855.HITRUST (855.448.7878)www.HITRUSTAlliance.net 1 © 2017 HITRUST Alliance
Model Approach to Efficient and Cost-Effective Third-Party Assurance
CHALLENGES WITH THIRD-PARTY ASSURANCE
What’s Driving Demand for Increased Assurance?
• Increasing risk posed by third parties
• Increasing cyber threat landscape
• Confusion
  – What is reasonable, appropriate or adequate?
• Growing compliance risk and liability
  – Breach and legal costs; regulatory penalties
[Figure: cost of compliance plotted against compliance effectiveness]
Approach from Customer (Covered Entity)
• No consistency of request
  – Self-attestation and questionnaires
  – Proprietary assessments
  – Third-party audits
• Request detailed information on the Business Associate or Vendor Security Program
• Require appropriate assurances on
  – Scope of information they receive
  – What was tested
  – How the information was vetted
• Obtain assurances in a format they can understand and consume
[Figure: customers and business partners]
Response from Business Partners
• Negotiate requests they receive from their customers
• Suggest alternative approaches
• Complicates contracting process due to unique security requirements
• Broad range and inconsistent expectations for responses to questionnaires; inability to effectively leverage responses across organizations
• Dedicate staff and funding to those requiring unique approaches
[Figure: customers, business partners (BP), audit reports and requirements]
Implications of the Current Response
Customers
• Requires significant resources to engage, negotiate and track assurances
Business Partners
• Dedicates significant resources to respond to duplicative and redundant assurance requests
• Incurs costs to comply and satisfy requests and requirements
• Creates inconsistency around acceptable standards of due diligence and due care
• Distracts resources from other security-related programs
Although addressed in many different ways, there are only so many privacy and security controls one can implement and assess.
Universal Agreement that the Current Model is Broken
• There are no scenarios where performing 25, 50 or 250 or more unique assessments makes sense for a business partner to communicate their information privacy and security posture (on the same scope)
• Nor does maintaining and supporting an organization-specific assessment methodology and performing assessments
• HITRUST has been working with organizations and business partners to identify a practical and implementable approach
[Figure: Common Requirements, Uniform Assessment Process, Simplified Reporting, More Efficient and Effective Compliance Process]
HOW HITRUST FACILITATES THIRD-PARTY ASSURANCE
Approach Taken in Healthcare Industry
To minimize the cost, time and effort around third-party assurance, initially five (5) of the largest U.S. health plans notified industry of updates to their business associate and partner agreements, specifically their use of the HITRUST CSF Assurance Program.
• HITRUST CSF certification or SOC 2® leveraging HITRUST CSF Controls is required
• 2-year implementation schedule
• Created the momentum to move the industry and vendor community
HITRUST CSF Assurance Program
• Provides a common set of information security and privacy requirements through the HITRUST CSF
• Provides standardized assessment and reporting processes
  – Improved efficiency
  – Lowered costs
• Helps ensure organizations can trust that their business partners are adequately protecting sensitive information through HITRUST’s oversight and governance of the program
For more information, see https://hitrustalliance.net/csf/ and https://hitrustalliance.net/csf-assurance/
A “Win-Win” for Customers and Vendors
• Established a uniform set of expectations for communicating information privacy and security posture
• Reduced time and expense on redundant audits, assessments, and onsite reviews
• Reduced time and expense of procurement managing various assessment processes
• Facilitates a specific level of assurance around implemented controls
[Figure: HITRUST Common Business Partner Compliance Framework: customers and business partners (BP) sharing CSF Requirements and a HITRUST Assessment]
The HITRUST Vendor/Business Associate Council
• Provides healthcare vendors the opportunity to drive efficiency and effectiveness in third-party assurance.
• Arvato Digital Services
• Armor
• Availity
• Azure (Microsoft)
• Catalyze
• Change Healthcare
• Cognizant
• Dropbox
• Epic Systems
• Fiserv
• Healthedge
• HMS
• PDHI
• RR Donnelley
• Salesforce
• West Corporation
• Xerox Corporation
Vendor / Market Support
KEY ELEMENTS OF THE APPROACH
Transparency
The approach should be open and transparent.
Requirements are agnostic for similar types of sensitive information
• Integrates relevant federal control baselines
• Incorporates industry leading practices
• Leverages threat-to-control relationships*
Entire program is publicly available and commonly understandable
• Control framework / requirements
• Assessment methodology / procedures
• Scoring model
*Leveraging HITRUST Threat Catalogue
Accuracy
The approach should ensure accuracy in evaluation and reporting of the implemented controls.
HITRUST uses a 5x5 control maturity and scoring model to evaluate the HITRUST CSF’s control requirements
• 5 maturity levels for each control requirement
• 5 scoring levels for each control maturity level
HITRUST also provides a scoring rubric for each maturity level
Consistency
The approach should ensure consistency in evaluation and reporting regardless of the specific assessor used.
