Model Approach to Efficient and Cost-Effective Third-Party Assurance

855.HITRUST (855.448.7878) www.HITRUSTAlliance.net © 2017 HITRUST Alliance

Upload: doantuong

Post on 17-May-2018



Page 2

CHALLENGES WITH THIRD-PARTY ASSURANCE

Page 3

What’s Driving Demand for Increased Assurance?

• Increasing risk posed by third parties
• Increasing cyber threat landscape
• Confusion
  – What is reasonable, appropriate or adequate?
• Growing compliance risk and liability
  – Breach and legal costs; regulatory penalties

[Figure: Compliance Effectiveness plotted against Cost of Compliance]

Page 4

Approach from Customer (Covered Entity)

• No consistency of request
  – Self-attestation and questionnaires
  – Proprietary assessments
  – Third-party audits
• Request detailed information on the Business Associate or Vendor Security Program
• Require appropriate assurances on
  – Scope of information they receive
  – What was tested
  – How the information was vetted
• Obtain assurances in a format they can understand and consume

[Figure: Customers and Business Partners exchanging assurance requests]

Page 5

Response from Business Partners

• Suggest alternative approaches
• Complicates contracting process due to unique security requirements
• Broad range and inconsistent expectations for responses to questionnaires; inability to effectively leverage responses across organizations
• Dedicate staff and funding to those requiring unique approaches
• Negotiate requests they receive from their customers

[Figure: multiple Customers each sending their own Requirements to Business Partners (BP), each producing a separate Audit Report (1, 2, X, Y, #)]

Page 6

Implications of the Current Response

Customers
• Requires significant resources to engage, negotiate and track assurances

Business Partners
• Dedicates significant resources to respond to duplicative and redundant assurance requests
• Incurs costs to comply and satisfy requests and requirements
• Creates inconsistency around acceptable standards of due diligence and due care
• Distracts resources from other security-related programs

Although addressed in many different ways, there are only so many privacy and security controls one can implement and assess.

Page 7

Universal Agreement that the Current Model is Broken

• There are no scenarios where performing 25, 50 or 250 or more unique assessments makes sense for a business partner to communicate their information privacy and security posture (on the same scope)
• Nor does maintaining and supporting an organization-specific assessment methodology and performing assessments
• HITRUST has been working with organizations and business partners to identify a practical and implementable approach

[Figure: Common Requirements → Uniform Assessment Process → Simplified Reporting → More Efficient and Effective Compliance Process]

Page 8

HOW HITRUST FACILITATES THIRD-PARTY ASSURANCE

Page 9

Approach Taken in Healthcare Industry

To minimize the cost, time and effort around third-party assurance, initially five (5) of the largest U.S. health plans notified industry of updates to their business associate and partner agreements, specifically their use of the HITRUST CSF Assurance Program.

• HITRUST CSF certification or SOC 2® leveraging HITRUST CSF Controls is required
• 2-year implementation schedule
• Created the momentum to move the industry and vendor community

Page 10

HITRUST CSF Assurance Program

• Provides a common set of information security and privacy requirements through the HITRUST CSF
• Provides standardized assessment and reporting processes
  – Improved efficiency
  – Lowered costs
• Helps ensure organizations can trust that their business partners are adequately protecting sensitive information through HITRUST’s oversight and governance of the program

For more information, see https://hitrustalliance.net/csf/ and https://hitrustalliance.net/csf-assurance/

Page 11

A “Win-Win” for Customers and Vendors

• Established a uniform set of expectations for communicating information privacy and security posture
• Reduced time and expense on redundant audits, assessments, and onsite reviews
• Reduced time and expense of procurement managing various assessment processes
• Facilitates a specific level of assurance around implemented controls

[Figure: HITRUST Common Business Partner Compliance Framework; Customers and Business Partners (BP) share the same CSF Requirements and a single HITRUST Assessment]

Page 12

The HITRUST Vendor/Business Associate Council

• Provides healthcare vendors the opportunity to drive efficiency and effectiveness in third-party assurance.

