www.ControlCase.com | www.HITRUSTAlliance.net | 855.HITRUST (855.448.7878)
© 2021 HITRUST Alliance
www.HITRUSTAlliance.net
HITRUST Brings Rely-Ability and Efficiency to All Levels of Information Assurance
AGENDA
• INTRODUCTIONS
• ABOUT CONTROLCASE
• WHAT IS HITRUST?
• WHAT ARE THE OBJECTIVES OF HITRUST?
• WHAT IS HITRUST CSF?
• KEY COMPONENTS OF THE HITRUST CSF ASSURANCE PROGRAM
• WHAT ARE THE HITRUST DOMAINS
• HITRUST PRESENTATION
• CONTROLCASE METHODOLOGY FOR HITRUST
• HITRUST RESULTS DISTRIBUTION SYSTEM
• Q&A
ABOUT CONTROLCASE
HITRUST EXTERNAL ASSESSOR SINCE 2014
Dramatically cut the time, cost and burden of becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies: do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner
Headline figures (as laid out on the slide): 50+ / 15+ / 200+, labelled HITRUST clients, HITRUST certifications globally, and HITRUST external assessors.
WHAT IS HITRUST?
Founded in 2007 to help companies safeguard sensitive data and manage risk.

Established a certifiable framework for organizations that create, access, store or exchange personal health and financial information to implement and be certified against.

