Watch this to learn how you can best prepare to become HITRUST Certified and how SecurityMetrics and Privaxi can help you.
Watch SecurityMetrics' VP of Assessments Gary Glover, SecurityMetrics' Audit Director Matt Halbleib, SecurityMetrics' Director of Sales Operations Lee Pierce, and Privaxi's CEO and CISO Peter Briel discuss how you can best prepare to become HITRUST Certified, as well as:
This webinar was given on November 30, 2023.
Welcome, everyone. My name is Gary Glover. We've got a great webinar for you today. We're gonna be discussing HITRUST and HITRUST certification, SecurityMetrics, and also Peter Briel from Privaxi.
We have Matt Halbleib, who is the head of our audit department, and Lee Pierce, who is the expert in enterprise sales for HITRUST in all of our activities here at SecurityMetrics. So we're grateful to have these good gentlemen. They're very knowledgeable. They're gonna do most of the talking today. I'm gonna be listening. So today, we're gonna be kinda going over a couple of things about HITRUST again, as I mentioned, and we'd like to begin just with a little bit of background about SecurityMetrics and Privaxi kind of as a whole. So, Lee, why don't you give us a little bit of background just on SecurityMetrics?
Sure. SecurityMetrics has been in the business for over twenty-two years. We specialize in security audits, penetration testing, general consulting.
We have a large merchant program with banks where we help out small merchants with their PCI compliance.
And we got into the HIPAA space early on when HIPAA was coming on, and we picked up HITRUST about four or five years ago.
We like to pride ourselves in service and competence, and, we look for opportunities to help people.
Perfect. Thanks. Peter, why don't you give us a little bit about Privaxi?
Well, at Privaxi, we specialize in compliance and security and managed IT services to help organizations reduce risk, protect data, and meet compliance standards. Right? We were traditionally a managed service security provider, but we are now also a HITRUST readiness and remediation assessment firm.
Perfect. And that's really kind of the place that Peter's playing in our discussion today.
Matt and his team are we have a number of assessors that are HITRUST certified as assessors.
And yet, as an assessor, we really don't like to go over and be a readiness assessor and be the assessor at the same time. We gotta make sure we keep independence. And so we work very closely with Peter and his team as readiness assessors to help people. We'll be talking a little bit more about that as we go on.
So let me just quickly review what we're gonna be talking about today. So first of all, what does getting HITRUST certified do for you and your business? We're gonna be talking about that topic. What does the HITRUST certification process look like? How long does it take? What are the steps that need to be done?
And then how SecurityMetrics and Privaxi really are helping to prepare customers for that successful HITRUST certification.
And then also helping you decide which certification to get is something that we'll discuss.
Also, just sort of an end up why it would be a great decision for you to choose the SecurityMetrics and Privaxi team to help you through your HITRUST certification. So what does HITRUST certification really mean for businesses, and, you know, why is it important? Peter and Lee, why don't you start us off? Peter, why is HITRUST important?
Well, Gary, you know, by obtaining a HITRUST certification, it's a designation that, you know, demonstrates your organization's commitment to compliance, you know, with a comprehensive set of security and privacy controls specifically tailored to your business. Right? So it shows your partners and your business associates that you are dedicated to security. Right? And making sure that your data is protected and making sure that you've done your due diligence as a business to reduce risk.
Yeah. Great.
Lee, if you got any other comments or Yeah.
We find that customers are trying to address multiple assessments these days, and HITRUST is great for mapping to various assessments.
When we partner with Privaxi, we can help these customers with readiness.
It's something that a lot of people need to do, but they're scared to do because they don't have the resources. Yeah. So we feel that with our combination of services between readiness and validation assessment.
We can help put people's minds at ease as they address this.
And, Matt, as our HITRUST lead, are people required by other entities to get HITRUST certified? What are some of the reasons why people actually come to us and say, I need to be HITRUST certified?
Yeah.
Good question. So, I mean, leaning in there a little bit, but, probably the number one reason is just because somebody else is telling them they need to. Right?
Many large organizations are HITRUST validated, but to help them manage some of their business associates or their service providers and things, they need to have some level of confidence that that business associate or service provider, as Peter said earlier, is both committed to security and doing the things that are necessary to be secure, and, of course, securing the data that they're entrusted with.
So, you know, one of the primary reasons is because somebody else is telling you you have to do it. But it's not the only reason you'd necessarily choose to be HITRUST validated. Right?
It's not a bad just security standard in and of itself. Right?
Right. I mean, you know, they call it the HITRUST CSF. It stands for common security framework.
They've gone out and looked at a whole bunch of different security frameworks and tried to kind of reconcile and bring all of them under one umbrella so that you don't have to repetitively, you know, prove your compliance with a whole bunch of different people, but rather you can say, oh, I know that if I'm doing this password control or whatever, that it's going to meet all these different standards.
So it's helpful in that way. Plus, you know, like any good security framework and program inside an entity, it helps reduce your risk, helps reduce your susceptibility to being compromised. And if you are, then it helps you detect it at an earlier phase in the attack cycle and be able to minimize some of the damage.
Yeah. Great.
So I know that, as I've read, there's all kinds of different types of HITRUST assessments that may focus on either different controls or the number of controls. I'd like to kinda start a discussion here between all of us about what are the different types of HITRUST certification there are?
Matt, why don't you start us off, and then Peter and Lee chime in as you have a comment or something. So let's go ahead and kinda talk about the different types of HITRUST certification.
Yeah. Absolutely. There's three different programs that they offer. They have e1 or, like, you know, just the beginnings there. So e1 is forty-four requirements.
