HITRUST vs. ISO-27001 (or is it?)

The process of “realization” is an interesting one.

My first thoughts on HITRUST tended towards the negative: “Why do we need another ISO-27001 derivative information security framework?” “Why not just get ISO-27001 certified?” “Is this going to be another pay-to-play framework like PCI that is more focused on generating revenue than it is on securing data?” The latter concern was reinforced by the HITRUST Alliance’s initial policy of only making the CSF available to those willing to pony up a couple of grand.

Fast forward a year plus and things are looking significantly different to me.

  • ISO-27001 holds tremendous promise as a form of third-party attestation IF it is used right. That is, the recipient of a 27001 certificate must validate that the ISMS scope, the risks the ISMS scope considers, and the acceptable risk criteria established align with the services being utilized, the risks specific to the recipient of the certificate, and the acceptable risk criteria established by the recipient. Considered in this context, I have come to see the “prescriptive” elements of HITRUST as a “pre-definition” of the logical scope, risks, and risk acceptance criteria that are common to healthcare organizations. So, in a sense, the recipient of a HITRUST certification already knows that the scope, risks considered, and risk acceptance criteria are likely well aligned with their expectations.
  • There are some really smart people aligning themselves with HITRUST, and it appears to be reaching a critical mass. Should it hit its “tipping point”, it will move from “should we” to “we need”.
  • HITRUST has comported itself in a manner more consistent with being a trustable entity (think ISO or OWASP) than a non-trustable entity (think PCI).
  • When you view HITRUST as ISO-27001 with a pre-defined scope, risks, and acceptable risk criteria, the two “standards” don’t seem like an either/or proposition; rather, they seem complementary in nature. If I were a healthcare organization that would rather have an ISO-27001 certification, I would still choose to leverage the HITRUST CSF to simplify the process and benefit from its cross-mapping to other standards (e.g., HITECH, NIST, PCI) and the controls implementation guidance it provides.

So if you’re in the healthcare space and you are asking yourself which information security framework you should align yourself with, I would argue that there is no reason to make that decision. By aligning yourself with HITRUST you are simultaneously aligning yourself with ISO-27001. Hence, I think that we will soon start seeing healthcare entities with both certifications.

About the Author:

John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor