Whether for storing customer data, deploying business-related apps, or hosting computer system infrastructure, demand for cloud services is on the rise among business owners. Having the right cloud service provider allows you to keep your operations running. Yet you also understand that by using the cloud to gather, store and transmit data, you’ll need the appropriate security controls in place to prevent hackers and malicious code from stealing information.

A cloud service provider will have security controls that are certified to ensure that all implementations follow specified regulations. Since the cloud provider has these security controls on its end, you may believe that you don’t have to do anything on your end to enhance data security, or that you can provide the bare minimum while the cloud service provider’s security controls will allow all your controls to be certified.

Some Security Controls Are Not Shareable

While the cloud service provider has security controls in place, some controls can be leveraged by your business while others may not be shareable. The problem that often arises is that you have no way of knowing what control implementations have been put into place by the cloud service provider and whether they meet the needs of your operations.

In addition, the cloud service provider may have security controls or mitigation policies that do not fully align with the types of measures you want in place to protect your data. While their strategies are suitable for their industry, you may be looking for alternative security and mitigation strategies that are more suitable to your requirements.

HITRUST Shared Responsibility Program Helps Define CSP Security Controls

To provide more clarity about which security controls the cloud service provider and the business each have, and which strategies can be leveraged, HITRUST® has developed the Shared Responsibility Program. The program helps businesses and cloud service providers define their data security controls so they can better coordinate their efforts to keep information secure.

The Shared Responsibility Program consists of a HITRUST Shared Responsibility Matrix, which will be released in 2020, in which the business and the cloud service provider enter the types of controls that they have in their data systems. The matrix will show who is responsible for certain controls and which controls are shared between the business and the service provider. It then provides automation tools so people can track their control responsibility and testing tasks, as well as track risk identification and mitigation strategies. The HITRUST Shared Responsibility Matrix will also use a third-party service provider’s HITRUST CSF® Certification to create a list of inheritable and shareable controls, which the provider can then use to help align security controls with their customers’ strategies.

Another important aspect of the HITRUST Shared Responsibility Program is that it will provide recommendations regarding how to assign responsibility for shared controls and solo ownership of certain controls. These recommendations help businesses understand their responsibilities when they plan to outsource any services or systems to third-party service providers.

The Shared Responsibility Program also contains the HITRUST Shared Responsibility Model. This model offers cloud service providers and businesses a common taxonomy that can be used to start a meaningful dialogue about which controls will be shared between them. They can talk about the assessment details, define why there will be separate controls in certain instances, and talk about the responsibilities each party has when a security control is shared.


Defining Responsibilities and Due Diligence About Data Security

While the HITRUST Shared Responsibility Program will provide more clarity about industry standards when it comes to cloud service providers and their security controls, final responsibility and due diligence when it comes to protecting customer data will always remain with the business using the cloud service.

When gathering, storing and transmitting data, a business owner should start out with the mindset that comprehensive data protection must be maintained in-house first. They should never assume that the cloud service provider will take on all the responsibilities itself or that its controls will be adequate to fulfill the company’s requirements. Getting an assessment for their company, such as SOC, HITRUST or ISO, will ensure that the business is meeting all compliance standards and regulations.

Get an Assessment from I.S. Partners, LLC

If your company gathers and manages customer data, you want to have the right security controls, policies and risk management procedures in place to keep this data safe. I.S. Partners, LLC provides valid assessments and auditing so companies can receive certification. Contact I.S. Partners, LLC today at 215-675-1400 or use our contact form to request more information and to receive a quote.
