Information protection cannot be a “one size fits all” approach for many reasons. For example, organizations more often than not have different information systems (or different implementations of similar systems), different business and compliance requirements, different cultures, and different risk appetites. Even the HITRUST CSF cannot account for all these differences through the tailoring of controls based on a limited set of organizational, system, and regulatory risk factors. So, if an organization cannot implement a required control, one or more compensating controls should be selected to address the risks posed by the threats the originally specified control was meant to address. But while compensating controls are well known and extensively employed by compliance frameworks such as PCI DSS, the term “compensating control” has often been used to describe everything from a legitimate work-around to a mere shortcut to compliance that fails to address the intended risk. Organizations should therefore be able to demonstrate the validity of a compensating control by way of a legitimate risk analysis that shows the control addresses a similar type and level of risk as the original. In addition, the compensating control must be something other than what is already required by other, existing controls, because all the CSF controls specified by an organization’s risk factors must be implemented to provide a minimally acceptable level of residual risk.

HITRUST provides for the selection of compensating controls based on a standardized risk analysis, which is used either to justify an exception to one or more HITRUST CSF control requirements applicable to a specific organization or to gain HITRUST approval for the control’s broader application across the industry. HITRUST refers to compensating controls submitted to and approved by the HITRUST Alternate Controls Committee as ‘alternate controls.’ Accordingly, all alternate control risk analyses submitted to HITRUST must comprehensively address the elements identified in the following flow chart.

Figure 17. Notional Process Flow for the Risk Analysis of Alternative Controls

HITRUST does not currently specify a particular risk analysis methodology for alternate controls. However, while any risk analysis has limitations arising from the specific methods, tools, and data used, the methodology should be sufficiently robust to meet the needs of the decision-maker, i.e., the information provided should be of sufficient quality to support a reasonably good decision.

HITRUST is also currently working to develop a general methodology for targeted types of risk analysis such as the one used to evaluate alternate controls by leveraging QQRRA. This document will be updated to include a brief discussion of this methodology once development is complete.