We have an i1. So e stands for essentials, probably.
Right?
Essentials. Yeah. Thanks.
It does. Yeah. Essentials. i1 is implemented, and then r2 is the risk-based approach.
So e1 is forty-four requirements.
And if you really are new at trying to implement a security program inside of your company, you know, e1's kind of one of those nice entry-level things. It's like, okay. It's only forty-four requirements. Let's get it going. And it's good for a year, so you can be certified through HITRUST for it and everything.
You have to redo it every year, but it's a good intro to, you know, building your own security practice within a company.
i1's kind of that next step up. It's a hundred and eighty-two requirements, and it encompasses the e1's forty-four requirements.
So each phase kinda builds on the other. The final one there is r2. It's based on a bunch of risk factors, which, you know, we should probably talk about a little bit later.
Yeah.
But, bottom line is, you know, depending on what risk factors you choose then dictates the number of requirements that you have to meet.
But it will include all of the e1, i1 requirements as well.
Yeah. So, Peter, as you work with customers, you know, as a readiness assessor, what have you found, you know, kind of works for people? Sometimes, is it hard for people to jump right into the r one or r two? I mean, are there kinda some patterns you're seeing? Or now that they've I think the essentials is a pretty new product out there.
Why don't you talk to us a little bit about how you see customers can kinda get into this and what you're seeing people kinda like to start with?
Well, basically, what I've seen, Gary, it all depends on the business need and also the risk appetite of the business. Right? The business has a need, like, you know, we mentioned earlier in the introduction of the meeting. You know, there must be maybe a business case. Right? Maybe there is a requirement from, you know, a partner for them to, you know, have the HITRUST certification. Right?
You know, it all depends on, you know, the level of maturity that the organization wants to reach. You know, as mentioned by Matt, the e1 is just an essential, you know, forty-four controls tailored just to, you know, basic security and cybersecurity controls. Right?
You know, it caters to the most critical controls, and then, you know, organizations may choose between, you know, e1, r2 based on resources and budget. Right? Budget is another key factor in, you know, selecting what, you know, HITRUST package to choose from. Right? But the majority of the time, it's just, you know, again, risk appetite and business case.
Yeah. And that might be something that you want to, as someone who is seeking HITRUST certification, really talk to the entity that maybe has asked you about it first. You know, maybe you need to understand what level. They may tell you what level they want you certified at, or they may accept a different level. And like Peter said, you have to be ready to decide what is my risk level, what is my capacity, what is my ability, how close am I to lots of security controls, and what would, you know, a governing body, let's call them, kind of want from me to show that I'm on the path. So it may be that there's a path that people can use towards the r2, and I think that's kinda how HITRUST decided to add these different certifications. So it may be something that people need to understand from who's asking them to get HITRUST certified.
Lee, you got any other comment you'd like to make there?
Or Yeah.
We find that lots of times that's a really good point because they'll come to us and they'll say, I need to do HITRUST. We'll say, what did they say? And they say, well, you need to be HITRUST.
And so if somebody watching this could take from this, this is an important takeaway, go ahead and ask those questions. Because they may say, we just wanna know that you're on the path.
Right.
They may say, gotta be an r2. It's gotta be the big one. You can't even play with us unless you get the full gold standard certification.
Right.
So they really should ask. But it's good to know that whether you start with e1, i1, or just go straight to r2, if you take those smaller ones preliminarily, they will build. They'll benefit you later. Right.
There may be budgetary constraints or whatever. Any other comments on this kind of topic of how do you choose a HITRUST certification level before we move on? Anybody?
Everybody's good? No. Okay. Good. I think we've covered that topic really well. Obviously, if you have any additional questions, we are the guys that'll help you understand that.
And we'd love for you to give us a call, and we can talk to you about it. So now we're thinking about, okay. We've gone through somebody's told us we need to be HITRUST certified. We've kinda got an idea of what level of certification we would like.
Now how do we understand as a person seeking HITRUST certification what that process is gonna look like and how hard it's gonna be?
And, you know, I think, Matt, why don't you start us off on how do you define a scope for HITRUST?
Yeah. Well, scoping is one of those things that I tend to say it's almost most critical.
You know, you can choose too big a scope and bite off more than you really wanna chew.
And, you know, we go back to these comments about, you know, well, somebody told you you have to be HITRUST validated or certified.
Ask them exactly what that means. Is that an e1, i1, r2, whatever. Then when you know that, then you go, okay. Well, what exactly am I doing for that other entity? What service am I performing for them?
And then based on that, it kind of helps you narrow down your scope.
If you're a very large organization, you wouldn't wanna try and make your whole company HITRUST certified. It would take way too long and cost you way too much time and money and effort.
Not to say that, you know, you don't need to implement good security controls within the organization, but to go through the whole process to be HITRUST certified is significant effort.
So, you know, in the end, scoping is critical. You need to figure out which service or systems involved with that service and things are part of the scope. And then once you kind of have that answer, then you go to the next step of, well, what exactly is involved with this service?
And this is maybe Lee can help too because I know he does a lot of the risk-based scoping questions that HITRUST has in their myCSF tool. But it goes off of things like, how many records are you processing?
Is it Internet connected? Do you have Wi-Fi? They have a bunch of different questions because it's risk-based, and r2 is a risk-based assessment. The more of those things that you answer affirmatively to, then the more controls that we'll bring in to try and help bring the risk down.
Yeah.
And, Peter, you got oh, go ahead, Lee.
Yeah. Go ahead.
Sorry to interrupt.
