Information security is a growing concern for many organizations, especially those that handle financial and healthcare information. Many such organizations are required to undergo a SOC 2 examination. This type of assessment provides assurance that their security controls are designed and operating effectively.
SOC 2 Reporting
A SOC 2 examination focuses on one or more of the five Trust Service principles as specified by the American Institute of Certified Public Accountants (AICPA):
- Security: defines the system’s physical and logical controls against data theft or loss.
- Processing Integrity: relates to how a system processes information so that it is complete, accurate, timely and authorized.
- Availability: specifies when and how the information system is made available for authorized use.
- Confidentiality: describes protection of information designated as confidential per agreement.
- Privacy: addresses personal information that must be kept private in order to comply with established criteria, and with an organization’s privacy notice.
A service organization can undergo a SOC 2 examination of any one or all five Trust Services principles. For example, some SaaS providers may need to address system availability, security, and processing integrity, but they might not have any privacy or confidentiality concerns. Healthcare organizations, on the other hand, must comply with privacy and confidentiality regulations.
HITRUST® created the HITRUST CSF framework for use by organizations that work with sensitive data, including PHI and financial information. HITRUST CSF Assessment Reports are standard reports that provide a consistent representation of risk exposure, compliance posture, and corrective actions. They allow for benchmarking of results against security and privacy best practices. HITRUST assessments are scored against the five levels of the PRISMA-based maturity model.
- Policy: requires security processes and implementation requirements to be outlined for employees.
- Process/Procedures: demands that the procedures for the implementation of security measures are documented and communicated to the individuals who must follow them.
- Implementation: checks that the organization is implementing all the elements related to security controls.
- Measured: highlights the importance of gauging performance and testing the effectiveness of controls.
- Managed: asks the organization to identify problems and address emerging threats.
The HITRUST CSF framework and the SOC 2 reporting model are complementary, since both rely on an assessment of security policies and the controls implemented to enforce them.
Combined SOC 2 + HITRUST CSF Certification
HITRUST and the AICPA collaborated to develop a set of recommendations to simplify the compliance process. Because some service organizations have very specific reporting formats from which they may not deviate, it was important to implement an internal control reporting structure that is efficient, yet flexible. By joining HITRUST and SOC 2, your organization can benefit from some valuable advantages.
What Are the Advantages of Using the SOC 2 + HITRUST Combined Reporting Model?
Mapping the HITRUST CSF framework to the AICPA SOC 2 Trust Principles and Common Criteria is a way to provide a reporting structure that is both efficient and flexible. Under this structure of reporting, the SOC 2 + HITRUST report becomes the default method of reporting that meets a wider range of requirements.
Saving on the Time & Expense of Compliance
Carrying out two separate auditing and reporting processes for HITRUST and SOC 2 can take up a lot of time, effort, and resources from your organization. The SOC 2 + HITRUST reports are designed to help service organizations that create, handle, store, or transmit PHI to meet their dual reporting requirements.
Because there is some overlap between the two standards, combining the security assessment processes helps save your organization time and money. You can evaluate compliance with the controls common to both sets of requirements in a single report. This is beneficial for organizations of all sizes, but especially for companies with thin resources.
Consolidate Audit Resources
There are extensive security controls and lengthy documentation needed to meet both SOC 2 and HITRUST compliance. Mapping reveals overlap in HITRUST and SOC 2 controls in multiple areas. Some examples include organizational and management criteria, communications, the design and implementation of controls, monitoring, physical access, systems operations, and change management.
Combining the processes means consolidating audit evidence and reducing the amount of time demanded of internal and external auditors. It’s also likely to help prevent the dreaded audit fatigue.
What Do You Need for SOC 2 + HITRUST CSF Certification?
HITRUST suggests engaging a CPA who also functions as a HITRUST Authorized External Assessor in order to enjoy the efficiency of satisfying both needs in one step. While an independent CPA can assist with assessing performance using the HITRUST CSF criteria, only a HITRUST Authorized External Assessor can guide your organization through the validated assessment and certification process.
Time-Saving Solutions from I.S. Partners
Our team is constantly looking for new efficiencies and strategies to save our clients time and effort. And, in the business world, we all know that time and effort equal money. Why not schedule a consultation with one of our security auditing experts to find out how we can make regulatory compliance a faster, anxiety-free process for your organization?