HITRUST Webinar

The HITRUST Shared Responsibility Matrix: The Key to Secure Adoption of Cloud Technologies

Tuesday | March 17, 2020

855.HITRUST (855.448.7878) www.HITRUSTAlliance.net © 2020 HITRUST Alliance


Agenda

Understanding the Challenges with Cloud Compliance

HITRUST Shared Responsibility (SR) Matrix™ Version 1.0
• Overview
• 2 Versions: Control Summary vs. Full
• How to Access
• Applying HITRUST’s Shared Responsibility Model to the HITRUST CSF®
• Deep Dive
• Q&A

Call to Action: The Shared Responsibility Early-Adopter Program


Understanding the Challenges with Cloud Compliance

• Growing misunderstandings, risks, complexities, and assurance inefficiencies when leveraging cloud service providers (CSPs)
• Lack of clarity over roles & responsibilities regarding ownership & operation of security and privacy controls shared with CSPs
• Need for automation & streamlining of the assurance process when inheriting controls


SR Matrix V1.0 – Overview

• Built upon an industry-guided shared responsibility model – a standard set of core principles & common terminology for SaaS, PaaS, IaaS & Colo services
• Clarifies transparency & accountability on how security & privacy controls are shared – a common-sense benchmark for cloud service contracting & supplier risk management
• Enables & streamlines process for control inheritance from cloud service providers (CSPs) – Assess Once, Inherit Many™


SR Matrix V1.0 – 2 Versions: Control Summary vs. Full

Supports full cross-version compatibility for HITRUST CSF® Versions 9.1, 9.2, and 9.3

Stand-Alone SR Matrix not yet permitted for use in HITRUST MyCSF® assessment & external inheritance processes


SR Matrix V1.0 – How to Access

1. Control Summary Version: HITRUST CSF Version 9.3 package (free)

2. Full Version: HITRUST MyCSF® (subscriber-only)


HITRUST’s Shared Responsibility (SR) Model

Assertion
Cloud Use-Cases: Reliance upon CSP influencing Tenant’s control design & operating effectiveness for suitable consumption of cloud services without imposing higher risk

Not Inheritable

No reliance –
a) Tenant’s organizational programs, policies & processes
b) On-prem hardware / digital assets only accessible by Tenant personnel
c) CSP remains fully responsible for independent compliance

Partially Inheritable

Partial reliance (within Tenant’s cloud-hosted environment) –
a) Tenant’s compliance with CSP’s on-prem datacenter security protocols
b) Subset of technologies & digital assets only accessible by CSP personnel
c) Tenant’s involvement in CSP’s security & availability incident response processes
d) Tenant’s involvement in cloud service contracting & SLAs
e) Tenant’s unfettered operation of purchased cloud services & supported features / capabilities
f) CSP’s shared privacy regulatory compliance

Fully Inheritable

Full reliance –
a) Third-party service provider / data processor-only compliance
b) CSP’s on-prem datacenter security protocols & environmental protections not involving Tenant
c) On-prem hardware / digital assets only accessible by CSP personnel


HITRUST’s SR Model – Applied to HITRUST CSF® V9.1, 9.2 & 9.3

0.0 - Information Security Management Program

01.0 - Access Control

02.0 - Human Resources Security


HITRUST’s SR Model – Applied to HITRUST CSF® V9.1, 9.2 & 9.3

03.0 - Risk Management

04.0 - Security Policy

05.0 - Organization of Information Security


HITRUST’s SR Model – Applied to HITRUST CSF® V9.1, 9.2 & 9.3

06.0 - Compliance

07.0 - Asset Management

8.0 - Physical and Environmental Security

09.0 - Communications and Operations Management


HITRUST’s SR Model – Applied to HITRUST CSF® V9.1, 9.2 & 9.3

10.0 - Information Systems Acquisition, Development, and Maintenance

11.0 - Information Security Incident Management

12.0 - Business Continuity Management

13.0 - Privacy Practices


SR Matrix V1.0 – Deep Dive


Shared Responsibility Program – Call to Action


The Shared Responsibility Early Adopter Program

ROLL-OUT PHASE 1:
• HITRUST to collaborate with CSP community to support their adoption to customize templates for their tailored versions of the SR Matrix
• Cloud tenants leverage new toolkit to help broker meaningful supplier risk conversations with their cloud-hosting providers

Program enhancement objectives:
a) Implement SR Matrix feature enhancements, e.g., add automation that enables ease-of-use and shorter ramp-up time
b) Create a sustainable model to permit CSP to safely disclose their customized SR Matrices with their tenant, upon request


The Shared Responsibility Early Adopter Program

ROLL-OUT PHASE 2:
• HITRUST to partner with assessors and their clients to take a CSP’s customized SR Matrix through the end-to-end assessment process

Program enhancement objectives:
a) Build out new operational capabilities that uplift the HITRUST CSF Assurance and External Inheritance Programs supported by HITRUST MyCSF tooling automation enhancements
b) Provide input on control design and revision in the development of HITRUST CSF Version 10 to ensure clarity is sufficient when sharing security and privacy responsibility in the cloud


The Shared Responsibility Early Adopter Program

WHY PARTICIPATE:
HITRUST will work directly with CSP organizations to accomplish the following:
• Off-load the CSP’s burden to manually customize the SR Matrix which is tailored for their cloud-hosted services, including those hosted on other cloud-hosted platforms (i.e., SaaS-on-IaaS/PaaS)
• Apply practical cloud use-cases to support the validation (and further refinement) of the HITRUST Shared Responsibility Model and seek opportunities to improve SR Matrix usability

HOW TO PARTICIPATE:
1. Click here to go to the HITRUST Shared Responsibility Program webpage
2. Scroll to the bottom to complete the “SR Matrix Early-Adopter Program” online sign-up form
3. Respond to the online survey referenced (weblink included) within the email confirmation


Q&A


For more information on HITRUST’s Programs visit www.HITRUSTAlliance.net

To view our latest documents, visit the Content Spotlight