So when you go to the myCSF portal when we're scoping a customer, we always go to the factoring exercise to help them understand what they would look like dialed in for an r2 risk-based assessment.
And, when you were talking earlier, you were mentioning who are you trying to satisfy. Because in the risk based assessment, there's several options. There's FedRAMP. There's California, Texas, Nevada.
Multiple boxes you can check when you are doing these factors.
Again, we always recommend going simple, nice, and easy because, you can build on that later. Unless, of course, let's say you got somebody from Texas saying you have to comply with HITRUST and the Texas Medical Records Privacy Act. And if that's the case, then check that box. That'll help us determine the controls that would apply to your assessment, for example.
And as Matt was saying, it's all about the number of records, what type of exposure, who's using the infrastructure, are you in the cloud, are you not, lots of questions that help determine the applicable controls that would be in scope. It could be that when you're doing the e1 or the i1 that some of those controls simply wouldn't apply to you, and that's fine as long as you document as to why they don't apply. But when it comes to the r2, we're really dialing in on those things that do apply. And so it's important to do the factoring exercise very deliberately and carefully in making those decisions.
Yeah.
And then once we've crunched the data on the factoring, then we go to another control panel that just basically tells us of the nineteen domains, x number of controls are found in this domain and that domain. And then that sums up to be somewhere in the range of, you know, typically two hundred seventy controls all the way up. You know, it can go a long way if you select a lot of the different factors.
Yeah. Peter, do you have anything you'd like to add? Or, specifically, I'm sort of interested in your experience in, you know, people making scoping errors at all or, you know, anything you'd like to kinda talk about with your experience in this area as to how important scoping really is to actually getting ready for it and to making this a successful process.
Very important. As Matt mentioned, Gary, you know, one of the key points here, you know, that Matt mentioned was, you know, to scope. Right? The idea is to reduce the scope as much as possible.
Right? You don't want to go in there and, you know, just scope out the whole entity when only a certain business unit is processing the EPHI. In this case, right, the PII. Right?
So one important factor is understanding your data. Right? Understanding your assets is very, very, very important. Understanding the network flow and data flow of your information and entity.
That's, I think, one of the key factors. As we go through this scoping exercise, a lot of folks, you know, tend to, you know, hesitate sometimes when we ask them about systems that interconnect with our systems. Right? How many records are being processed?
How many locations are, you know, in play within, you know, the scoping exercise?
So, you know, I would like to emphasize the fact that, you know, identifying the access and data that you want to certify is very key.
And so, you know, one thing I think and, Matt, maybe you're gonna answer this question, but, you know, I'm kinda thinking about, you know, Peter made a couple of comments about data flows and things. Being able to document that information, to be able to present that to the HITRUST assessor, because the HITRUST assessor, as I understand it, has to be involved in the scoping.
Maybe we can have a quick discussion on kind of do's or don'ts or really helpful things for your readiness or for your assessment, getting started on what kind of documentation is really important to have.
Yeah. I think, definitely, I wanna add one thing to what Peter was talking about when it comes to scoping and environment and things like that. I will say, one thing that HITRUST does pretty well in their portal is the inheritance function. So if you're in the cloud, so if you're in Amazon or Azure or whatever, you can inherit a lot of controls, because those two organizations have already gone through a HITRUST thing. So when it comes to this idea of scoping and, you know, narrowing down exactly which systems you're going to apply HITRUST to. If you can put them in a cloud environment like that, one of the major cloud providers, you can really take advantage of inheritance and help reduce some of your burden.
So around, you know, that documentation thing you're talking about, Gary, it's honestly critical. You have to know, and this all plays into what we've already been discussing about, understanding what your environment is. And you kinda, you know, you say peeling the onion. You have to kind of understand from the outside.
Okay.
Where am I getting data from?
Where am I sending it to? And then I can kinda go back a layer and go, okay. You know, I get it from this person that comes into this environment or whatever. But when it's in here, then I need to talk about, well, which systems is it actually touching?
And where am I sending it inside my own company? Am I putting it in this database? Am I sending it somewhere else? Am I doing any sort of, you know, vaulting or let's say you've got some, you know, key management kind of stuff that you have involved because you're encrypting data and things.
Having a clear understanding of the flow of that data and which systems it touches and having it all documented is critical to really being able to answer the questions of the scope and then how to apply the controls to that environment.
And, Matt, that's key. Right? Gary, you know, I always say to clients, I say, you cannot protect what you don't know what you have. Right? So if you don't have solid asset management, right, of your data, if you don't have data classification, right, then how do you know you're gonna protect it? Right? How do you know what to protect?
Exactly. Right? So it's very key to know what you have. You know, a solid network diagram is good. Data flow is something that we always ask, you know, in the preliminary meetings, you know, when we go into a, you know, a scoping call to understand a little bit more about the organization.
Yeah. And I think we do our best to make sure that we get as much scope defined as possible. I'm guessing sometimes, maybe even during the readiness preparation, we might find new areas that either were discovered or weren't discussed, and we may have to kind of add some of those to the scope. But our goal is to try to really understand the scope, help you make sure that you document that you've done all your thinking, and make sure that we get that as close as possible at the very beginning. I think it's very helpful.
You know, one thing I noticed that all three of you or three guys have been talking about is something called the myCSF portal.
What the heck is that? And what if people don't really know what that is? And how is that kind of involved in this whole process from the beginning even to the end? Just so that people are understanding. When we say things like myCSF portal, what does that mean?