Born out of the belief that information security is critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information.
WHAT ARE THE OBJECTIVES OF HITRUST?
HITRUST aims to establish a fundamental and holistic change in the way organizations manage information security risk by:
• Rationalizing regulations and standards into a single overarching framework tailored for each organization.
• Delivering a prescriptive, scalable and certifiable process.
• Addressing inconsistent approaches to certification, risk acceptance and adoption of compensating controls, to eliminate ambiguity in the processes.
• Enabling cost-effective monitoring of compliance with organizational, business partner and governmental requirements.
• Providing support and facilitating the sharing of ideas, feedback and experiences within the industry.
• Establishing trust between organizations.
• Developing an approach for the practical, efficient and consistent adoption of security by organizations across multiple industries.
WHAT IS THE HITRUST CSF?
The HITRUST CSF is a certifiable framework built upon other standards and authoritative sources relevant to the healthcare industry. It:
• Harmonizes the requirements of existing standards and regulations (HIPAA, SOC, GDPR, ISO 27001, NIST 800-53, etc.)
• Allows organizations to tailor their security control baselines to their specific information security requirements
• Incorporates both compliance and risk management principles
• Defines a process to effectively and efficiently evaluate compliance and security risk
• Supports HITRUST Certification
KEY COMPONENTS OF THE CSF ASSURANCE PROGRAM
STANDARDIZED TOOLS & PROCESSES
Questionnaire
• Focus assurance dollars to efficiently assess risk exposure
• Measured approach based on risk and compliance
• Ability to escalate assurance level based on risk
Report
• Output that is consistently interpreted across the industry
RIGOROUS ASSURANCE
• Multiple assurance options based on risk
• Quality control processes to ensure consistent quality and output across HITRUST External Assessors
• Streamlined and measurable process within the HITRUST MyCSF tool
• End user support
WHAT ARE THE HITRUST DOMAINS
1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Security
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging & Monitoring
13. Education, Training and Awareness
14. Third Party Assurance
15. Incident Management
16. Business Continuity & Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection & Privacy
HITRUST PRESENTATION
Learning Objectives
• Why the Need for Information Protection Assurances
• Not all Assurances are Created Equal
• New HITRUST Assessment Portfolio
• The Inefficient Method of Authenticating, Requesting, Sharing, and Analyzing Assessment Results
• New HITRUST Results Distribution System
Why the Need for Quality Information Protection Assurances
Assessed Entities Need…
• To provide credible and reliable information risk management assurances to internal and external stakeholders and relying parties: Board of Directors, Management, Customers, Regulators, Shareholders and Investors, Cyber Insurers
• To stop wasting time performing duplicative assessments and filling out proprietary questionnaires they receive from customers
• To save time and money in performing assessments
Relying Parties Need…
• Assurance results they can actually rely upon
• Understanding of the suitability of the controls
• Full transparency on how the controls were scored and evaluated
• Consistency in testing and evaluation, so that different assessors reviewing the same evidence would come to the same result/conclusion
• Elimination of subjectivity or variability, to bring integrity to the report
• Increased levels of impartiality from a centralized quality assurance program over an independent auditor
• To send proprietary questionnaires to their vendors asking for the specific information they need in the absence of a reliable report
• To effectively manage third-party risk across hundreds or thousands of vendors in the most efficient way
[Chart: THE LANDSCAPE OF INFORMATION PROTECTION ASSESSMENTS. X axis: Suitability of Information Protection Controls Considered (Low / Medium / High). Y axis: Rigor of Assessment Approach & Assurance Program (Low / Medium / High). Three bands of assessment, from lowest to highest rigor: Self-Assessment with No Outside QA; Third-Party Assessment with Some Level of QA & Final Report Issued by Assessor; Third-Party Assessment, often with Certification Body QA Review and Final Report. Cell descriptors range from "Self-selected controls with limited depth and breadth; ad hoc scoping approach often uses a simple Yes/No checklist" at the low end, through "Industry recognized controls and good hygiene practices; may use a risk-based, targeted approach" and "Greater number of controls; approach is more prescriptive and comprehensive", to "Robust, comprehensive, prescriptive controls; consistent methodology and reliable approach to meet regulations; Certification Body report" at the high end. Key: Level of Controls, Approach, Certification Body Report, Impartiality, QA & Review, with the QA & Review scale running Self; Self & Assessor; Self/Assessor/Cert Body.]
Produces Varying Levels of Assurance, based on…
• Suitability of information protection controls
• Rigor of assessment approach and assurance program
[Chart: the same landscape grid as on the previous slide (Suitability of Information Protection Controls Considered vs. Rigor of Assessment Approach & Assurance Program, each Low / Medium / High, with the bands Self-Assessment with No Outside QA; Third-Party Assessment with Some Level of QA & Final Report Issued by Assessor; Third-Party Assessment, often with Certification Body QA Review and Final Report), with a third dimension added: Level of Effort.]
ASSURANCE LEVELS ARE CORRELATED WITH CONTROLS CONSIDERED, RIGOR OF ASSESSMENT APPROACH, AND EFFORT
Characteristics of Each
High Level Assurances
• Robust control requirements
• Comprehensive and prescriptive
• Formal risk-based maturity model
• Validation by third party and QA by certifying body
Moderate Level Assurances
• Industry-recognized targeted control requirements
• Tested and validated by a third-party assessor
• Provide a general assurance of an organization’s cyber preparedness and resilience
Low Level Assurances
• Self-selected controls / limited breadth
• Simple / basic approach
• Self-attested
Need for a broader range of assurances
• By design, today’s HITRUST certification offers a gold-standard level of assurance due to the comprehensive control requirements and assurance program requirements.
• As a result: it’s a heavy lift.
• A broader range of options to address varying assurance requirements and needs is necessary.
• HITRUST will soon offer new assessments and a new certification:
  o Requiring less effort than today’s validated assessment.
  o While still living up to the gold-standard level of quality for which HITRUST certifications are known.
[Chart: Assurance Level (L / M / H) vs. Assessment Effort (L / M / H). Plotted offerings: Validated Assessment, Readiness Assessment, Rapid Assessment; the remaining region is labelled Unaddressed.]
Current Assessment and Certification Portfolio
• Today, the HITRUST assessment portfolio consists of the following offerings:
  o HITRUST CSF Rapid Assessment: a self-assessed, security-only questionnaire facilitated through the HITRUST Assessment Exchange (low level of assurance)
  o HITRUST CSF Readiness Assessment: an assessment performed in preparation for a validated assessment (low level of assurance)
  o HITRUST CSF Validated Assessment: the assessment leading to HITRUST CSF Certification; can optionally be tailored to include one or more authoritative sources (very high level of assurance)
