Watch this to get answers to the most commonly asked HITRUST questions, such as what demands on my time and resources are required to get HITRUST certified?
In this webinar, SecurityMetrics’ Lee Pierce and Privaxi’s Peter Briel will discuss:
Welcome to a SecurityMetrics webinar. Today, we're joined by Peter Briel of Privaxi, a HITRUST readiness assessor company and a lot more. You'll learn more about Peter's group in our interview today.
I'm Lee Pierce. I'm with SecurityMetrics. I've been with the company about nineteen years, working in professional services, audits, pen tests, forensics.
Right now, I put most of my focus on HITRUST and penetration testing. And today, we're gonna talk about the questions that we often get regarding HITRUST. People have a lot of questions. It's not as old a standard as some. And so people rightfully, when they're approached by their partners or other third parties that are asking them to delve into HITRUST, come to us with questions. And so we're gonna talk about a lot of those questions today and see if we can provide some answers for you.
Peter, would you like to tell us a little bit about yourself first?
Sure, Lee. Thank you. My name is Peter Briel. I am the founder of Privaxi.
We are a HITRUST readiness and remediation assessor.
We've been in the industry for over five years. Myself, I have over thirty years of experience in the information technology and security space.
Right? We work collectively with you guys to provide our clients with end-to-end solutions for readiness, remediation, and validation.
Excellent.
And one of the things I wanna point out is, a HITRUST validation assessor cannot do hands-on work with their clients' data or their processes, controls, policies, and procedures.
And our customers do have a lot of needs in that area. And we found that partnering with Privaxi, a readiness assessor, they can do readiness and remediation, writing policies, doing very, very hands-on work. And it allows us to have a separation of duties and keep integrity in the whole process of achieving HITRUST certification.
So let's talk a little bit about these questions that we have. So, basically, one of the questions that people have is, what is HITRUST, and why might I need to have this assessment performed?
A lot of organizations out there understand risk regarding PII, PHI.
And, also, there's a lot of involvement with third parties being the weak spot for data breaches. And so there's a lot of focus particularly on third parties, but not just exclusively on third parties, regarding the securing of personally identifiable information or PHI as well.
HITRUST is a standard that was brought about bringing together HIPAA, NIST, ISO, even PCI and GDPR.
And it's an assessment standard that is now being asked for more and more by companies that are seeking to have assurance from their third-party partners. Here's an example. Health 3PT is an initiative that's focused on improving third-party risk management, and they have specifically come out and said that they accept a HITRUST validation as a standard for the certification to give assurance to their third parties that are working with them.
Peter, let's talk a little bit about the three types of HITRUST. People often say, I'm asked to do HITRUST, but what do I do? If you're a third party and you have partners asking you to do HITRUST, you might wanna follow up with them about the specifics of what they would require. There are three types of HITRUST.
There's the e1, the i1, and the r2.
Now the e1 provides entry-level assurance. It's focused on the most critical cybersecurity controls, that essential cybersecurity hygiene is in place.
The nice thing about the HITRUST e1 is if you're starting out, it only has forty four controls that you need to address, and it encompasses cybersecurity practices.
It's very good for people who are just getting their toe dipped in the water of compliance to start there. It is pretty simple. Most organizations will want to move on from the e1, perhaps to the i1 or the r2.
The i1 is a step up. It includes all the forty four controls that were in the e1, but they add additional controls. And so it adds more controls, I think about one hundred eighty two total controls, and it is definitely a step up. It is more critical.
It deals with more inclusion of controls that are recognized as more along the lines of leading cybersecurity practices.
And one of the elements of the i1 is that it is in a two-year cycle.
The e1 is yearly. If you were to stay with the e1, it would simply be forty four controls every year. If you went to the i1, the second year is called the rapid recertification, where it's a reduction of controls reviewed from a hundred eighty two down to sixty, and that makes for a more affordable validation in the second year.
And that's the i1.
The r2 then is probably what they call the gold standard.
It is the biggest and the most comprehensive.
And while it includes all of the controls that we've already mentioned in the e1 and i1, it adds on to those controls anything applicable to your business. So, for example, to even understand what the r2 would look like for your business, we would need to first do a factoring exercise where we go in and learn attributes of your company.
What does your involvement with third parties look like? Where do you store data? Very specific. Do you have bring-your-own-device policies?
Do you handle physical media that involves sensitive data?
