https://community.isc2.org/t5/Tech-Talk/HITRUST/m-p/19585#M919 <P>While HITRUST is copyrighted, anyone can download the CSF.&nbsp; There are just certain restrictions on its use.<BR /><BR /><BR /></P> Thu, 28 Feb 2019 21:45:24 GMT emb021 2019-02-28T21:45:24Z https://community.isc2.org/t5/Tech-Talk/HITRUST/m-p/19530#M915 <P>What do people know about HITRUST.&nbsp; I am interested as I have been selected out of a cast of one to do the work.</P><P>&nbsp;</P><P>After a complete list requirements, domains, controls, checks, and evidence requirements if anyone can help????</P> Mon, 09 Oct 2023 09:07:25 GMT https://community.isc2.org/t5/Tech-Talk/HITRUST/m-p/19530#M915 skyflier21 2023-10-09T09:07:25Z https://community.isc2.org/t5/Tech-Talk/HITRUST/m-p/19534#M916 <P>Its kind of a "kitchen sink" mode of IT Controls.</P><P>&nbsp;</P><P>Its aim is at the healthcare industry, as a means to meet HIPAA compliance.&nbsp; They basically started off with ISO/IEC 27002 controls (pretty clear if you compare the two control sets), and then started to dump on top of that almost every other possible control set.&nbsp; In fact, if you take a look at the change list in the HITRUST document, you'll see all the standards and regulations they've dumped into it (PCI, GDPR, NY-DFS, etc etc).&nbsp; You almost have to wonder if they're training to create the "one ring" of IT control sets.</P><P>&nbsp;</P><P>Its a bit daunting, as depending on the size of the organization, more controls are expected.</P><P>&nbsp;</P><P>What I also find a little confusing is they have their MyCSF tool that isn't quite the same as the HITRUST CSF.&nbsp; Don't understand why.</P><P>&nbsp;</P><P>At this point, my experience is that most of the companies that are pursing HITRUST certification are those that are forced to by their clients.</P><P>&nbsp;</P><P>I won't claim to be a HITRUST expert, but I've helped several clients get prepared for HITRUST certification, but can't do the certification work.&nbsp; That can only be don't by people certified by HITRUST (similar to PCI assessments).<BR /><BR /></P> Wed, 27 Feb 2019 20:31:18 GMT https://community.isc2.org/t5/Tech-Talk/HITRUST/m-p/19534#M916 emb021 2019-02-27T20:31:18Z https://community.isc2.org/t5/Tech-Talk/HITRUST/m-p/19558#M918 <P>I have implemented and used the framework and used to be a certified in&nbsp;HITRUST.&nbsp; (I let it lapse as the certification only holds value if you are at a company that does HITRUST audits.)</P><P>&nbsp;</P><P>HITRUST is a proprietary framework that is copyrighted.&nbsp; However, you can get a list of the controls as they map to AICPA's SOC framework from the AICPA website.&nbsp; That might be a good place to start if you are looking for something that is no cost.</P> Thu, 28 Feb 2019 14:34:12 GMT https://community.isc2.org/t5/Tech-Talk/HITRUST/m-p/19558#M918 TankerT 2019-02-28T14:34:12Z https://community.isc2.org/t5/Tech-Talk/HITRUST/m-p/19585#M919 <P>While HITRUST is copyrighted, anyone can download the CSF.&nbsp; There are just certain restrictions on its use.<BR /><BR /><BR /></P> Thu, 28 Feb 2019 21:45:24 GMT https://community.isc2.org/t5/Tech-Talk/HITRUST/m-p/19585#M919 emb021 2019-02-28T21:45:24Z