Based on Verizon’s 2024 Data Breach Investigations Report, the public administration, finance, professional, manufacturing, and education industries are the most popular targets for cyber criminals. The most common attacks occur through ransomware, phishing emails, desktop sharing, virtual private networks, and web applications. All of which have led to an increased number of stolen credentials and exploited vulnerabilities. In order to reduce the likelihood of a security incident or breach from happening at your organization, it is important to have attestations and assessments performed against your organization’s internal controls by an independent third-party. Third party audits like a SOC 2 examination and/or HITRUST assessment are predicated upon ensuring that best practice internal controls are designed and operating effectively on a continuous basis.
Best Practice Internal Controls
- Logical and physical access controls over enterprise and software assets.
- Data protection controls.
- Configuration management.
- Account and access management.
- Vulnerability management.
- Penetration testing.
- Logging and monitoring management.
- Malware defenses.
- Data recovery controls.
- Infrastructure management.
- Security awareness and skills training.
- Vendor management.
- Incident response management.
HITRUST Common Security Framework (CSF)
The HITRUST Common Security Framework (CSF) incorporates and leverages a range of existing security requirements that service organizations must comply with under federal, state, and other governmental laws and regulations. The goal of completing a HITRUST CSF assurance program is to ensure that the protection over the sensitive information stored, processed, and handled on a daily basis remains secure. The program allows a service organization to identify how well its internal controls have been designed, through its current suite of policies and procedures, and whether they are operating effectively, through implementation testing. Additional testing is performed to evaluate whether a service organization is internally measuring, on a regular basis, the adequacy and effectiveness of all internal control implementations, as well as whether all internal controls are being sufficiently managed to ensure their success.
As the demand continuously increases for service organizations to show that they have maintained a list of certifications for potential and current customers, you may think that the HITRUST CSF assurance program appears to be a great option given its structure and design as a one-stop-shop that has the ability to test a service organization against the multiple laws and regulations that they must follow. However, while the HITRUST CSF assurance program is a highly regarded certification, some service organizations may not be ready to take it on, as it is relatively expensive and complex, and it must be completed within a 90-day window, which can be overwhelming if current staff levels do not allow for such a turnaround. Therefore, a great alternative would be for a service organization to go through the examination of a SOC 2 + HITRUST CSF report.
SOC 2 + HITRUST CSF Report
A SOC 2 + HITRUST CSF report is a mapping between the requirements of the HITRUST CSF and the security, availability, and confidentiality trust service criteria (TSC) categories of a SOC 2 report to provide information to user entities that a service organization’s internal controls surrounding its system are suitably designed and, if a Type 2, operating effectively to meet such standards. This option increases transparency by enabling you to communicate your organization’s processes and procedures used to meet the applicable TSC as well as those it uses to meet the HITRUST CSF criteria without needing to go through a HITRUST CSF assurance program.
If your organization is interested in obtaining a SOC 2 + HITRUST CSF report, the first step is to engage with a CPA firm that issues SOC 2 + HITRUST CSF reports and performs HITRUST assessments. Prior to jumping into the examination audit period, it is recommended to complete a SOC readiness assessment. A readiness assessment is a great step and can help you prepare for the examination period by identifying your organization’s current internal controls, deficiencies, gaps, and needed remediation. In addition, auditors can help determine if this type of SOC report is right for your organization to ensure that you will receive the most benefit from investing in the report and that your user entities’ needs will be met once it is completed. Other SOC report options include a SOC 1, SOC 2, and/or SOC 3 report.