• HITRUST currently offers entities only one certification (the HITRUST CSF Validated Assessment Report with Certification), at a very high level of assurance
HITRUST Expanded Assurance Portfolio
Basic, Current-state (“bC”) Assessment
• Focus on good security hygiene controls in virtually any size organization, with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements
Implemented, 1-year (“i1”) Assessment
• Focus on leading security practices with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements
Risk-based, 2-year (“r2”) Assessment
• Renames our current “validated assessment”, otherwise unchanged
• Focus on a comprehensive risk-based specification of controls with a very rigorous approach to evaluation, which is suitable for high assurance requirements
[Chart: Assurance Level (L / M / H) vs. Assessment Effort (L / M / H). Plotted offerings: Basic Assessment; i1 Readiness Assessment and i1 Validated Assessment; r2 Readiness Assessment and r2 Validated Assessment.]
When
The Basic and i1 assessments will be available by the end of this calendar year
NOT ALL ASSURANCES ARE CREATED EQUAL: BUYER BEWARE!
TRANSPARENCY
Transparency is needed for internal and external stakeholders to understand the framework your organization uses to satisfy compliance objectives. The framework should be publicly available, widely adopted, and well-understood so that report recipients understand how the controls were selected, evaluated, and scored.
Key Questions:
• Where do the assessed controls come from?
• How do you know the control requirements are suitable?
ACCURACY
Many other frameworks and assurance programs are qualitative, judgment-based, and devoid of any quantitative measurements.
Key Questions:
• How granular is the scoring / evaluation model used to evaluate the control environment?
• What infrastructure exists to inherit assessment results from vendor-performed controls?
CONSISTENCY
When frameworks are vague, subjective, or free of maturity levels and scoring methodologies, it becomes difficult to gauge an organization’s posture against that of another framework or even an industry baseline. This problem is compounded when assessment activities are not subject to quality and integrity reviews by an independent third-party assessor or certification body.
Key Questions:
• Can the effort result in a certification?
• How many entities issue these certifications or opinions?
INTEGRITY
Simply put, the integrity of your assessment reports and assurances to internal and external stakeholders depends upon an audit and validation process during which trained external assessors evaluate your control requirements one by one and say things like: "Prove to me you're doing this," or “Show me where it's documented."
Key Questions:
• Are the assessor's methodology, testing, and deliverables peer-reviewed by other firms?
• Are the assessor's methodology, testing, and deliverables reviewed by an accreditation and/or standards-enforcement body?
RELY-ABILITY: TRANSPARENCY + CONSISTENCY + ACCURACY + INTEGRITY
Guide to Selecting the Right HITRUST Assessment for Your Organization’s Needs:
r2 Validated Assessment (Former Name: CSF Validated Assessment): Comprehensive, Risk-based
i1 Validated Assessment: Good Security Hygiene and Leading Security Practices
bC Assessment: Good Security Hygiene
r2 Features:
• High level of effort and assurance
• Varies from 198 – 2000 requirements, based on inherent risk factors and included authoritative sources (optional)
• Scores: Policies, Procedures, Implemented, Measured, and Managed
• Full 5x5 PRISMA evaluation using a comprehensive scoring rubric
• Able to demonstrate regulatory compliance against authoritative sources such as HIPAA and the NIST Cybersecurity Framework
• Can be bridged by a HITRUST CSF Bridge Certificate
• Readiness Assessment available
• 2-year certification
i1 Features:
• Moderate level of effort and assurance
• Approx. 200 HITRUST CSF requirements (static / fixed)
• Provides strong coverage of NIST 800-171, the GDPR Safeguards Rule, much of the HIPAA Security Rule, and portions of AICPA TSC
• 1 maturity level (Implemented)
• 1-year certification
• Uses an external assessor’s annual evaluation of control implementation along with HITRUST review and QA
• Readiness Assessment available
bC Features:
• Low level of effort and assurance
• Self-assessment only; verified by the HITRUST Assurance Intelligence Engine
• 71 HITRUST CSF requirements
• 1 maturity level (Implemented)
• Provides coverage against NISTIR 7621, Small Business Information Security: The Fundamentals
HITRUST Assessment Attributes
Higher Quality and Reliability at Every Level of Assurance
Each HITRUST CSF Assessment Offers Unique, Industry-Leading Advantages, Including:
• Single Control Framework
• Best in Class MyCSF® SaaS Assessment Platform
• Consistent Approach
• Common Assurance Methodology
• Standard Report Formatting
• Supports Inheritance
• HITRUST Assurance Intelligence Engine™ (AIE) identifies errors, omissions, and potential deceit
• HITRUST Results Distribution System (RDS) shares assessment results with relying parties
• And More...
PREVIEW: Expanded HITRUST Assessment Portfolio
The table compares three assessments: HITRUST CSF Basic, Current State Assessment (bC) (NEW); HITRUST CSF Implemented, 1-year (i1) Assessment (NEW); and HITRUST CSF Risk-based, 2-year (r2) Assessment (Former Name: HITRUST CSF Validated Assessment).
Description: bC = Verified Self-Assessment; i1 = Validated Assessment + Certification; r2 = Validated Assessment + Risk-Based Certification
Purpose (Use Case): bC = Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements; i1 = Focus on leading security practices in medium-sized and larger organizations with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements; r2 = Focus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements
Number of Control Requirement Statements: bC = 71 static; i1 = 215 static; r2 = 2000+ based on tailoring (360 average in scope of assessments)
Specificity of Control: bC = Granular requirements; i1 = Granular requirements; r2 = Granular requirements
Flexibility of Control Selection: bC = No tailoring; i1 = No tailoring; r2 = Tailoring
Evaluation Approach: bC = 1x3: Control Implementation; i1 = 1x5: Control Implementation; r2 = 3x5 or 5x5: Control Maturity assessment against either 3 or 5 maturity levels
Targeted Coverage*: bC = NISTIR 7621: Small Business Information Security Fundamentals; i1 = NIST SP 800-171, HIPAA Security Rule; r2 = NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others
Level of Assurance**: bC = Low; i1 = Moderate; r2 = High
Relative Level of Effort: bC = 0.5; i1 = 1.0; r2 = 5.0
Certifiable Assessment: bC = No; i1 = Yes, 1 year; r2 = Yes, 2 year
Complementary Assessments: bC = None; i1 = Readiness; r2 = Readiness, Interim, Bridge
Leverages Results Distribution System (RDS) to Share Results: bC = Yes; i1 = Yes; r2 = Yes
Leverages the AI Engine to Prevent Omissions, Errors, or Deceit: bC = Yes; i1 = Yes; r2 = Yes
*Targeted Coverage means substantial coverage is intended.
** A particular level of assurance (e.g., low, medium/moderate, or high) is generally characterized by the relative level of suitability, impartiality, and rigor in the approach used to specify, assess, and report on the effectiveness of information security and privacy controls and the risks they are intended to manage.
CONTROLCASE METHODOLOGY FOR HITRUST r2 ASSESSMENT
ControlCase will follow a 6-PHASE APPROACH for the HITRUST Assessment:
1. MyCSF Subscription
  • Customer purchases MyCSF Subscription
  • ControlCase helps build the assessment
2. Readiness Assistance
  • ControlCase assigns an independent readiness consultant to guide the customer in providing the required HITRUST evidence