I could share a screen even if you'd like, but the myCSF portal is where the activity occurs. When you engage for a HITRUST validation assessment, you will end up in the myCSF portal. So a separate discussion needs to be had with the HITRUST Alliance themselves.
When you are wishing to do this, you engage with HITRUST, the HITRUST Alliance, to get a subscription to the myCSF portal and to schedule an actual assessment down the road once you're ready for that. That is essential. There's really no other way to do it.
Yeah. Lee, why don't you go ahead and give us just a really quick look at what that might look like? I don't think we need to spend a whole lot of time here, but just help people have kind of a vision of maybe what that portal looks like and knowing that you're gonna spend a lot of time there.
Sure. One of the first things we do when we are talking with the customer preliminarily is we pull up the screen, and we just basically go through a scoping exercise with them to help them understand the factors that are involved. They don't have to have a subscription to the myCSF portal to do this. So they're doing it with me sharing a screen, and they just basically get an idea as we go through. And we look at things, and we answer questions.
And then I can give them an idea of the number of controls they have.
I mentioned earlier that there's a lot of standards here, and you can find those standards as well that you'll need to consider if you wanna keep them as your factors. So once we've gone through that exercise with the customer, then they can understand what they're looking at as far as, you know, how many controls they'd be looking at and what those controls represent in the nineteen domains that are represented over here on the left. So there's these nineteen domains, and that's the way HITRUST is structured.
And we're happy to do that factoring exercise. It's not a problem. Probably takes about ten minutes. It's quite simple, quite easy to use, and very informative as to the applicability.
And customers who may have done this before may already have a subscription, and it's a subscription per year. You may already have access to that, and it may be something you've already done. But if you're new to this process, understand that we can help you kinda through that and get started and kinda get rolling before you decide and make commitments on, you know, your scope and what type of assessment you need to do. And we can be spending the right amount of money rather than, you know, different than what you may need. So I noticed, Matt, that this portal thing might be a little bit new to people who have never, you know, kinda had to access or set up an audit through a portal before they even kinda get going. What is the difference, and why does HITRUST kinda work that way? Do you have any thoughts?
Yeah. So, you know, as you kind of alluded to earlier, everybody's been using the term myCSF. That is what Lee showed is the myCSF portal.
And as he said, that's where we can help you. You know, if you talk to us first, then we can help you, you know, determine whether you need an e1, i1, r2, depending on whoever's telling you you have to have something done or even your own decision to start implementing security in your organization.
That'll help then identify, as Lee said, the number of requirements or controls that you'll be subject to and, you know, what we need to gather the evidence on. And this is where the myCSF portal will become your friend, if you will.
Because as the entity, you have to go, as we said, talk to the HITRUST Alliance. You have to purchase access to it. You'll enter all those questions about the scoping and risk factors and all that. It will generate all the list of controls in the nineteen domains.
And then from there, you'll work with Peter and his team on the readiness side to start making sure that you have all of the policies, procedures, and items implemented at a minimum. There's five levels from a HITRUST perspective on their maturity there.
Policy, procedure, implemented, measured, managed.
You don't have to do measured, managed, and we really don't even recommend people do that to begin.
Especially the first time.
Yeah.
Yeah. Much more mature organization. Just to get HITRUST the first time, just do up through the implemented side.
So in any case, you'll go in there and you have to provide evidence in the portal that you're actually doing all the things that, you know, if it says you gotta have password length of x, well, then you're gonna have to provide evidence both to us and to Peter's team showing that you really do, and you can put it in the portal there. And then every client has to score themselves on how well they're meeting the various controls. And there's documentation from HITRUST to help you on the scoring side. But, bottom line is you score yourself.
Peter can help with that. His team can help both gather the information as well as help with the scoring. Eventually, it gets submitted to us as the validation assessors.
Then, you know, the assessor you've been working with has to go into the myCSF portal, and you give us access as a validated assessor.
And you give Peter's team access too, but in a different way. But, anyways, you give us access to the portal, and we go in. We've already, hopefully, you know, been looking at all the evidence for a while, making sure it's all there. We have to then score each of your answers as well. And, you know, the way we like to do it with Peter's help and everything is that we're working hand in hand as we go along. He's asking us, is this good enough? Does this meet, you know, the evaluative criteria in each of the different requirements?
And we work closely together to make sure that when Peter and the client score it, that it's not a surprise when we go in and score it either because you don't want the client to go in and score themselves at, you know, hundred percent, and then we go in there and go, oh, sorry. You're only doing this at fifty percent level.
You know, that wouldn't be a good thing.
But we work closely with Peter's team to make sure that you don't get those kind of surprises at the end.
So let's go back and kinda just review over kinda where we're at. So we've looked at the CSF portal, myCSF portal.
We've decided our scope.
And then, typically, you know, between Matt's team and Peter's team, we'll conduct some sort of a gap analysis, I'm guessing, and we'll kinda figure out, you know, where you're at. Do you need a lot of help? How can you get that help?
What kind of controls you need to address?
And then as Matt mentioned, there's a lot of preparation. So in other words, can you just jump right into and, Peter, why don't you kind of address this? Now that you've got what your controls are, you kinda have an idea of where you're at. So you're almost done.
Right? You know? So what happens next? Right? What's the step where somebody says, well, I've already done a whole lot of stuff now.
How close am I? And that's where you kinda get into this preparation phase, which is where Peter's team has all the expertise and has the ability to really kinda help you at the level you need. So why don't you talk a little bit about how you help people prepare for HITRUST certification, Peter?
So that's a great question, Gary. Right? We have a very unique approach to the HITRUST, you know, readiness and remediation approach. Right?
