
CSF Roadmap 2015 and Beyond

Presented By Bryan S. Cline, Ph.D.

Presented For HITRUST

Page 2

Introduction

Information Security Implementation Manual

Compliance Reporting System

U.S. Healthcare Industry Implementation Standards

Control Objectives (Primary Ref: ISO/IEC 27002:2005 & ISO/IEC 27001:2005)

Self Assessment Process

Certification Process

Standards and Regulations Cross Reference Matrix

HITRUST NIST COBIT HIPAA

Control 1 X X

Control 2 X X

Control 3 X

Standards and Materials Leveraged

HIPAA/HITECH

HITRUST member experience

NIST 800 Series

CMS

The Joint Commission

Others

FTC Red Flags

Mass. 201 CMR 17.00

Page 3

Outline


Page 4

2014 CSF v6


•  NIST SP 800-53 r4 (Apr 2013 FPD)
•  CMS IS ARS v1.5 (2012)
•  NIST-CMS Harmonization (Publication Updates)
•  Title 1 TX Admin. Code 390.2 (TX Standards)
   –  Privacy requirements to support TX certification of the HIPAA Privacy Rule
   –  Dozens of other federal and state laws and regulations related to the protection of health information

Page 5

Something new – 2014 CSF v6.1


•  PCI-DSS v3.0 (2013)
•  HIPAA Omnibus Rule (2013)
•  ISO/IEC 27001:2013 (2013)
•  ISO/IEC 27002:2013 (2013)
•  NIST Cybersecurity Framework v1 (2014)

Page 6

Something new – 2014 CSF v6.2


•  Minimum Acceptable Risk Safeguards–Exchanges (MARS-E) (2012)
   –  Catalog of Minimum Acceptable Risk Controls for Exchanges v1 (2012)
   –  Includes references to IRS Pub 1075 requirements for FTI (federal tax information), which also supports TX Covered Entity Privacy & Security Certification requirements

•  NIST HSR Toolkit v1 (2011)
   –  Unknown if NIST plans to update the tool

•  OCR Audit Protocol v2 (2014)
   –  When released
   –  May also impact CSF Assurance Program

Page 7

2015 CSF v7 and beyond …

•  Considering COBIT 5, but …

Page 8

See you in 2015!


Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP HITRUST Advisor