The questions go on and on. As well as other questions regarding certifying bodies, like are you trying to satisfy Texas and their particular laws, for example, or California?
Are you wanting to add in additional elements? The r2 validation assessment for certification can be, typically for a small footprint, in the high two hundreds for control count, up through five, six hundred controls for more complexity. You could literally go crazy with it and get over two thousand controls involved in your validation, but I haven't seen people do that.
But there is that potential.
The next question, I guess, we would talk about would be how long does a certification take?
That's another question you need to ask yourselves internally and ask the people with whom you're working regarding what kind of deadlines do I have.
If it's a very short deadline, what you might wanna look at is the e1, because you can achieve an e1 in three to four months, typically speaking.
The i1 steps it up a bit. You're looking at between six and eight months to achieve the i1 validation.
Now with the r2 on the calendar, as I'd mentioned, it can have a varied number of controls. So the time to achieve it is also varied. We find that most people with the smaller footprint are achieving their r2 validation between ten and twelve months, sometimes thirteen, fourteen. You could literally go almost two years working on the r2 if you have a very complicated environment.
So we like to have all of the understanding there that it could be pretty complicated, but it doesn't necessarily have to be if you have a smaller footprint.
Peter, would you like to add anything to that?
Yes. One thing to mention, Lee, is that each type of certification has a level of assurance. Right? The e1 being a low level of assurance for your partners, i1 being a middle level of assurance, and then the r2, the highest level of assurance because, again, it encompasses so much more.
Right? So for organizations, like you said, that want to just step into the framework, we always suggest, hey, listen, the e1 is the way to go, depending on the business needs.
Right? What are the requirements? What are your partners asking for, or what is that business need? Right?
So most of the time, folks that really don't have that requirement usually like to start with the e1, which is, again, a low level of assurance.
Basic hygiene for security.
Yeah. And you don't have to feel like you're locked into any one particular standard. So for example, you could start out with an e1, and in the next year, you could jump into the i1 or the r2. It's very fluid that way, so you're not locked into anything. One thing I failed to mention with the r2 is it too is a two-year cycle, and the second year is a sampling of the controls.
A big relief, actually, because the r2 second year is just a couple of controls, if that, pulled from each of the nineteen domains. You could have as few as twenty to thirty controls assessed in the second year, which means the cost of your r2 second year is much less. And the name of the r2 in the second year is the interim assessment. I wanted to make sure to have that. Another question that people ask is how much work or hours or resources is it gonna take to prep?
And I think this might be good to introduce the fact that if you're going it alone and you're doing your own readiness work, it could be several hours a week to work on this. This is one of the reasons why SecurityMetrics brought Privaxi in as a partner to work on this: a lot of our customers simply were almost throwing their hands up saying, this is crazy. We don't have time for this. So, Peter, talk about how your team works on a weekly basis and the work you do, and, if you don't do it, the hours that the company themselves would have to be putting in for readiness work and prepping for this type of validation.
Yeah. We created a model around the need for clients to be able to focus on their day-to-day operation, not having to worry about all the intricacies around the HITRUST program. Right? What does that mean? That when you engage with Privaxi and SecurityMetrics, we provide the full support from A to Z.
What does that mean for the organization? That we become an extension of the organization's team for the time of the project. Right? Throughout that time frame, we basically break down the domains, domain by domain. We perform a gap analysis to make sure that we identify current state versus future state.
Right? We leverage any of the work that was previously done if the company has done any PCI, NIST 800-53, ISO 27001. We try to leverage as much of that as possible in order for us to be able to cross-reference the work that was done to the current requirements for HITRUST. Right?
We develop policies and procedures for the organization. Right? We don't just give you a template. Right?
We make sure that we gather the evidence as required, perform the gap analysis required, and develop those policies and procedures accordingly. At the same time, we assist the organization with the technical controls that are required. We are traditionally a managed security service provider that became a HITRUST readiness and remediation assessor. We also have expertise in AWS and Azure.
So we could definitely go down into the weeds with the clients and identify the technology that is required, tell them how to pretty much configure those technologies to meet their requirements for HITRUST. Right? From an operational standpoint, then, as mentioned, we address anything that has to do with the policies and procedures, make sure that we massage it according to the organization's need. It's presented to the organization so they can understand what they have.