3. Customer purchases the validated assessment from the HITRUST Portal once ready
  • ControlCase helps the customer identify a submission date and complete the reservation for HITRUST QA
4. HITRUST Validated Assessment
  • Independent ControlCase auditor (HITRUST CCSFP) completes the validated assessment and required testing
5. ControlCase Quality Assurance
  • Engagement Executive Review
  • ControlCase moves evidence to MyCSF
6. Submit to HITRUST
  • HITRUST QA
  • Final Certified / Validated Report
HIGH-LEVEL HITRUST CERTIFICATION PLAN (r2 VALIDATED ASSESSMENT)
Timeline (Month 1 through Month 8 onwards; CC = ControlCase):
• Phase 1: 1 month (CC/Customer)
• Phase 2: 4 months (CC/Customer)
• Phase 3: 1 month (CC/Customer)
• Phase 4: 3 months (CC*)
• Phase 5: 1 month (CC/Customer**)
• Phase 6 (Month 8 onwards): CC submission to HITRUST, then HITRUST Quality Assurance
CONTROLCASE METHODOLOGY FOR HITRUST i1 ASSESSMENT
• Help with determining the scope for the HITRUST i1 assessment.
• Review the customer’s environment and articulate HITRUST requirements accordingly.
• Identify gaps and help strategize the remediation approach.
• Independent HITRUST CCSFP to perform the i1 assessment and the required testing.
• End-to-end process of 5 months to submission.
Solving for the Inefficient Method of Authenticating, Requesting, Sharing, and Analyzing Assessment Results
Today’s TPA Reports Sharing Landscape
• Generally, the sharing of TPA reports is largely manual and less than ideal:
  o Involves requesting PDF reports from business partners (e.g., customers)
  o Usually involves sharing of PDFs back and forth
  o The PDFs vary greatly depending on the type of report, the issuing party, etc.
  o The PDFs may be copy-protected and/or password-protected, making them tough to access and use
  o The PDFs are static and non-interactive, making it necessary to copy data into more feature-rich tools to do any meaningful analysis
  o This process is repeated annually
[Diagram: reliant party and assessed entity, four steps]
1. Reliant party requests the report
2. Assessed entity provides the report
3. Reliant party manually inspects the report (Current? Authentic? Scope? Findings?)
4. Reliant party manually scrapes data from the report for entry elsewhere (Ctrl+F, Ctrl+C, Ctrl+V… sigh)
What can (and does) go wrong?
1. Sharing of:
  • Expired reports
  • The wrong vendor’s report
  • Doctored or fake reports
  • The correct report to the wrong recipients
2. After hitting “send” on the email:
  • No visibility of who the assessment report PDF is ultimately shared with
  • No control over who can and can’t open the assessment report PDF
3. Copy + paste errors when moving assessment results from PDFs into tracking spreadsheets, VRM tools, and GRC systems
4. Decisions made using info in out-of-date and/or invalidated third-party assurance reports
  • Management’s responses to identified findings are X months old… what’s happened since?
5. Overlooked and/or poorly understood:
  • Adverse overall conclusions
  • Control findings
  • Scope limitations and carve-outs
6. Users of these complex reports can’t always find what they’re after
  • Which section is all this in?
  • Which columns in which tables again?
  • Where does the canned content end and the meat of it start?
7. Non-value-added activities throughout the process
  • Distract personnel from focusing on actually managing risk
  • Time-consuming
With the HITRUST Results Distribution System
A Better Way: Results Sharing
[Diagram: reliant party and assessed entity, three steps]
1. Assessed entity grants the reliant party access in RDS
2. Reliant party interacts with assessment results in RDS
3. Assessment results can be consumed by the reliant party through various means
• The HITRUST Results Distribution System will address the highly inefficient method of authenticating, requesting, sharing, and analyzing assessment results
• Unlike most other certification and accreditation bodies, HITRUST:
  o Is the sole issuer of all HITRUST Assessments, allowing us to ensure the integrity and validity of the process
  o Is uniquely positioned to streamline the sharing of assessment results via a centralized mechanism
Planned Future Enhancements
• API integration with GRC and TPRM/VRM systems
  o The RDS API will enable GRC and VRM platforms to electronically consume assessment results and allow users of those systems to fully leverage the analytics capabilities that they offer
  o HITRUST is partnering with key GRC and VRM vendors to facilitate this integration
• Enhanced Data Analytics
  o An enhanced data analysis toolset for relying parties to perform even richer analytics against assessment results of multiple vendors
HITRUST Assessments and Assurance Program is a “Win/Win” for Everyone
Assessed Entities
• One framework, one assurance program and one assessment tool for the information assurance needs of an entire enterprise.
• HITRUST r2 Certification has been a competitive advantage with customers, as it provides significant assurances that can be relied upon by all stakeholders (e.g., customers, regulators, cyber underwriters); i1 Certification is expected to obtain a similar status.
• HITRUST CSF covers over 40 authoritative sources, such as ISO 27001, NIST 800-53, 800-171, HIPAA and GDPR control requirements. It can satisfy multiple stakeholders with one assessment and reduce the unnecessary effort of responding to third-party proprietary questionnaires. “Assess Once, Report Many.”
• HITRUST Assessments allow for internal and external inheritance to reduce the time and cost of testing with External Assessors.
• Differentiates your organization relative to security and privacy posture and can facilitate potential new business partnerships with other organizations that require in-depth, third-party validated assurances.
• Able to start with a bC Assessment, and easily leverage that assessment when ready to move to the next level (i1) as your IRM program matures.
• Every assessment leverages the HITRUST RDS, which allows you to electronically share your assessment results with the customers you designate. Eliminates all the back and forth to get the required information your customer wants.
• Can minimize cyber insurance premiums.
Relying Parties
• The most Rely-able™ assurance report due to suitability of controls, rigor of assurance program, and centralized oversight (HITRUST QAs 100% of the reports).
• Ensures suitability of the controls
• Transparency in how controls were evaluated and scored
• Better accuracy based on quasi-quantitative, rather than “qualitative”, scoring.
• Consistency in how controls are evaluated
• Integrity in the report with over 50 automated checks and 6 levels of independent and objective quality assurance reviews by HITRUST.
• Able to run your entire Security and Privacy Third-Party Risk Management Program through HITRUST
• Portfolio of assessments to meet the needs of all vendors, regardless of risk level, company size, or purpose. No reason NOT to get HITRUST.
• Assurance framework to support more organizations on their assurance continuum journey.
• Receive all HITRUST assessment results electronically through the HITRUST Results Distribution System to radically improve efficiency over the outdated process for authenticating, requesting, sharing, and analyzing assessment results.
Question and Answer Session
© 2021 HITRUST Alliance
www.HITRUSTAlliance.net
THANK YOU FOR ATTENDING
For additional HITRUST resources, please visit:
HITRUSTAlliance.net or our Download Center
Performing One Audit Using Zero Trust Principles
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk Managment
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance Projects
 
