HITRUST Certification

1
www.ControlCase.com | www.HITRUSTAlliance.net | 855.HITRUST (855.448.7878)
© 2021 HITRUST Alliance
www.HITRUSTAlliance.net
HITRUST Brings Rely-Ability and Efficiency to
All Levels of Information Assurance
l

2
AGENDA
• INTRODUCTIONS
• ABOUT CONTROLCASE
• WHAT IS HITRUST?
• WHAT ARE THE OBJECTIVES OF HITRUST?
• WHAT IS HITRUST CSF?
• KEY COMPONENTS OF THE HITRUST CSF ASSURANCE PROGRAM
• WHAT ARE THE HITRUST DOMAINS
• HITRUST PRESENTATION
• CONTROLCASE METHODOLOGY FOR HITRUST
• HITRUST RESULTS DISTRIBUTION SYSTEM
• Q&A

3
ABOUT CONTROLCASE
HITRUST EXTERNAL ASSESSOR SINCE 2014
Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently
and cost effectively (cost certainty)
• Improve efficiencies
⁃ Do more with less resources and gain
compliance peace of mind
• Free up your internal resources to focus
on their priorities
• Offload much of the compliance burden to
a trusted compliance partner
50+ 15+
200+
HITRUST
CLIENTS
HITRUST
CERTIFICATIONS
GLOBALLY
HITRUST
EXTERNAL
ASSESSORS

4
WHAT IS HITRUST?
Founded in 2007 to help
companies safeguard sensitive
data and manage risk.
Established a certifiable framework
for organizations that create, access, store
or exchange personal health
and financial information to
implement and be certified against.
Born out of the belief that information
security is critical to the broad
adoption, utilization and confidence
in health information systems,
medical technologies and electronic
exchanges of health information.

5
WHAT ARE THE OBJECTIVES OF HITRUST?
HITRUST aims to establish a fundamental and holistic change in the way organizations manage information security
risk by:
• Rationalizing regulations and standards into a single
overarching framework tailored for each organization.
• Deliver a prescriptive, scalable and certifiable process.
• Address inconsistent approaches to certification, risk
acceptance and adoption of compensating controls to
eliminate ambiguity in the processes.
• Enable the ability to cost-effectively monitor compliance
of organizational, business partner and governmental
requirements.
• Provide support and facilitate sharing of ideas, feedback and
experiences within the industry.
• Establish trust between organizations.
• Develop an approach for the practical, efficient and consistent
adoption of security by organizations across multiple
industries.

6
WHAT IS THE HITRUST CSF?
HITRUST CSF
The HITRUST CSF is a certifiable framework built upon other
standards and authoritative sources relevant to the healthcare
industry
• Harmonizes the requirements of existing standards and
regulations – HIPAA, SOC, GDPR, ISO 27001, NIST 800-
53 .etc.
• Allows organizations the ability to tailor their security
control baselines based on their specific information
security requirements.
• Incorporates both compliance and risk
management principles
• Defines a process to effectively and efficiently evaluate
compliance and security risk
• Supports HITRUST Certification

7
KEY COMPONENTS OF THE CSF ASSURANCE
PROGRAM
STANDARDIZED TOOLS & PROCESSES
Questionnaire
• Focus assurance dollars to efficiently
assess risk exposure
• Measured approach based on risk
and compliance
• Ability to escalate assurance level based
on risk
Report
• Output that is consistently interpreted across the
industry
RIGOROUS ASSURANCE
• Multiple assurance options based on risk
• Quality control processes to ensure consistent
quality and output across HITRUST External
Assessors
• Streamlined and measurable process within the
HITRUST MyCSF tool
• End User support

8
WHAT ARE THE HITRUST DOMAINS
1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Security
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging & Monitoring
13. Education, Training and Awareness
14. Third Party Assurance
15. Incident Management
16. Business Continuity & Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection & Privacy

9
HITRUST PRESENTATION

10
Learning Objectives
• Why the Need for Information Protection Assurances
• Not all Assurances are Created Equal
• New HITRUST Assessment Portfolio
• The Inefficient Method of Authenticating, Requesting, Sharing, and Analyzing Assessment Results
• New HITRUST Results Distribution System

