
HITRUST Common Security Framework

HITRUST Common Security Framework 2014 Version

This document contains copyrighted information owned by HITRUST or its suppliers. The use and distribution of this information are subject to the following terms: (1) The information is for internal or personal use by the licensee only and (2) The information may be used only during the term of a valid HITRUST license. Copying, dissemination or use of this information contrary to these terms is a violation of law and may be grounds for criminal or civil penalties.

Page 1 of 488


Summary of Changes

Version | Description of Change | Author | Date Published
 | Final Version of Initial Release | HITRUST | September 11, 2009
 | NIST SP 800-53 r2; PCI-DSS; HITECH; ISO/IEC 27002 Rework | HITRUST | January 12, 2010
 | (State of Mass.) 201 CMR | HITRUST | March 1, 2010
 | Cloud Security Alliance Controls Matrix; Joint Commission (formerly JCAHO) Information Management; State of Nevada (NRS 603A) | HITRUST | September 10, 2010
 | CMS IS ARS v1-Appendix A (HIGH) | HITRUST | December 1, 2010
 | PCI-DSS | HITRUST | August 4, 2011
 | NIST SP 800-53 r3; HIE WG Recommendations; NIST-ISO-HIPAA Harmonization | HITRUST | December 28, 2011
 | NIST SP 800-53 r4 (Feb 2012 IPD); Texas Gen. Laws 181 (TX HB 300); HITECH (MU Stage 2); CAQH Committee on Operating Rules for Information Exchange (CORE); NIST-CMS Harmonization; Implementation Requirement Harmonization for CSF 2013 Certification-required Controls | HITRUST | January 28, 2013
 | NIST SP 800-53 r4 (Apr 2013 FPD); CMS IS ARS (2012); Title 1 TX Admin. Code (TX Standards), including privacy requirements to support TX certification of the HIPAA Privacy Rule; NIST-CMS Harmonization (Publication Updates) | HITRUST | February 12, 2014

CSF Table of Contents

Introduction .. 11
Organization of the CSF .. 13
  Key Components .. 13
  Control Categories .. 14
  Implementation Requirement Levels .. 15
  Segment Specific Requirements .. 16
  Risk Factors .. 16
  Alternate Controls .. 18
Evolution of the CSF .. 18
CSF Assurance and MyCSF .. 19
Implementing the CSF .. 21
  Management Commitment .. 21
  Scope .. 21
  Organization .. 21
  Systems .. 21
  Implementation .. 22
  Critical Success Factors .. 22
Primary Reference Material .. 23
Control Category: Information Security Management Program .. 27
  Objective Name: Information Security Management .. 27
    Control Reference: Information Security Management Program .. 27
Control Category: Access Control .. 31
  Objective Name: Business Requirement for Access Control .. 31
    Control Reference: Access Control Policy .. 31
  Objective Name: Authorized Access to Information .. 33
    Control Reference: User Registration .. 33
    Control Reference: Privilege Management .. 37
    Control Reference: User Password Management .. 42
    Control Reference: Review of User Access Rights .. 46
  Objective Name: User Responsibilities .. 48
    Control Reference: Password Use .. 48
    Control Reference: Unattended User Equipment .. 51
    Control Reference: Clear Desk and Clear Screen Policy .. 53
  Objective Name: Network Access Control .. 55
    Control Reference: Policy on the Use of Network Services .. 55
    Control Reference: User Authentication for External Connections .. 58
    Control Reference: Equipment Identification in Networks .. 61
    Control Reference: Remote Diagnostic and Configuration Port Protection .. 63
    Control Reference: Segregation in Networks .. 66
    Control Reference: Network Connection Control .. 69
    Control Reference: Network Routing Control .. 72
  Objective Name: Operating System Access Control .. 74
    Control Reference: Secure Log-on .. 74
    Control Reference: User Identification and Authentication .. 78
    Control Reference: Password Management System .. 82
    Control Reference: Use of System Utilities .. 85
    Control Reference: Session Time-out .. 88
  Objective Name: Application and Information Access Control .. 91
    Control Reference: Information Access Restriction .. 91
    Control Reference: Sensitive System Isolation .. 95
  Objective Name: Mobile Computing and Teleworking .. 97
    Control Reference: Mobile Computing and Communications .. 97
    Control Reference: .. 100
Control Category: Human Resources Security .. 104
  Objective Name: Prior to Employment .. 104
    Control Reference: Roles and Responsibilities .. 104
    Control Reference: Screening .. 106
  Objective Name: During On-Boarding .. 109
    Control Reference: Terms and Conditions of Employment .. 109
  Objective Name: During Employment .. 113
    Control Reference: Management .. 113
    Control Reference: Information Security Awareness, Education and Training .. 116
    Control Reference: Disciplinary Process .. 120
  Objective Name: Termination or Change of Employment .. 123
    Control Reference: Termination or Change Responsibilities .. 123
    Control Reference: Return of Assets .. 125
    Control Reference: Removal of Access Rights .. 127
Control Category: Risk Management .. 131
  Objective Name: Risk Management Program .. 131
    Control Reference: Risk Management Program Development .. 131
    Control Reference: Performing Risk Assessments .. 134
    Control Reference: Risk Mitigation .. 137
    Control Reference: Risk Evaluation .. 140
Control Category: Security Policy .. 143
  Objective Name: Information Security Policy .. 143
    Control Reference: Information Security Policy Document .. 143
    Control Reference: Review of the Information Security Policy .. 146
Control Category: Organization of Information Security .. 151
  Objective Name: Internal Organization .. 151
    Control Reference: Management Commitment to Information Security .. 151
    Control Reference: Information Security Coordination .. 154
    Control Reference: Authorization Process for Information Assets and Facilities .. 163
    Control Reference: Confidentiality Agreements .. 165
    Control Reference: Contact with Authorities .. 168
    Control Reference: Contact with Special Interest Groups .. 170
    Control Reference: Independent Review of Information Security .. 172
  Objective Name: External Parties .. 174
    Control Reference: Identification of Risks Related to External Parties .. 174
    Control Reference: Addressing Security When Dealing with Customers .. 178
    Control Reference: Addressing Security in Third Party Agreements .. 181
Control Category: Compliance .. 187
  Objective Name: Compliance with Legal Requirements .. 187
    Control Reference: Identification of Applicable Legislation .. 187
    Control Reference: Intellectual Property Rights .. 189
    Control Reference: Protection of Organizational Records .. 191
    Control Reference: Data Protection and Privacy of Covered Information .. 195
    Control Reference: Prevention of Misuse of Information Assets .. 198
    Control Reference: Regulation of Cryptographic Controls .. 201
  Objective Name: Compliance with Security Policies and Standards and Technical Compliance .. 204
    Control Reference: Compliance with Security Policies and Standards .. 204
    Control Reference: Technical Compliance .. 207
  Objective Name: Information System Audit Considerations .. 209
    Control Reference: Information Systems Audit .. 209
    Control Reference: Protection of Information Systems Audit Tools .. 212
Control Category: Asset Management .. 214
  Objective Name: Responsibility for Assets .. 214
    Control Reference: Inventory of Assets .. 214
    Control Reference: Ownership of Assets .. 218
    Control Reference: Acceptable Use of Assets .. 221
    Control Reference: Classification Guidelines .. 223
    Control Reference: Information Labeling and Handling .. 225
    .. 229
Control Category: Physical and Environmental Security .. 230
  Objective Name: Secure Areas