And then once that's done, we make sure that we upload everything that needs to get done through MyCSF, make sure we work with SecurityMetrics for the validation as well. Right? So we provide the A-to-Z complete solution, so that the client is not lost in transition and nervous about, hey, listen,
I don't know what to do with this.
Do I have the expertise internally?
You don't really need the resources internally as much as you would usually need with other firms.
And that's a lot of work that Privaxi does with the readiness effort. When you're engaged with a customer for readiness, what type of time constraints are they looking at each week to engage with you to make sure the project's going forward in the readiness and remediation?
Typically, the time engaged with us is maybe once or twice a week, an hour per day.
So we could pretty much go over the domains and gather the requirements. Right?
So one or two hours a week then?
Exactly. We like to understand the environment. Again, nobody understands the environment like the client. Right?
So for us, it's crucial and essential to understand the business operations and their environment so we can identify what's processing ePHI, who it touches, the systems that it has, and so forth. Right? So, yeah, it is a one- or two-hour engagement on the front end. On the back end, we provide the full spectrum of support with our HITRUST auditors, our policy and procedures folks, and our technology folks.
Okay. Another question that people ask is how do I prioritize? How do I know what to do first? Could you talk a little bit about the incubation period and how we need to make sure we have things buttoned down and in place for a time period? That might help understand how to prioritize the effort.
That's a great question, Lee.
And HITRUST has a famous ninety/sixty-day incubation period. What does that mean? That in order for you to present the evidence for technology to, in this case, a validation team, which is SecurityMetrics, the technology has to be in place for ninety days.
What does that mean? That means, let's say you don't have a firewall. You cannot install a firewall yesterday and then provide that as evidence to the auditor the next day. Right?
It needs to be in place for at least ninety days. Right? So what do we do? We already have a predefined list of requirements that we know are standard throughout the framework, that we ask for once we engage in the program.
So we like to tackle the technology first because, again, you require ninety days for the technology and sixty days for the policies and procedures. Right? They have to be in place for that time. So we like to get ahead of the game and focus on those technology requirements so we could have that incubation period out of the way and focus on other areas in the actual framework.
That's great. Thank you.
Another question that is often asked is, how does this compare to other assessments that I've already done? They'll say, we've done SOC, or we've done NIST CSF, or 800-53. How does this compare?
NIST is a prominent player in how the HITRUST standard was put together, as well as ISO and HIPAA.
Peter, could you speak a little bit to that? What do your people see when they're working as a readiness and remediation team, and how do they leverage what is already going on in their environment with NIST or ISO or SOC 2, etcetera?
HITRUST is more comprehensive.
But it integrates very well with other frameworks like NIST, PCI, ISO 27001, and HIPAA. Right? Now what HITRUST does, it covers a broader range of controls, right, for various domains like cybersecurity, privacy, risk management, and so forth. Right?
It also is more rigorous on the documentation. I know we've had organizations that say, hey, yeah,
I just finished a HIPAA audit, and I have some policies and procedures. Well, yes. But when it comes to HITRUST, you have to show more evidence.
Right? When it comes down to the evidence collection, it goes down to the nitty gritty. Right? So it's more robust, again, more comprehensive.
I mean, they call it the gold standard of cybersecurity for a reason. Right? You really have to customize those procedures, those policies, and that evidence in order for you to meet the requirements for HITRUST.
Mhmm. Another thing that is important to note is that, as people are working on evidence for other types of standards that are required like SOC or PCI or NIST, Privaxi specializes in helping them map the controls so that they don't have to go back and redo efforts wherever possible, leveraging what they've already achieved through a mapping exercise.
Now another question people ask is, I'd like to get a validation.
Why are you recommending a readiness assessment? And I think it's really important to understand, when you're doing a readiness assessment, you're basically making sure the ground is fertile and ready for that validation.
Peter, have you ever been, in your past experience, involved with someone who does very little on preparation and they just wanna do evidence gathering with you, and how does that play out?
Yes. Actually, we encounter that all the time. Right? Again, it boils down to resources internally, and companies that sometimes don't have the time.
Right? So they engage with us because they say, listen, we're preoccupied. We don't have the resources, and we would like to engage with you to just make sure we gather all the evidence that we need in policy and procedure.
So, definitely, we do come across a lot of folks that require those services.
Yeah. And, I would say that's rather typical.
It is. Sometimes they'll be right in the middle of trying to get ready for something like this, and there's some fluidity in the marketplace, and people will actually leave and take another position, which leaves them in quite a lurch sometimes, trying to keep the continuity going with the efforts that they were performing there.
