Which HITRUST Assessment Scope is Right for My Organization?
There are 14 different control categories, each with their own number of objectives and requirements. These include the following:
- Information Security Management Program
- Access Control
- Human Resources Security
- Risk Management
- Security Policy
- Organization of Information Security
- Asset Management
- Physical and Environmental Security
- Communications and Operations Management
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Privacy Practices
These control categories are high-level groupings based on ISO 27001 and 27002. Within these categories sit 46 control objectives, which essentially state what each control is trying to achieve. For example, requirement 0.01 requires that organizations implement and manage an Information Security Management Program. These controls are then broken down by implementation level, which supports the control that needs to be met and prescribes the level your organization needs to be at, depending on particular risk factors.
The CSF has 135 controls with 3 levels of implementation. Which control level is necessary depends on organizational, system and regulatory factors. Which of these controls are relevant to your organization depends on the scope of the assessment you receive: security, comprehensive, or an assessment with privacy.
Formerly known as the baseline assessment, the security assessment is a set of questions drawn from the MyCSF library across a variety of assessment domains. It can be used as an initial compliance assessment to determine where your organization is able to demonstrate satisfactory security levels to third parties. This assessment is designed to measure against 64 of the 149 implementation requirements, thereby providing a minimum set of requirements that covers each of the HIPAA Security Rule's standards and implementation specifications. The scope of this assessment supports both self-assessment and third-party validated assessments.
A comprehensive assessment pulls questions from the MyCSF library and spans 19 different assessment domains. This assessment measures where your organization stands in more detail, and is used to demonstrate satisfactory security levels to third parties. This is because it is designed to measure your organization against all of the implementation requirements, providing a higher level of assurance for each of the HIPAA Security Rule's standards and implementation specifications. The scope of this assessment also supports both self-assessment and third-party validated assessments.
Assessment with Privacy
An assessment with privacy adds the 14th domain, privacy, to your assessment. It can be added to either your security assessment or your comprehensive assessment.
This is mandatory for companies operating within Texas, Massachusetts or Nevada, and could be mandatory for organizations doing business within these states, including both covered entities and business associates. However, organizations that are not doing business in these states can also select privacy if there is a contractual obligation to do so.