The HITRUST CSF: Hot (26 ideas) – Have an idea? Share it!

How can we improve the HITRUST CSF?

Enter your idea

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

HITRUST r2 alignment to DoD Zero Trust Strategy

HITRUST r2 alignment to DoD Zero Trust Strategy

https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf

1 vote

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Enhanced Capabilities · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
HITRUST r2 alignment to NYDFS - 23 NYCRR Part 500

HITRUST r2 alignment to NYDFS - 23 NYCRR Part 500

1 vote

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Enhanced Capabilities · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
All requirements should be contained within the requirement statement

Requirements which must be met by implemented controls or processes should be entirely contained within the requirement statement. Additional requirements should not be introduced in illustrative procedures.

1 vote

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Clarity · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

Started · AdminJeremy Huval (Chief Innovation Officer, HITRUST) responded

Thanks for your idea submission! This is what we'll be doing for the next major CSF release.
add HHS's safer guidelines as a source

https://www.healthit.gov/topic/safety/safer-guides

2 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Included authoritative sources · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Adjust Wording in Task Under Domain 18

Type: Organizational . Level: 1 . ID: 1828.08a1Organizational.12

Missing word in policy portion under Illustrated Procedures: "Computers that store or process covered information are located in areas that are unattended and have unrestricted access by the public."

Adjusted sentence would be "Computers that store or process covered information are never located in areas..."

1 vote

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

Planned · 0 comments · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
In v10, requirements focused on a single control maturity level should be avoided

Because we have a control maturity model that considers a written policy for each requirement, requirements focused on a single control maturity level should be avoided in v10. For example, the CSF currently contains some requirements about having a written policy, program, standard, guideline, etc. In those requirements, testing of both the "policy" and "implemented" control maturity levels are both test of a written policy (often the same one). Instead, requirements should be action-oriented (e.g. the org. does X) instead of policy oriented (e.g. the org. has a policy about X). Because of the control maturity model, the existence of a written policy is still considered on the action-oriented requirements (making the stand-alone policy-focused requirements duplicative).

Because we have a control maturity model that considers a written policy for each requirement, requirements focused on a single control maturity level should be avoided in v10. For example, the CSF currently contains some requirements about having a written policy, program, standard, guideline, etc. In those requirements, testing of both the "policy" and "implemented" control maturity levels are both test of a written policy (often the same one). Instead, requirements should be action-oriented (e.g. the org. does X) instead of policy oriented (e.g. the org. has a policy about X). Because of the control maturity model, the existence of…

9 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Clarity · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Each requirement statement should address only one idea, and each idea should be addressed by only one requirement statement

In many information security, privacy, and financial auditing approaches, the audited customer needs to produce one piece/set of evidence per requirement. Each requirement needs distinct artifacts. This allows for simple data management - my list of requirements is X long and therefore my list of evidence artifacts/sets should be the same length. I can then track progress as an audited customer by measuring how much evidence I have produced, and how much is left to go. I can even set up workflows within project management tools and GRC tools easily to accommodate this. Put in data terms - my requirement to evidence relationship is one to one, or one to many.

In contrast, in an efficient HITRUST project with the current rubric and version, I will encounter many scenarios where my requirement statement has more than 1 idea contained within it. This has increased with the new rubric's adoption of Policy Elements. I then gather a larger set of evidence for the requirement. But in order to be efficient, and to not burden the assessor or the audited firm teams with duplicative evidence requests, I have to take the returned artifacts and consider which of many requirements the evidence may meet. For example, a HIPAA risk assessment may be appropriately used as an artifact for multiple controls spanning Domain 1, 6, 17 and 19. However, some of those controls are not fully satisfied by this artifact alone. In effect I must maintain 2 maps for bi-directional association of Requirements to Evidence and Evidence to Requirements. This is a many-to-many relationship.

This can cause friction and difficulty in a few places. First, many audited firm compliance teams are geared to operationalize and measure progress against the production of evidence more so than by completing HITRUST Requirements. This is due to the fact that many organizations must meet multiple frameworks worth of audit requests and only a common evidence approach scales up. Second, this causes duplicative efforts for audited firm teams and assessor teams where a topic has been addressed in earlier requirements but the same tests of the same artifacts must be duplicated in later tests to achieve full coverage. Going back to the earlier example, when I review the HIPAA risk assessment I know I will have to duplicate that testing as a portion of coverage in a number of controls. Ideally, I would test the HIPAA risk assessment once and therefore spare duplicated testing, and duplicated evidence production and upload by the audited firm team.

