HITRUST releases Threat Catalogue to improve risk management

HITRUST is releasing its Threat Catalogue to provide organizations with visibility into the threats and risks targeting their information, assets and operations. In addition to helping organizations understand the threats targeting their organization and their associated risks, the Threat Catalogue also identifies the technical, physical and administrative controls needed to address these risks. This improves an organization’s visibility into how it manages threats and better enables management to prioritize security programs and align budgets and resources.

Identifying threats is a component of a risk analysis process for any organization seeking to protect their sensitive data. Following an asset inventory, information classification, and system categorization, the threat identification process helps determine what adverse events are relevant to the organization and must be controlled. For example, the frequency of ransomware intrusions required organizations – of all types and sizes – to re-examine their controls around data backup and restoration and ensure they could recover their data if such an attack occurred.

“Unfortunately, a comprehensive threat list that could support risk analysis and help organizations better understand and mitigate threats to sensitive information was essentially unavailable,” says Dr. Bryan Cline, vice president of standards and analytics at HITRUST. “Given its significance to the risk management process, we invested years identifying a complete set of threats at a level consistent with the controls used to address them.”

The HITRUST Threat Catalogue will be available free of charge and becomes an integral part of HITRUST’s risk management and compliance suite. It will help organizations ease the burden of analyzing and managing security and privacy risk by mapping these threats directly to the controls in the HITRUST CSF framework. By ensuring organizations can identify threats to their sensitive information, assets and operations, they can prioritize and focus on controls that are relevant to them, and in turn, reduce risk.

The Threat Catalogue will also be used to help ensure the HITRUST CSF remains current and relevant to the changing environment by linking requirements to active threat intelligence. A thorough understanding of how well the CSF controls address existing and emerging threats will help HITRUST identify new control requirements or enhancements to requirements that may be needed to further mitigate associated risk.

In addition to mapping specific threats to controls used to limit organization’s exposure to risk, the catalogue also provides mappings to threat lists from other frameworks, such as the National Institute of Standards and Technology (NIST) Special Publication 800-30 and the European Network and Information Security Agency (ENISA) Threat Taxonomy.

HITRUST will update the Threat Catalogue regularly alongside the HITRUST CSF. This early release of the HITRUST Threat Catalogue allows public and private sector organizations to provide feedback prior to the document’s general release.

HITRUST risk management and compliance suite

Designed to leverage and integrate the components for information risk management and compliance program – including a privacy and security framework, a scalable and transparent assurance program, catalogue of threats, shared security control responsibility assignment and assurance, an assessment and corrective action plan management platform, a third-party risk management process, and an assessment exchange.

The HITRUST Suite offers organizations an integrated, updated and supported approach for information risk management and compliance which includes the following HITRUST programs and services – HITRUST CSF, HITRUST CSF Assurance, HITRUST Assessor Program, HITRUST Threat Catalogue, HITRUST Shared Responsibility Program, HITRUST MyCSF, HITRUST Third Party Assurance Program and the HITRUST Assessment XChange.