We like to, you know, break down each domain, domain by domain, and then we do a gap analysis to see what the current state is at, right, of the client. Leverage any work that they've done prior, you know, if they've gone through any risk management, you know, gap analysis before. Right? So we like to leverage current existing systems with any documentation as well.
And then we like to work, you know, hand in hand with the client to determine, okay, these are your gaps. This is what we need to do to remedy these gaps. Right? If they don't have the internal resources, you know, to do this work, right, we provide those resources for them.
Right? So we have a blended approach between our security engineers and our compliance folks, right, that we become an extension of their team for the life of the program. Right? So once we identify each gap, we try to remediate, cater those policy procedures, you know, to whatever, you know, integration we do.
If it's through, you know, operations or technology, we make sure that the policies and procedures, you know, meet the requirements of the entity, then, obviously, we work with your validation team to make sure that they are okay with what we're doing. Right? Once everybody, you know, gives us a thumbs up, we make sure that the client is okay with the process established procedures, make sure that technology is up to par, then we move to the second domain, and then we follow the same structure. Right?
This would allow us to really, really button down the, you know, security posture of the business while providing us real-time visibility of what they're currently doing and what they're trying to be.
Right. And I think an important point to make here is we're making sure that we're kind of staying independent.
Matt's team are the guys that are gonna say, I'm your auditor. I'm your assessor. I'm gonna make the decision as to how I score you. Right?
And Peter and his team can actually help implement procedure process, help you actually maybe even in your network setting up things or whatever level you need. And those two teams are independent. And so we can't, you know, it's easy to say, well, the auditor told me what I needed to do, and then he came in and did it. Right?
And that's kind of not really looked well on in the audit kind of world. And so I think that's one of the real benefits of working with a company that has this type of structure is that we can handle all aspects of HITRUST certification from scoping, actually preparing, implementing, and then the final validation phase. Matt, it looks like you had something you'd like to say.
Yeah. I did. I just kinda wanted to go a little on what you're saying there.
I wanna point out that Peter's team is independent of my team.
And we're the validation assessor, and he's the readiness assessor. So he can go in and he can help you make those choices. You need to modify a business process. You need to modify your policies and procedures or whatever. He can help you with that. He can help you make the right choices to meet the HITRUST controls and everything.
But as assessors, you know, I can't be the one to grade myself.
Right. Conflict of interest. Right?
So Yeah.
So we maintain a separation between the two teams in that sense, so that he handles all the readiness side of it. We handle the validation side of it.
Peter, it looks like you were ready to jump in with another comment. Are you good or no?
No. No. No. No. I'm good.
I think you're good.
Okay.
Yeah. One thing that's unique about us, Gary, as you know, is that we started off as a managed security service provider. Right? That's what makes us very unique.
We are already in assessment and remediation, but we also have in-house expertise around AWS and Azure, right, and Google Cloud, or on-premise. Right? So a lot of our clients like to leverage those services, right, to make sure that we implement what is needed and required for HITRUST. But at the same time, we know that no two businesses face the same threats.
Right? So when we tailor the strategies around the information security management program, we like to make sure that the company not only meets compliance, but is also very buttoned up for the future as well.
Perfect.
Okay. So now we're in the process here. We've scoped.
We've prepared, and now comes the actual ready-for-validation step. This is where Matt's team comes into play really heavily. Peter and his team have entered all of this great information into the myCSF portal directly for the client.
Everything's ready now to turn over. What is that process, and how is HITRUST then involved in that end game? And is there a specific amount of time that you have to do this kind of stuff? Matt, why don't you start us off and talk about some of those endgame-type processes?
Yeah.
So as I mentioned earlier, the client, with Peter's help, will upload all the evidence and score themselves on the various controls: how well they're meeting each of the different controls at a policy, procedure, implemented, measured, managed level. So is it a hundred percent of policy, a hundred percent of procedure, a hundred percent implemented, that sort of thing? They score themselves.
When that domain's all complete and they think they've got everything uploaded and everything scored, they submit that information to the assessor. And then we, as validation assessors, go in and we look and we go, yep. That looks good. I've seen these things.
And we then score that same control to, hopefully, the same levels as the customer. Right? But that goes back to what I was saying about us and Peter's team working together. You know?
They'll do some things. And while they're the ones actually choosing how to implement things, they will also ask us if we think that's going to meet the requirements.
So not as many surprises that way.
Yeah. Not as many surprises. But nonetheless, in the end, you have to submit all that to us as the validation assessor. We go in, we score it all, and then eventually we have to submit everything to the HITRUST Alliance themselves.
So a couple of points here. One is that, for the most part, if you've implemented something new, a system or something, it has to have been in place for ninety days before it's considered to be in place from HITRUST's perspective. Policy, they changed a little while ago to be sixty days, to say that it's fully implemented.
But in any case, sixty to ninety days is critical to know, because if you just implemented it today and you submitted, and now we're trying to submit to HITRUST, it's not gonna work, because it won't have been in place for a sufficient amount of time.
So you have to look a little bit ahead and go, look, here's when I think I'm gonna have all this stuff done, and I'm gonna meet my deadlines for my sixty/ninety-day stuff.
I think I'm going to have, with Peter's help, everything in place by this date, which means I should be ready to submit to HITRUST for their scoring.
And, like I say, you score yourself, we score you. They go in and look at a sample of all the controls.
They've admitted they actually have some automated processes in the background that go through.
HITRUST.
HITRUST.
They being HITRUST. I'm just making sure we're clear there.
