The HITRUST CSF is used in many different ways, ranging from simply serving as a reference for leading practices to forming the basis for an organization's entire risk management program, and anywhere in between. Because of the extraordinary flexibility of the HITRUST CSF, however, HITRUST strongly recommends applying the framework across one's entire organization to avoid the inefficiencies associated with multiple disparate, and often stove-piped, information protection programs.

To do this, organizations should segment their information systems [82] based on the sensitivity and/or criticality of the information they process [83] and strictly define the interfaces between and amongst each segment or 'scope of application', as shown in the following figure.

Figure 14. Segmenting the Organizational Environment for HITRUST CSF Implementation

HITRUST CSF controls would then be specified based on the inherent risk factors relevant to each segment and interface, as described earlier in Step 2. They would be implemented through the organization's normal operational and capital budget and work processes, with Board-level and senior executive oversight provided through existing governance structures and processes.

[82] HITRUST adopts NIST's view of an information system, which is broadly defined to include hardware, software, data, humans, processes, facilities, materials, and naturally occurring physical entities. See the definition in Appendix C.

[83] As used here, processing encompasses all states of data or information, including data or information at rest or in transit. See the related definitions in Appendix C.