11
Why the Need for Quality Information Protection Assurances
Assessed Entities Need…
• To provide credible and reliable Information risk
management assurances to internal and external
stakeholders and relying parties
• Board of Directors
• Management
• Customers
• Regulators
• Shareholders and Investors
• Cyber Insurers
•To stop wasting time performing duplicative
assessments and filling out proprietary questionnaires
they receive from customers
•To save time and money in performing assessments
Relying Parties Need…
• Assurance results they can actually rely upon
• Understanding of the suitability of the controls
• Full transparency on how the controls were scored and evaluated
• Consistency in testing and evaluation so that different assessors
reviewing the same evidence would come to the same
result/conclusion.
• Eliminate subjectivity or variability to bring integrity to the report
• Increased levels of impartiality from a centralized quality
assurance program over independent auditor
•To send proprietary questionnaires to their vendors
asking for specific information they need in the absence
of a reliable report
•To effectively manage third-party risk across hundreds or
thousands of vendors in the most efficient way.

12
Self-Assessment with No Outside QA
LOW
MEDIUM
HIGH
SUITABILITY OF INFORMATION PROTECTION CONTROLS CONSIDERED
RIGOR
OF
ASSESSMENT
APPROACH
&
ASSURANCE
PROGRAM
LOW MEDIUM HIGH
THE LANDSCAPE OF
INFORMATION PROTECTION
ASSESSMENTS
Greater number of
controls
Robust approach
based on formal
maturity model
Certification Body
report
Robust, comprehensive,
prescriptive controls
Consistent methodology
and reliable approach to
meet regulations
Certification
Body report
Industry recognized
controls and good
hygiene practices
May use a risk-based,
targeted approach
Self-selected controls
with limited depth and
breadth
Ad hoc scoping
approach often uses a
simple Yes/No checklist
Industry recognized
controls selection
with greater depth
Ad hoc scoping
approach may not
be risk-based
Greater number
of controls
Approach is more
prescriptive and
comprehensive
Produces Varying Levels of Assurance,
based on…
• Suitability of information protection controls
• Rigor of assessment approach and
assurance program
Third- Party Assessment with Some Level of QA & Final Report Issued by Assessor
Third-Party Assessment, often with Certification Body QA Review and Final Report
Limited controls
Formal maturity model
Certification Body
report
Greater number of
targeted and
prescriptive controls for
Authoritative Sources
Comprehensive,
prescriptive scope
based on formal
maturity model
breadth
Ad hoc scoping
approach often uses
KEY
Level of Controls:
Approach:
Certification Body Report:
Impartiality:
QA & Review:
Self...........................
Self & Assessor...............
Self/Assessor/Cert Body.............

13
Self-Assessment with No Outside QA
LOW
MEDIUM
HIGH
LOW MEDIUM HIGH
Greater number of
controls
Robust approach
based on formal
maturity model
Certification Body
report
Robust, comprehensive,
prescriptive controls
Consistent methodology
and reliable approach to
meet regulations
Certification
Body report
Industry recognized
controls and good
hygiene practices
May use a risk-based,
targeted approach
breadth
Ad hoc scoping
approach often uses a
Industry recognized
controls selection
with greater depth
Ad hoc scoping
approach may not
be risk-based
Greater number
of controls
Approach is more
prescriptive and
comprehensive
Third- Party Assessment with Some Level of QA & Final Report Issued by Assessor
Third-Party Assessment, often with Certification Body QA Review and Final Report
Limited controls
Formal maturity model
Certification Body
report
Greater number of
targeted and
prescriptive controls for
Authoritative Sources
Comprehensive,
prescriptive scope
based on formal
maturity model
breadth
Ad hoc scoping
approach often uses
RIGOR
OF
ASSESSMENT
APPROACH
&
ASSURANCE
PROGRAM
ASSURANCE LEVELS ARE CORRELATED
WITH CONTROLS CONSIDERED, RIGOR OF
ASSESSMENT APPROACH, AND EFFORT
SUITABILITY OF INFORMATION PROTECTION CONTROLS CONSIDERED
Level of
Effort
Characteristics of Each
High Level Assurances
• Robust Control Requirements
• Comprehensive and Prescriptive
• Formal Risk-Based Maturity Model
• Validation by Third-Party and QA by
Certifying body.
Moderate Level Assurances
• Industry-Recognized Targeted Control
Requirements
• Tested and Validated by a Third-Party
Assessor
• Provide a general assurance of an
organization’s cyber preparedness and
resilience
Low Level Assurances:
• Self-Selected Controls/ Limited Breadth
• Simple /Basic Approach
• Self-attested

