The world of compliance is filled with acronyms and abbreviations for some of its more complicated regulation systems and organizations. There is perhaps no better example than the long list of acronyms associated with federal compliance laws. “Federal Compliance Definitions: A Glossary of Terms”
Federal assessments like FedRAMP, FISMA and NIST 800-171 help mitigate the risk of data breaches to important federal government agencies and departments, making them mandatory assessments used for federal security standards. “Protecting the Nation: How to Achieve Federal Compliance”
Since 2007, the HITRUST Common Security Framework (CSF) has been recognized as a well-rounded and certifiable security framework for any organizations of all sizes and industries. With the upcoming CSF v9.3 update, HITRUST continues to demonstrate its value for any organization by expanding to incorporate new frameworks, legislation and standards.
What is the HITRUST CSF?
The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA/HITECH, PCI DSS, GDPR and more into one comprehensive system, the HITRUST CSF saves time and energy by assessing once and reporting many.
Thanks to its ability to combine several assessments and frameworks into one framework, the HITRUST CSF allows clients to decide what they want to test against and get controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.
Originally designed specifically for the healthcare industry, the recent HITRUST CSF v9.2 grew the framework to make it useful for any organization around the globe.
CSF v9.3 will be released Q3 of 2019 and the HITRUST organization has detailed the additional regulatory factors that will be added to the framework.
Incorporation with the California Consumer Privacy Act
One of the most notable updates in CSF v9.3 is the incorporation of new standards and regulations, including requirements placed on organizations by the California Consumer Privacy Act (CCPA).
Passed in 2018, the CCPA was built to be similar to the European Union’s General Data Protection Regulation (GDPR) and takes a stronger stance to protect the sharing, transmission and storage of consumer data. The CCPA legislation goes into effect on January 1, 2020, with the enforcement of the law starting on July 1, 2020.
Not only does the HITRUST CSF v9.3 incorporate standards and regulations from the CCPA, it reflects key differences between the CCPA and GDPR, including requirements for data access, applicability and requirements for opt-out methods.
Other Important Updates to CSF v9.3
Aligning the HITRUST CSF with the CCPA is only one of the updates to the HITRUST framework. CSF v9.3 also updates the framework to incorporate other authoritative sources, including:
- The Federal Risk and Authorization Management Program (FedRAMP)
- The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1
- Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1
- IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information
- South Carolina’s Bill 4655, the Insurance Data Security Act
Who Should Migrate to CSF v9.3
If your entity wants to add any of the six regulatory factors outlined above to your HITRUST assessment, you will need to undergo CSF v9.3. If you are not interested in adding these factors, you can instead opt to undergo CSF v9.1 or CSF v9.2.
By giving organizations more choice to better fit their needs, the HITRUST CSF continues to position itself as a valuable, powerful and flexible framework for organizations of all sizes across all industries.
The A-LIGN Difference
A-LIGN’s experience and commitment to quality helped over 130 clients successfully achieve HITRUST certification. Our vigorous process outlined above helps you prepare for the HITRUST assessment, and our team of HITRUST experts are here to answer any question you might have through every step of the process by answering all inquiries within twenty-four hours. With A-LIGN, you’re on the right path to HITRUST certification success.
Interested in pursuing the HITRUST CSF for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.
As the digital landscape evolves and transforms the way organizations run their operations, many experience unprecedented opportunities as well as new challenges. In recent years, universities and colleges have experienced a higher number of cyber-attacks and security breaches due to a lack of a proper security infrastructure to secure student information, including financial aid.
For example, the University of Maryland experienced a large security breach in 2014 leaking over 300,000 student records including names, birthdates, and even social security numbers, according to University Business. Other universities have fallen victim to security breaches as well, including Penn State University and Harvard University.
As security breaches and cyber-attacks continue to increase in the education industry, the Department of Education (DOE) has released guidance that will regulate data security practices at colleges and universities under the Gramm-Leach-Bliley Act (GLBA).
The Gramm-Leach-Bliley Act (GLBA) is a federal law primarily focused on protecting private and personal information within financial institutions. As mandated, these financial institutions are required to develop security programs and to openly communicate privacy practices to clients.
The DOE will use the GLBA to require universities and colleges to:
- Develop, implement, and maintain a written information security program;
- Designate the employee(s) responsible for coordinating the information security program;
- Identify and assess risks to stored personal/confidential information;
- Design and implement an information safeguards program;
- Select appropriate service providers that are capable of maintaining appropriate safeguards; and
- Periodically evaluate and update their security program.
The DOE plans to conduct an annual audit on universities and colleges to ensure compliance with the GLBA and assess financial aid information protection.
Additionally, the DOE highly encourages institutions to comply with the standards developed by the National Institute of Standards and Technology (NIST), specifically 800-171 Rev. 1 to further protect student financial-aid information.
The NIST 800-171 standard originally released in June of 2015, provides holistic security standards for controlled unclassified information (CUI). Conducting an assessment following this standard includes:
- Review of existing processes
- Risk assessment of 14 control families
- Development of a compliance roadmap
- Evaluation of compliance through an audit
The main difference between the GLBA and NIST 800-171 are the frameworks the institutions will test against. Since NIST is a more commonly used and comprehensive federal standard it has more controls within its framework, which will offer greater assurance to not only educational institutions, but also their student body.
Protect Your Institution
With the average cost of a U.S. educational record being $245, it’s more important than ever that universities and colleges enhance their information security to protect their institutions’ financial assets, as well as their students’ personal and financial information. To put it in a greater perspective, the University of Maryland’s 2014 breach cost them around $40 million, with the average cost of a record being $100.
Reduce evolving threats and protect student information today by enhancing your institution’s information security programs using NIST 800-171.
To learn more about how A-LIGN can assist your institution in developing a security program to comply with the DOE Annual Audit Requirements, including GLBA and NIST 800-171 standards, please reach out to one of our experienced security professionals at [email protected] or 1-888-702-5446.