HITRUST, a leading data protection standards development and certification organization, continues to expand and enhance its services and support in the Asia Pacific region as part of a global information protection approach to streamline information risk management and compliance for organizations of any type, size, or geography delivering services locally, nationally, or internationally.
This strategy builds on the HITRUST Approach and the vision of One Framework, One Assessment, Globally.
To accomplish this important global objective, HITRUST is announcing several activities:
- Establishing the Asia Advisory Council and releasing a call for member nominations
- Updating the HITRUST CSF framework with additional Asia-specific authoritative sources
- Supporting data localization within HITRUST MyCSF
- Submitting an application to be an Accountability Agent under the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules System (CBPRS) and Privacy Recognition for Processors System (PRPS)
HITRUST Asia Advisory Council
The members selected will have extensive experience in security, privacy, and/or risk management, as well as an understanding of security and privacy laws and standards relevant to organizations conducting business in Asia.
Council seats will be available for organizations from industry, government, or academia in the region. The creation of the Asia Advisory Council ensures that the HITRUST Approach remains current and relevant to the needs of the HITRUST community in Asia.
HITRUST CSF framework with additional Asia-specific authoritative sources
The HITRUST CSF currently contains 44 authoritative sources covering various privacy and security standards and laws, including Singapore’s PDPA.
HITRUST has committed to incorporating additional sources that align in these three areas: data privacy, banking and financial services, and cybersecurity/IT. HITRUST will work with the Asia Advisory Council to identify and prioritize additional standards and laws for future inclusion.
These Asia-specific authoritative sources will be introduced in three phases:
- Phase 1 will include data privacy regulations. In addition to Singapore’s PDPA, we will introduce Hong Kong’s Personal Data Privacy Ordinance (PDPO), Malaysia’s Personal Data Protection Act 2010, and the Philippines’ Data Privacy Act of 2012 in the HITRUST CSF version 10.
- Phase 2 will include banking and financial services regulations. This will include Singapore’s Monetary Authority of Singapore (MAS) Technology Risk Guidelines, Malaysia’s Bank Negara Malaysia Risk Management in Technology (RMIT), Hong Kong’s Monetary Authority (HKMA) General Principles for Technology Risk Management, the Philippines’ Bangko Sentral Guidelines on Information Technology Risk Management for all Banks and other BSP-supervised Institutions, and Indonesia’s Financial Services Authority Risk Management in Use of Information Technology Banks 2017 Circular.
- Phase 3 will include cybersecurity/IT focused regulations, such as Singapore’s Cybersecurity Act (CSA) and GovTech requirements.
HITRUST MyCSF data localization
The MyCSF platform is being enhanced to enable subscribers to specify the locale(s) in which their data resides, which will include locales in Asia. This is important not only for an organization’s sense of security, but also to comply with any relevant data localization requirements.
Accountability Agent for Asia-Pacific Economic Cooperation (APEC)
HITRUST has submitted an application to become an Accountability Agent for the CBPRS and PRPS, which allows HITRUST organizations to demonstrate compliance with these key data transfer rules as part of their HITRUST CSF Validated Report. The global economy runs on data, and being able to appropriately transfer personal data across borders is critical to success.
HITRUST is committed to increasing risk management, privacy, and security globally
HITRUST is committed to ensuring that businesses of all sizes have access to the world’s most comprehensive and globally-relevant information protection framework and services, giving them the ability to demonstrate the breadth and strength of their information risk management and mitigation programs to third-party vendors and stakeholders.
As the volume of data being shared internationally increases, so does the need for a scalable, integrated, and mature information protection framework and assurance program that is recognized internationally.
“The mass adoption of data protection laws and increased need for heightened security postures around the world make information protection a key aspect of participating in the global economy,” says Anne Kimbol, Assistant General Counsel and Chief Privacy Officer, HITRUST.
“The HITRUST CSF and CSF Assurance Program address information risk management and relevant regulatory requirements through a single integrated approach that documents an organization’s information risk management program in a way that can be shared with customers, authorities, and other stakeholders efficiently.”
HITRUST offers organizations a cost-effective, streamlined framework and solution with the ability to incorporate information protection, risk management, and regulatory requirements as necessary on a global scale. As international business ecosystems grow, HITRUST remains focused on securing the future of the digital world™.
“HITRUST is taking a focused approach to our Asia engagement to better assist organizations in the region in addressing their global information risk management and compliance priorities, increasing our already growing momentum in the market relating to CSF adoption, assessments and training,” explained Steve Baram, Senior Vice President, HITRUST.
“As the global privacy and security landscape expands, so will HITRUST’s framework and services.”