14
Need for a broader range of assurances
• By design, today’s HITRUST certification offers a
gold-standard level of assurance due to the
comprehensive control requirements and
assurance program requirements.
• As a result: It’s a heavy lift.
• A broader range of options to address varying
assurance requirements and needs is necessary.
• HITRUST will soon offer new assessments and a
new certification:
• Requiring less effort than today’s validated assessment.
• While still living up to the gold-standard level of quality
for which HITRUST certifications are known.
Assurance
Level
H
M
L
L M H
Validated
Assessment
Readiness
Assessment
Rapid
Assessment
Unaddressed
Assessment Effort

15
Current Assessment and Certification Portfolio
• Today, the HITRUST assessment portfolio consists of the following offerings:
o HITRUST CSF Rapid Assessment: A self-assessed, security-only questionnaire facilitated through the HITRUST
Assessment Exchange (low level of assurance)
o HITRUST CSF Readiness Assessment: Assessment performed in preparation for a validated assessment (low
level of assurance)
o HITRUST CSF Validated Assessment: Assessment leading to HITRUST CSF Certification, can optionally be tailored
to include one or more authoritative source (very high level of assurance)
• HITRUST currently offers entities only one certification (the HITRUST CSF
Validated Assessment Report with Certification) at a very high level of assurance

16
HITRUST Expanded Assurance Portfolio
Basic, Current-state (“bC”) Assessment
• Focus on good security hygiene controls in virtually any size
organization with a simple approach to evaluation, which is
suitable for rapid and/or low assurance requirements
Implemented, 1-year (“i1”) Assessment
• Focus on leading security practices with a more rigorous approach
to evaluation, which is suitable for moderate assurance
requirements
Risk-based, 2-year (“r2”) Assessment
• Renames our current “validated assessment”, otherwise
unchanged
• Focus on a comprehensive risk-based specification of controls with
a very rigorous approach to evaluation, which is suitable for high
assurance requirement
Assurance
Level
H
M
L
L M H
r2 Validated
Assessment
r2 Readiness
Assessment
Basic
Assessment
Assessment Effort
i1 Validated
Assessment
i1 Readiness
Assessment
When
The Basic and i1 assessments will be available
by the end of this calendar year

17
NOT ALL ASSURANCES ARE CREATED EQUAL: BUYER BEWARE!
TRANSPARENCY
Transparency is needed for internal and external stakeholders to
understand the framework your organization uses to satisfy compliance
objectives. The framework should be publicly available, widely adopted,
and well-understood so that report recipients understand how the
controls were selected, evaluated, and scored.
Key Questions:
• Where do the assessed Controls come from?
• How do you know the control requirements are
suitable?
ACCURACY
Many other frameworks and assurance programs are qualitative,
judgment-based, and devoid of any quantitative measurements
Key Questions:
• How granular is the scoring / evaluation model to
evaluate the control environment?
• What infrastructure exists to inherit assessment
results from vendor-performed controls?
.
CONSISTENCY
When frameworks are vague, subjective, or free of maturity levels
and scoring methodologies, it becomes difficult to gauge an
organization’s posture against that of another framework or even an
industry baseline. This problem is compounded when assessment
activities are not subject to quality and integrity reviews by an
independent third-party assessor or certification body.
Key Questions:
• Can the effort result in a Certification?
• How many entities issue these certifications
or opinions?
INTEGRITY
Simply put, the integrity of your assessment reports and assurances
to internal and external stakeholders depends upon an audit and
validation process during which trained external assessors evaluate
your control requirements one by one and say things like: "Prove to
me you're doing this," or “Show me where it's documented."
Key Questions:
• Is the Assessor's methodology, testing, and
deliverables peer-reviewed by other firms?
• Are the assessor's methodology, testing, and
deliverables reviewed by an accreditation
and/or standards-enforcement body?
RELY-ABILITY
TRANSPARENCY + CONSISTENCY
+ ACCURACY + INTEGRITY

