855.HITRUST • www.HITRUSTalliance.net v.HT-501-03
Regardless of the industry served, organizations are challenged with managing information security risks and data governance, complying
with the numerous information protection regulations, and adhering to national and international standards and best practices. HITRUST®
understands that addressing these challenges is a priority for organizations of all sizes, in all industries and geographies. Implementing
an information risk management framework, performing a thorough and accurate information risk assessment, streamlining remediation
activities, and reporting and tracking compliance is resource intensive and complicated at best and in many instances overwhelming.
We’ve leveraged our unique position and experience in framework development and information risk management and compliance,
combined with processing hundreds of thousands of risk assessments, to design the most efficient solution for assessing, managing, and
reporting information risk and compliance.
Best in Class Information Risk Management Platform for Assessing and Reporting Information Risk and Compliance
HITRUST CSF – The HITRUST MyCSF
incorporates the HITRUST CSF allowing
organizations to perform assessments and
report against the privacy and security controls
of the HITRUST CSF or any one of the over 40
authoritative sources currently included in the
framework, such as NIST 800-53, ISO 27000,
NIST Cybersecurity Framework, HIPAA, PCI,
FFIEC, and GDPR.
Key Components of MyCSF
HITRUST CSF - CSF Assurance Methodology - Assessment Platform
HITRUST CSF Assurance Methodology – The HITRUST CSF Assurance Program provides
a simplified and consistent approach to assessments and reporting against the HITRUST
CSF and any of the over 40 authoritative sources it incorporates. This risk-based assurance
approach, which is governed and managed by HITRUST, is designed to address evolving
information threats and unique regulatory and business needs of organizations while
delivering an effective, standardized and streamlined assessment process for reporting
compliance and information risk posture. Since the HITRUST CSF synthesizes numerous
standards and frameworks into a single comprehensive and harmonized framework,
it eliminates the need for multiple assessments or answering redundant assessment
questions, an approach we refer to as “Assess Once, Report Many.”
HITRUST MyCSF Assessment Platform – The HITRUST MyCSF makes it easy and cost-effective
for an organization to manage information risk and meet international, federal, and
state regulations concerning privacy and security. The HITRUST MyCSF tool provides global
organizations of all sizes with a purposefully designed and engineered SaaS solution for
performing risk assessments and corrective action plan management, including enhanced
benchmarking and dashboards as well as integration with major GRC platforms and the
HITRUST Assessment XChange™. The HITRUST MyCSF is a solution that will support an
organization’s evolving assessment needs that align with managing risk in the ever-changing
cyber threat, information risk, and global regulatory landscape.
Overview
MyCSF – Features
✓ Assessment Navigation – Provides an intuitive application
design coupled with dynamic logic that guides users
✓ CSF Assessment Preview – Provides an understanding
of the implications that changes in scope, authoritative
sources or CSF version will have on an assessment
✓ Evidence Support – Maintain a library of supporting
documentation and link them to control requirements and
maturity domains
✓ Aggregated Respondent Answers – Aggregates
scoring for assessment questions that have been
delegated to multiple respondents based on weights you
determine
✓ Advanced Analytics & Dashboards – Includes the
ability to create customized charts and dashboards
✓ Benchmarking – Customized benchmarks against
populations that you choose
✓ UI and Platform Support – Enables full functionality for
desktop, tablet and mobile use
✓ Control Inheritance – Supports the ability to inherit
control scores from internal and external assessments
✓ Comprehensive Reporting – Includes compliance
reporting on various authoritative sources
✓ Robust API – Enables integration and exchange of
assessment related information with GRC tools and the
HITRUST Assessment XChange
By utilizing MyCSF, an organization can reduce resources, improve efficiencies, enhance reporting and dashboards, streamline assessment modeling and share assessment information with other applications relating
to information risk management and compliance.
Below are some of the advanced subscription features of MyCSF that simplify the process of sharing information, provide a comparison of your
organization’s assessment scores, and streamline analytics and reporting.
Inheritance - Benchmarking - Advanced Analytics
Inheritance
Inheritance allows scores from one assessment to be applied to another assessment. This can occur within an organization (internal) or from
another organization (external).
Response inheritance enables hosting, cloud, and service
providers* to make assessment scores available for inheritance into
any organization’s assessment—easily, seamlessly, and automatically.
This simplifies the process and
reduces the effort necessary for
hosting and service organization
customers to be assessed. By
working with a participating
service provider, customers can
reduce the required testing and
associated costs for inherited controls in a fully automated manner.
External inheritance allows an organization to inherit assessment
controls from a service provider’s HITRUST CSF Validated Assessment
into their own assessment as long as the services they are providing
are covered under the scope of the original assessment.
Key Benefits of Response and External Inheritance:
✓ Reduces risk
✓ Gain higher assurance when relying on third-party
service providers
✓ Gain another layer of protection
✓ Reduces data entry and effort
✓ Reduces testing required
Internal inheritance gives organizations the ability to inherit
control scores from one of their assessments and apply them to
another of their assessments, streamlining the assessment process.
Key Benefits:
✓ Flexibility of approach by allowing organizations to assess
parts of their organization and build upon them through
inheritance into subsequent assessments
✓ Only assess an application, infrastructure component,
server, or location once, then leverage it as part of
other assessments
Benchmarking
Basic – Enables a comparison of your organization’s assessment scores against all HITRUST CSF Validated Assessments to understand how
you compare to the average scores.
Advanced – With advanced benchmarking, organizations can compare assessment scores against specific types of population segments,
sizes, types and number of employees yielding a more relevant analysis. The ability to accurately compare to appropriate peer groups
provides a more precise comparison which is ideal for management communication.
* To take advantage of this offering, service providers must have an appropriate MyCSF subscription and a current HITRUST CSF Validated Assessment in good standing.
Advanced Analytics, Dashboards and Comprehensive Reporting
The MyCSF analytics and reporting solution is essential to enabling
actionable discussions across the entire organization. Management and users
can easily create and collaborate on the progress and outcomes of a HITRUST
CSF assessment. MyCSF analytics streamlines analysis and reporting for all
levels of management and Board of Directors.
Analytics and Reporting Packages:
Basic – This option provides pre-defined, static reports that are similar to the
dashboards and allows for effective communication.
Advanced – Enables reporting on administrative details and factors,
assessment status, illustrative procedures and CAPs. This reporting option
allows access to the full suite of dashboards and reports.
Premium – In addition to the Advanced package, the Premium package allows
for the creation of customized reports and defined dashboards, enabling
organizations to tailor specific reporting and analysis to fit their needs.
Robust API
Streamline integration with GRC or other risk management tools.
The MyCSF API allows you to exchange information with risk management and GRC tools. By providing API access, HITRUST allows for assessment data to
be exchanged in an automated fashion allowing organizations to manage risk in their native toolsets.
© 2020 HITRUST All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than being shared as is in full, in any form or by any means, electronic or mechanical, without HITRUST’s prior written permission.
Subscription Options:
MyCSF is available at various subscription levels. Report-only access limits you to the functionality required to perform an assessment and
submit to HITRUST for processing. Annual subscriptions to MyCSF afford access to more enhanced features that streamline and enhance the
process of performing an assessment, thereby managing your HITRUST CSF adoption. Subscription level and associated features are:
HITRUST’s management and support of the MyCSF tool set it apart as a one-of-a-kind resource.
MyCSF is offered in varying subscription levels. For more information, visit the MyCSF webpage or contact [email protected].