Photo by Mike van Schoonderwalt from Pexels

Organizations preparing for HITRUST certification typically have questions around Control Reference 05.h Independent Review of Information Security: "The organization's approach to managing information security and its implementation (control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, at a minimum annually, or when significant changes to the security implementation occur."

The first question is typically: Does the requirement for an "independent" review necessitate hiring external auditors? The second question is often: How does this differ from other HITRUST review requirements?
 
Defining independent: The Level 1 notes for 05.h in the Cyber Security Framework (CSF) begin to clarify things. It says: "The review ... is carried out by individuals independent of the area under review (e.g. the internal audit function, an independent manager or a third-party organization specializing in such reviews." In addition, the HITRUST glossary defines Independent as "With respect to an assessor or measure, one that is not influenced by the person or entity that is responsible for the implementation of the requirement/control being evaluated or measured." So an independent review can be conducted either by staff in a separate department or on a separate team from the function being reviewed as long as it isn't being influenced by the implementors, or by an external team. 

Overall HITRUST Review and Assessment Requirements: At a minimum, in addition to independent review, HITRUST baseline requirements typically include:

1. A HITRUST validated assessment (recertification) every other year.
2. A HITRUST interim assessment on the alternating years.
3. An annual review of the Information Security Management Program (ISMP) or set of information security policies.(Control Reference 00.a Information Security Management Program).
4. A Risk Assessment on the scoped environment that addresses all HITRUST domains (Control Reference 03.b Performing Risk Assessments). 
5. Penetration testing (Control Reference 10.m Control of Technical Vulnerabilities).

Baseline requirements are identified for an organization based on an organization's answer to scoping questions.  

Besides HITRUST reviews, these organizations may also be subject to SOC, PCI-DSS, ISO27001, penetration tests, and/or other reviews.

Illustrative procedures: In addition to the baseline requirement statements, organizations should also look at the "illustrative procedure" (IP) language for selected 05.h baseline requirements to understand how they are being tested. (Organizations can export a spreadsheet from the reporting section of MyCSF that includes the baseline requirements and the IP language for each requirement.) With a solid understanding of the organization-specific controls, the organization can consider whether existing assessment efforts are sufficient. If so, an organization may create an assurance plan specifying how the independent review requirement is met by existing efforts instead of performing an additional review. 

Focus on IPs and not the CSF: Keep in mind that if an organization wants to achieve HITRUST certification with efficiency, it should not consider the HITRUST CSF as equivalent to every organization's HITRUST scope. Not all CSF  "Implementation Requirements" apply for every organization. Organizations should primarily focus on their baseline requirements and IPs, referencing the CSF for additional context only. 

By Ann Grove, Logical's President

Added Hacker Valley and other updates: 10/2/2020
Original post: 8/2/2017

​If you are looking for opportunities to keep your finger on the pulse of security, podcasts fit the bill. Here are some of our favorite security podcasts, in alphabetical order.

1. Brakeing Down Security covers a range of topics such as conferences, software bloat, containerization, and technology culture. Hosts Bryan Brake, Brian Boettcher, and Amanda Berlin broadcast every week or two.  
2. Crypto-Gram Security Podcast is Bruce Schneier's newsletter, read by Dan Henage. Schneier covers news and books that are often overlooked by others.
3. Cyber Security Interviews offers insights into the minds of security thought leaders and the direction of the industry.
4. Cyberwire podcast lineup includes a daily 20-minute podcast covering news about cyberspace and commentary.
5. Defensive Security Podcast is a deep dive into recent cyber security breaches with Jerry Bell and Andrew Kalat. 
6. DevSecCon (previously The Secure Developer) covers application security, security tools for developers, and development best practices. Guy Podjarny, CEO at Snyk, launched this podcast in 2016.
7. Down the Security Rabbithole Podcast provides "a business-first approach" to security hacks, risks, and threats.
8. Hacker Valley Blue by Ron and Chris (a friend of mine) focused on threat intelligence. Coming soon: Hacker Valley Red, focused on the human element of security.
9. ITSPmagazine discusses security within the context of IT, privacy, and society.
10. Malicious Life by Cybereason tells the unknown stories of the history of cybersecurity, with comments and reflections by real hackers, security experts, journalists, and politicians
11. Paul's Security Weekly (aka Paul Dotcom), in play since about 2005, hasn't published for some time but some of the team's other shows including Enterprise Security Weekly are still in play. 
12. Risky Business, hosted by Patrick Gray since 2007. Security luminaries provide commentary. For instance, a 2020 episode talks about identity as the new perimeter.  
13. SANS Internet Storm Center StormCast, daily security threat updates in 10 minutes or less for the TL;DR crowd.
14. Security Now! with Steve Gibson and Leo Laporte in part focuses on the evolution of threats, vulns and security with a smattering of news and trends. On the air since 2005.
15. 7-minute Security Podcast has been talking about pentesting, blue teaming, and building a career in security since 2004. Bonus: Check out host Brian Johnson's  original song, CryptoLocker'd, inspired by a client experience in 2017.
16. ​Social-Engineer Podcast (broken link in 2020) is about the risks humans create in interacting with technology. 
17. Unsupervised Learning Podcast features Daniel Miessler providing perspective on the human impact of technology and security. It's Daniel's summary of 20 hours of reading each week. 

Let us know if you have any podcasts to add! 


About Ann

​Ann Grove, president of Logical, is Logical’s lead consultant. Logical's clients include security and compliance vendors as well as penetration test consultants.