Now that we have a better understanding of assurance, we can identify the criteria one should consider when selecting a controls assessment and reporting option. These criteria include but are not necessarily limited to:

  • Transparency. The underlying control framework and the assessment approach, including its evaluation and scoring model, should be open and transparent to all stakeholders.
  • Comprehensiveness. The control framework should provide a comprehensive treatment of information security, privacy, and compliance-related risk.
  • Prescriptiveness. The controls in the framework should be detailed enough to support their implementation as well as their assessment.
  • Scalability. The control framework and assessment approach should be scalable to any organization.
  • Consistency. Assessment results should be consistent regardless of the assessor used.
  • Accuracy. Assessment results should accurately reflect the state of an organization’s controls.
  • Efficiency. Assessments and their reports should satisfy multiple stakeholders for multiple purposes.

HITRUST’s unique and comprehensive approach to information risk management and compliance addresses all of these criteria to provide some of the most robust assurances available today. The most notable components of the HITRUST Approach that enable this are the HITRUST CSF Framework and the HITRUST Assurance Program, both of which are extensively documented and available to the public for review. (Transparency)

The HITRUST CSF was built upon a control framework-based risk analysis and integrates and harmonizes dozens of authoritative sources for a complete treatment of information security, privacy, and compliance-related risk. (Comprehensiveness)

HITRUST CSF controls consist of multiple, detailed requirements in increasingly rigorous levels of implementation and risk-specific segments to ensure organizations understand exactly what must be implemented and subsequently how they should be assessed. In addition, unlike most other frameworks, which are refreshed infrequently, the HITRUST CSF is updated regularly to stay current with controls and mappings that address the latest cyber threats, including ransomware and phishing. (Prescriptiveness)

When organizations perform a risk-based assessment against the HITRUST CSF, which includes prescriptive security and privacy controls as well as mappings to dozens of authoritative sources, they can tailor those controls based on defined organizational, system, and regulatory risk factors to fit their specific assurance requirements. They can also select from a variety of assessment and reporting options based on the inherent risk of their operations and the needs of their relying parties. (Scalability)

HITRUST provides the only assessment report that clearly articulates the maturity of a control’s implementation using its innovative PRISMA-based N x M x I Maturity Model, lending a degree of accuracy simply not achievable by traditional assessment approaches. (Accuracy)

The HITRUST Assurance Program also provides organizations and their business partners with a common approach to managing security assessments, including a vetted, authorized assessor pool trained in the HITRUST assessment methodology, as well as centralized quality control of each assessment for which HITRUST issues a report. More than a hundred quality checks are performed by the HITRUST MyCSF® risk management platform to identify and address assessment errors, and HITRUST collects multiple quality metrics to help ensure the quality control process performs as intended. (Consistency)

And because HITRUST has harmonized controls from different frameworks into a single set of rationalized control requirements, organizations do not need to answer more questionnaires than necessary. HITRUST can instead produce a single, comprehensive assessment report capable of providing assurances to multiple requesting parties, saving organizations time and money—an approach that HITRUST calls Assess Once, Report Many™. (Efficiency)

While other assessment and reporting options may provide an open control framework, many lack transparency in how the controls are derived, updated, or assessed. Some frameworks provide a limited set of controls that may not address risk comprehensively or that lack the details necessary to ensure their correct implementation. These frameworks are often “one size fits all” and not easily scalable to different types and sizes of organizations, and most of the available options do not leverage a maturity model, which in turn impacts the accuracy of the results. No other option provides a vetted and trained independent assessor pool together with centralized quality control, and the lack of either can result in inconsistent assessment and reporting. And many available options are single-purpose, resulting in less efficiency when reporting to multiple stakeholders with different assurance needs.