HITRUST recently published the HITRUST Risk Management Handbook—a comprehensive resource explaining the major elements of the HITRUST Risk Management Framework (RMF). The HITRUST Risk Management Handbook provides organizations and assessors alike with best practices for adapting and developing a successful risk management program.
As one of BARR’s HITRUST experts, Attest Services Manager Steve Ryan provided details about the new handbook and an overview of its content.
“In the first section of the newly released HITRUST Risk Management Handbook, HITRUST outlines the four-step risk management process using the National Institute of Standards and Technology (NIST) Risk Management Framework for illustration,” said Ryan.
The benefit of leveraging a recognized control framework such as the one provided by NIST is that it gives organizations a reasonable, predefined set of controls for protecting sensitive or critical information. This is intended to be more effective than conducting your own risk analysis from scratch.
“The handbook discusses several major elements of the HITRUST RMF based on the same four-step process outlined above,” said Ryan. “The primary goal of a control framework-based risk analysis is the specification of controls to address threats to sensitive or critical information, rather than categorize their information systems based on a more limited analysis—like identifying one of three levels of potential impact.”
Ryan added, “What’s also great is that organizations can tailor the HITRUST CSF based on relevant inherent risk factors, including but not limited to the type and amount of information processed, how that information is processed, and who processes the information. When risk factors are applied to tailor HITRUST CSF control requirements based on inherent risks relevant to a scope of application, the resulting control specification helps establish an organization’s target profile and subsequently its risk target.”
“HITRUST integrated and harmonized multiple information security and privacy regulations, standards, and best practice frameworks to create the CSF as an industry-level enhanced overlay of the NIST moderate-level initial security control baseline. Each HITRUST CSF control contains a core implementation level consisting of good security hygiene and industry best practice requirements,” said Ryan.
Due to the flexibility of the HITRUST CSF, HITRUST strongly recommends applying the framework across your entire organization to help avoid the inefficiencies associated with multiple contrasting and often hierarchical information protection programs.
“Through a significant level of confidence and trustworthiness that allows an organization to rely upon the evidence provided by an assessment or audit and how it is reported, HITRUST uses the term ‘rely-ability’ to describe one’s ability to rely upon, or trust, the information provided by another,” said Ryan.
The three dimensions of “rely-ability” are:
“There are many features of the HITRUST assessment and reporting approach. These can include extensive assessment guidance, training and vetting of qualified assessors, the implementation maturity model used to evaluate every HITRUST CSF control requirement, and the centralized quality assurance review of every assessment for which HITRUST issues a report,” said Ryan.
HITRUST’s approach to evaluating and scoring a control’s implementation includes five maturity levels—policy, procedure, implemented, measured, and managed.
Ryan added, “I think it’s important to mention that special topics related to the HITRUST RMF are presented in an appendix at the end and range from a relatively narrow discussion around how controls function to much broader topics—such as third-party risk management and evaluating assurance requirements based on the inherent risk of a specific business relationship.”
Contact us to chat with a BARR HITRUST expert and learn more about effective risk management solutions for your organization.