18
Guide to Selecting the Right
HITRUST Assessment for Your
Organization’s Needs:
r2 Validated Assessment
(Former Name: CSF Validated Assessment)
Comprehensive, Risk-based
i1 Validated Assessment
Good Security Hygiene and Leading Security
Practices
bC Assessment
Good Security Hygiene
r2 Features:
• High level of effort and assurance
• Varies from 198 – 2000
requirements, based on inherent risk
factors and included authoritative
sources (optional)
• Scores: Policies, Procedures,
Implemented, Measured, and
Managed
• Full 5x5 PRISMA evaluation using a
comprehensive scoring rubric
• Able to demonstrate regulatory
compliance against authoritative
sources such as HIPAA and the NIST
Cybersecurity Framework
• Can be bridged by a HITRUST CSF
Bridge Certificate
• Readiness Assessment available
• 2-year certification
i1 Features:
• Moderate level of effort and
assurance
• Approx. 200 HITRUST CSF
requirements (static / fixed)
• Provides strong coverage of NIST
800-171, the GDPR Safeguards Rule,
much of the HIPAA Security Rule,
and portions of AICPA TSC
• 1 maturity level (Implemented)
• 1-year certification
• Uses an external assessor’s annual
evaluation of control implementation
along with HITRUST review and QA
• Readiness Assessment available
bC Features:
• Low level of effort and assurance
• Self-assessment only; verified by
HITRUST Assurance Intelligence
Engine
• 71 HITRUST CSF requirements
• 1 maturity level (Implemented)
• Provide coverage against NISTIR
7621, Small Business Information
Security: The Fundamentals
HITRUST Assessment Attributes
Higher Quality and Reliability at Every Level of Assurance
Each HITRUST CSF Assessment Offers
Unique, Industry-Leading Advantages,
Including:
• Single Control Framework
• Best in Class MyCSF® SaaS Assessment Platform
• Consistent Approach
• Common Assurance Methodology
• Standard Report Formatting
• Supports Inheritance
• HITRUST Assurance Intelligence EngineTM (AIE) identifies
errors, omissions, and potential deceit
• HITRUST Results Distribution System (RDS) shares
assessment results with relying parties
• And More...

19
PREVIEW: Expanded HITRUST Assessment Portfolio
HITRUST CSF Basic,
Current State Assessment (bC)
(NEW)
HITRUST CSF Implemented,
1-year (i1) Assessment
(NEW)
HITRUST CSF Risk-based,
2-year (r2) Assessment
(Former Name: HITRUST CSF Validated Assessment)
Description Verified Self-Assessment Validated Assessment + Certification
Validated Assessment +
Risk-Based Certification
Purpose (Use Case)
Focus on good security hygiene controls in virtually
any size organization with a simple approach to
evaluation, which is suitable for rapid and/or low
assurance requirements
Focus on leading security practices in medium-
sized and larger organizations with a more rigorous
approach to evaluation, which is suitable for
moderate assurance requirements
Focus on a comprehensive risk-based specification
of controls suitable for most organizations with a
very rigorous approach to evaluation, which is
suitable for high assurance requirement
Number of Control Requirement Statements 71 Static 215 Static
2000+ based on Tailoring
(360 average in scope of assessments)
Specificity of Control Granular Requirements Granular Requirements Granular Requirements
Flexibility of Control Selection No Tailoring No Tailoring Tailoring
Evaluation Approach 1x3: Control Implementation 1x5: Control Implementation
3×5 or 5×5: Control Maturity assessment against
either 3 or 5 maturity levels
Targeted Coverage*
NISTIR 7621: Small Business Information Security
Fundamentals
NIST SP 800-171, HIPAA Security Rule
NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA
TSC, PCI DSS, GDPR, and 37 others
Level of Assurance** Low Moderate High
Relative Level of Effort 0.5 1.0 5.0
Certifiable Assessment No Yes, 1 Year Yes, 2 Year
Complementary Assessments None Readiness Readiness, Interim, Bridge
Leverages Results Distribution System (RDS) to
Share Results
Yes Yes Yes
Leverages the AI Engine to Prevent Omissions,
Errors, or Deceit
Yes Yes Yes
*Targeted Coverage means substantial coverage is intended
** A particular level of assurance (e.g., low, medium/moderate, or high) is generally characterized by the relative level of suitability, impartiality, and rigor in the
approach used to specify, assess, and report on the effectiveness of information security and privacy controls and the risks they are intended to manage.