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service   uopstudy.comCmgt 430 cmgt430 cmgt 430 education for service   uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
 
Audit and compliance services
Audit and compliance servicesAudit and compliance services
Audit and compliance services
 

Plus de ControlCase

Plus de ControlCase (20)

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdf
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+  Cyber Insurance Fina.pptxWebinar-MSP+  Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptx
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to Many
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust Principles
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the Cloud
 
Vendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECVendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIEC
 

Dernier

Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
instagramfab782445
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
laloo_007
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
daisycvs
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
ZurliaSoop
 

Dernier (20)

HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
Arti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdfArti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdf
 
Buy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From Seosmmearth
 
Over the Top (OTT) Market Size & Growth Outlook 2024-2030
Over the Top (OTT) Market Size & Growth Outlook 2024-2030Over the Top (OTT) Market Size & Growth Outlook 2024-2030
Over the Top (OTT) Market Size & Growth Outlook 2024-2030
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow ChallengesFalcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
BeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdfBeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdf
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
 
Cannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 Updated
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
 
Rice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna ExportsRice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna Exports
 

HITRUST Certification

6
WHAT IS THE HITRUST CSF?
The HITRUST CSF is a certifiable framework built upon other standards and authoritative sources relevant to the healthcare industry.
• Harmonizes the requirements of existing standards and regulations – HIPAA, SOC, GDPR, ISO 27001, NIST 800-53, etc.
• Allows organizations the ability to tailor their security control baselines based on their specific information security requirements.
• Incorporates both compliance and risk management principles.
• Defines a process to effectively and efficiently evaluate compliance and security risk.
• Supports HITRUST Certification.
7
KEY COMPONENTS OF THE CSF ASSURANCE PROGRAM
STANDARDIZED TOOLS & PROCESSES
Questionnaire
• Focus assurance dollars to efficiently assess risk exposure
• Measured approach based on risk and compliance
• Ability to escalate assurance level based on risk
Report
• Output that is consistently interpreted across the industry
RIGOROUS ASSURANCE
• Multiple assurance options based on risk
• Quality control processes to ensure consistent quality and output across HITRUST External Assessors
• Streamlined and measurable process within the HITRUST MyCSF tool
• End user support
8
WHAT ARE THE HITRUST DOMAINS
1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Security
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging & Monitoring
13. Education, Training and Awareness
14. Third Party Assurance
15. Incident Management
16. Business Continuity & Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection & Privacy
9
HITRUST PRESENTATION
10
Learning Objectives
• Why the Need for Information Protection Assurances
• Not all Assurances are Created Equal
• New HITRUST Assessment Portfolio
• The Inefficient Method of Authenticating, Requesting, Sharing, and Analyzing Assessment Results
• New HITRUST Results Distribution System
11
Why the Need for Quality Information Protection Assurances
Assessed Entities Need…
• To provide credible and reliable information risk management assurances to internal and external stakeholders and relying parties:
  ⁃ Board of Directors
  ⁃ Management
  ⁃ Customers
  ⁃ Regulators
  ⁃ Shareholders and Investors
  ⁃ Cyber Insurers
• To stop wasting time performing duplicative assessments and filling out proprietary questionnaires they receive from customers
• To save time and money in performing assessments
Relying Parties Need…
• Assurance results they can actually rely upon
• Understanding of the suitability of the controls
• Full transparency on how the controls were scored and evaluated
• Consistency in testing and evaluation so that different assessors reviewing the same evidence would come to the same result/conclusion
• Eliminate subjectivity or variability to bring integrity to the report
• Increased levels of impartiality from a centralized quality assurance program over independent auditor
• To send proprietary questionnaires to their vendors asking for specific information they need in the absence of a reliable report
• To effectively manage third-party risk across hundreds or thousands of vendors in the most efficient way
12
THE LANDSCAPE OF INFORMATION PROTECTION ASSESSMENTS
[Chart: a 3×3 matrix with axes SUITABILITY OF INFORMATION PROTECTION CONTROLS CONSIDERED (LOW / MEDIUM / HIGH) and RIGOR OF ASSESSMENT APPROACH & ASSURANCE PROGRAM (LOW / MEDIUM / HIGH). The three rigor bands are: Self-Assessment with No Outside QA; Third-Party Assessment with Some Level of QA & Final Report Issued by Assessor; Third-Party Assessment, often with Certification Body QA Review and Final Report.]
Chart cell descriptions (Level of Controls / Approach / Certification Body Report):
• Self-selected controls with limited depth and breadth / Ad hoc scoping approach often uses a simple Yes/No checklist
• Industry recognized controls and good hygiene practices / May use a risk-based, targeted approach
• Industry recognized controls selection with greater depth / Ad hoc scoping approach may not be risk-based
• Greater number of controls / Approach is more prescriptive and comprehensive