Right. So when it comes to Privaxi's involvement with their environment, some people are concerned. Like, well, I don't know about having an outside party helping me with this.
So we see anything from consulting, if they're very buttoned down on security and they don't like to have a lot of hands-on going on, all the way into read-only access to actually pull evidence.
What would you say the breakdown is with your customers that are doing readiness with you? How many of them even allow read-only access up to that point?
Many. Many allow only read access. Right? Again, the readiness aspect of HITRUST is a very crucial step to set the foundation for a successful certification, Lee.
Right? So our program is extremely flexible. Right? The client can provide us read-only access so we could gather the evidence for them, take the screenshots that are required.
Or they could say, you know what? As long as all the legalities are in place, you guys come in, again, become an extension of our team, and gather all the evidence and implement the technology that they may require. As I mentioned earlier, I started this business as a managed security service provider. Right?
So we have expertise in AWS and Azure internally. So some clients don't understand what they need to enable in Azure or AWS.
So our engagement is all encompassing.
So we do provide those services as we progress through the readiness stage.
Okay. And when it comes to the milestones of a readiness assessment, we start off with kind of predictable steps. Right? So there's a gap. There's an overall understanding of the environment.
There's a review.
Could you walk us through the typical milestones of a readiness assessment?
Well, the first thing that we have to do is create the scoping. Right? We have to understand the scope. Right? And I think it's crucial to mention that you do require to purchase a MyCSF subscription, which actually we'll break down the cost of shortly. Right? So as we engage with the client, the client obtains a MyCSF and we create a scoping.
We do a scoping call to create the actual framework or the object. Right? In this case, there are whole requirements for HITRUST. It's gonna break down the domains and the control requirements.
Right? If it's an e1, again, as we know, it's a static predefined set of controls, right, for the i1 as well. Right? So, once we have the defined scope, then we start collecting their technical requirements as mentioned, which for us is key, to do the technology first, as mentioned, because of the incubation period.
Right? Once we start breaking that down, then we start gathering the evidence for the technology. Right? And we start reviewing the policies and procedures.
Then the breakdown is pretty simple. Do the readiness, estimate a timeline for the readiness to gather all the information. Once we get there, and we have purchased a MyCSF portal, then we select a validation date on which we would like to submit all the evidence, documentation, and technology over to SecurityMetrics. Right?
That validation needs to be defined within the MyCSF subscription, right, or portal. Right? Once that validation is set, we also need to set a QA slot with HITRUST to be submitted. Okay.
Again, you cannot go through the certification process unless you go through a validation firm like SecurityMetrics.
Alright. And so MyCSF, with a subscription from the HITRUST Alliance themselves, is not optional. If you wanna work toward HITRUST certification, you're going to be working in the MyCSF portal. And customers will often ask us, okay, so how much does that cost me? And it's important to note that your readiness and your validation assessors do not bill you for the MyCSF or the QA scheduling with HITRUST. You do that directly with them.
Last January, twenty twenty four, I received some information from them regarding pricing. This could be fluid, so don't hold me to it as of right now, today, in September twenty twenty two.
At least.
Yeah. Yeah. Don't hold me to it. But, basically, they offer a yearly subscription to the MyCSF portal.
It can be probably between sixteen and eighteen thousand dollars. There's some discounting involved that they'll provide you if you choose to do a two-year agreement with them. And then there's also the establishing of the evaluation, or QA, that they will perform on the validation submission that we would perform.
And that QA is an additional cost that you schedule with them: e1 around fifty seven hundred, i1 sixty six fifty, and r2 seventy seven fifty. And this basically pays for their time to review our validation, which brings me to another element. How long does it take after we've submitted it? I hope I'm not jumping ahead. But, basically, when we complete the validation and submit it to them, it can take several weeks for them to do the QA, depending on the load that they have in their queue, as well as whatever questions they might have of the validation assessor regarding evidence, follow-up on things.
So it's not an automatic, we do the validation and you're done. There definitely is a time element where HITRUST picks up the ball at the end and works through the review of that. One thing I might mention here is corrective action plans.
