So You Got HITRUST Certified – Now What?
You submitted all the evidence, you did all the work, conversed (begged, pleaded…) with your assessor. Your policies probably went through quite the redline process, and processes and procedures were likely created to satisfy controls. These policies and processes span your entire organization, from legal reviews to management involvement to tighter third-party oversight and software development, and you undoubtedly had a lot of fun conversations with all your department leads to get them that way. You are a security and assessment superstar! It was no doubt an intense process, and your efforts have resulted in a HITRUST certification.
But now what? Do you have someone or a department that now oversees all the work you said you would do in those policies? Weekly reviews of intrusion detection logs, monthly visitor log reviews, bimonthly and quarterly user access reviews, vulnerability scan remediation, third-party assessments, management reviews and so many more activities are all required now. This sounded good in policy (and to get through certification), but in practice…not so much.
Is this work done in a single department? Is this a single person? Who is going to add this to their plate? Are you tracking all the action items you just added to your policies? Are you documenting all the activities? Sure, they sound and look good, but what are the tangible practices? Not to mention the evidence that you know you should be producing for the assessor next time they come knocking.
Depending on the size of your firm, this can be a challenge bordering on being completely overwhelming. And the reality is that maybe you don’t know how to do everything. Or maybe you don’t have the time. Well, Kuma is here to help.
What can Kuma offer?
Kuma designed its Continuous Monitoring Program (CMP) in response to the increasing compliance needs of our clients. The CMP uses a control tracking methodology that records, for each control, the operation it supports, a description, the control location, the control owner, and the frequency of control review. The CMP also reviews and incorporates other tracking procedures where appropriate, such as risk analyses and gap analyses, as they relate to CMP controls.
You will remain in the driver’s seat for making decisions, implementing the controls, and generating logs, reports and evidence. Kuma will guide you in that evidence collection and strategic oversight of maintaining an ongoing operationalization of all those beautiful policies and procedures you just said you’d uphold.
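As an added illustration of the control-tracking idea above (example code written for this page, not Kuma's CMP tooling): a small register holds, for each control, the domain or operation it maps to, a description, the control location, the owner, the review frequency, and the dates on which evidence was produced. Two checks fall out of it: which controls are past their review cadence as of a given date, and which domains have no in-cadence control ready to show when the interim-year assessor asks for one per domain. The control IDs, domain labels, owners, dates and the day counts behind each frequency are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadences named in the post, expressed as the maximum allowed gap in
# days between two pieces of evidence. These day counts are an assumption.
FREQUENCY_DAYS = {
    "weekly": 7,
    "monthly": 31,
    "bimonthly": 62,
    "quarterly": 92,
    "annual": 366,
}


@dataclass
class Control:
    control_id: str                 # hypothetical label, not a HITRUST requirement ID
    domain: str                     # domain label chosen for illustration
    description: str
    location: str                   # where the control runs / where evidence lives
    owner: str
    frequency: str                  # key into FREQUENCY_DAYS
    evidence: list[date] = field(default_factory=list)  # dates evidence was produced

    def next_due(self) -> date | None:
        """Date by which the next piece of evidence must exist; None if none ever produced."""
        if not self.evidence:
            return None
        return max(self.evidence) + timedelta(days=FREQUENCY_DAYS[self.frequency])


def overdue_controls(register: list[Control], as_of: date) -> list[Control]:
    """Controls with no evidence at all, or whose latest evidence is older than the cadence allows."""
    return [c for c in register if c.next_due() is None or c.next_due() < as_of]


def domains_missing_fresh_evidence(register: list[Control], as_of: date) -> list[str]:
    """Domains where every control is overdue, i.e. nothing in-cadence to hand an assessor."""
    overdue_ids = {c.control_id for c in overdue_controls(register, as_of)}
    fresh_domains = {c.domain for c in register if c.control_id not in overdue_ids}
    return sorted({c.domain for c in register} - fresh_domains)


# Constructed sample register: five controls, one already past cadence and one
# that has never produced evidence.
SAMPLE_REGISTER = [
    Control("IDS-LOG-REVIEW", "Audit Logging & Monitoring",
            "Weekly review of intrusion detection logs", "SIEM", "SOC lead",
            "weekly", [date(2024, 5, 1), date(2024, 5, 8)]),
    Control("VISITOR-LOG", "Physical & Environmental Security",
            "Monthly visitor log review", "Front desk binder", "Facilities manager",
            "monthly", [date(2024, 3, 15)]),
    Control("ACCESS-REVIEW", "Access Control",
            "Quarterly user access review", "Identity provider", "IT manager",
            "quarterly", [date(2024, 2, 28)]),
    Control("VULN-REMEDIATION", "Vulnerability Management",
            "Monthly scan finding remediation sign-off", "Scanner console", "AppSec lead",
            "monthly", []),
    Control("THIRD-PARTY", "Third Party Assurance",
            "Annual vendor assessment", "GRC tracker", "Procurement lead",
            "annual", [date(2023, 9, 1)]),
]

AS_OF = date(2024, 5, 14)  # constructed "today" for the sample run


if __name__ == "__main__":
    for c in overdue_controls(SAMPLE_REGISTER, AS_OF):
        print(f"OVERDUE {c.control_id} ({c.domain}) owner={c.owner} due={c.next_due()}")
    print("domains with nothing in cadence:", domains_missing_fresh_evidence(SAMPLE_REGISTER, AS_OF))
```

Running this against the sample register flags the visitor log review and the vulnerability remediation sign-off as overdue, and reports that the Physical & Environmental Security and Vulnerability Management domains currently have no in-cadence control to show. The point of keeping owner and location on each row is that the overdue list is immediately actionable: it says who to chase and where the evidence is supposed to be.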
Your firm won’t have to do another full HITRUST assessment for two years, but in the interim year, a HITRUST assessor will ask you to prove compliance with one control selected from each of the 19 domains. Will you be ready?
In two years, when you do another full assessment, will your maturity level satisfy the higher Measured and Managed maturity criteria? HITRUST is elevating its expectations of illustrative procedures…are you prepared to rise to the occasion?
Some of the generic evaluation criteria for those higher maturity levels include:
- Are self-assessments, audits and/or tests routinely performed and/or metrics collected to evaluate the adequacy and effectiveness of the implementation of each element of the requirements statement?
- Are evaluation requirements, including requirements regarding the type and frequency of self-assessments, audits, tests, and/or metrics collection, documented, approved and effectively implemented?
- Do the frequency and rigor with which each element of the requirements statement is evaluated depend on the risks that would be posed if the implementation were not operating effectively?
- Are effective corrective actions taken to address identified weaknesses in the elements of the requirements statement, including those identified as a result of potential or actual information security incidents or through information security alerts?
- Do decisions around corrective actions consider cost, risk and mission impact?
- Are threats impacting the requirements periodically re-evaluated and the requirements adapted as needed?
Get some Continuous Monitoring!
Are you ready for managing everything? If you’re not, it’s OK. Breathe. Kuma is here to help. Don’t lose your HITRUST certification and all the work you did.