20
CONTROLCASE METHODOLOGY FOR HITRUST
r2 ASSESSMENT
• MyCSF Subscription
• Customer purchases
MyCSF Subscription
• ControlCase helps
build the
assessment
• Readiness
Assistance
• ControlCase assigns
an independent
readiness consultant
to guide customer to
provide required
HITRUST evidence
• Customer purchases
validated
assessment from
HITRUST Portal
once ready
• ControlCase helps
the customer to
identify a
submission date and
complete the
reservation for
HITRUST QA
• HITRUST Validated
Assessment
• Independent
ControlCase auditor
(HITRUST CCSFP)
completes the
validated
assessment and
required testing.
• ControlCase Quality
Assurance
• Engagement
Executive Review
• ControlCase moves
evidence to MyCSF
• Submit to HITRUST
• HITRUST QA
• Final Certified /
Validated Report
1 2 3 4 5 6
ControlCase will follow a 6-PHASE APPROACH for the HITRUST Assessment

21
HIGH-LEVEL HITRUST CERTIFICATION PLAN (r2
VALIDATED ASSESSMENT)
Phase/Month Month 1 Month 2 Month 3 Month 4 Month 5 Month 6 Month 7 Month 8 onwards
Phase 1 CC/Customer
Phase 2 CC/Customer CC/Customer CC/Customer CC/Customer
Phase 3 CC/Customer
Phase 4 CC* CC* CC*
Phase 5 CC/Customer**
Phase 6
CC - Submission to
HITRUST
HITRUST Quality
Assurance

22
CONTROLCASE METHODOLOGY FOR HITRUST
i1 ASSESSMENT
• Help with determining the scope for the HITRUST i1 assessment.
• Review customer’s environment and articulate HITRUST
requirements accordingly.
• Identify gaps and help strategize remediation approach.
• Independent HITRUST CCSFP to perform the i1 assessment and the
required testing.
• End to End process of 5 months to submission.

23
Solving for the Inefficient Method of
Authenticating, Requesting, Sharing,
and Analyzing Assessment Results

24
Today’s TPA Reports Sharing
Landscape
• Generally, the sharing of TPA reports is largely
manual and less than ideal:
• Involves requesting PDF reports from business
partners (e.g., customers)
• Usually involves sharing of PDFs back and forth
• The PDFs vary greatly depending on the type of report,
the issuing party, etc.
• The PDFs may be copy-protected and/or password-
protected, making them tough to access and use
• The PDFs are static and non-interactive, making it
necessary to copy data into more feature-rich tools to
do any meaningful analysis
• This process is repeated annually
Reliant party Assessed entity
Reliant party requests the report
Assessed entity provides the report
2
1 ?
Reliant party manually inspects the report
3 Current?
Authentic?
Scope?
Findings?
Reliant party manually scrapes data from report for entry elsewhere
4 Ctrl+F
Ctrl+C
Ctrl+V
sigh

25
What can (and does) go wrong?
1. Sharing of:
• Expired reports
• The wrong vendor’s report
• Doctored or fake reports
• The correct report to the wrong recipients
2. After hitting “send” on the email:
• No visibility of who the assessment report PDF is ultimately shared
with
• No control over who can and can’t open the assessment report
PDF
3. Copy + paste errors when moving assessment results from PDFs
into tracking spreadsheets, VRM tools, and GRC systems
4. Decisions made using info in out-of-date and/or invalidated third-
party assurance reports
• Management’s responses to identified findings are X months old…
what’s happened since?
5. Overlooked and/or poorly understood:
• Adverse overall conclusions
• Control findings
• Scope limitations and carve-outs
6. Users of these complex reports can’t always find what they’re after
• Which sections is all this in?
• Which columns in which tables again?
• Where does the canned content end and the meat of it start?
7. Non-value-added activities throughout the process
• Distracts personnel from focusing on actually managing risk
• Time-consuming