So when you're doing your readiness assessment, you wanna do so in a way that you're cleaning up the landscape of potential corrective action plans, or CAPs, later, by the time the validation is complete. This is another reason why we're so excited to work with Privaxi: so far, our customers have had zero corrective action plans when we're done. When we use a combination of Privaxi for readiness and remediation and SecurityMetrics on the validation, every single one of our customers, as of this date, has had no corrective action plans. So we're pretty proud of that. And it makes for far fewer headaches for the customer as they're working through the next year of maintenance and prepping for their next anniversary on that.
Another question people ask us, Peter, is, is the on-site required, or can everything be achieved remotely when we're doing the validation?
And it's important to know that you do not have a requirement to do an on-site validation.
Occasionally, a customer will ask for some on-site work to be done, but it's very rare. It can all be achieved remotely.
Another thing to understand is that there are certain tools that we use to help you.
We can use your tools, as our customer, or you can achieve great organizational success through some tools that Privaxi provides. What are some of the tools that you provide, Peter, typically, that allow people to collaborate? What would those be?
Collaboration tools. Like, we like to integrate Asana. We use ServerLink for our document repository at times. Right? OneDrive for collaboration documentation, Microsoft Teams as well, just to make sure we have constant communication, and also Slack.
Okay.
Right. So we like to make sure that the client is up to date with everything that's going on, constant communication between both the clients and the validation team, in your case SecurityMetrics, and also the readiness team with Privaxi.
Right? So the client could be up to date with everything that's going on throughout the process on a daily, weekly, and monthly basis.
Yeah. That continuous momentum is really important when teams are pulled in different directions to do things, just running the business day to day. They need to feel continuity going on with their partner. So that's really important.
Another important question to ask is, what happens if we have staff leave during our efforts? And I wanted to kinda highlight the positions that Privaxi provides, like virtual CISO.
We recently were speaking with someone. This just came to mind. Sorry, I just bring it up. But we were recently speaking to somebody, and they lost three, if I remember. Is that right? Three staff members.
And they were like, we're just gonna have to put everything on hold. And what we help them understand is when you actually have a readiness assessor partner like Privaxi, you're literally looking at the ability to add staffing in such a way that we can get the job done for you even if you're running on a skeleton crew in your own company.
Right. And the reason why we partner with SecurityMetrics, Lee, is because we could provide, with our services and yours, the full spectrum of support for the clients.
Right? SecurityMetrics provides pen testing, right, vulnerability testing, forensics, validation, PCI, and much more. We provide direct remediation technology, so the client could feel that, hey, listen, although I don't have the resources or I lost some resources, we have a partner that could provide us the whole spectrum of support. Right?
So, again, we saw a need for this in the market.
We understand that it is a very difficult process at times for clients, and folks are preoccupied with other things that they have to do on a day-to-day basis. Right? That's why we created this model that a lot of folks are gravitating towards, too.
Yeah. And I will say that our customers stay with us because they love us so much. So we have high retention on it.
Like you more than me, Lee.
I don't know.
But we have great continuity with our customers. They come back. Yeah. They're happy with the results of what they're getting.
Another question that people ask us is, who do I engage? We're talking with SecurityMetrics and Privaxi here. Do I have two separate master services agreements, statements of work? How does that work?
Basically, we partner together, and all of the legal documentation you'll receive will come from SecurityMetrics. That will include everything: statement of work, one single master services agreement, a carve-out for you to obtain full ownership rights to any intellectual property that is developed for you by Privaxi, everything. Billing, invoicing, all comes through SecurityMetrics, so you don't have to worry about managing two vendors in this effort. Another question people ask us about is, so I get this HITRUST validation certification.
Can that translate into other certifications? What else can I get? It's important to note that if you're doing the r2, you're just a short set of steps away from the NIST 800-53. You can get that done.
A lot of the heavy lifting's already done in the HITRUST r2 assessments, so that the 800-53 is not a super daunting task. Also, the ISO 27001 is very achievable after obtaining the HITRUST r2 assessments.
Well, SOC 2 as well. We have a lot of folks cross-reference a lot of those controls of SOC.
PCI. Mhmm.
We have a lot of cross-referencing as well, for endpoint protection, certainly when it comes to technology. Right? So there's a lot you can achieve, cross-reference, when you achieve the HITRUST certification.
Because, again, like I mentioned earlier, it is the gold standard of compliance. Right? Because it's so robust, and it covers so much.
Mhmm.
