To address the growing misunderstandings, risks and complexities when leveraging service providers, HITRUST is introducing a new program to clarify the roles and responsibilities regarding ownership and operation of security controls while automating and streamlining the assurance process when security controls are shared or inherited.
Protecting sensitive information is a challenge for any organization, and even more so for organizations that leverage service providers. The risks associated with control failures by third-party service providers - such as cloud hosting, platform-as-a-service, or a business process outsourcer - continue to increase because customers don't fully understand their responsibilities, and because assessing security control effectiveness is complex when control responsibility is shared.
The HITRUST Shared Responsibility Program will remove the guesswork, ambiguity and confusion in understanding the roles and responsibilities between customers and their service providers relating to shared and inherited controls by outlining data governance, information risk management and regulatory compliance requirements in clear, concise language.
"This program capitalizes on HITRUST's expertise and the foundation we have established in managing information risk and protecting sensitive information," says Michael Parisi, vice president of assurance strategy and community development. "This program is another example of how organizations can better manage information risk and reduce costs and complexities leveraging the HITRUST CSF, CSF Assurance and MyCSF."
There is added complexity and time-consuming effort introduced in determining who is responsible for the operation of security controls, and in gaining assurance that these controls are operating effectively, when an organization retains a service provider. There are numerous scenarios in which organizations inherit or share control responsibility: the service provider is responsible for the entire operation of the control; the customer retains responsibility for a portion of the control, while the remaining implementation requirements are inherited from their service provider; or the customer retains all responsibility for the operation of the control.
"Being a part of the working group helping shape the program to address this important issue is invaluable to both us and our customers," says Matt Rathbun, Chief Security Officer, Azure Global of Microsoft and working group member. "Customers and service providers like Microsoft who are entrusted with sensitive information will mutually benefit from the clarity in control ownership this program produces."
HITRUST established a working group that includes cloud service providers and professional services firms to assist in mapping the respective control operation responsibilities of customers and third-party service providers to ensure accountability.
"There is a lot of confusion around control responsibility when engaging cloud service providers, and inefficiencies and inconsistencies in the assessment process," said Susan Mercurio, Digital Cloud Compliance and Risk Management Officer, SAP. "I'm pleased to be working with HITRUST and other leaders to address this important issue."
Key components of the HITRUST Shared Responsibility Program
The program identifies the respective security control operation responsibilities of the customer and the service provider to avoid misunderstandings, establishes comprehensive assessment guidance to ensure effective assessment and review of the controls' operation, and streamlines and automates the process of inheriting controls in a shared responsibility model.
"The inclusion of recommendations, as well as assessment guidance, will clearly help identify responsibility and accountability," says working group member Nancy Free, Head of Governance Risk and Compliance and Internal Audit at Armor. "This will significantly improve the assessment process and efficiencies."
There are four main components to the program:
1) HITRUST CSF® - Updates to the HITRUST CSF to better delineate responsibility and allow for a clear distinction of accountability for controls that are leveraged in outsourcing arrangements, including those where shared responsibility occurs, ensuring that more granular requirements are defined and can be assigned.
2) Shared Responsibility Matrix - A matrix of the HITRUST CSF controls that lists the common set of sharable and inheritable controls based on a specific third-party service provider's CSF Certification. The matrix will include recommendations for assigning responsibility for controls and specific requirements for shared controls, and will help ensure all aspects of control responsibility are understood when outsourcing systems and services to third parties. This allows organizations to determine which controls are - or should be - a third party's full responsibility and to understand their own specific duties for those that are a shared responsibility. A completed matrix would then be used by the CSF Assessor as part of the CSF Assessment to ensure compliance.
3) Shared Assurance Program - Ensuring that controls with shared responsibility are operating effectively, with specific guidance for proper sampling, testing, and scoring.
4) MyCSF Assessment Automation - Updates to the MyCSF tool to allow organizations to pre-populate their assessments with fully inherited or shared responsibility control results and scores directly from designated HITRUST CSF Certified service providers. MyCSF will streamline the process for customers using CSF Certified service providers to complete their assessment and reduce the effort required during the assessment review process.
HITRUST anticipates the program will be available in the first quarter of 2019.