/Customer                                           | 3 months
Phase 3 | CC/Customer                                           | 1 month
Phase 4 | CC                                                    | 2 months
Phase 5 | CC/Customer                                           | 1 month
Phase 6 | CC submits to HITRUST; HITRUST Quality Assurance     | Month 6 onwards
(CC = ControlCase. Phases may overlap at their boundaries; submission to HITRUST is planned from month 6.)
High-Level HITRUST Certification Plan (e1 Validated Assessment)
Phase   | Who                                                   | Approximate duration
Phase 1 | CC/Customer                                           | 1 month
Phase 2 | CC/Customer                                           | 2 months
Phase 3 | CC/Customer                                           | 1 month
Phase 4 | CC                                                    | 1 month
Phase 5 | CC/Customer                                           | 1 month
Phase 6 | CC submits to HITRUST; HITRUST Quality Assurance     | Month 4 onwards
(CC = ControlCase. Phases may overlap at their boundaries; submission to HITRUST is planned from month 4.)
G. Q&A
Thank you for the opportunity to contribute to your IT compliance program.
www.controlcase.com
contact@controlcase.com