Another thing that people will experience when they're just contemplating doing the HITRUST is they may not like the footprint of their technology at the given moment of contemplation of this, and they may wanna go to cloud. That's another reason to have our team helping you, because Privaxi's team is fully certified in helping with inheritances with AWS, Azure, Google Cloud, advising, helping people make sure that they leverage everything that's there so you don't have to reinvent the wheel on your efforts going into the cloud.
Another thing to mention is HITRUST just, I believe, last week, so we're talking September twenty twenty four, mentioned that there's a new add-on for the i1, which is the middle tier of the validation choices you can make with HITRUST, where they're adding the HIPAA Security Rule and the HIPAA Privacy Rule. You can add that into your i1 and make that even more effective in what you're trying to achieve if you're in the HIPAA space. That's something we wanted to make sure and mention, because in the past, people have said, well, I really need the r2, but I don't know if I'm ready for it. I need that, but I guess I could do the i1. Well, the i1 is becoming more versatile, so that might be a more viable choice for you in the future.
Another question we get is, what if we have significant changes at the completion of our validation?
What happens?
I know customers have come to you, Peter, in the past where they've made some significant changes.
There's a process. Right? Would you like to talk about that a little bit, Peter?
Well, if there are some changes, then, again, we identify those changes. And if it's significant enough, then we have to notify HITRUST to make sure that they are aware of the changes. And if it's a significant change, then most likely we have to undergo a reassessment of those changes. Right? So, again, make sure that we specify the changes that were being done and then try to assess as much as we can. I mean, again, that's not to say you're gonna have to do everything all over again, but a significant part of that change needs to be documented, assessed, and submitted to HITRUST.
Yeah. And it's important to note that we wanna include HITRUST themselves in this conversation, because we don't want to overspeak or overestimate what is and isn't possible if significant changes have occurred. We were recently speaking with someone who was going through a merger acquisition while they were doing their validation. And, like, what happens? What do we do? And the safest thing to do there is definitely involve HITRUST in the conversation, because we wouldn't want to give you advice that HITRUST would slightly disagree with or even significantly disagree with. So we have our inclination of understanding of what would occur there, but we wanna definitely bring HITRUST into the conversation, because they're the authoritative voice.
That is correct.
Mhmm. So another question people ask after they've completed it: our customers come to know a certain level of service and assurance after working with us on their validation.
There's something that they could do afterwards to keep their certification fresh throughout the year, keeping their preparations up to date. Would you talk a little bit about that, Peter? You have a service that specifically addresses this.
Yeah. We established a service. It's called the CAMP, and CAMP stands for continuous assurance management program.
As we know, Lee, we've discussed this many times. Security is a point-in-time certification. Right? So once you get certified, you know, the next day something could change.
Right? So how do we know that we are going to be buttoned up for the next year, right, once HITRUST comes calling again and we have to go do the reassessment or the interim assessment or maybe the revalidation the second year? Right? So the program was designed to determine tasks that need to get done throughout the year, on a monthly basis, on a quarterly basis, right, to make sure that we keep our information security management program up to date.
Right? So CAMP was assigned to work with the clients to make sure that the audits are getting done, the offboarding is getting done properly, and the onboarding, the security awareness of the staff. Make sure that you're monitoring those logs. Make sure that you're doing your vulnerability testing.
Make sure you're doing your pen testing.
Things that can affect your recertification. So that's why CAMP was established, again with, you know, the point of view of assisting those folks that don't have the time to really maintain this program and keep it updated. We come in there on a monthly basis, and we make sure that everything gets locked. We work with the business. Again, we become an extension of the organization throughout the year.
That's great. And so it's important to know that you really do have a partner when you come with SecurityMetrics and Privaxi as the partner in your achieving, whether it's penetration testing, vulnerability assessment scanning, policies and procedures development and writing, review of your technology, keeping it fresh, and, obviously, getting into the MyCSF portal with HITRUST and doing the validation, getting your certification.
We're very confident with the process that we have in place, and we're very happy with the results that we achieve.
Well, Peter, we thank you for coming on board today and talking with us a little bit about this. And we're excited to provide scoping exercises for our customers that contact us through our website. You can reach out to us, and we'll help you understand a little bit better how this all applies specifically to your company's needs. We can provide a specific quote and help you understand a timeline so that you can get some traction on these next efforts that you need to go after. Thank you for your time today, and we'll wrap this up now. Thanks, Peter.
Thank you for having me. Take care. Hang on.