HITRUST CSF

Summary

HITRUST CSF is both risk and compliance-based, making it possible for organizations of varying risk profiles to customize their security and privacy control baselines. It is sensitive to data protection compliance and the challenges of assembling and maintaining various programs. Therefore, it provides the structure, transparency, guidance and cross-references to authoritative sources that organizations need in order to check their data protection compliance, as well as an approach to ensure the proper alignment, maintenance and comprehensiveness of components. The version used in this section is HITRUST CSF v9.6.0.

Definitions

Definition	Requirements
HITRUST-01_a. Access control policy	331. Guarantee legal compliance
HITRUST-01_c. Privilege management	033. Restrict administrative access 034. Manage user accounts 035. Manage privilege modifications 095. Define users with privileges 096. Set user's required privileges
HITRUST-01_d. User password management	126. Set a password regeneration mechanism 129. Validate previous passwords 130. Limit password lifespan 131. Deny multiple password changing attempts 133. Passwords with at least 20 characters 136. Force temporary password change 137. Change temporary passwords of third parties 138. Define lifespan for temporary passwords 209. Manage passwords in cache 238. Establish safe recovery 332. Prevent the use of breached passwords 367. Proper generation of temporary passwords 380. Define a password management tool
HITRUST-01_e. Review of user access rights	315. Provide processed data information
HITRUST-01_h. Clear desk and clear screen policy	176. Restrict system objects 221. Disconnect unnecessary input devices 340. Use octet stream downloads
HITRUST-01_i. Policy on the use of network services	250. Manage access points 253. Restrict network access 257. Access based on user credentials
HITRUST-01_j. User authentication for external connections	262. Verify third-party components 284. Define maximum number of connections 324. Control redirects 330. Verify Subresource Integrity 092. Use externally signed certificates
HITRUST-01_k. Equipment identification in networks	232. Require equipment identity 351. Assign unique keys to each device
HITRUST-01_l. Remote diagnostic and configuration port protection	154. Eliminate backdoors 249. Locate access points 250. Manage access points 255. Allow access only to the necessary ports 284. Define maximum number of connections
HITRUST-01_m. Segregation in networks	259. Segment the organization network
HITRUST-01_n. Network connection control	249. Locate access points 257. Access based on user credentials 284. Define maximum number of connections 033. Restrict administrative access
HITRUST-01_o. Network routing control	249. Locate access points 250. Manage access points 320. Avoid client-side control enforcement
HITRUST-01_p. Secure log-on procedures	377. Store logs based on valid regulation 378. Use of log management system
HITRUST-01_q. User identification and authentication	143. Unique access credentials 264. Request authentication 096. Set user's required privileges
HITRUST-01_r. Password management system	380. Define a password management tool
HITRUST-01_t. Session time-out	023. Terminate inactive user sessions 031. Discard user session data
HITRUST-01_u. Limitation of connection time	236. Establish authentication time 369. Set a maximum lifetime in sessions 072. Set maximum response time
HITRUST-01_v. Information access restriction	176. Restrict system objects 265. Restrict access to critical processes 280. Restrict service root directory
HITRUST-01_w. Sensitive system isolation	159. Obfuscate code 180. Use mock data 265. Restrict access to critical processes 374. Use of isolation methods in running applications
HITRUST-01_x. Mobile computing and communications	205. Configure PIN 229. Request access credentials 264. Request authentication 336. Disable insecure TLS versions 351. Assign unique keys to each device
HITRUST-01_y. Teleworking	153. Out of band transactions 181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 338. Implement perfect forward secrecy
HITRUST-02_d. Management responsibilities	302. Declare dependencies explicitly 331. Guarantee legal compliance
HITRUST-03_a. Risk management program development	161. Define secure default options 262. Verify third-party components 266. Disable insecure functionalities 075. Record exceptional events in logs
HITRUST-04_a. Information security policy document	331. Guarantee legal compliance
HITRUST-05_c. Allocation of information security responsibilities	095. Define users with privileges
HITRUST-05_d. Authorization process for information assets and facilities	314. Provide processing confirmation 315. Provide processed data information