• Arvato Digital Services
• Armor
• Availity
• Azure (Microsoft)
• Catalyze
• Change Healthcare
• Cognizant
• Dropbox
• Epic Systems
• Fiserv
• Healthedge
• HMS
• PDHI
• RR Donnelley
• Salesforce
• West Corporation
• Xerox Corporation

Page 13

Vendor / Market Support

Page 14

KEY ELEMENTS OF THE APPROACH

Page 15

Transparency

The approach should be open and transparent.

Requirements are agnostic for similar types of sensitive information
• Integrates relevant federal control baselines
• Incorporates industry leading practices
• Leverages threat-to-control relationships*

Entire program is publicly available and commonly understandable
• Control framework / requirements
• Assessment methodology / procedures
• Scoring model

*Leveraging HITRUST Threat Catalogue

Page 16

Accuracy

The approach should ensure accuracy in evaluation and reporting of the implemented controls.

HITRUST uses a 5x5 control maturity and scoring model to evaluate the HITRUST CSF’s control requirements
• 5 maturity levels for each control requirement
• 5 scoring levels for each control maturity level

HITRUST also provides a scoring rubric for each maturity level

Page 17

Consistency

The approach should ensure consistency in evaluation and reporting regardless of the specific assessor used.

Extensive assessment guidance
• General guidance for each maturity level
• Specific guidance for each control

HITRUST quality assurance review process
• Applies to all third-party assessments

Standardized reporting format

Page 18

Scalability

The approach should be scalable enough to address the needs of the entire industry, while maintaining consistency and accuracy.

Formal HITRUST CSF Assessor Program
• HITRUST CSF trained staff
• Experience/capabilities vetted by HITRUST

Choose from a pool of certified HITRUST CSF Assessors to ensure
• The best fit
• The best price

Program is market-based
• As demand for assurances increases, so does the pool of HITRUST CSF Assessor organizations

Page 19

Efficiency

The approach should allow an organization to assess once and report many, i.e., an assessment must address multiple compliance and best practice requirements and support the reporting of assurances tailored to each requirement.

HITRUST fully leverages the ‘Assess Once, Report Many’ approach
• Multiple security requirements (e.g., legal, regulatory)
• One cybersecurity program
• One targeted, cost-effective assessment that provides a reasonable level of assurance at a reasonable cost
• Multiple reporting options from a single assessment

Page 20

CSF Assurance - Degrees of Assurance

• CSF Self Assessments can be conducted by the business associate
• CSF Validated or Certified requires third-party engagement

Page 21

Reporting Options

HITRUST CSF Report
• Type of report (relevant standard): HITRUST CSF Assurance
• Scope of report: HITRUST CSF controls (may or may not be limited to those required for certification)
• Intended users: Unlimited distribution
• Resulting deliverable: HITRUST CSF report with background, mgmt. rep., scope, results of maturity scores, CAPs, NIST CsF scorecard/certification
• Report issued by: HITRUST
• Report addresses: HITRUST CSF, NIST CsF

SOC 2 Report with HITRUST CSF
• Type of report (relevant standard): AT101
• Scope of report: Security, availability, confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
• Intended users: Limited distribution
• Resulting deliverable: Attest opinion with description of systems and service auditor test/results against selected Trust Services Principles; HITRUST CSF controls (suitable criteria)
• Report issued by: Independent CPA firms
• Report addresses: HITRUST CSF, AICPA Trust Services Principles

SOC 2 + HITRUST CSF Report
• Type of report (relevant standard): AT101 + HITRUST CSF Assurance
• Scope of report: Security, availability, confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
• Intended users: Limited distribution
• Resulting deliverable: Attest opinion with description of systems and service auditor test/results against selected Trust Services Principles, HITRUST CSF controls (suitable criteria); HITRUST CSF report with background, mgmt. rep., scope, scores, CAPs, NIST CsF scorecard/certification
• Report issued by: Independent CPA firms, HITRUST
• Report addresses: HITRUST CSF, AICPA Trust Services Principles, NIST CsF

Page 22

Reliability

The approach should provide a high degree of assurance for relying parties, such as internal stakeholders (e.g., audit, management, Board of Directors) and external stakeholders (e.g., customers, business partners, vendors and regulators).