Yeah. Absolutely. They have some processes that go through all the documentation that's submitted, all the policies and everything, and they can infer certain keywords and stuff. And then sometimes they look at things personally as well. But in the end, they have to go through. If they have any questions, they can turn things back to either us, the external assessor, or to the client. Eventually, all of those questions get answered in a way that's satisfactory to HITRUST.
It gets turned to them.
Then, if it's all good to go, we'll generate what they call a draft report, which is the client's opportunity to look it all over and go, yeah, that says what I expect it to, and that's good.
And if everybody's good with that and approves it, then eventually HITRUST themselves issues the actual HITRUST report.
And if it's an r2, that's good for two years, with an interim where you have to prove you've kept your processes working.
So a one-year interim thing where they ask you about twenty-ish requirements.
And, like I say, that's just to prove that you've still got things in place. And Peter's team can help with that too. If you want that level of help, they can help you make sure that you're doing your change control or applying your patches, all that sort of stuff. As a validation assessor, I've stepped back at that point, because we're just grading the work, if you will.
The only other thing I would mention is that I mentioned the sixty/ninety days, and there is a thing where the client has to reserve a QA period with HITRUST themselves.
And so that's where I kinda forgot to mention that. But when I was saying kind of projecting out, this is when we think we'll be done, so this is my timeline, well, then you need to project forward a little more and go, okay, by this date, we're gonna get everything submitted to HITRUST.
Right.
And it does sound like there's a patient with them.
It does sound like there are these important chunks of time to be aware of. So we've gotten everything going. We've worked with Peter's team.
You have these processes now in place. You need to know that they need to be in place for ninety or sixty days. And who is it that has to schedule the appointment with HITRUST?
Who is that?
Yeah.
The client has to schedule the appointment with HITRUST.
And, Peter, in your experience, what happens when a client thinks that they're gonna be done a little soon, or isn't maybe as conservative at scheduling that date? And when that ninety-day QA period for the HITRUST submission starts, what are some of the pitfalls that, in your experience, people experience?
Well, I like to underpromise and overdeliver. Right? So I usually like to give the client enough time to be able to meet that ninety/sixty rule. Right?
Some of the pitfalls, I think, are mostly around technology. What I've seen is a lot of companies, unfortunately, don't have the in-house resources, right, to go out and get certain technologies, or the know-how. Right?
So, at the time of engagement, it takes them a while to understand some of the technology that is required.
We see some challenges around processes, around operations, basically security awareness training, certain documentation, and the way that they like to see things. Right? So, for the most part, clients come in thinking that, hey, listen,
we can achieve this in six months, eight months. That's not the case, especially for an r2. Right? You need thorough planning.
You need a lot of engagement. I like to call it: you need to have an engaged CEO, and the culture of the company needs to be very risk aware.
Right? So accountability is key. Right? It starts from the top down. If your team is not accountable, if they're not engaged, then we have no say in that.
Right? We try to make sure the client understands that, hey, listen, you're working with us.
This is no harm, no foul. Just give us what you have. Tell us what you have, and then we'll guide you to where you need to be. Right?
So those are some of the challenges that I'm seeing out there.
Yeah. I'll chime in with what Peter was saying there too about executive buy-off.
HITRUST is not a trivial exercise.
It takes a lot of work to get there, especially an r2. It can take a year or more, even, depending on where you're at as an organization. But almost more critical is that you have to have executive buy-off on the whole process.
Because if your CEO or C-level individuals aren't on board with this, then you probably aren't gonna get the budget and the time to make both the policy and procedure and the hardware-type changes that are gonna be required of your organization.
Yeah. So let me summarize a little bit what I think I've heard you guys say. So we've projected out. We've scheduled our time with HITRUST for this ninety-day final endgame process to happen. So you start the ninety days and you think, oh, well, I have ninety days to get all my evidence into this process, and then within the last week the assessor and Peter and everybody can get that done really quick. Right?
So I don't think that's how it works. I think the idea needs to be that when you start the ninety-day period, you have all your evidence in. You're ready to go. It's not that you get to start putting the evidence in then. So think about your long-term schedule and think, well, I'm gonna set my ninety-day period for the validation now, six months in advance, and I will make sure my team does that.
And, you know, I've got those ninety days too. Right? So, I mean, I think that's a fallacy that people will fall into: well, ninety days, that's three months. That's forever.
I mean, how hard can it be to be an assessor and go through all this stuff? And how hard is it to work with a portal? It can't be that hard. So we can give you experience here to say that companies that don't plan on having everything done almost before that ninety-day period starts often end up with, yeah, we didn't make the ninety-day period.
And what happens if that happens? Do you have to start over?
What happens if you don't get everything done and submitted to HITRUST within those ninety days?
Well? Anyone?
Anyone?
That becomes a problem.
You're not gonna meet your reservation.
You could potentially push the reservation if you give HITRUST enough warning.
K.
Otherwise, you're gonna have to potentially pay for another reservation.
If, in the end, your controls really aren't in place, you thought they were, but they're not.
Then, you know, either the assessor has to knock your score down or HITRUST does. And if you don't get a passing score, well, you don't get a passing score.
And then your option is to just try again at another point, and you have to pay for all of it again.
Exactly. So I think that's an important point we wanna bring out. Peter, you can make your comment now. And also, at the same time, I'd like to ask Peter about, after he's done with that, this concept of something called a CAP.
And why don't you talk to us about that? So go ahead and say what you're gonna say and then add that on.
