Achieving the Benefits of the NIST Cybersecurity Framework

September 27, 2017

Comparing the NIST Cybersecurity Framework and HITRUST Common Security Framework

The NIST Cybersecurity Framework (NIST CsF) continues to gain traction as a tool for reporting on the maturity and effectiveness of an organization’s cyber-related controls. At the same time, the HITRUST CSF continues to gain adoption as a controls and reporting framework for information privacy and security across many industries both domestically and internationally. The NIST CsF and HITRUST CSF are complementary tools and can be used together to satisfy many needs within and across organizations.

How are the NIST CsF and HITRUST CSF related?

The NIST CsF provides a mechanism for assessing and maturing a cybersecurity program based on 98 objective-level Core Subcategories that describe intended cybersecurity outcomes. The HITRUST CSF and its Assurance Program complement the NIST CsF in two major ways: 1) the HITRUST CSF provides the details needed to implement each of the 98 cybersecurity objectives in a way that maps to and meets many critical compliance and risk management standards in the most efficient way possible; and 2) the Assurance Program provides a standards-driven process to monitor, assess, and maintain those controls. Without the HITRUST CSF, practitioners using the NIST CsF must create these standards and processes themselves.

How has HITRUST enabled current NIST CsF users to get started?

With the release of HITRUST CSF v9, organizations participating in the HITRUST CSF Assurance Program can view their information privacy and security programs through the lens of the NIST CsF. The NIST CsF Scorecard, now provided in every HITRUST CSF assessment report, details how well an organization meets the objectives specified by the NIST CsF Core Subcategories based on how well it has implemented the underlying HITRUST CSF controls. Organizations that do not undergo an assessment under the HITRUST CSF Assurance Program can prepare a similar report using a publicly available cross-reference between the HITRUST CSF controls and the NIST CsF Core Subcategories.

About the HITRUST CSF Assurance Program

By leveraging the HITRUST CSF Assurance Program, an organization can perform one assessment against the HITRUST CSF framework to satisfy multiple reporting requests including HIPAA, SOC 2®, NIST Cybersecurity, MARS-E or one of the other regulations or standards incorporated into the HITRUST CSF. In short, it reduces costs, resource burdens and time via an "assess once, report many" approach.

Additional explanation on how the HITRUST CSF is a model implementation of the NIST CsF and provides support for an organization’s attestation of compliance with the NIST Cybersecurity Framework can be found on the Department of Homeland Security / US CERT website in the Healthcare Sector Cybersecurity Framework Implementation Guide.