Obtained through:
• Transparency
• Accuracy
• Consistency
• Scalability

Provided by:
• HITRUST CSF
• HITRUST CSF Assurance Program
• HITRUST CSF Assessor Program

Page 23

COMMON QUESTIONS

Page 24

What does the HITRUST CSF Include?

• The HITRUST CSF provides coverage across multiple regulations and includes significant components from other well-respected IT security standards bodies and governance sources.
• It is scalable, risk based, industry agnostic and certifiable

Control Categories
1. Information Security Management Program
2. Access Control
3. Human Resources Security
4. Risk Management
5. Security Policy
6. Organization of Information Security
7. Compliance
8. Asset Management
9. Physical and Environmental Security
10. Communications and Operations Management
11. Information Systems Acquisition, Development & Maintenance
12. Information Security Incident Management
13. Business Continuity Management
14. Privacy Practices

Scoping Factors
• Regulatory: Federal, state and domain specific compliance requirements
• Organization: Geographic factors; number of records processed or held
• System: Data stores; external connections; number of users/transactions

Legislative, Regulatory, and “Best Practice” Standards and Frameworks include, but are not limited to:
• ISO/IEC 27001:2005, 2013; 27002:2005, 2013; 27799:2008
• CFR Part 11
• COBIT 4.1
• NIST SP 800-53 Revision 4
• NIST Cybersecurity Framework (CsF)
• DHS Cyber Resilience Review (in CSF v9)
• NIST SP 800-66 Revision 1
• PCI DSS version 3
• FTC Red Flags Rule
• FFIEC IT InfoSec Examination (in CSF v9)
• 201 CMR 17.00 (State of Mass.)
• NRS 603A (State of Nev.)
• CSA Cloud Controls Matrix version 3.1
• CIS CSC version 6 (SANS Top 20)
• CMS IS ARS version 2
• MARS-E version 2
• IRS Pub 1075 v2014
• FedRAMP (in CSF v9)

Analyzed, Rationalized & Consolidated
• Control Specifications (149)
• Control Objectives (45)
• Control Categories (14)

Page 25

Does this mean I have to redo my security program?

The HITRUST CSF covers 100% of the:
• ISO 27002-2005 controls (mapping is trivial, as the HITRUST CSF is built on ISO 27001-2005)
• ISO 27002-2013 controls (depicted on the left)
• NIST SP 800-53 r4 controls, moderate-level baseline (depicted on the left)

To simplify the process of aligning from a standard like ISO or NIST to the HITRUST CSF, HITRUST provides a HITRUST CSF Standards & Regulations Cross-Reference (X-Ref) spreadsheet with detailed mappings (depicted by the examples on the right)

*HITRUST CSF control category 0.0 addresses the original ISMS requirements in Section 4 of ISO 27001:2005

Page 26

How does all this facilitate trust?

Page 27

Why can’t I just do a SOC 2?

HITRUST CSF meets AICPA SOC 2 reporting requirements for suitable criteria
• Realize significant time efficiencies and cost savings
• Reduce inefficiencies/costs associated with multiple reporting requirements
• Provide additional detail around how an organization is addressing internal control

Lack of uniform ‘acceptable controls criteria’ results in a reduction of the following when viewed across multiple entities:
• Transparency
• Accuracy
• Consistency
• Reliability

Page 28

What does ‘acceptable controls criteria’ mean?