In many information security, privacy, and financial auditing approaches, the audited customer needs to produce one piece/set of evidence per requirement. Each requirement needs distinct artifacts. This allows for simple data management - my list of requirements is X long and therefore my list of evidence artifacts/sets should be the same length. I can then track progress as an audited customer by measuring how much evidence I have produced, and how much is left to go. I can even set up workflows within project management tools and GRC tools easily to accommodate this. Put in data terms - my requirement…

7 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Clarity · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
PIPEDA

Inclusion of The Personal Information Protection and Electronic Documents Act (PIPEDA)

2 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Included authoritative sources · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Remove Assessment Domains in favor of CSF Control Categories

6 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

Planned · 0 comments · Clarity · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Provide a means of uniquely identifying individual requirement statements that tells a complete story

3 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

1 comment · Clarity · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Transition from 3 Levels of Controls to a Single Core

4 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

Planned · 0 comments · Clarity · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Offer a Mobile Application Environment Specific Assessment/Certification

4 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Enhanced Capabilities · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
An easy way to determine exact number of CSF elements in the policy illustrative procedure

Assessors and assessed entities could benefit from something communicating the exact number of CSF implementation specifications present in the policy illustrative procedures. This could be through something like a number that precedes the policy illustrative procedure or even consistent use of roman numerals in the policy illustrative procedure. This would help everyone involved in preparing for, performing, and reviewing assessments ensure they are working with a generally understood denominator for scoring calculations.

For example:
Instead of saying "Inspect written policies to determine that they contain X, Y, and Z.", the policy illustrative procedure could display as,
"Inspect written policies to determine that they contain (i) X, (ii) Y, and (iii) Z"
or even
"{3} Inspect written policies to determine that they contain X, Y, and Z."

Assessors and assessed entities could benefit from something communicating the exact number of CSF implementation specifications present in the policy illustrative procedures. This could be through something like a number that precedes the policy illustrative procedure or even consistent use of roman numerals in the policy illustrative procedure. This would help everyone involved in preparing for, performing, and reviewing assessments ensure they are working with a generally understood denominator for scoring calculations.

For example:
Instead of saying "Inspect written policies to determine that they contain X, Y, and Z.", the policy illustrative procedure could display as,
"Inspect written policies to…

14 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

Planned · 4 comments · Clarity · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Make all 44 authoritative sources into optional (selectable) regulatory factors

When setting up a new assessment, only a subset of the 44 authoritative sources in the CSF today are selectable / optional regulatory factors. Instead, 44 authoritative sources should be made into optional (selectable) regulatory factors.

2 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

Planned · 1 comment · Increased Customization · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Adopt and express requirement statements in a standardized natural language format/syntax

3 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Clarity · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Add additional risk factor questions that allow for greater tailoring of requirement statements included in the scope of an assessment

2 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

Planned · 1 comment · Increased Customization · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
in v10: No requirements should dictate scope

In the requirement, "Risk designations are assigned for all positions in the organization", a scope of the whole organization is forced through the wording. In v10, no requirements should dictate scope in and of themselves and should instead be written in such a way that they can be tested to the assessment's scope.

4 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

Planned · 0 comments · Increased Customization · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Add ISO 27017-standard on Cloud Security as a new Authoritative Source

1 vote

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Included authoritative sources · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Offer a Privacy-Specific Assessment and/or Certification

1 vote

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

1 comment · Enhanced Capabilities · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Provide organizations with the ability to sort controls/requirements by different options (e.g., by ISO, NIST, etc.)

2 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

Planned · 0 comments · Increased Customization · Delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

← Previous 1 2 Next →

Don't see your idea?

The HITRUST CSF

Feedback

The HITRUST CSF

JUMP TO ANOTHER FORUM

Searching…

How can we improve the HITRUST CSF?

HITRUST r2 alignment to DoD Zero Trust Strategy

HITRUST r2 alignment to NYDFS - 23 NYCRR Part 500

All requirements should be contained within the requirement statement

add HHS's safer guidelines as a source

Adjust Wording in Task Under Domain 18

In v10, requirements focused on a single control maturity level should be avoided

Each requirement statement should address only one idea, and each idea should be addressed by only one requirement statement

PIPEDA

Remove Assessment Domains in favor of CSF Control Categories

Provide a means of uniquely identifying individual requirement statements that tells a complete story

Transition from 3 Levels of Controls to a Single Core

Offer a Mobile Application Environment Specific Assessment/Certification

An easy way to determine exact number of CSF elements in the policy illustrative procedure

Make all 44 authoritative sources into optional (selectable) regulatory factors

Adopt and express requirement statements in a standardized natural language format/syntax

Add additional risk factor questions that allow for greater tailoring of requirement statements included in the scope of an assessment

in v10: No requirements should dictate scope

Add ISO 27017-standard on Cloud Security as a new Authoritative Source

Offer a Privacy-Specific Assessment and/or Certification

Provide organizations with the ability to sort controls/requirements by different options (e.g., by ISO, NIST, etc.)

The HITRUST CSF

Categories

Searching…

How can we improve the HITRUST CSF?

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here

We're glad you're here