Extensive assessment guidance
• General guidance for each maturity level
• Specific guidance for each control
HITRUST quality assurance review process
• Applies to all third-party assessments
Standardized reporting format
Scalability
The approach should be scalable enough to address the needs of the entire industry, while maintaining consistency and accuracy.
Formal HITRUST CSF Assessor Program
• HITRUST CSF trained staff
• Experience/capabilities vetted by HITRUST
Choose from a pool of certified HITRUST CSF Assessors to ensure
• The best fit
• The best price
Program is market-based
• As demand for assurances increases, so does the pool of HITRUST CSF Assessor organizations
Efficiency
The approach should allow an organization to assess once and report many, i.e., an assessment must address multiple compliance and best practice requirements and support the reporting of assurances tailored to each requirement.
HITRUST fully leverages the ‘Assess Once, Report Many’ approach
• Multiple security requirements (e.g., legal, regulatory)
• One cybersecurity program
• One targeted, cost-effective assessment that provides a reasonable level of assurance at a reasonable cost
• Multiple reporting options from a single assessment
CSF Assurance - Degrees of Assurance
• CSF Self Assessments can be conducted by the business associate
• CSF Validated or Certified requires third-party engagement
Reporting Options

HITRUST CSF Report
• Type of report (relevant standard): HITRUST CSF Assurance
• Scope of report: HITRUST CSF controls (may or may not be limited to those required for certification)
• Intended users: unlimited distribution
• Resulting deliverable: HITRUST CSF report with background, management representation, scope, results of maturity scores, CAPs, NIST CsF scorecard/certification
• Report issued by: HITRUST
• Report addresses: HITRUST CSF, NIST CsF

SOC 2 Report with HITRUST CSF
• Type of report (relevant standard): AT101
• Scope of report: security, availability, confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
• Intended users: limited distribution
• Resulting deliverable: attest opinion with description of systems and service auditor tests/results against selected Trust Services Principles; HITRUST CSF controls (suitable criteria)
• Report issued by: independent CPA firms
• Report addresses: HITRUST CSF, AICPA Trust Services Principles

SOC 2 + HITRUST CSF Report
• Type of report (relevant standard): AT101 + HITRUST CSF Assurance
• Scope of report: security, availability, confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
• Intended users: limited distribution
• Resulting deliverable: attest opinion with description of systems and service auditor tests/results against selected Trust Services Principles, HITRUST CSF controls (suitable criteria); HITRUST CSF report with background, management representation, scope, scores, CAPs, NIST CsF scorecard/certification
• Report issued by: independent CPA firms, HITRUST
• Report addresses: HITRUST CSF, AICPA Trust Services Principles, NIST CsF
Reliability
The approach should provide a high degree of assurance for relying parties, such as internal stakeholders (e.g., audit, management, Board of Directors) and external stakeholders (e.g., customers, business partners, vendors and regulators).
Obtained through:
• Transparency
• Accuracy
• Consistency
• Scalability
Provided by:
• HITRUST CSF
• HITRUST CSF Assurance Program
• HITRUST CSF Assessor Program
COMMON QUESTIONS
What does the HITRUST CSF Include?
• The HITRUST CSF provides coverage across multiple regulations and includes significant components from other well-respected IT security standards bodies and governance sources.
• It is scalable, risk based, industry agnostic and certifiable
Control Categories
1. Information Security Management Program
2. Access Control
3. Human Resources Security
4. Risk Management
5. Security Policy
6. Organization of Information Security
7. Compliance
8. Asset Management
9. Physical and Environmental Security
10. Communications and Operations Management
11. Information Systems Acquisition, Development & Maintenance
12. Information Security Incident Management
13. Business Continuity Management
14. Privacy Practices
Scoping Factors
Regulatory
• Federal, state and domain specific compliance requirements
Organization
• Geographic factors
• Number of records processed or held
System
• Data stores
• External connections
• Number of users/transactions
Legislative, Regulatory, and ‘Best Practice’ Standards and Frameworks include, but are not limited to:
• ISO/IEC 27001:2005, 2013; 27002:2005, 2013; 27799:2008
• CFR Part 11
• COBIT 4.1
• NIST SP 800-53 Revision 4
• NIST Cybersecurity Framework (CsF)
• DHS Cyber Resilience Review (in CSF v9)
• NIST SP 800-66 Revision 1
• PCI DSS version 3
• FTC Red Flags Rule
• FFIEC IT InfoSec Examination (in CSF v9)
• 201 CMR 17.00 (State of Mass.)
• NRS 603A (State of Nev.)
• CSA Cloud Controls Matrix version 3.1
• CIS CSC version 6 (SANS Top 20)
• CMS IS ARS version 2
• MARS-E version 2
• IRS Pub 1075 v2014
• FedRAMP (in CSF v9)
[Figure: Analyzed, Rationalized & Consolidated into Control Specifications (149), Control Objectives (45), Control Categories (14)]
Does this mean I have to redo my security program?
