HITRUST is announcing resources that address national cyber and information security priorities identified by government agencies, legislators, and industry. The first priority is the need for an effective set of cyber hygiene controls and mitigations (applicable to smaller organizations) that remain relevant to evolving cyber threats, and a reliable method to demonstrate that organizations have appropriately implemented those controls. The second is a standardized, effective, and practical methodology for organizations to determine the inherent risk posed by third parties and recommend an appropriate level of assurances to enable effective evaluation of the controls in operation by the third party, establishing a level of due care for third-party risk management.
“HITRUST’s Innovation and Research teams were tasked with designing practical and effective solutions to solve these national cyber and information risk priorities,” said Robert Booker, Chief Strategy Officer, HITRUST. “I am proud of what was developed as it addresses these crucial issues and will have a significant impact on reducing information risk across companies of all sizes, among those with different inherent risk characteristics, and across their community of suppliers and other associates.”
“Having a cyber hygiene assessment that is kept relevant is a huge win in reducing breaches”
This cyber essentials assessment was designed to meet several unique requirements. It had to:
- Provide a readiness (self) assessment or validated assessment with certification.
- Incorporate controls necessary for relevant and essential information and cyber security, including controls and mitigations associated with current and emerging cyber threats.
- Maintain control relevance as the cyber threat landscape evolves and, if warranted, electronically notify assessed entities of potentially relevant changes in control guidance and mitigations, enabling them to evaluate the current effectiveness of a specific control implementation.
- Incorporate an assurance program that ensures rely-ability of the results, while not being burdensome on the assessed entity to complete.
- Enable the results to be distributed in an electronically consumable manner instead of distributing as a PDF report.
To achieve these unique design requirements, the new Cyber Essentials Assessment leverages HITRUST’s (recently announced) Cyber Threat Adaptive approach to framework development and control selection, which ensures ongoing relevance of controls as the threat landscape evolves by frequently evaluating current Indicators of Attack (IoA) and Compromise (IoC) against security controls and mitigations associated with a cyber hygiene and essential level of assurance.
This third assessment in the HITRUST Assessment portfolio allows HITRUST to offer assessment coverage across a broad spectrum of assurance needs. It targets lower-risk organizations as defined in the new HITRUST TPRM methodology or can be a starting point for organizations that may be early in implementing their information security controls. The Cyber Essentials Assessment will be available in January 2023.