[author: Nicholas Parker]
HITRUST recently announced a formal partnership with both Amazon Web Services (AWS) and Microsoft Azure. HITRUST has collaborated with both cloud hosting service providers to outline and define a responsibility matrix called the HITRUST Shared Responsibility Matrix™ (SRM). This enhances the HITRUST inheritance program native to the MyCSF portal and, by supplying clear inheritance guidelines, improves the overall efficiency of performing a HITRUST CSF Validated Assessment.
What is the HITRUST MyCSF Inheritance Program?
The HITRUST MyCSF Inheritance Program is functionality native to the MyCSF portal that allows subscribers to inherit the control maturity of a parent organization or third party that is responsible for that control within the subscriber’s environment. Control inheritance decreases the work effort for both the subscriber and the assessors during HITRUST CSF assessments, and it gives the subscriber a clearer picture of the controls that third parties implement within the subscriber's environment.
For example, XYZ Data Center is HITRUST CSF Certified and provides secured cages for ABC Corp’s server infrastructure. XYZ Data Center has implemented door-delay alarms on all of their cages, which scored 100% Implemented during their HITRUST Validated Assessment. When ABC Corp undergoes their HITRUST CSF Validated Assessment, they can inherit the 100% Implemented score of XYZ Data Center’s door-delay alarms.
How does the Inheritance Program work with AWS and MS Azure?
Inheriting controls from AWS and MS Azure works the same way as inheriting from any other service provider. When a subscriber reaches a control they want to inherit, they select either AWS or MS Azure from the list of external service providers with current HITRUST CSF Certifications. The selected service provider then has to approve the inheritance, after which it is reflected for that specific control. The SRM classifies each control into one of three inheritance types:
- Fully Inheritable: Instances where the subscriber/customer has no responsibility for the performance of the control (e.g., fire suppression in a third-party data center).
- Partially Inheritable: Instances where the subscriber/customer shares the responsibility for the performance of the control with the service provider (e.g., installing anti-virus and anti-malware software on systems not managed by the service provider).
- Not Inheritable: Instances where the subscriber/customer has full responsibility for the performance of the control (e.g., identifying what systems or services process sensitive information).
While Fully Inheritable and Not Inheritable controls are straightforward, Partially Inheritable controls usually fall into one of two types:
- Third-party security technologies used by the subscriber/customer that require policy or procedure development, which dictates how the implemented technology will be utilized.
- Third-party security technologies that do not cover the full scope of the environment and require additional implementation to cover systems wholly controlled/managed by the subscriber/customer.
Scoring a Partially Inheritable control depends on the scope of the assessment and on the implementation maturity of both the customer/subscriber and the service provider. HITRUST provides a scoring rubric with detailed guidance on how to score a control based on its scope and the measured performance of the control.
For example, XYZ Cloud Service Provider hosts an application developed by ABC Corp. XYZ Cloud Service Provider has an Intrusion Detection System (IDS) covering all incoming traffic, which scored 100% Implemented during their Validated Assessment. ABC Corp also keeps a backup of covered information that is in scope for their Validated Assessment at their corporate office, and ABC Corp has no IDS deployed for incoming traffic at that office. This is the second type of Partially Inheritable control described above: XYZ's IDS covers the hosted environment but not the in-scope systems ABC Corp manages itself. The result would be a 25%-75% Implemented score, depending on the proportion of in-scope systems that are protected by an IDS versus those that are not.
What are the benefits of the HITRUST SRM?
The HITRUST SRM has substantial benefits for all involved parties. As mentioned, it defines which controls are inheritable by subscribers and gives detailed guidance on how inherited controls should be assessed. The HITRUST SRM also lets service providers clearly delineate what is their responsibility versus the customer/subscriber’s.
Perhaps the most substantial benefit of the HITRUST SRM is its enhancement to the existing MyCSF Inheritance Program. The HITRUST SRM partnership with AWS and MS Azure enables a significant number of organizations to reap the benefits of the inheritance program:
- Decreased testing requirements
- Decreased data entry
- Increased control maturity/scores
- Increased insight into service provider compliance
Overall, this announcement is great news for organizations that already use either of these cloud hosting service providers. If your organization has been on the fence about whether HITRUST certification is attainable, the HITRUST SRM could be the edge you need to achieve it. Similarly, if your organization has struggled to attain or maintain a HITRUST CSF Certification, this could be the boost your scores need to secure certification.