HITRUST-05_i. Identification of risks related to external parties	262. Verify third-party components
HITRUST-05_k. Addressing security in third party agreements	137. Change temporary passwords of third parties 142. Change system default credentials 155. Application free of malicious code 161. Define secure default options 178. Use digital signatures 302. Declare dependencies explicitly 316. Allow rectification requests 318. Notify third parties of changes 033. Restrict administrative access
HITRUST-06_a. Identification of applicable legislation	331. Guarantee legal compliance
HITRUST-06_b. Intellectual property rights	331. Guarantee legal compliance
HITRUST-06_c. Protection of organizational records	377. Store logs based on valid regulation 075. Record exceptional events in logs 080. Prevent log modification
HITRUST-06_d. Data protection and privacy of covered information	176. Restrict system objects 178. Use digital signatures 181. Transmit data using secure protocols 185. Encrypt sensitive information 300. Mask sensitive data 305. Prioritize token usage 365. Avoid exposing technical information
HITRUST-06_f. Regulation of cryptographic controls	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 331. Guarantee legal compliance
HITRUST-06_g. Compliance with security policies and standards	331. Guarantee legal compliance
HITRUST-07_b. Ownership of assets	077. Avoid disclosing technical information 096. Set user's required privileges
HITRUST-08_b. Physical entry controls	229. Request access credentials 231. Implement a biometric verification component 232. Require equipment identity 235. Define credential interface 237. Ascertain human interaction
HITRUST-08_c. Securing offices, rooms and facilities	249. Locate access points 250. Manage access points 255. Allow access only to the necessary ports 257. Access based on user credentials
HITRUST-08_f. Public access, delivery and loading areas	249. Locate access points 250. Manage access points 257. Access based on user credentials
HITRUST-08_g. Equipment siting and protection	213. Allow geographic location 249. Locate access points 250. Manage access points
HITRUST-09_c. Segregation of duties	176. Restrict system objects 186. Use the principle of least privilege 341. Use the principle of deny by default 096. Set user's required privileges
HITRUST-09_d. Separation of development, test and operational environments	159. Obfuscate code 180. Use mock data 265. Restrict access to critical processes 374. Use of isolation methods in running applications
HITRUST-09_e. Service delivery	155. Application free of malicious code 161. Define secure default options 262. Verify third-party components 314. Provide processing confirmation 315. Provide processed data information 317. Allow erasure requests
HITRUST-09_f. Monitoring and review of third-party services	142. Change system default credentials 302. Declare dependencies explicitly
HITRUST-09_g. Managing changes to third party services	137. Change temporary passwords of third parties 316. Allow rectification requests 318. Notify third parties of changes
HITRUST-09_h. Capacity management	177. Avoid caching and temporary files 322. Avoid excessive logging 323. Exclude unverifiable files 083. Avoid logging sensitive data
HITRUST-09_i. System acceptance	331. Guarantee legal compliance
HITRUST-09_j. Controls against malicious code	115. Filter malicious emails 155. Application free of malicious code 340. Use octet stream downloads 039. Define maximum file size 041. Scan files for malicious code
HITRUST-09_k. Controls against mobile code	205. Configure PIN
HITRUST-09_m. Network controls	147. Use pre-existent mechanisms 181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 251. Change access point IP 252. Configure key encryption 253. Restrict network access 255. Allow access only to the necessary ports 257. Access based on user credentials 259. Segment the organization network 077. Avoid disclosing technical information
HITRUST-09_p. Disposal of media	183. Delete sensitive data securely 360. Remove unnecessary sensitive information 375. Remove sensitive data from client-side applications
HITRUST-09_q. Information handling procedures	314. Provide processing confirmation 315. Provide processed data information 329. Keep client-side storage without sensitive data
HITRUST-09_r. Security of system documentation	176. Restrict system objects 095. Define users with privileges 096. Set user's required privileges
HITRUST-09_s. Information exchange policies and procedures	145. Protect system cryptographic keys 147. Use pre-existent mechanisms 206. Configure communication protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 338. Implement perfect forward secrecy 030. Avoid object reutilization
HITRUST-09_v. Electronic messaging	160. Encode system outputs 206. Configure communication protocols 348. Use consistent encoding 032. Avoid session ID leakages
