Listen to: "Streamline Your SOC Audit Using HITRUST CSF Built-In Control Categories"
By now, you probably know about HITRUST CSF®. It’s “the foundation of all HITRUST programs and services…a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.”
Though most companies can understand the value that HITRUST and the HITRUST CSF provide, application can be complex. Putting everything in motion and determining the scope of your SOC assessment is often an overwhelming undertaking.
Fortunately, the HITRUST team has created a roadmap to help you choose the best SOC assessment scope for your organization.
How HITRUST CSF Helps Determine Your SOC Assessment Scope
The HITRUST CSF was built to normalize security requirement issues for organizations, which include:
- Federal legislation, such as HIPAA and HITECH,
- Federal agency rules and guidance, such as NIST, FTC and CMS
- State legislation regarding sensitive information, and
- Industry frameworks for PCI, COBIT and ISO 27001.
At a glance, these legislative bodies and industry frameworks—also known as scoping factors—might seem intimidating when you are preparing for a SOC audit. This is the reasoning behind the development of HITRUST CSF.
In conjunction with the HITRUST CSF Assurance Program, which simplifies compliance assessment and reporting for business associates, HITRUST CSF provides the perfect model for the implementation in a wide range of industries.
HITRUST CSF – Components & Controls
The HITRUST CSF is a comprehensive tool—including components, control categories, and control objectives—developed specifically to assist organizations that create, store, access or exchange ePHI and other sensitive information.
There are two major components associated with the HITRUST CSF:
Information Security Implementation Manual
These specifications are based on best practices. They are certifiable and founded on sound and stable security governance and security control practices. Not only are these specifications effective, but they also scale to accommodate the size, type, and complexity of each organization.
Standards and Regulations Mapping
This component allows for reconciliation between the framework to unique and common aspects of generally adopted policies and standards.
Control categories are high-level groupings, based on ISO 27001 and 27002 and are made up of 49 control objectives that fit within the prescriptive control categories. All factors are weighted separately but equally, so it is important to consider them all on the same level. We have provided a brief description of each of the control categories below.
0. Information Security Management Program
This control category involves designing, implementing and maturing security practices to protect critical business activities, processes, and IT assets across the organization. It enables IT leaders to manage the program scope in order to set and achieve realistic goals, which might include the effectiveness of controls, audits, and risk assessment results as key success criteria.
1. Access Control
Factors regarding the access category may include the overall policy for communications, comprised of user registration, password management and use, user authentication for external connections, and more.
2. Human Resources Security
This refers to the assignment of risk designations to all organizational positions and the establishment of screening criteria. This also includes the institution of a plan to review and revise designations every 365 days and a formal sanctions process for non-compliance.
3. Risk Management
Organizational leaders must identify risks before incidents, when possible. This control category states that existing remediation and corrective action plans must be updated following an incident.
4. Security Policy
According to the HITRUST CSF controls, at least once per year, information security documents need to be reviewed.
5. Organization of Information Security
At least once per year, review of the effectiveness of the information security policy, confidentiality requirements, and point of contact is also required.
An examination of all the organization’s formal policies and procedures, other critical records—such as results from a risk assessment—and disclosures of sensitive information made should be retained for a minimum of six years. Also, information systems and network components, such as firewalls, routers, and switches are included under compliance. At least once each year, an individual with experience with the systems, or with the assistance of automated software tools should be charged with verifying compliance.
7. Asset Management
At least once per year, the maintenance of inventory logs of all media and conduct media inventories must also be reviewed. This is to ensure proper accountability of assets, particularly in times of employee turnover and reassignment to new staff members.
8. Physical and Environmental Security
For at least two years, the organization must maintain and regularly update access logs for the locations in the facilities that contain information systems. Additionally, every 90 days, access rights to the facility need to be reviewed. Also, the facility must have intruder detection systems, according to industry standards.
9. Communications and Operations Management
At least once per year, a list of current service providers, along with a description of the related services, must be reviewed and updated.
10. Information Systems Acquisition, Development and Maintenance
At least once per year, applications must undergo application vulnerability testing performed by an expert auditing team. Testing should focus on the use of add, modify, and delete functions to implement changes to data.
11. Information Security Incident Management
At least once per year, the organization should test the incident response protocol for the information system. Anytime there are 10 or more individuals with insufficient or out-of-date contact information, such as a phone number, a conspicuous posting will be placed on the homepage of the organization’s website for a period of 90 days.
12. Business Continuity Management
At least once per year, business continuity assessments, involving the owners of the business resources and processes, must be carried out. Additionally, formal, documented contingency planning policy and formal, documented procedures should be developed, disseminated, and reviewed annually.
13. Privacy Practices
At least every three years, the covered entity must provide notice(s), relevant to the individual, no later than the compliance date or upon enrollment thereafter, within 60 days of a material revision.
Factors for Determining the Scope of Your SOC Audit
The HITRUST recommends determining the scope during the initial phases of your HITRUST assessment process. This allows your team to sort out which controls need to be included in the assessment. A combination of the 14 control categories, 49 control objectives, 156 control references (135 Security, 21 Privacy), 1,837 requirement statements, and 44 additional authoritative sources all work together to determine which scope of the three options is right for your audit:
- Security Assessment
- Comprehensive Assessment
- Assessment with Privacy
Identify the Scope of Your SOC Audit
If you are still questioning the scope of your upcoming SOC audit, our skilled team of auditors at I.S. Partners, LLC can help. We understand that determining the scope of a SOC audit can be complex.
This blog was originally published on October 17, 2017 and has since been modified and updated to reflect the most accurate information.