The HITRUST CSF

  1. Because we have a control maturity model that considers a written policy for each requirement, requirements focused on a single control maturity level should be avoided in v10. For example, the CSF currently contains some requirements about having a written policy, program, standard, guideline, etc. In those requirements, testing of both the "policy" and "implemented" control maturity levels are both tests of a written policy (often the same one). Instead, requirements should be action-oriented (e.g. the org. does X) instead of policy-oriented (e.g. the org. has a policy about X). Because of the control maturity model, the existence of…

     8 votes · 0 comments · Clarity of Understanding
  2. In many information security, privacy, and financial auditing approaches, the audited customer needs to produce one piece/set of evidence per requirement. Each requirement needs distinct artifacts. This allows for simple data management: my list of requirements is X long and therefore my list of evidence artifacts/sets should be the same length. I can then track progress as an audited customer by measuring how much evidence I have produced, and how much is left to go. I can even set up workflows within project management tools and GRC tools easily to accommodate this. Put in data terms, my requirement…

     4 votes · 0 comments · Clarity of Understanding
  3. 3 votes · Planned · 1 comment · Enhanced Capabilities
  4. 3 votes · 1 comment · Clarity of Understanding
  5. 4 votes · Planned · 0 comments · Clarity of Understanding
  6. 4 votes · Planned · 0 comments · Clarity of Understanding
  7. When setting up a new assessment, only a subset of the 44 authoritative sources in the CSF today are selectable / optional regulatory factors. Instead, all 44 authoritative sources should be made into optional (selectable) regulatory factors.

     2 votes · Planned · 1 comment · Increased Customization
  8. 3 votes · 0 comments · Clarity of Understanding
  9. 3 votes · 0 comments · Enhanced Capabilities
  10. 2 votes · Planned · 1 comment · Increased Customization
  11. Assessors and assessed entities could benefit from something communicating the exact number of CSF implementation specifications present in the policy illustrative procedures. This could be through something like a number that precedes the policy illustrative procedure or even consistent use of roman numerals in the policy illustrative procedure. This would help everyone involved in preparing for, performing, and reviewing assessments ensure they are working with a generally understood denominator for scoring calculations.

      For example:
      Instead of saying "Inspect written policies to determine that they contain X, Y, and Z.", the policy illustrative procedure could display as,
      "Inspect written policies to…

      12 votes · Planned · 4 comments · Clarity of Understanding
  12. 1 vote · 0 comments · Comprehensive Coverage
  13. 2 votes · 0 comments · Enhanced Capabilities
  14. 1 vote · 1 comment · Enhanced Capabilities
  15. 2 votes · Planned · 0 comments · Increased Customization
  16. In the requirement, "Risk designations are assigned for all positions in the organization", a scope of the whole organization is forced through the wording. In v10, no requirements should dictate scope in and of themselves; they should instead be written in such a way that they can be tested to the assessment's scope.

      3 votes · Planned · 0 comments · Increased Customization
  17. 1 vote · Planned · 0 comments · Clarity of Understanding
  18. 1 vote · 0 comments · Enhanced Capabilities
  19. 1 vote · Planned · 0 comments · Comprehensive Coverage
  20. 0 votes · 0 comments · Comprehensive Coverage