• Greater number of targeted and prescriptive controls for Authoritative Sources / Comprehensive, prescriptive scope based on formal maturity model
• Limited controls / Formal maturity model / Certification Body report
• Greater number of controls / Robust approach based on formal maturity model / Certification Body report
• Robust, comprehensive, prescriptive controls / Consistent methodology and reliable approach to meet regulations / Certification Body report
Produces Varying Levels of Assurance, based on…
• Suitability of information protection controls
• Rigor of assessment approach and assurance program
KEY
• Level of Controls
• Approach
• Certification Body Report
• Impartiality (QA & Review): Self; Self & Assessor; Self/Assessor/Cert Body
13
ASSURANCE LEVELS ARE CORRELATED WITH CONTROLS CONSIDERED, RIGOR OF ASSESSMENT APPROACH, AND EFFORT
[Chart: the same landscape matrix as slide 12 (SUITABILITY OF INFORMATION PROTECTION CONTROLS CONSIDERED against RIGOR OF ASSESSMENT APPROACH & ASSURANCE PROGRAM, each LOW / MEDIUM / HIGH, with the bands Self-Assessment with No Outside QA; Third-Party Assessment with Some Level of QA & Final Report Issued by Assessor; Third-Party Assessment, often with Certification Body QA Review and Final Report), annotated with Level of Effort.]
Characteristics of Each
High Level Assurances
• Robust Control Requirements
• Comprehensive and Prescriptive
• Formal Risk-Based Maturity Model
• Validation by Third-Party and QA by Certifying body
Moderate Level Assurances
• Industry-Recognized Targeted Control Requirements
• Tested and Validated by a Third-Party Assessor
• Provide a general assurance of an organization’s cyber preparedness and resilience
Low Level Assurances
• Self-Selected Controls / Limited Breadth
• Simple / Basic Approach
• Self-attested
14
Need for a broader range of assurances
• By design, today’s HITRUST certification offers a gold-standard level of assurance due to the comprehensive control requirements and assurance program requirements.
• As a result: It’s a heavy lift.
• A broader range of options to address varying assurance requirements and needs is necessary.
• HITRUST will soon offer new assessments and a new certification:
  ⁃ Requiring less effort than today’s validated assessment.
  ⁃ While still living up to the gold-standard level of quality for which HITRUST certifications are known.
[Chart: Assurance Level (L / M / H) against Assessment Effort (L / M / H), plotting the Validated Assessment, Readiness Assessment and Rapid Assessment; the remaining region is labelled "Unaddressed".]
15
Current Assessment and Certification Portfolio
• Today, the HITRUST assessment portfolio consists of the following offerings:
  o HITRUST CSF Rapid Assessment: A self-assessed, security-only questionnaire facilitated through the HITRUST Assessment Exchange (low level of assurance)
  o HITRUST CSF Readiness Assessment: Assessment performed in preparation for a validated assessment (low level of assurance)
  o HITRUST CSF Validated Assessment: Assessment leading to HITRUST CSF Certification, can optionally be tailored to include one or more authoritative sources (very high level of assurance)
• HITRUST currently offers entities only one certification (the HITRUST CSF Validated Assessment Report with Certification) at a very high level of assurance
16
HITRUST Expanded Assurance Portfolio
Basic, Current-state (“bC”) Assessment
• Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements
Implemented, 1-year (“i1”) Assessment
• Focus on leading security practices with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements
Risk-based, 2-year (“r2”) Assessment
• Renames our current “validated assessment”, otherwise unchanged
• Focus on a comprehensive risk-based specification of controls with a very rigorous approach to evaluation, which is suitable for high assurance requirements
[Chart: Assurance Level (L / M / H) against Assessment Effort (L / M / H), plotting the Basic Assessment, i1 Readiness Assessment, i1 Validated Assessment, r2 Readiness Assessment and r2 Validated Assessment.]
When: The Basic and i1 assessments will be available by the end of this calendar year
17
NOT ALL ASSURANCES ARE CREATED EQUAL: BUYER BEWARE!
TRANSPARENCY
Transparency is needed for internal and external stakeholders to understand the framework your organization uses to satisfy compliance objectives. The framework should be publicly available, widely adopted, and well-understood so that report recipients understand how the controls were selected, evaluated, and scored.
Key Questions:
• Where do the assessed controls come from?
• How do you know the control requirements are suitable?
ACCURACY
Many other frameworks and assurance programs are qualitative, judgment-based, and devoid of any quantitative measurements.
Key Questions:
• How granular is the scoring / evaluation model to evaluate the control environment?
• What infrastructure exists to inherit assessment results from vendor-performed controls?
CONSISTENCY
When frameworks are vague, subjective, or free of maturity levels and scoring methodologies, it becomes difficult to gauge an organization’s posture against that of another framework or even an industry baseline. This problem is compounded when assessment activities are not subject to quality and integrity reviews by an independent third-party assessor or certification body.
Key Questions:
• Can the effort result in a Certification?
• How many entities issue these certifications or opinions?
INTEGRITY
Simply put, the integrity of your assessment reports and assurances to internal and external stakeholders depends upon an audit and validation process during which trained external assessors evaluate your control requirements one by one and say things like: "Prove to me you're doing this," or “Show me where it's documented."
Key Questions:
• Is the assessor's methodology, testing, and deliverables peer-reviewed by other firms?
• Are the assessor's methodology, testing, and deliverables reviewed by an accreditation and/or standards-enforcement body?
RELY-ABILITY = TRANSPARENCY + CONSISTENCY + ACCURACY + INTEGRITY
18
Guide to Selecting the Right HITRUST Assessment for Your Organization’s Needs
