Logical Writing Solutions, Inc.
HITRUST Requirement for "Independent Review of Information Security" Clarified

10/23/2020

[Photo by Mike van Schoonderwalt from Pexels]
Organizations preparing for HITRUST certification typically have questions around Control Reference 05.h Independent Review of Information Security: "The organization's approach to managing information security and its implementation (control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, at a minimum annually, or when significant changes to the security implementation occur."

The first question is typically: Does the requirement for an "independent" review necessitate hiring external auditors? The second question is often: How does this differ from other HITRUST review requirements?
 
Defining independent: The Level 1 notes for 05.h in the Cyber Security Framework (CSF) begin to clarify things. They say: "The review ... is carried out by individuals independent of the area under review (e.g. the internal audit function, an independent manager or a third-party organization specializing in such reviews)." In addition, the HITRUST glossary defines Independent as "With respect to an assessor or measure, one that is not influenced by the person or entity that is responsible for the implementation of the requirement/control being evaluated or measured." So an independent review can be conducted either by staff in a separate department or on a separate team from the function being reviewed, as long as they are not influenced by the implementers, or by an external team.

Overall HITRUST Review and Assessment Requirements: At a minimum, in addition to independent review, HITRUST baseline requirements typically include:
  1. A HITRUST validated assessment (recertification) every other year.
  2. A HITRUST interim assessment on the alternating years.
  3. An annual review of the Information Security Management Program (ISMP) or set of information security policies (Control Reference 00.a Information Security Management Program).
  4. A Risk Assessment on the scoped environment that addresses all HITRUST domains (Control Reference 03.b Performing Risk Assessments).
  5. Penetration testing (Control Reference 10.m Control of Technical Vulnerabilities).

Baseline requirements are identified for an organization based on its answers to the scoping questions.

Besides HITRUST reviews, these organizations may also be subject to SOC, PCI-DSS, ISO27001, penetration tests, and/or other reviews.

Illustrative procedures: In addition to the baseline requirement statements, organizations should also look at the "illustrative procedure" (IP) language for the selected 05.h baseline requirements to understand how those requirements are tested. (Organizations can export a spreadsheet from the reporting section of MyCSF that includes the baseline requirements and the IP language for each requirement.) With a solid understanding of the organization-specific controls, the organization can consider whether its existing assessment efforts are sufficient. If so, it may create an assurance plan specifying how the independent review requirement is met by those existing efforts instead of performing an additional review.

Focus on IPs and not the CSF: Keep in mind that if an organization wants to achieve HITRUST certification efficiently, it should not treat the HITRUST CSF as equivalent to its own HITRUST scope. Not all CSF "Implementation Requirements" apply to every organization. Organizations should focus primarily on their baseline requirements and IPs, referencing the CSF for additional context only.