HITRUST is pioneering a new approach to infosec control maturity scoring

HITRUST, a leading data protection standards development and certification organization, announced a new initiative to incentivize information security teams working towards better information security control maturity.

HITRUST also disclosed findings confirming that control maturity scoring is a valid method of evaluating and predicting ongoing control effectiveness and residual information risk.

Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above a HITRUST CSF maturity level of 79, there is a 99 percent likelihood these controls will continue to operate in a similar manner going forward.

This finding is significant in two ways: CSF Assessments above a maturity score of 79 are prospective, and organizations with higher HITRUST CSF maturity scores have fewer control failures, posing less risk to their customers.

As part of the new initiative, HITRUST is updating its CSF Assurance program with guidance on what qualifies as mature information security control scores.

HITRUST is also offering more flexibility for organizations that have obtained CSF control maturity by extending the period between CSF Assessments and giving organizations incentives and credit for implementing an effective continuous monitoring program.

Conversely, those organizations that demonstrate a low level of information security control maturity, typically implementation level or a CSF maturity score below 79, will undergo annual CSF Assessments.

“HITRUST is pioneering a new approach to control maturity scoring,” said Kevin Charest, divisional vice president and chief information security officer, Health Care Service Corporation.

“These updates to the CSF Assurance program will continue to support organizations who are striving to enhance their information security programs by achieving higher levels of control maturity and making improved, risk-based decisions that help enhance security frameworks and meet their stakeholders’ information risk management needs.”

While information control maturity scores are integral to understanding control effectiveness, that is only the case when the scores are accurate and reliable, based on a comprehensive methodology, such as the HITRUST CSF Assurance and Assessor programs.

HITRUST is unique and has been a leader with its assurance program having incorporated control maturity for the last 12 years along with annual updates and enhancements to improve its accuracy, consistency and quality.

“The HITRUST CSF, and CSF Assurance programs, were designed to provide transparency, integrity, consistency and ultimately ‘rely-ability’ of maturity scores in the CSF Assessment Report,” said Bryan Cline, chief research officer, HITRUST. “This additional guidance should provide further incentives for organizations to increase their CSF maturity scores.”

The failure of security controls in recent high-profile breaches highlights the importance and urgency of the problem, re-emphasizing why self-attestations, rudimentary third-party assessments, and reputational risk evaluation scoring methods are limited, often inaccurate and subjective while not providing a means to evaluate or predict future control effectiveness.

“We see the use of information security control maturity scores as a driver for internal discussions on risk tolerance and external discussions for requirements on third-party vendors, as well as with cyber insurance underwriters as the basis for coverage and premiums,” said Michael Parisi, vice president of assurance strategy & community development, HITRUST.

HITRUST intends to formally release the program updates in 2020, which will include changes to the CSF, CSF Assurance, and the MyCSF platform.