WHITE PAPER: Best Practices for HITRUST CSF Automation


TABLE OF CONTENTS
Executive Summary
Seven Considerations for HITRUST Automation
Planning for Automation
Staffing Requirements for Automation
Scoping for Automation
What Can Be Automated?
What Cannot Be Automated?
Managing Exceptions & Remediation Plans
Distribute or Centralize?
Selecting an Automation Tool
Advanced Topics: Capitalizing on CSF Automation
Critical Success Factors & Lessons Learned

Rsam 2012

EXECUTIVE SUMMARY
Over the past 10 years, Rsam has witnessed a growing need for automation and distribution of risk and compliance efforts, driven by larger assessment scopes, more regulatory mandates, limited staff size, and the requirement for recurrence and ongoing management of results.

AUTOMATION creates efficiency, consistency, and reliability in the assessment, its results, and the analysis. DISTRIBUTION allows for a wider range of participation and greater coverage across the organization. If done properly, distribution results in gained efficiency and data accuracy. Both automation and distribution of governance, risk, and compliance (GRC) efforts come with upfront and ongoing costs; however, these upfront costs pay off in the long run.

Rsam has been a partner of the HITRUST organization since 2011 and has helped implement and automate the HITRUST CSF within many large healthcare organizations. This white paper shares best practices and lessons learned in automating the HITRUST Common Security Framework (CSF) across many healthcare organizations.

CONSIDERATIONS FOR HITRUST AUTOMATION
The HITRUST CSF provides an excellent framework that lends itself to the distribution and automation of assessments within an organization. The CSF provides detailed control verbiage, a level system for control selection that maps across a variety of standards, grouping of assessments into tangible types (systems, organizations, etc.), and a prescriptive assessment methodology. This white paper addresses the critical elements for automation and distribution of the CSF:
- PLANNING: Scoping considerations for automation
- STAFFING: Resource considerations for enabling automation
- SCOPING: Practical understanding of what can and cannot be automated
- DISTRIBUTION VS. CENTRALIZATION: Guidance in selecting which elements to distribute and which to centralize
- TOOL SELECTION: Considerations for tool selection; integration points with other tools

PLANNING FOR AUTOMATION
HITRUST provides the CSF via spreadsheets with macros that offer a basic degree of automation. Not every organization needs to automate the CSF beyond this point; however, common candidates for extended CSF automation include:
- Large and mid-sized organizations
- Organizations with many systems or multiple divisions
- Organizations that need to assess systems or organizations outside of their own (such as assessing multiple business associates)
- Organizations with additional assessment needs beyond the CSF

Automating the CSF requires planning, and the tasks can vary in size and scope depending on the approach the organization chooses to adopt. Common elements that require careful consideration include:
- Selection of a project team
- Designation of a tool administrator
- Defining the extent of automation
- Budgeting funds and resources for tools, training, and implementation
- Selecting an automation tool
- Establishing infrastructure, or contracts for a hosted solution
- Implementation
- Ongoing management and maintenance

STAFFING REQUIREMENTS FOR AUTOMATION
While automation will ultimately help reduce the time spent on the assessment process, enabling automation and distribution requires a combination of up-front development, resources, and commitment; the payoff, although significant, is not instant. Organizations should plan for the cyclical nature of the workload for these resources, which will require an extended effort before, during, and after the first assessment. After that point, less time and attention will be required for the tool. Organizations will find that the initial implementation and yearly content updates require greater resource utilization; other times may require only part-time utilization.

The following are the types of resources an organization will need to properly manage this type of initiative:

APPLICATION RESOURCE: More than just a resource to manage the automation mechanism, application resources will need to become highly proficient in the application and have some familiarity with the backend technologies (database, etc.), though not necessarily at the level of a developer. The number of resources required for a CSF automation initiative will vary greatly and depends heavily on the tool and approach being used.

TOOL ADMINISTRATOR: Resources can range from a single part-time administrator to several administrators plus developers. This resource should be in tune with the business goals, objectives, and decisions, and familiar with the CSF framework. It is also critical to consider the total number of hours required to implement such a project when selecting a tool and the approach. It is very helpful to obtain references from other similar organizations using the same tool for the same purpose.

BUSINESS RESOURCE: These resources will need to make or approve decisions on scope, methodology, and workflow.

OTHER CONTRIBUTING RESOURCES: Although a variety of contributors will weigh in on process decisions, it is recommended to keep contributors to a select few who have the bandwidth to participate in the process.

CONSULTANTS VS. IN-HOUSE STAFF: Consultants from the product vendor or a trusted third-party advisor can be very helpful during this process; however, it is crucial to have in-house staff trained and fully aware of the implementation details. Organizations should plan to be self-sufficient and knowledgeable about how to make additions and changes within the tool rather than relying on third parties for the long term. It is also critical to NOT allow third parties to expand the scope of the project beyond what is needed for an initial rollout.

SCOPING FOR AUTOMATION
The first challenge of automation is deciding which components to automate. Without taking the time to scope properly, the project team may fixate on elements that ultimately provide little to no value, or, even worse, attempt to boil the ocean by automating and distributing every element. In today's world of constantly shifting priorities and resources, long and drawn-out implementations can be the death of such projects. Organizations should focus on building a solid foundation, and then further expand their implementations over time. Overreach in the initial phase can be detrimental to a project. Successful organizations focus first on pain points that can be solved quickly and easily, and then regroup to take on greater challenges. Throughout the entire life cycle of this process, organizations must continually re-evaluate the cost of automation vs. doing something manually, and the benefit of complex methodologies vs. keeping things simple.

What Can Be Automated?
Not everything can be automated, and more importantly, not everything SHOULD be automated. The following are some of the most valuable areas for CSF automation:
- Managing the selection and gathering of profile data using CSF Risk Factors
- Selection of controls and control levels to respond to, based on the profile data
- Routing of responses for review and approval
- Generation of test instances for validation
- Generation of findings/gaps based on standards
- Ongoing management of risk treatment options, including exception tracking
- Scoring, metrics, and reporting

All of this can be accomplished while allowing users to participate in the process on their own schedule. The tool can alert users to what they should be doing and when. This also allows for role-based views that optimize work queue and task management. Finally, all of this data becomes available to be mined and analyzed in role-based dashboards and reports.

What Cannot Be Automated?
It is not possible to fully automate a CSF control assessment. This means that automated tools such as scanners cannot auto-populate responses to CSF controls/questions. While automation of this nature can help, most controls surround topics that go beyond automation. Additionally, while testing workflows can be automated, the actual CSF testing cannot. Although some automated systems can send nag messages and create escalation notices and reports, without support from senior management these mechanisms will have little weight with complacent team members.

Managing Exceptions & Remediation Plans
At the completion of the CSF assessment process, issues and findings will be identified. While some of these findings can be addressed in a timely manner, others will require the completion of a variance request. This variance could require an exception, a risk acceptance, or alternative controls. Organizations should ensure that exception management is a multi-step process, requiring approval(s) or, at the very least, a confirmation. The workflow surrounding exceptions and remediation should be automated. Exceptions and risk acceptances should include auto-expirations and be revisited on a recurring basis, often annually, or every few years for long-term exceptions. Automated reminders, notices, and escalations can help with this process. Proper and timely management of exceptions can be as critical as the actual assessment itself. Auditors understand that everything is not going to be perfect; however, they want assurance that imperfections are being tracked and managed.

DISTRIBUTION OR CENTRALIZATION?
Distributing CSF assessment efforts across the organization can be extremely helpful, but not everything can or should be distributed. The following considers which items should be distributed vs. centralized:

DISTRIBUTED
- Questionnaire data gathering
- Remediation planning and tracking
- Testing
- Exception management
- Documenting alternative controls and approval
- Permission assignment (assignments to core teams and reassignment from there)

CENTRALIZED
- Management of assessment methodology
- Workflow design
- Content management
- Scoring methodology
- Management of universal report templates
- Inventory (to promote consistency and avoid conflicts)

Ultimately, the culture and audience of your organization will dictate the degree to which the process must be facilitated. Always leave room for the audience that requires hand-holding.
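The exception lifecycle described above under Managing Exceptions & Remediation Plans (multi-step approval, auto-expiration, recurring re-review, reminders and escalation) can be modelled as a small state machine; the following is an added illustration, not Rsam's or HITRUST's code. The record fields, the two-approver quota, the rule that an owner cannot approve their own request, and the 365/30/14-day windows are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed policy parameters (assumptions, not HITRUST or Rsam values).
REVIEW_PERIOD_DAYS = 365     # exceptions auto-expire and are revisited annually
REMINDER_LEAD_DAYS = 30      # remind the owner this many days before expiry
ESCALATION_GRACE_DAYS = 14   # escalate if still unrenewed this long after expiry


def day(iso: str) -> date:
    """Parse an ISO date string; keeps test data readable."""
    return date.fromisoformat(iso)


@dataclass
class ControlException:
    """A variance request (exception / risk acceptance) against one CSF control."""
    control_id: str
    owner: str
    requested_on: date
    justification: str
    required_approvals: int = 2                    # multi-step approval
    approvals: List[str] = field(default_factory=list)
    expires_on: Optional[date] = None              # set only once fully approved


def approve(exc: ControlException, approver: str) -> ControlException:
    """Record one approval; the exception becomes active once the quota is met."""
    if approver == exc.owner:
        raise ValueError("owner cannot approve their own exception")
    if approver in exc.approvals:
        raise ValueError(f"{approver} already approved {exc.control_id}")
    exc.approvals.append(approver)
    if len(exc.approvals) >= exc.required_approvals and exc.expires_on is None:
        exc.expires_on = exc.requested_on + timedelta(days=REVIEW_PERIOD_DAYS)
    return exc


def action_for(exc: ControlException, today: date) -> str:
    """Decide what the workflow engine should do with this exception today."""
    if exc.expires_on is None:
        return "pending-approval"
    if today > exc.expires_on + timedelta(days=ESCALATION_GRACE_DAYS):
        return "escalate"          # notify senior management, not just the owner
    if today > exc.expires_on:
        return "expired"           # the finding is open again until renewed
    if today >= exc.expires_on - timedelta(days=REMINDER_LEAD_DAYS):
        return "remind"
    return "active"


def renew(exc: ControlException, today: date) -> ControlException:
    """Start the recurring re-review: prior approvals do not carry over."""
    exc.requested_on = today
    exc.approvals = []
    exc.expires_on = None
    return exc


def triage(exceptions: List[ControlException], today: date) -> Dict[str, List[str]]:
    """Group an exception register by the action due today (dashboard work queue)."""
    queues: Dict[str, List[str]] = {}
    for exc in exceptions:
        queues.setdefault(action_for(exc, today), []).append(exc.control_id)
    return queues
```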

SELECTING AN AUTOMATION TOOL
When selecting a tool to support automation, organizations should consider the following:

OVERALL COST OF OWNERSHIP: In addition to the upfront tool cost, factor in the cost of consulting services, hosting, ongoing administration, etc. It is important to understand the overall pricing structure of the tool to ensure there are no surprises (such as per-user pricing) later on.

OUT-OF-THE-BOX INTEGRATION WITH HITRUST: While many vendors may claim an easy ability to import and customize HITRUST content, be sure that the tool has out-of-the-box HITRUST CSF content. The exercise is greater than a simple import: there are thousands of mappings and links required to manifest the CSF within a tool. Therefore, there is significant benefit and cost savings in selecting a tool that has out-of-the-box, well-integrated CSF content. Additionally, make sure the tool is extensible and customizable to adapt to your specific organizational needs.

ABILITY TO MANAGE YOUR OWN INSTANCE: Even if you plan to have the vendor or consultants implement or manage the tool, these arrangements can often change in an organization. Being stuck with an unmanageable tool can be worse than never having automated in the first place.

EASE OF CUSTOMIZATION: Make sure the tool is flexible and easy to manage from the administrative interface (no customization, coding, or major API requirements) to minimize dependency on vendors or consultants.

ADVANCED TOPICS: CAPITALIZING ON CSF AUTOMATION
The quickest and easiest route to success is to use the CSF content as-is. However, some organizations have found value in the following variations:
- Break down high-level controls into smaller, more distinct control statements or questions. This requires time and effort, but will also help promote more accurate assessment results.
- Cross-map CSF controls to your internal policies. Although this takes time, you may experience push-back if you generate findings for things that are not required by your policies.
- Create leading questions to determine what follow-up questions are required. (For example, there is no need to ask about authentication details if the system utilizes the corporate directory service.)
- Since you are already soliciting information from a variety of stakeholders, don't pass up the opportunity to gather other important data such as storage of other sensitive data types, connections with external networks and third parties, FIPS 199 classification (FISMA), business continuity/uptime requirements, related business processes, inventory data, etc.

CRITICAL SUCCESS FACTORS & LESSONS LEARNED
- Make sure that you are familiar with the CSF and what you want to get out of it.
- Make sure you have the right people involved. Tools provide little help if you don't have the proper audience participating.
- Set expectations ahead of time for both the time commitment and the knowledge requirements of your users, and allow for re-assignment and distribution when possible.
- Make sure users have deadlines for their activities, and that you follow up on those deadlines; otherwise your program will stall.
- Don't make users start over each time they participate. In subsequent assessments and years, provide users with data from their previous assessments.
- Expect and plan for change and evolution in both content and processes.
- Senior management support is critical.
- Keep it simple: having a simple process for your users is far more powerful than introducing extraneous details and methodologies that may be comprehensive, but are unsupportable.