HITRUST CSF Level 1
This page provides an overview of the HITRUST CSF and the current HITRUST requirements & controls monitored in Secberus.
Overview
The HITRUST CSF integrates and harmonizes data protection requirements from many authoritative sources, such as ISO, NIST, PCI and HIPAA, and tailors the requirements to an organization based on specific organizational, system, and regulatory risk factors. The official HITRUST CSF documentation can be found here.
Supported HITRUST CSF Level 1 Controls
Control Reference # | Control Reference Title | Control Reference Specification |
---|---|---|
01.c | Privilege Management | The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. |
01.d | User Password Management | Passwords shall be controlled through a formal management process. |
01.j | User Authentication for External Connections | Appropriate authentication methods shall be used to control access by remote users. |
01.m | Segregation in Networks | Groups of information services, users, and information systems should be segregated on networks. |
01.n | Network Connection Control | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. |
01.o | Network Routing Control | Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. |
01.v | Information Access Restrictions | Logical and physical access to information and application systems and functions by users and support personnel shall be restricted in accordance with the defined access control policy. |
09.i | Back-Up | Back-up copies of information and software shall be taken and tested regularly. |
09.m | Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
09.aa | Audit Logging | Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. |
09.ac | Protection of Log Information | Logging systems and log information shall be protected against tampering and unauthorized access. |
09.ad | Administrator and Operator Logs | System administrator and system operator activities shall be logged and regularly reviewed. |
10.f | Policy on the Use of Cryptographic Controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented, and supported by formal procedures. |
10.g | Key Management | Key management shall be in place to support the organization's use of cryptographic techniques. |
If there is a specific requirement not included here that you would like to monitor, please email [email protected].