WHITE PAPER: Best Practices for HITRUST CSF Automation
TABLE OF CONTENTS
Executive Summary ... 2
Seven Considerations for HITRUST Automation ... 2
Planning for Automation ... 3
Staffing Requirements for Automation ... 3
Scoping for Automation ... 4
What can be automated? ... 5
What cannot be automated? ... 5
Managing Exceptions & Remediation Plans ... 6
Distribute or Centralize? ... 6
Selecting an Automation Tool ... 7
Advanced Topics: Capitalizing on CSF Automation ... 7
Critical Success Factors & Lessons Learned ... 8

1 Page Rsam 2012
EXECUTIVE SUMMARY

Over the past 10 years Rsam has witnessed a growing need for automation and distribution of risk and compliance efforts due to larger assessment scopes, more regulatory mandates, limits in staff size, and the requirement for recurrence and ongoing management of results.

AUTOMATION creates efficiency, consistency, and reliability in the assessment, its results, and the analysis. DISTRIBUTION allows for a wider range of participation and greater coverage across the organization. If done properly, distribution results in gained efficiency and data accuracy.

Both automation and distribution of governance, risk, and compliance (GRC) efforts come with upfront and ongoing costs; however, these up-front costs pay off in the long run.

Rsam has been a partner of the HITRUST organization since 2011 and has helped implement and automate the HITRUST CSF within many large healthcare organizations. This white paper focuses on sharing best practices and lessons learned in automating the HITRUST Common Security Framework (CSF) across many healthcare organizations.

CONSIDERATIONS FOR HITRUST AUTOMATION

The HITRUST CSF provides an excellent framework that lends itself to the distribution and automation of assessments within an organization. The CSF provides detailed control verbiage, a level system for control selection that maps across a variety of standards, grouping of assessments into tangible types (systems, organizations, etc.), and a prescriptive assessment methodology.

This white paper addresses the critical elements for automation and distribution of the CSF: PLANNING, STAFFING, SCOPING, DISTRIBUTION VS. CENTRALIZATION, and TOOL SELECTION. It covers:
- Scoping considerations for automation
- Resource considerations for enabling automation
- Practical understanding of what can and cannot be automated
- Guidance in selecting which elements to distribute and which elements to centralize
- Considerations for tool selection; integration points with other tools
PLANNING FOR AUTOMATION

HITRUST provides the CSF via spreadsheets with macros that offer some basic degree of automation. Not every organization needs to automate the CSF beyond this point; however, common candidates for extended CSF automation include:
- Large and mid-sized organizations
- Organizations with many systems or multiple divisions
- Organizations that need to assess systems / organizations outside of their own (such as assessing multiple business associates)
- Organizations with additional assessment needs beyond the CSF

Automating the CSF requires planning, and the tasks can vary in size and scope depending on the approach the organization chooses to adopt. Common elements that will require careful consideration include:
- Selection of a project team
- Designation of a tool administrator
- Defining the extent of automation
- Budgeting funds and resources for tools, training, and implementation
- Selecting an automation tool
- Establishing infrastructure or contracts for a hosted solution
- Implementation
- Ongoing management / maintenance

STAFFING REQUIREMENTS FOR AUTOMATION

While automation will ultimately help reduce the time spent on the assessment process, enabling automation and distribution requires a combination of up-front development, resources, and commitment; the payoff, although significant, is not instant. Organizations should plan for the cyclical nature of the workload for these resources, which will require an extended effort before, during, and after the first assessment. After that point, less time and attention will be required for the tool. Organizations will find that the initial implementation and yearly content updates require greater resource utilization; at other times only part-time utilization may be needed.
The following are the types of resources an organization will need to properly manage this type of initiative:

APPLICATION RESOURCE: More than just a resource to manage the automation mechanism, application resources will need to become highly proficient in the application and have some familiarity with the backend technologies (database, etc.), though not necessarily at the level of a developer. The number of resources required for a CSF automation initiative will vary greatly and depends heavily on the tool and approach being used.

TOOL ADMINISTRATOR: Resources can range from a single part-time administrator to several administrators plus developers. This resource should be in tune with the business goals, objectives, and decisions, and should be familiar with the CSF framework. It is also critical to consider the total number of hours required to implement such a project when selecting a tool and the approach. It is very helpful to obtain references from other similar organizations using the same tool for the same purpose.

BUSINESS RESOURCE: These resources will need to make or approve decisions on scope, methodology, and workflow.

OTHER CONTRIBUTING RESOURCES: Although a variety of contributors will weigh in on process decisions, it is recommended to keep contributors to a select few who have the bandwidth to participate in the process.

CONSULTANTS VS. IN-HOUSE STAFF: Consultants from the product vendor or a trusted third-party advisor can be very helpful during this process; however, it is crucial to have in-house staff trained and fully aware of the implementation details. Organizations should plan to be self-sufficient and knowledgeable about how to make additions and/or changes within the tool rather than relying on third parties for the long term. It is also critical NOT to allow third parties to expand the scope of the project beyond what is needed for an initial rollout.
SCOPING FOR AUTOMATION

The first challenge of automation is deciding which components to automate. Without taking the time to scope properly, the project team may fixate on elements that ultimately provide little-to-no value or, even worse, attempt to boil the ocean by automating and distributing every element. In today's world of constantly shifting priorities and resources, long and drawn-out implementations can be the death of such projects. Organizations should focus on building a solid foundation, and then further expand their implementations over time. Overreach in the initial phase can be detrimental to a project. Successful organizations focus first on pain points that can be solved quickly and easily, and then regroup to take on greater challenges. Throughout the entire life cycle of this process, organizations must continually re-evaluate the cost of automation vs. doing something manually, and the benefit of complex methodologies vs. keeping things simple.

What Can Be Automated?

Not everything can be automated, and more importantly, not everything SHOULD be automated. The following are some of the most valuable areas for CSF automation:
- Managing the selection and gathering of profile data using CSF Risk Factors
- Selection of controls and control levels to respond to, based on the profile data
- Routing of responses for review and approval
- Generation of test instances for validation
- Generation of findings/gaps based on standards
- Ongoing management of risk treatment options, including exception tracking
- Scoring, metrics and reporting

All of this can be accomplished while allowing users to participate in the process on their own schedule. The tool can alert users, letting them know what they should be doing and when. This also allows for presentation of role-based views that optimize work queue / task management. Finally, all of this data becomes available to be mined and analyzed in role-based dashboards and reports.

What Cannot Be Automated?

It is not possible to fully automate a CSF control assessment. This means that automated tools such as scanners cannot auto-populate responses to CSF controls/questions. While automation of this nature can help, most controls surround topics that go beyond automation. Additionally, while testing workflows can be automated, the actual CSF testing cannot.

Although some automated systems can send nag messages and create escalation notices / reports, without support from senior management these mechanisms will have little weight with complacent team members.
Managing Exceptions & Remediation Plans

At the completion of the CSF assessment process, issues and findings will be identified. While some of these findings can be addressed in a timely manner, others will require the completion of a variance request. This variance could require an exception, a risk acceptance, or alternative controls. Organizations should ensure that exception management is a multi-step process, requiring approval(s) or, at the very least, a confirmation. The workflow surrounding exceptions and remediation should be automated. Exceptions / risk acceptances should include auto-expirations and be revisited on a recurring basis, often annually, or every few years for long-term exceptions. Automated reminders, notices, and escalations can help with this process.

Proper and timely management of exceptions can be as critical as the actual assessment itself. Auditors understand that everything is not going to be perfect; however, they want assurance that imperfections are being tracked and managed.

DISTRIBUTION OR CENTRALIZATION?

Distributing CSF assessment efforts across the organization can be extremely helpful, but not everything can or should be distributed. The following considers which items should be distributed vs. centralized:

DISTRIBUTED
- Questionnaire data gathering
- Remediation planning and tracking
- Testing
- Exception management
- Documenting alternative controls and approval
- Permission assignment (assignments to core teams and reassignment from there)

CENTRALIZED
- Management of assessment methodology
- Workflow design
- Content management
- Scoring methodology
- Management of universal report templates
- Inventory (to promote consistency and avoid conflicts)

Ultimately, the culture and audience of your organization will dictate the degree to which the process must be facilitated. Always leave room for the audience that requires hand-holding.
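The exception lifecycle described under Managing Exceptions & Remediation Plans (multi-step approval, auto-expiry, recurring review, reminders and escalation) as a small Python model. This is an added example, not Rsam's or HITRUST's code; the two-step approval chain, the 30-day reminder window, the 14-day escalation threshold and the status names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Assumed policy values for this example; a real program sets them per its own methodology.
APPROVAL_CHAIN = ("control_owner", "security_officer")  # multi-step approval, in this order
REMIND_BEFORE_DAYS = 30   # remind the owner once expiry is this close
ESCALATE_AFTER_DAYS = 14  # escalate if the variance is still open this long past expiry

@dataclass
class Variance:
    finding_id: str
    kind: str                        # "exception", "risk_acceptance" or "alternative_control"
    owner: str
    submitted: date
    review_interval_days: int = 365  # revisit annually by default; longer for long-term exceptions
    approvals: list = field(default_factory=list)
    closed: bool = False

    @property
    def approved(self) -> bool:
        return list(self.approvals) == list(APPROVAL_CHAIN)

    @property
    def expires(self):
        # Only an approved variance carries an auto-expiry date.
        return self.submitted + timedelta(days=self.review_interval_days) if self.approved else None

def approve(v: Variance, step: str) -> None:
    """Record one approval; steps must arrive in chain order so no reviewer can be skipped."""
    if v.approved:
        raise ValueError(f"{v.finding_id}: already fully approved")
    expected = APPROVAL_CHAIN[len(v.approvals)]
    if step != expected:
        raise ValueError(f"{v.finding_id}: expected approval from {expected}, got {step}")
    v.approvals.append(step)

def status(v: Variance, today: date) -> str:
    """Decide what the tool should do with this variance today (notice, reminder, escalation)."""
    if v.closed:
        return "closed"
    if not v.approved:
        return "pending:" + APPROVAL_CHAIN[len(v.approvals)]
    days_left = (v.expires - today).days
    if days_left < -ESCALATE_AFTER_DAYS:
        return "escalate"   # overdue re-review: notify management, not just the owner
    if days_left < 0:
        return "expired"    # no longer valid; the owner must renew or remediate
    if days_left <= REMIND_BEFORE_DAYS:
        return "remind"
    return "active"
```

Running status() over the whole register each day gives the reminder and escalation queue an auditor can be shown, and an approval cannot be recorded out of order.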
SELECTING AN AUTOMATION TOOL

When selecting a tool to support automation, organizations should consider the following:

OVERALL COST OF OWNERSHIP: In addition to the upfront tool cost, factor in the cost of consulting services, hosting, ongoing administration costs, etc. It is important to understand the overall pricing structure of the tool to ensure there are no surprises (such as per-user pricing) later on.

OUT-OF-THE-BOX INTEGRATION WITH HITRUST: While many vendors may claim an easy ability to import and customize HITRUST content, be sure that the tool has out-of-the-box HITRUST CSF content. The exercise is greater than just a simple import: there are thousands of mappings and links required to manifest the CSF within a tool. Therefore, there is significant benefit and cost savings in selecting a tool that has out-of-the-box and well-integrated CSF content. Additionally, make sure the tool is extensible and customizable to adapt to your specific organizational needs.

ABILITY TO MANAGE YOUR OWN INSTANCE: Even if you plan to have the vendor or consultants implement the tool or manage it, these situations can often change in an organization. Being stuck with an unmanageable tool can be worse than never having automated in the first place.

EASE OF CUSTOMIZATION: Make sure the tool is flexible and easy to manage from the administrative interface (no customization / coding / major API requirements) to minimize dependency on vendors or consultants.

ADVANCED TOPICS: CAPITALIZING ON CSF AUTOMATION

The quickest and easiest route to success is to use the CSF content as-is. However, some organizations have found value in the following variations:
- Break down high-level controls into smaller, more distinct control statements or questions. This requires time and effort, but will also help promote more accurate assessment results.
- Cross-map CSF controls to your internal policies. Although this takes time, you may experience push-back if you generate findings for things that are not required by your policies.
- Create leading questions to determine what follow-up questions are required. (For example, there is no need to ask about authentication details if the system utilizes the corporate directory service.)
- Since you are already soliciting information from a variety of stakeholders, don't pass up the opportunity to gather other important data such as storage of other sensitive data types, connections with external networks and third parties, FIPS 199 classification (FISMA), business continuity / uptime requirements, related business processes, inventory data, etc.

CRITICAL SUCCESS FACTORS & LESSONS LEARNED
- Make sure that you are familiar with the CSF and what you want to get out of it.
- Make sure you have the right people involved. Tools provide little help if you don't have the proper audience participating.
- Set expectations ahead of time for both the time commitment and the knowledge requirements of your users, and allow for re-assignment / distribution when possible.
- Make sure users have deadlines for their activities, and that you follow up on those deadlines; otherwise your program will stall.
- Don't make users start over each time they participate. In subsequent assessments / years, provide users with data from their previous assessments.
- Expect and plan for change and evolution in both content and processes.
- Senior management support is critical.
- Keep it simple. Having a simple process for your users is far more powerful than introducing extraneous details and methodologies that may be comprehensive, but are unsupportable.
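The leading-question variation from Advanced Topics (skip the authentication follow-ups when the system uses the corporate directory service) as an added Python example; this is not Rsam's or HITRUST's code, and the question IDs, wording and gating answers are constructed for illustration rather than taken from the CSF. It also shows the edge case the paper's advice implies: when a respondent later changes a leading answer, follow-up answers that are no longer applicable must be detected rather than silently scored.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    # Follow-up is asked only when every (leading question -> answer) condition holds;
    # an empty dict means the question is always asked.
    show_when: dict = field(default_factory=dict)

# Assumed questionnaire, constructed for this example. The topics loosely follow those the
# white paper names (authentication, other sensitive data, external connections).
QUESTIONS = (
    Question("auth.directory", "Does the system authenticate users via the corporate directory service?"),
    Question("auth.local_policy", "Describe the local password length, complexity and expiry settings.",
             show_when={"auth.directory": "no"}),
    Question("auth.local_lockout", "Is lockout enforced after repeated failed local logins?",
             show_when={"auth.directory": "no"}),
    Question("data.other_types", "Which other sensitive data types (PCI, PII, ...) does the system hold?"),
    Question("net.external", "Does the system connect to external networks or third parties?"),
    Question("net.third_parties", "List each third party and the agreement that governs the connection.",
             show_when={"net.external": "yes"}),
)

def is_applicable(q: Question, answers: dict) -> bool:
    """A question applies when all of its leading questions carry the gating answer."""
    return all(answers.get(lead) == wanted for lead, wanted in q.show_when.items())

def next_questions(answers: dict) -> list:
    """IDs of applicable questions not yet answered, in questionnaire order."""
    return [q.qid for q in QUESTIONS if is_applicable(q, answers) and q.qid not in answers]

def stale_answers(answers: dict) -> list:
    """Answers to follow-ups that a later change to a leading question made inapplicable.
    These should be dropped from scoring rather than kept as if still in scope."""
    by_id = {q.qid: q for q in QUESTIONS}
    return sorted(qid for qid in answers if qid in by_id and not is_applicable(by_id[qid], answers))
```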