By leveraging the same control framework-based approach to risk analysis[78] used by U.S. government organizations and following the NIST tailoring[79] process, HITRUST integrated and harmonized multiple information security and privacy regulations, standards, and best practice frameworks—referred to as authoritative sources—to create the CSF as an industry-level enhanced overlay[80] of the NIST moderate-level initial security control baseline.[81]

Figure 11. The HITRUST CSF – A Highly Tailored, Industry-level Control Framework Overlay

The control requirements in the overlay were then organized along the lines of the security control clauses contained in Appendix A of ISO/IEC 27001 with slight modifications, such as the addition of three new families of controls: CSF Control Category 0 – Information Security Management Program, CSF Control Category 3 – Risk Management Program, and CSF Control Category 13 – Privacy Practices. A high-level depiction of the HITRUST CSF Control Categories and Supporting Control Objectives is provided below.

Figure 12. HITRUST CSF Control Framework Structure

The HITRUST CSF is also structured in such a way that specific control requirements can be applied to a specific scope based on relevant organizational, system (technical), and regulatory (compliance) risk factors as shown in the next figure.

Figure 13. Layered Structure of a HITRUST CSF Control

Each HITRUST CSF control contains a core implementation level consisting of good security hygiene and industry best practice requirements. Each control may also contain one or more control segments, each of which is brought in by at least one relevant risk factor (e.g., the amount of data held by the organization, the number of interfaces with other systems, or a specific law, regulation, or framework). Each segment adds prescription covering control requirements that are generally unique to the organization and/or data type addressed by the risk factor and that were not already included in the core requirements.
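The layered structure just described (a core level that always applies, plus segments that a scope's organizational, system, or regulatory risk factors bring in) can be modelled as a small selection routine. The following is an added illustration written for this page; it is not HITRUST code, and the control identifier, requirement wording, risk-factor thresholds, and the "example-privacy-rule" regulation name are all constructed placeholders rather than HITRUST CSF content.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """A control segment and the risk factor that brings it into scope."""
    name: str                          # which risk factor type brings this segment in
    trigger: Callable[[dict], bool]    # True when the scope exhibits the risk factor
    requirements: Tuple[str, ...]      # additional prescription beyond the core level


@dataclass(frozen=True)
class Control:
    """One control: a core implementation level plus zero or more segments."""
    control_id: str
    core: Tuple[str, ...]              # good hygiene / best practice requirements
    segments: Tuple[Segment, ...]


def applicable_requirements(control: Control, scope: dict) -> Tuple[List[str], List[str]]:
    """Return the core requirements plus those of every segment whose risk factor
    applies to the scope, and the names of the segments that were triggered.
    Requirements already present (e.g. restated by a regulatory segment) are
    not duplicated."""
    reqs = list(control.core)
    triggered = []
    for seg in control.segments:
        if seg.trigger(scope):
            triggered.append(seg.name)
            for r in seg.requirements:
                if r not in reqs:
                    reqs.append(r)
    return reqs, triggered


# Constructed example control. Identifier, wording and thresholds are invented
# for illustration only; they are not HITRUST CSF requirement text.
EXAMPLE_CONTROL = Control(
    control_id="EXAMPLE-ACCESS-01",
    core=(
        "Authenticate every user before granting access.",
        "Review user access rights periodically.",
    ),
    segments=(
        Segment(
            name="organizational: large data holder",
            trigger=lambda s: s.get("records_held", 0) >= 1_000_000,   # constructed threshold
            requirements=("Require multi-factor authentication for all remote access.",),
        ),
        Segment(
            name="system: many external interfaces",
            trigger=lambda s: s.get("external_interfaces", 0) >= 10,    # constructed threshold
            requirements=("Log and monitor authentication events on every external interface.",),
        ),
        Segment(
            name="regulatory: example privacy rule",
            trigger=lambda s: "example-privacy-rule" in s.get("regulations", ()),
            requirements=(
                "Review user access rights periodically.",              # overlaps the core; deduplicated
                "Retain access review records for the period the rule specifies.",
            ),
        ),
    ),
)


def evaluate(scope: dict) -> Tuple[List[str], List[str]]:
    """Apply the constructed example control to a scope described by risk factors."""
    return applicable_requirements(EXAMPLE_CONTROL, scope)


if __name__ == "__main__":
    # Two constructed scopes: a small system with no regulatory driver, and a
    # large, highly connected one subject to the (hypothetical) privacy rule.
    scopes: Dict[str, dict] = {
        "small scope": {"records_held": 5_000, "external_interfaces": 2, "regulations": ()},
        "large scope": {"records_held": 2_500_000, "external_interfaces": 12,
                        "regulations": ("example-privacy-rule",)},
    }
    for label, scope in scopes.items():
        reqs, triggered = evaluate(scope)
        print(f"{label}: {len(reqs)} requirements; triggered segments: {triggered}")
        for r in reqs:
            print("  -", r)
```

The point of the model is that the same control yields a different requirement set per scope: the small scope receives only the two core requirements, while the large scope receives the core plus one requirement from each of the three segments, with the requirement the regulatory segment restates from the core counted once.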

[78] For more information, see Cline, B. (2017, Sep).

[79] Tailoring is the process by which a security control baseline is modified based on: (i) the application of scoping guidance; (ii) the specification of compensating security controls, if needed; and (iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements. See definition in Appendix C.

[80] An overlay is a specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, which is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems. See definition in Appendix C.

[81] For more information on tailoring and overlays, see JTF (2020, Oct).