r2 Validated Assessment (Former Name: CSF Validated Assessment) – Comprehensive, Risk-based
i1 Validated Assessment – Good Security Hygiene and Leading Security Practices
bC Assessment – Good Security Hygiene
r2 Features:
• High level of effort and assurance
• Varies from 198 – 2000 requirements, based on inherent risk factors and included authoritative sources (optional)
• Scores: Policies, Procedures, Implemented, Measured, and Managed
• Full 5x5 PRISMA evaluation using a comprehensive scoring rubric
• Able to demonstrate regulatory compliance against authoritative sources such as HIPAA and the NIST Cybersecurity Framework
• Can be bridged by a HITRUST CSF Bridge Certificate
• Readiness Assessment available
• 2-year certification
i1 Features:
• Moderate level of effort and assurance
• Approx. 200 HITRUST CSF requirements (static / fixed)
• Provides strong coverage of NIST 800-171, the GDPR Safeguards Rule, much of the HIPAA Security Rule, and portions of AICPA TSC
• 1 maturity level (Implemented)
• 1-year certification
• Uses an external assessor’s annual evaluation of control implementation along with HITRUST review and QA
• Readiness Assessment available
bC Features:
• Low level of effort and assurance
• Self-assessment only; verified by HITRUST Assurance Intelligence Engine
• 71 HITRUST CSF requirements
• 1 maturity level (Implemented)
• Provides coverage against NISTIR 7621, Small Business Information Security: The Fundamentals
HITRUST Assessment Attributes – Higher Quality and Reliability at Every Level of Assurance
Each HITRUST CSF Assessment Offers Unique, Industry-Leading Advantages, Including:
• Single Control Framework
• Best in Class MyCSF® SaaS Assessment Platform
• Consistent Approach
• Common Assurance Methodology
• Standard Report Formatting
• Supports Inheritance
• HITRUST Assurance Intelligence Engine™ (AIE) identifies errors, omissions, and potential deceit
• HITRUST Results Distribution System (RDS) shares assessment results with relying parties
• And More...
19
PREVIEW: Expanded HITRUST Assessment Portfolio
The table compares the three offerings: HITRUST CSF Basic, Current State Assessment (bC) (NEW); HITRUST CSF Implemented, 1-year (i1) Assessment (NEW); HITRUST CSF Risk-based, 2-year (r2) Assessment (Former Name: HITRUST CSF Validated Assessment).
Description
  bC: Verified Self-Assessment
  i1: Validated Assessment + Certification
  r2: Validated Assessment + Risk-Based Certification
Purpose (Use Case)
  bC: Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements
  i1: Focus on leading security practices in medium-sized and larger organizations with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements
  r2: Focus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements
Number of Control Requirement Statements
  bC: 71 Static
  i1: 215 Static
  r2: 2000+ based on Tailoring (360 average in scope of assessments)
Specificity of Control
  bC: Granular Requirements
  i1: Granular Requirements
  r2: Granular Requirements
Flexibility of Control Selection
  bC: No Tailoring
  i1: No Tailoring
  r2: Tailoring
Evaluation Approach
  bC: 1x3: Control Implementation
  i1: 1x5: Control Implementation
  r2: 3×5 or 5×5: Control Maturity assessment against either 3 or 5 maturity levels
Targeted Coverage*
  bC: NISTIR 7621: Small Business Information Security Fundamentals
  i1: NIST SP 800-171, HIPAA Security Rule
  r2: NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others
Level of Assurance**
  bC: Low
  i1: Moderate
  r2: High
Relative Level of Effort
  bC: 0.5
  i1: 1.0
  r2: 5.0
Certifiable Assessment
  bC: No
  i1: Yes, 1 Year
  r2: Yes, 2 Year
Complementary Assessments
  bC: None
  i1: Readiness
  r2: Readiness, Interim, Bridge
Leverages Results Distribution System (RDS) to Share Results
  bC: Yes
  i1: Yes
  r2: Yes
Leverages the AI Engine to Prevent Omissions, Errors, or Deceit
  bC: Yes
  i1: Yes
  r2: Yes
* Targeted Coverage means substantial coverage is intended.
** A particular level of assurance (e.g., low, medium/moderate, or high) is generally characterized by the relative level of suitability, impartiality, and rigor in the approach used to specify, assess, and report on the effectiveness of information security and privacy controls and the risks they are intended to manage.
  • 20. 20 CONTROLCASE METHODOLOGY FOR HITRUST r2 ASSESSMENT • MyCSF Subscription • Customer purchases MyCSF Subscription • ControlCase helps build the assessment • Readiness Assistance • ControlCase assigns an independent readiness consultant to guide customer to provide required HITRUST evidence • Customer purchases validated assessment from HITRUST Portal once ready • ControlCase helps the customer to identify a submission date and complete the reservation for HITRUST QA • HITRUST Validated Assessment • Independent ControlCase auditor (HITRUST CCSFP) completes the validated assessment and required testing. • ControlCase Quality Assurance • Engagement Executive Review • ControlCase moves evidence to MyCSF • Submit to HITRUST • HITRUST QA • Final Certified / Validated Report 1 2 3 4 5 6 ControlCase will follow a 6-PHASE APPROACH for the HITRUST Assessment
  • 21. 21 HIGH-LEVEL HITRUST CERTIFICATION PLAN (r2 VALIDATED ASSESSMENT)
Schedule by phase, across Month 1 through Month 8 onwards (CC = ControlCase; each entry is one monthly column of the plan):
• Phase 1: CC/Customer (one month)
• Phase 2: CC/Customer (four months)
• Phase 3: CC/Customer (one month)
• Phase 4: CC* (three months)
• Phase 5: CC/Customer** (one month)
• Phase 6: CC - submission to HITRUST; HITRUST Quality Assurance (Month 8 onwards)
  • 22. 22 CONTROLCASE METHODOLOGY FOR HITRUST i1 ASSESSMENT
• Help with determining the scope for the HITRUST i1 assessment.
• Review the customer's environment and articulate the HITRUST requirements accordingly.
• Identify gaps and help strategize the remediation approach.
• An independent HITRUST CCSFP performs the i1 assessment and the required testing.
• End-to-end process of 5 months to submission.
  • 23. 23 Solving for the Inefficient Method of Authenticating, Requesting, Sharing, and Analyzing Assessment Results
  • 24. 24 Today's TPA Reports Sharing Landscape