• The SOC 2 guide and Appendix C of TSP section 100 require an organization to establish controls that meet all applicable trust services criteria
• The control objectives must align with the applicable trust services criteria, and the controls must address all of the applicable trust services criteria
• AICPA requirements for suitable criteria
  – Objectivity
  – Measurability
  – Completeness
  – Relevance

Page 29

Why can’t I just use the NIST Cybersecurity Framework?

Although scalable, the NIST CSF lacks prescription in:
• Requirements
• Assessment methodology

Subsequently lacks:
• Transparency
• Accuracy
• Consistency
• Reliability

The HITRUST CSF provides the foundation needed to implement the NIST Cybersecurity Framework.

Page 30

Why can’t I just do the AICPA Cyber Examination?

AICPA Cyber Examination consists of two major components:
• A description of an entity’s program based on new description criteria
• An assessment of control effectiveness based on its control criteria

As with the AICPA Trust Services Principles, additional information (specificity) is needed to address the criteria, and the Cyber Examination would result in a reduction of the following when viewed across multiple entities:
• Transparency
• Accuracy
• Consistency
• Reliability

Page 31

How do I know what was in place and tested?

HITRUST CSF Validated and Certified Report
• Letter of Certification
• Representation Letter
• Assessment Context
• Assessment Scope
• Security Program Analysis
• Assessment Results
• Overall Security Program Summary
• Breakdown of Controls Required for Certification
• Testing Summary
• Corrective Action Plan
• Questionnaire Results (Detailed)
• System Profile

Page 32

How do I benefit from all this?

• Redundant, inconsistent assessments result in lost productivity, additional costs
• A more efficient, streamlined approach benefits the Plan and the Plan Sponsor
• Recommended approach leverages:
  – A single controls framework for context
  – A strong assessment methodology that provides high assurance and consistency
  – A single assessment to provide efficient reporting

• HITRUST CSF – control maturity scoring
• SOC 2 – HITRUST CSF provides SOC 2 the necessary prescriptiveness and transparency for availability, confidentiality and security criteria
• NIST Cybersecurity Framework – HITRUST CSF provides basis for consistency, HITRUST CSF Assurance enables transparency and assurance, and scorecard enables reporting on NIST CsF Core Subcategories

Page 33

Questions

Page 34

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight

Page 35

HITRUST Resources

Healthcare Sector CsF Implementation Guide
Discusses healthcare’s implementation of the NIST Cybersecurity Framework based on the HITRUST CSF and CSF Assurance Program
https://hitrustalliance.net/documents/cybersecurity/HITRUST_Healthcare_Sector_Cybersecurity_Framework_Implementation_Guide.pdf

Risk Analysis Guide
Provides a detailed discussion of HITRUST’s NIST-based control implementation maturity model, HITRUST’s scoring model, and additional information on risk treatments, including remediation planning for control deficiencies
https://hitrustalliance.net/documents/csf_rmf_related/RiskAnalysisGuide.pdf

Risk vs. Compliance-based Protection
Discusses the difference between compliance and risk-based information protection programs and shows how controls are selected based on a risk analysis, after which their implementation becomes a compliance exercise
https://hitrustalliance.net/documents/csf_rmf_related/RiskVsComplianceWhitepaper.pdf

MyCSF vs. GRC Tools
Provides a discussion of the differences between a “typical” GRC tool and MyCSF, which was primarily designed to automate HITRUST’s assessment validation and certification process
https://hitrustalliance.net/documents/content/MyCSFVsGRCTool.pdf

CSF Assessment Methodology
Discusses HITRUST’s NIST-based approach to conducting CSF assessments, including information on how to determine organizational and system scope
https://hitrustalliance.net/documents/assurance/csf/CSFAssessmentMethodology.pdf

CSF Assurance Program Requirements
Provides an overview of the CSF Assurance Program, the various types of assessments available, and the process of obtaining and maintaining certification
https://hitrustalliance.net/documents/assurance/csf/CSFAssuranceProgramRequirements.pdf