The HITRUST CSF covers 100% of the:
• ISO 27002-2005 controls (mapping is trivial, as the HITRUST CSF is built on ISO 27001-2005)
• ISO 27002-2013 controls (depicted on the left)
• NIST SP 800-53 r4 controls, moderate-level baseline (depicted on the left)
To simplify the process of aligning from a standard like ISO or NIST to the HITRUST CSF, HITRUST provides a HITRUST CSF Standards & Regulations Cross-Reference (X-Ref) spreadsheet with detailed mappings (depicted by the examples on the right)
*HITRUST CSF control category 0.0 addresses the original ISMS requirements in Section 4 of ISO 27001:2005
How does all this facilitate trust?
Why can’t I just do a SOC 2?
HITRUST CSF meets AICPA SOC 2 reporting requirements for suitable criteria
• Realize significant time efficiencies and cost savings
• Reduce inefficiencies/costs associated with multiple reporting requirements
• Provide additional detail around how an organization is addressing internal control
Lack of uniform ‘acceptable controls criteria’ results in a reduction of the following when viewed across multiple entities:
• Transparency
• Accuracy
• Consistency
• Reliability
What does ‘acceptable controls criteria’ mean?
• The SOC 2 guide and Appendix C of TSP section 100 require an organization to establish controls that meet all applicable trust services criteria
• The control objectives must align with the applicable trust services criteria, and the controls must address all of the applicable trust services criteria
• AICPA requirements for suitable criteria
  – Objectivity
  – Measurability
  – Completeness
  – Relevance
Why can’t I just use the NIST Cybersecurity Framework?
Although scalable, the NIST CSF lacks prescription in:
• Requirements
• Assessment methodology
Subsequently lacks:
• Transparency
• Accuracy
• Consistency
• Reliability
The HITRUST CSF provides the foundation needed to implement the NIST Cybersecurity Framework.
Why can’t I just do the AICPA Cyber Examination?
AICPA Cyber Examination consists of two major components:
• A description of an entity’s program based on new description criteria
• An assessment of control effectiveness based on its control criteria
As with the AICPA Trust Services Principles, additional information (specificity) is needed to address the criteria, and the Cyber Examination would result in a reduction of the following when viewed across multiple entities:
• Transparency
• Accuracy
• Consistency
• Reliability
How do I know what was in place and tested?
HITRUST CSF Validated and Certified Report
• Letter of Certification
• Representation Letter
• Assessment Context
• Assessment Scope
• Security Program Analysis
• Assessment Results
• Overall Security Program Summary
• Breakdown of Controls Required for Certification
• Testing Summary
• Corrective Action Plan
• Questionnaire Results (Detailed)
• System Profile
How do I benefit from all this?
• Redundant, inconsistent assessments result in lost productivity, additional costs
• A more efficient, streamlined approach benefits the Plan and the Plan Sponsor
• Recommended approach leverages:
  – A single controls framework for context
  – A strong assessment methodology that provides high assurance and consistency
  – A single assessment to provide efficient reporting
• HITRUST CSF – control maturity scoring
• SOC 2 – HITRUST CSF provides SOC 2 the necessary prescriptiveness and transparency for availability, confidentiality and security criteria
• NIST Cybersecurity Framework – HITRUST CSF provides basis for consistency, HITRUST CSF Assurance enables transparency and assurance, and scorecard enables reporting on NIST CsF Core Subcategories
Questions
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight
HITRUST Resources
Healthcare Sector CsF Implementation Guide
Discusses healthcare’s implementation of the NIST Cybersecurity Framework based on the HITRUST CSF and CSF Assurance Program
https://hitrustalliance.net/documents/cybersecurity/HITRUST_Healthcare_Sector_Cybersecurity_Framework_Implementation_Guide.pdf
Risk Analysis Guide
Provides a detailed discussion of HITRUST’s NIST-based control implementation maturity model, HITRUST’s scoring model, and additional information on risk treatments, including remediation planning for control deficiencies
https://hitrustalliance.net/documents/csf_rmf_related/RiskAnalysisGuide.pdf
Risk vs. Compliance-based Protection
Discusses the difference between compliance and risk-based information protection programs and shows how controls are selected based on a risk analysis, after which their implementation becomes a compliance exercise
https://hitrustalliance.net/documents/csf_rmf_related/RiskVsComplianceWhitepaper.pdf
MyCSF vs. GRC Tools
Provides a discussion of the differences between a “typical” GRC tool and MyCSF, which was primarily designed to automate HITRUST’s assessment validation and certification process
https://hitrustalliance.net/documents/content/MyCSFVsGRCTool.pdf
CSF Assessment Methodology
Discusses HITRUST’s NIST-based approach to conducting CSF assessments, including information on how to determine organizational and system scope
https://hitrustalliance.net/documents/assurance/csf/CSFAssessmentMethodology.pdf
CSF Assurance Program Requirements
Provides an overview of the CSF Assurance Program, the various types of assessments available, and the process of obtaining and maintaining certification
https://hitrustalliance.net/documents/assurance/csf/CSFAssuranceProgramRequirements.pdf