• Generally, the sharing of third-party assurance (TPA) reports is largely manual and less than ideal:
  • Involves requesting PDF reports from business partners (e.g., customers)
  • Usually involves sharing PDFs back and forth
  • The PDFs vary greatly depending on the type of report, the issuing party, etc.
  • The PDFs may be copy-protected and/or password-protected, making them tough to access and use
  • The PDFs are static and non-interactive, making it necessary to copy data into more feature-rich tools to do any meaningful analysis
  • This process is repeated annually
[Diagram: (1) Reliant party requests the report; (2) Assessed entity provides the report; (3) Reliant party manually inspects the report (Current? Authentic? Scope? Findings?); (4) Reliant party manually scrapes data from the report for entry elsewhere (Ctrl+F, Ctrl+C, Ctrl+V).]
  • 25. 25 What can (and does) go wrong?
1. Sharing of:
   • Expired reports
   • The wrong vendor's report
   • Doctored or fake reports
   • The correct report to the wrong recipients
2. After hitting "send" on the email:
   • No visibility of who the assessment report PDF is ultimately shared with
   • No control over who can and can't open the assessment report PDF
3. Copy + paste errors when moving assessment results from PDFs into tracking spreadsheets, VRM tools, and GRC systems
4. Decisions made using info in out-of-date and/or invalidated third-party assurance reports
   • Management's responses to identified findings are X months old... what's happened since?
5. Overlooked and/or poorly understood:
   • Adverse overall conclusions
   • Control findings
   • Scope limitations and carve-outs
6. Users of these complex reports can't always find what they're after
   • Which section is all this in?
   • Which columns in which tables again?
   • Where does the canned content end and the meat of it start?
7. Non-value-added activities throughout the process
   • Distracts personnel from focusing on actually managing risk
   • Time-consuming
  • 26. 26 A Better Way: Results Sharing With the HITRUST Results Distribution System
[Diagram: (1) Assessed entity grants the reliant party access in RDS; (2) Reliant party interacts with the assessment results in RDS; (3) Assessment results can be consumed by the reliant party through various means.]
• The HITRUST Results Distribution System addresses the highly inefficient method of authenticating, requesting, sharing, and analyzing assessment results
• Unlike most other certification and accreditation bodies, HITRUST:
  • Is the sole issuer of all HITRUST assessments, which allows it to ensure the integrity and validity of the process
  • Is uniquely positioned to streamline the sharing of assessment results via a centralized mechanism
  • 28. 28 Planned Future Enhancements
• API integration with GRC and TPRM/VRM systems
  • The RDS API will enable GRC and VRM platforms to electronically consume assessment results and allow users of those systems to fully leverage the analytics capabilities that they offer
  • HITRUST is partnering with key GRC and VRM vendors to facilitate this integration
• Enhanced data analytics
  • An enhanced data analysis toolset for relying parties to perform even richer analytics against the assessment results of multiple vendors
  • 29. 29 HITRUST Assessments and Assurance Program is a "Win/Win" for Everyone
Assessed Entities
• One framework, one assurance program and one assessment tool for the information assurance needs of an entire enterprise.
• HITRUST r2 Certification has been a competitive advantage with customers, as it provides significant assurances that can be relied upon by all stakeholders (e.g., customers, regulators, cyber underwriters); i1 Certification is expected to obtain a similar status.
• The HITRUST CSF covers over 40 authoritative sources, such as ISO 27001, NIST 800-53, NIST 800-171, HIPAA and GDPR control requirements. It can satisfy multiple stakeholders with one assessment and reduce the unnecessary effort of responding to third-party proprietary questionnaires. "Assess Once, Report Many."
• HITRUST assessments allow for internal and external inheritance to reduce the time and cost of testing with External Assessors.
• Differentiates your organization relative to security and privacy posture and can facilitate potential new business partnerships with other organizations that require in-depth, third-party validated assurances.
• Able to start with a bC assessment and easily leverage that assessment when ready to move to the next level (i1) as your IRM program matures.
• Every assessment leverages the HITRUST RDS, which allows you to electronically share your assessment results with the customers you designate. This eliminates the back and forth needed to get your customer the required information.
• Can minimize cyber insurance premiums.
Relying Parties
• The most Rely-able™ assurance report, due to the suitability of controls, the rigor of the assurance program, and centralized oversight: HITRUST QAs 100% of the reports.
• Ensures suitability of the controls.
• Transparency in how controls were evaluated and scored.
• Better accuracy based on quasi-quantitative, rather than "qualitative", scoring.
• Consistency in how controls are evaluated.
• Integrity in the report, with over 50 automated checks and 6 levels of independent and objective quality assurance reviews by HITRUST.
• Able to run your entire security and privacy third-party risk management program through HITRUST.
• A portfolio of assessments to meet the needs of all vendors, regardless of risk level, company size, or purpose. No reason NOT to get HITRUST.
• An assurance framework to support more organizations on their assurance continuum journey.
• Receive all HITRUST assessment results electronically through the HITRUST Results Distribution System to radically improve efficiency over the outdated process for authenticating, requesting, sharing, and analyzing assessment results.
  • 31. 31 THANK YOU FOR ATTENDING For additional HITRUST resources, please visit: HITRUSTAlliance.net or our Download Center

Speaker notes

  1. For Mike – How many controls and domains can we expect from the i1?
     For Kishor – How long would an i1 assessment take?