26
With the HITRUST Results Distribution System
Assessed entity grants the reliant
party access in RDS
Reliant party
1
Assessed entity
2
Reliant party interacts with
assessment results in RDS
3
Assessment results can be
consumed by reliant party
through various means
• The HITRUST Results Distribution System will
addresses the highly inefficient method
of authenticating, requesting, sharing, and
analyzing Assessment results
• Unlike most other certification and
accreditation bodies, HITRUST:
• Is the sole issuer of all HITRUST Assessments
allowing us to ensure integrity and validity of the
process.
• We’re uniquely positioned to streamline the
sharing of assessment results via a centralized
mechanism
A Better Way: Results Sharing

28
Planned Future Enhancements
• API integration with GRC and TPRM/VRM systems
• The RDS API will enable GRC and VRM platforms to electronically consume
assessment results and allow users of those systems to fully leverage the analytics
capabilities that they offer
• HITRUST is partnering with key GRC and VRM vendors to facilitate this integration
• Enhanced Data Analytics
• An enhanced data analysis toolset for relying parties to perform even richer analytics
against assessment results of multiple vendors

29
HITRUST Assessments and Assurance Program is a “Win/Win” for Everyone
Assessed Entities
• One framework, one assurance program and one assessment tool
for information assurance needs of an entire enterprise.
• HITRUST r2 Certification has been a competitive advantage with customers,
as it provides significant assurances that can be relied upon by all
stakeholders (e.g., Customers, Regulators, Cyber Underwriters), and expect i1
Certification to obtain a similar status.
• HITRUST CSF covers over 40 authoritative sources, such as ISO 27001, NIST
800-53, 800-171, HIPAA, GBPR Control Requirements. It can satisfy multiple
stakeholders with one assessment and reduce unnecessary efforts of
responding to third-party proprietary questionnaires. “Assess Once,
Report Many.”
• HITRUST Assessments allow for internal and external inheritance to
reduce the time and cost of testing with External Assessors.
• Differentiates your organization relative to security and privacy
posture and can facilitate potential new business partnerships with
other organizations who require in-depth, third-party validated assurances.
• Able to start with bC Assessment, and easily leverage that assessment
when ready to move to the next level (i1) as your IRM program matures.
• Every assessment leverages the HITRUST RDS, which allows you
to electronically share your assessment results with your customers that
you designate. Eliminates all the back and forth to get the required
information your customer wants.
• Can Minimize Cyber Insurance Premiums.
Relying Parties
• The most Rely-able™ assurance report due to suitability of controls, rigor
of assurance program, and centralized oversight – HITRUST QAs 100% of
the reports.
• Ensures Suitability of the controls
• Transparency in how controls were evaluated and scored
• Better accuracy based on a quasi-quantitative, rather than
“qualitative” scoring.
• Consistency in how controls are evaluated
• Integrity in the report with over 50 automated checks and 6 levels
of independent and objective quality assurance reviews by HITRUST.
• Able to Run your entire Security and Privacy Third-Party Risk
Management Program through HITRUST
• Portfolio of Assessments to meet the needs of all vendors, regardless
of risk level, company size, or purpose. No reason NOT to get HITRUST
• Assurance framework to support more organizations on their
assurance continuum journey.
• Receive all HITRUST assessment results electronically through the
HTIRUST Results Distribution System to radically improve
efficiency over the outdated process for authenticating, requesting,
sharing, and analyzing assessment results.

30
Question and Answer Session

31
© 2021 HITRUST Alliance
www.HITRUSTAlliance.net
THANK YOU FOR ATTENDING
For additional HITRUST resources, please visit:
HITRUSTAlliance.net or our Download Center
l

HITRUST Certification

In this document