This page provides an overview of the HITRUST CSF and the current HITRUST requirements & controls monitored in Secberus.


The HITRUST CSF integrates and harmonizes data protection requirements from many authoritative sources–such as ISO, NIST, PCI, HIPAA–and tailors the requirements to an organization based on specific organizational, system, and regulatory risk factors. The official HITRUST CSF documentation can be found here.

Supported HITRUST CSF Level 1 Controls

Control Reference #Control Reference TitleControl Reference Specification
01.cPrivilege ManagementThe allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls.
01.dUser Password ManagementPasswords shall be controlled through a formal management process.
01.jUser Authentication for External ConnectionsAppropriate authentication methods shall be used to control access by remote users.
01.mSegregation in NetworksGroups of information services, users, and information systems should be segregated on networks.
01.nNetwork Connection ControlFor shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.
01.oNetwork Routing ControlRouting controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.
01.vInformation Access RestrictionsLogical and physical access to information and application systems and functions by users and support personnel shall be restricted in accordance with the defined access control policy.
09.iBack-UpBack-up copies of information and software shall be taken and tested regularly.
09.5mNetwork ControlsNetworks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit.
09.aaAudit LoggingAudit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
09.acProtection of Log InformationLogging systems and log information shall be protected against tampering and unauthorized access.
09.adAdministrator and Operator LogsSystem administrator and system operator activities shall be logged and regularly reviewed.
10.fPolicy on the Use of Cryptographic ControlsA policy on the use of cryptographic controls for protection of information shall be developed and implemented, and supported by formal procedures.
10.gKey ManagementKey management shall be in place to support the organization's use of cryptographic techniques.


If there is a specific requirement not included here that you would like to monitor, please email [email protected].