CSF
COMMON SECURITY FRAMEWORK
Development of the CSF
The development of the CSF is overseen by the HITRUST Executive Council, which is composed of leaders from a
variety of industry segments with expertise in healthcare and information security. The initial development of the
CSF occurred throughout 2008, prior to the release of the first version in March 2009. The initial development group
consisted of security professionals from:
• Security vendors
• Technology and IT infrastructure organizations
• Professional services firms
• Healthcare providers
• Health plans
• Pharmacies and PBMs
• Medical device manufacturers
• Information networks and clearinghouses
The CSF comprises:
1. 2 components
   a. Information Security Implementation Manual
   b. Standards/Regulations Mapping
2. 13 security control categories
3. 42 control objectives
4. 135 control specifications
5. 3 implementation levels
Control Framework
The Implementation Manual contains 13 security control categories, comprising 42 control objectives and 135
control specifications.
The categories included in the Manual are:
1. Information Security Management Program
2. Access Control
3. Human Resources Security
4. Risk Management
5. Security Policy
6. Organization of Information Security
7. Compliance
8. Asset Management
9. Physical and Environmental Security
10. Communications and Operations Management
11. Information Systems Acquisition
12. Development and Maintenance
13. Information Security Incident Management
14. Business Continuity Management
Requirement Levels
Each control specification includes multiple levels (1, 2 and 3) of implementation requirements, which are the
details that support implementing the control so that it meets the control objective. The implementation
requirement level reflects the degree of restrictiveness of a particular control.
HITRUST leveraged the concept adopted by the National Institute of Standards and Technology's Computer
Security Division for the Special Publication 800 Series security standards (i.e., NIST 800-53). Level 1 is the
minimum set of security requirements for all systems and organizations regardless of size, sophistication, or
complexity.
Level 2 and Level 3 are required only for organizations and systems of increased risk and complexity, as determined
by the associated organizational and system factors. For example, with respect to password controls, six-character
passwords would be a lower level of control compared with two-factor authentication at a higher level. The levels
are also designed to account for the increased requirements of the varying standards and regulations that make up
the CSF. For example, where HIPAA is in almost every instance met at Level 1, NIST 800-53 is both more
comprehensive and more detailed and is thus generally captured in the Level 2 or Level 3 requirements.
Alternate Controls
HITRUST has also defined an alternate control process to allow for the temporary adoption of standardized
Alternate Controls for systems (e.g. medical devices and applications) that cannot meet the CSF's requirements. If
an Alternate Control is not yet defined in the CSF, any organization can propose a solution that appropriately mitigates
the risk of the control failure. This process is closely integrated into the CSF, and any approved Alternate Controls are
made available to the entire industry to standardize the adoption of accepted short- and long-term compensating
strategies.
The tool gives organizations a 360° perspective of their information security landscape. Covered standards and
regulations include:
• ISO/IEC 27001:2005
• ISO/IEC 27002:2005
• ISO/IEC 27799:2008
• COBIT 4.1
• HIPAA
• NIST SP 800-53 Revision 3
• NIST SP 800-66
• PCI DSS version 2.0
• 16 CFR Part 681
• FTC Red Flags Rule
• HITECH Act
• 21 CFR Part 11
• JCAHO IM
• 201 CMR 17.00 (State of Mass.)
• NRS 603A (State of Nev.)
• CSA Cloud Controls Matrix v1
• CMS ARS
Common Security Framework Summary
Executive Council
HITRUST is led by a seasoned management team and governed by an Executive Council made
up of leaders from across the healthcare industry and its supporters. These leaders represent the
governance of the organization, but other founders also form part of the leadership to ensure the
framework meets the short- and long-term needs of the entire industry.
Executive Council members represent the following organizations:
• BlueCross BlueShield of Tennessee
• Cisco Systems, Inc.
• CVS Caremark
• Express Scripts, Inc.
• Highmark
• Hospital Corporation of America
• Humana Inc.
• IMS Health
• Kaiser Permanente
• McKesson Corporation
• UnitedHealth Group
• Wellpoint
CSF Assessors
HITRUST CSF Assessors are the organizations that HITRUST has approved to perform
assessments and related services under the CSF Assurance program and the CSF.
CSF Assessors include:
• AT&T Consulting
• BluePrint Healthcare IT
• Coalfire Systems, Inc.
• Deloitte & Touche LLP
• Ernst & Young, LLP
• Fortrex Technologies
• Lattimore Black Morgan & Cain
• Protiviti
• Solutionary
• Sword & Shield Enterprise Security
• Verizon Business