How to Streamline Your SOC Audit: Use HITRUST CSF™ Built-In Control Categories
Per HITRUST™, “the foundation of all HITRUST™ programs and services is the HITRUST CSF™, a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.”
Understanding the value that HITRUST™ and the HITRUST CSF™ provide to your business is one thing. Putting everything in motion and determining the scope of your SOC assessment is something else entirely.
Fortunately, the HITRUST™ team has created a roadmap to help you choose the best SOC assessment scope for your organization.
The HITRUST CSF™ Is a Comprehensive Tool to Help You Determine Your Own SOC Assessment Scope
The HITRUST CSF™ was built to harmonize the many overlapping security requirements that apply to healthcare organizations, including:
- Federal legislation, including HIPAA and HITECH
- Federal agency rules and guidance, such as those issued by NIST, the FTC and CMS
- State legislation, which varies from state to state
- Industry frameworks and standards, such as PCI DSS, COBIT and ISO 27001
A glance at this list of legislative sources and industry frameworks, also known as scoping factors, can be intimidating when you are facing a SOC audit. HITRUST™ anticipated this and developed the HITRUST CSF™ with that very concern in mind.
Together with the HITRUST CSF™ Assurance Program, which delivers simplified compliance assessment and reporting for business associates, the HITRUST CSF™ provides a ready-made model for implementing a cybersecurity framework across the healthcare industry.
What Are the Components, Control Categories and Control Objectives That Help You Determine the Scope of Your SOC Audit?
The HITRUST CSF™ was designed as a comprehensive tool, composed of components, control categories and control objectives, intended to help any organization that creates, stores, accesses or exchanges electronic health and other sensitive information.
There are two major components of the HITRUST CSF™:
- Information Security Implementation Manual. This component contains best practice-based specifications that are certifiable and that set out sound, stable security governance practices and security control practices, scaled to the size, type and complexity of each organization.
- Standards and Regulations Mapping. This component reconciles the framework with both the unique and the common aspects of generally adopted policies and standards, such as the legislation and frameworks listed above.
Control categories are high-level groupings based on ISO 27001 and ISO 27002. Each category is prescriptive and contains a set of control objectives; there are 46 control objectives in total across the categories. The categories are listed below, each with a brief overview. Each category is weighted separately but equally, so it is important to consider them all on the same level.
- Information Security Management Program. Designing, implementing and maturing security practices to protect critical business practices, processes and IT assets across the organization. It lets IT leaders manage the program scope so they can set and achieve realistic goals; the effectiveness of controls, audit findings and risk assessment results are key success criteria.
- Access Control. Factors examined include the overall policy for controlling access, including user registration, password management and use, user authentication for external connections and more.
- Human Resources Security. Assigning risk designations to all organizational positions, establishing screening criteria, and reviewing and revising those designations every 365 days. This category also calls for a formal sanctions process for non-compliance.
- Risk Management. Organizational leaders identify risks before incidents occur wherever possible, and update existing remediation and corrective action plans when an incident does occur.
- Security Policy. Information security documents are reviewed regularly, at least annually.
- Organization of Information Security. The effectiveness of the information security policy's implementation and the requirements for confidentiality are reviewed and assessed, and the point of contact for that review is updated, at least once per year.
- Compliance. The organization's formal policies and procedures manual, other critical records such as risk assessment results, and records of disclosures of individuals' protected health information (PHI) are retained for a minimum of six years. Information systems and network components such as firewalls, routers and switches also fall under compliance checking: at least once each year, technical compliance is verified either manually by an individual experienced with the systems or with the assistance of automated software tools.
- Asset Management. Inventory logs of all media are maintained, and media inventories are reviewed annually. Assets are properly accounted for, particularly when employees leave or an asset is reassigned to a new staff member.
- Physical and Environmental Security. Access logs for the facility locations that contain information systems are maintained, updated frequently and retained for at least two years. Access rights to the facility are reviewed every 90 days, and the facility has intrusion detection systems that meet industry standards.
- Communications and Operations Management. A list of current service providers, with a description of the services each provides, is developed, disseminated, reviewed annually and updated.
- Information Systems Acquisition, Development and Maintenance. Applications undergo application vulnerability testing each year by an expert auditing team, focusing on the add, modify and delete functions used to change data.
- Information Security Incident Management. Each year the organization tests and exercises the incident response capability for its information systems. When there are 10 or more individuals with insufficient or out-of-date contact information, such as a phone number or another identifier used for communication, a conspicuous notice is posted on the home page of the organization's website for a period of 90 days.
- Business Continuity Management. Business continuity assessments are carried out once a year with the owners of the business resources and processes involved. A formal, documented contingency planning policy and formal, documented procedures are developed, disseminated and reviewed annually.
- Privacy Practices. The covered entity provides its notice of privacy practices to the individual no later than the compliance date or upon enrollment thereafter, within 60 days of a material revision, and no less often than every three years.
How Do the Control Categories Help You Determine the Right Scope for Your Next SOC Audit?
HITRUST™ recommends that scoping take place in the initial phases of your HITRUST™ assessment process, so you can sort out which controls to include in your assessment. The control categories, the 46 control objectives and the 149 control specifications (135 security, 14 privacy) together determine which of the following three assessment scopes is right for your audit:
- Security Assessment
- Comprehensive Assessment
- Assessment with Privacy
Are You Ready to Pin Down the Scope of Your SOC Audit?
If you are still questioning the scope of your upcoming SOC audit, our skilled team of auditors at I.S. Partners, LLC can help. We understand that determining the scope of a SOC audit can be complex.