So I wanted to point out that one of the unique things about us, working collectively, is that we have a set of items already predefined once we start this engagement, things that we like to see ahead of time. Right? Technology being one. So we try to avoid that time constraint when it comes to the client not meeting that ninety-day technology window and the sixty-day policy and procedures window. Right? So we try to work as best as we can with the client to make sure that the client has all the technology implemented way before it's due.
And, again, it all boils down to engagement and accountability. Right? We find a lot of clients that have that tendency to be late, not attend the meetings, postpone the meetings. Right?
So those are the ones that usually get in trouble. Right? So I would suggest and encourage that whenever you engage in the HITRUST program, make sure that you are in the meetings with whoever the assessor is. Right?
Hopefully, us. But make sure that you provide the list of items that we are going to ask for right at the beginning of the scope. If you don't have them, we'll work with you to get them. Right?
But it's key for us to have that list ahead of time so we can work towards having that incubation period cleared for both the technology and the policy.
And let me ask my question again. So that was perfect. And now we're done. We're all in.
We've got it submitted. HITRUST is looking at it. They can come back and ask some questions. We may have to do a little bit of looking and rewording or sending it back in.
Then at the very end, HITRUST issues a report, and that report can be totally clean, I guess, or it can be a report with some conditions. What are those conditions called? Is that what a CAP is?
That is correct. Right. CAPs are pretty much the controls that they identify as not meeting the CSF certification requirements. Right?
They're given a maturity score. Right? A risk rating. Perhaps you score yourself a hundred. You know?
They say, oh, listen. You know what? You have a fifty. Right? And what happens next is that HITRUST then issues that report that you're certified.
But you now have the whole year to work on those CAPs before you go ahead and try to go for the interim assessment. So when you apply for the interim assessment, you have to make sure that those CAPs that were there have been taken care of prior to submitting the interim assessment at the anniversary of the certification.
Perfect. And what does CAP stand for? Does anybody know?
Corrective action plans.
There we go. Lee, you raised your hand.
I sure did. I'd like to make a sales pitch here and ask a question regarding the outcomes of our customers that have worked with SecurityMetrics and Privaxi to get the job done for their HITRUST. Would someone like to volunteer the number of CAPs, on average or even every time, that come out on the back end when our reports are done?
Peter, how many CAPs?
Zero CAPs so far.
Zero CAPs so far.
So that's a good thing. Right? You'd like an assessor to be able to help you through, and at the end say, well, you guys were pretty good, but I'd like you to work on these things.
It's like taking your driving test or your pilot test and being told, you did pretty good and you didn't kill me, but I'd really like you to work on making those right-hand turns. Right? So you don't really wanna have those, because then you don't have to work on them afterwards. And then you can really focus on actually meeting the controls, keeping that evidence up, and getting ready for any kind of interim assessment.
Let's say if you have an r2. I think there are other kinds of requirements for some of the other ones. I don't think we'll get deep into it. But if there's an i1, I think you have to do something every year for that.
And I think it's also the same for an e1. Is that correct? So the r2 lasts for two years, and you need to do a small recertification. But the idea is that people who are going for this type of certification need to think like, oh, great.
I'm done. I'm all done. I don't have to worry about anything again for a whole year. I don't need to think about it.
Is that the way we really have to work here? No.
You have to keep going, and you have to know that you're gonna have to do something probably in a year again. So this is an ongoing security thing, which, you know, Matt and I, as cybersecurity guys, we know that you can't just be one and done.
You gotta keep your practice up. You can't always remember how to land a plane if you haven't flown for a year. So you gotta keep it up. Right? You don't wanna be messing up on those things that can really damage your business.
Yeah. And, frankly, the hackers don't take a day off, Gary.
Yeah. Exactly.
Because they've got plenty of Hot Pockets, and they've got plenty of Mountain Dew. Right? You can always get that.
And time is on their side.
Time is on their side. So we always have to be vigilant. So I think we've had a really good overall discussion about this whole process.
And, you know, Lee, if you wanted to sum up, maybe: how does this process with this group of guys here really make the process of HITRUST certification easier? What have you found as you've talked to customers, even after the fact?
Mhmm. This is definitely a secret sauce we've got going on here, and I'm very happy about it. We had somebody come to us that was just floundering in their HITRUST efforts. They just could not get it done.
We brought Privaxi in. They worked on it with them. They helped them set goals that were attainable. They did it in an order that made sense.
They're our biggest fan now. And oftentimes, these people that finish up their HITRUST assessments with us, as you mentioned, Gary, they need to keep continuing things along the way, and a lot of people will engage Peter's group on a monthly or quarterly basis to be there for them in the off season, if you will, to make sure that they're up to date, that they're updating any evidence that needs to be changed as they make changes, documenting things as they go. I even had one customer the other day say, I'd also like to be able to take the day off. And if something comes up, we know that we can call you guys if there's a red alert. So we really like the synergy going on with SecurityMetrics and Privaxi.
The other thing is that because you've got a partner on your side of the fence, because Privaxi is working for you, right, as an extension of your team, you don't have to learn things the hard way. You can learn from the experience and, certainly, the expertise of Privaxi.
And on the other hand, with SecurityMetrics, we've got twenty-plus years of assessments under our belt. We've got a lot of assessors. We've got tons of customers.
And security translates from one standard to another. You can map a lot of things together. Even though we've been in the HITRUST space going on five years, we've been in the security assessment space for over twenty.
I think there are a lot of reasons to choose SecurityMetrics and Privaxi as your solution for HITRUST.
Great. Any other comments?
Any other comments on that topic?
One of the key things that really identifies us as a collective team, Gary, is our focus on communication. Right? We strive to communicate with clarity to our clients. Right?