HITRUST-09_x. Electronic commerce services	325. Protect WSDL files
HITRUST-09_y. On-line transactions	145. Protect system cryptographic keys 147. Use pre-existent mechanisms 153. Out of band transactions 174. Transactions without a distinguishable pattern 223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms 300. Mask sensitive data 335. Define out of band token lifespan 346. Use initialization vectors once 084. Allow transaction history queries
HITRUST-09_z. Publicly available information	261. Avoid exposing sensitive information 364. Provide extended validation (EV) certificates 045. Remove metadata when sharing files
HITRUST-09_aa. Audit logging	376. Register severity level 075. Record exceptional events in logs 079. Record exact occurrence time of events
HITRUST-09_ab. Monitoring system use	322. Avoid excessive logging 377. Store logs based on valid regulation 378. Use of log management system 077. Avoid disclosing technical information 080. Prevent log modification 083. Avoid logging sensitive data
HITRUST-09_ac. Protection of log information	046. Manage the integrity of critical files 080. Prevent log modification
HITRUST-09_ad. Administrator and operator logs	046. Manage the integrity of critical files 075. Record exceptional events in logs 079. Record exact occurrence time of events
HITRUST-09_af. Clock synchronization	363. Synchronize system clocks 079. Record exact occurrence time of events
HITRUST-10_b. Input data validation	173. Discard unsafe inputs 342. Validate request parameters
HITRUST-10_c. Control of internal processing	122. Validate credential ownership 330. Verify Subresource Integrity 364. Provide extended validation (EV) certificates 373. Use certificate pinning
HITRUST-10_d. Message integrity	145. Protect system cryptographic keys 147. Use pre-existent mechanisms 178. Use digital signatures 224. Use secure cryptographic mechanisms 321. Avoid deserializing untrusted data 030. Avoid object reutilization 062. Define standard configurations
HITRUST-10_e. Output data validation	160. Encode system outputs 348. Use consistent encoding
HITRUST-10_f. Policy on the use of cryptographic controls	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms
HITRUST-10_g. Key management	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 151. Separate keys for encryption and signatures 223. Uniform distribution in random numbers 346. Use initialization vectors once 361. Replace cryptographic keys 370. Use OAEP padding with RSA 371. Use GCM Padding with AES 372. Proper Use of Initialization Vector (IV)
HITRUST-10_i. Protection of system test data	171. Remove commented-out code 180. Use mock data
HITRUST-10_j. Access control to program source code	158. Use a secure programming language 159. Obfuscate code 161. Define secure default options 051. Store source code in a repository 096. Set user's required privileges
HITRUST-10_l. Outsourced software development	262. Verify third-party components
HITRUST-11_a. Reporting information security events	313. Inform inability to identify users
HITRUST-13_a. Privacy notice	189. Specify the purpose of data collection 311. Demonstrate user consent 314. Provide processing confirmation 315. Provide processed data information
HITRUST-13_b. Openness and transparency	314. Provide processing confirmation 315. Provide processed data information
HITRUST-13_c. Accounting of disclosures	314. Provide processing confirmation 315. Provide processed data information
HITRUST-13_d. Consent required	189. Specify the purpose of data collection 310. Request user consent
HITRUST-13_e. Choice	312. Allow user consent revocation
HITRUST-13_f. Principle access	084. Allow transaction history queries 085. Allow session history queries
HITRUST-13_g. Purpose legitimacy	331. Guarantee legal compliance
HITRUST-13_h. Purpose specification	315. Provide processed data information
HITRUST-13_j. Data minimization	360. Remove unnecessary sensitive information
HITRUST-13_k. Use and disclosure	173. Discard unsafe inputs 300. Mask sensitive data
HITRUST-13_l. Retention and disposal	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
HITRUST-13_m. Accuracy and quality	310. Request user consent 315. Provide processed data information 316. Allow rectification requests 318. Notify third parties of changes 326. Detect rooted devices 360. Remove unnecessary sensitive information
HITRUST-13_n. Participation and redress	301. Notify configuration changes 316. Allow rectification requests
HITRUST-13_s. Privacy monitoring and auditing	376. Register severity level 377. Store logs based on valid regulation 075. Record exceptional events in logs 079. Record exact occurrence time of events 085. Allow session history queries

Last updated

2023/09/18