And I think the clients can really appreciate that by saying, listen. Okay. We've got an assessing firm, SecurityMetrics, and Privaxi. There's no fear here.
Right? We're trying to help you guys out. Right? So, like that, we can pretty much focus on minimal impact on the client's operations and resources.
Right? But our focus is to help clients, right, and to make sure that they identify and address the opportunities for improvement in their controls and in their security posture. Right? But we really pride ourselves on that communication as a team.
Perfect. Perfect.
And, you know, I think I'd like to end this by saying, who wouldn't wanna work with these nice guys?
Right?
So we're not here to try to rush you through a process.
We wanna be thorough. If you wanna just do a checkbox kind of thing, then we can refer you to some other assessors, perhaps, or other organizations. But this really is, you know, and I've tried to build a team over the years too of people that really care and that really want you to get through something. And we wanna communicate with you, and we want you to know, yeah, this isn't gonna be easy, but we're here to help. And we have the skills to help at all levels, and we'd love to be your partner for multiple years. And that way, you feel comfortable and confident about what's going to happen in the future.
So there's my kind of end thing. At this point, we do have a couple of questions that have come in, and I'll pick just a couple of them here. I think we're getting close to our time. And a lot of them we've already kinda covered.
So, you know, I'm sure that these were things I wanted to just reemphasize. Somebody asked, how much time and resources does it really take to get HITRUST certified? And I've heard a couple of you reference time periods.
Maybe somebody wants to make a comment on kind of an average amount over time. And, Peter, why don't you start and say, you know, what have you seen over time?
If somebody says, and, you know, obviously, you have to pick r2, e1, or i1 or whatever, but how long does this really take, and how hard is it going to be?
The time depends on the engagement of the firm. Right? I always say...
Perfect.
You know, you have to have a company that's engaged.
Right? As long as they're engaged, an r2 could take anywhere from twelve to fourteen months, depending on the size of the entity.
And from there, I mean, everything is feasible. Right? So twelve to fourteen months is feasible for an SMB.
Perfect. Perfect. Any other comments there?
In year two, when it's the r2's off-season year, I guess, when you just do the interim assessment, where it's a sampling of twenty or so controls, then you're looking at two, three, four months max. So your second year is a year to take a nice deep breath and relax just a little bit as far as the actual active load of the assessment: two to four months for your interim assessment.
Perfect.
For the i1, it's still a chunk of work.
It's a hundred and eighty plus...
And are those the easiest requirements out of all of HITRUST that they have selected for that hundred and ninety or hundred and eighty requirements?
I see some smiles going on. Why?
Well, they're really consolidating, right, into a secure footprint. Right? So an i1 is going to have some tough controls.
All the hard ones. I've heard people say it's all the hard ones. Right?
Mhmm. Yeah. It's boiled down to a real tight ship there.
Six to eight months for an i1.
K.
I think we forgot the e1. The e1, anywhere from four to six months to get that done.
I also wanted to mention that the i1 assessment can take six to eight months. In the off year, they have what's called rapid recertification.
And you would be eligible to get that if you haven't had any significant changes since the previous assessment of the i1 in the previous year.
Perfect.
So I think we have time for one last question, and this one is, how do I even get started, and who will I talk to first?
Paul Lee.
Well, I think that you would talk to me, and we always bring Peter in for these calls too.
The way it would work is, in the initial call, if you have the time and you have a fairly good idea of how you wanna navigate, we would go ahead and scope you with the factors. We'd plug you into the myCSF.
We'd answer the questions specific to your organization. We'd give you an idea of what that looks like.
That's how you would begin.
And from there, we could provide you with a formal proposal.
One of those things in the factoring, because we're not just the validation assessor, we've also got Privaxi helping you with readiness. In that initial call or two, we'd also be asking questions about the maturity of your policies and procedures.
How comfortable are you with your technology? Do you feel like there might be some changes taking place? How many endpoints do you have? Physical locations.
We try to get to know, if Peter's group, Privaxi, were to come in and help you, what kind of a lift would that be? And how much help would you want? Some customers are just like, I don't really need help with this. I just need this.
Well, great. Peter's group comes in and helps organize everything for you. That's the bare minimum. They'll get everything organized, and you've already done the work or you're doing the work, all the way up to, we don't have anything.
We had a customer actually today say, I don't have anything by way of policies and procedures. I don't even know what I'm doing.
And a customer in that situation too, they're scared. Right?
So we can help somebody. We can help somebody who's been through a HITRUST assessment three times. We can also help you if you're just brand new to it. And our goal is to help you feel calm. Isn't there one of those signs? We should have a HITRUST "Keep calm."
That's true. Carry on. Yeah. Carry on, or is it "carry on"? Whatever it is. So, carry on.
So thank you very much.
I think we're out of time here, but I really appreciate this opportunity to visit with our guests, to talk about HITRUST, and to really give you some of the nitty gritty on what this process is really like, what some of the advantages of using a team like this are, and some of the things that you should be looking for when you're choosing a HITRUST assessor. We would love to be considered for that. We really enjoy making relationships with people. That, to me, is one of the fun parts about being an assessor. It's not just all the technical mumbo jumbo and all of the things that we get to do.
It's really about making relationships with people and really helping them through this process. That's what I've tried to build here at SecurityMetrics as the VP of Assessments. That's how I want this team to work, and I think we've done a great job at it. So thank you very much for attending today, and there's lots of other information you can get on our website on HITRUST, and we'll be happy to answer any questions if you just wanna call and talk. Thanks a lot.