HITRUST CSF

Summary

HITRUST CSF is both risk- and compliance-based, so organizations with different risk profiles can tailor their security and privacy control baselines. It is designed around data protection compliance and the difficulty of assembling and maintaining several overlapping programs. To that end, it provides the structure, transparency, guidance and cross-references to authoritative sources that organizations need to check their data protection compliance, together with an approach for keeping the components aligned, maintained and comprehensive. The version used in this section is HITRUST CSF v9.6.0. The table below maps each HITRUST CSF control (the "Definition" column) to the Fluid Attacks requirements that address it.

Definitions

Definition
    Requirements

01_a. Access control policy
    331. Guarantee legal compliance
01_c. Privilege management
    033. Restrict administrative access
    034. Manage user accounts
    035. Manage privilege modifications
    095. Define users with privileges
    096. Set user's required privileges
01_d. User password management
    126. Set a password regeneration mechanism
    129. Validate previous passwords
    130. Limit password lifespan
    131. Deny multiple password changing attempts
    133. Passwords with at least 20 characters
    136. Force temporary password change
    137. Change temporary passwords of third parties
    138. Define lifespan for temporary passwords
    209. Manage passwords in cache
    238. Establish safe recovery
    332. Prevent the use of breached passwords
    367. Proper generation of temporary passwords
    380. Define a password management tool
01_e. Review of user access rights
    315. Provide processed data information
01_h. Clear desk and clear screen policy
    176. Restrict system objects
    221. Disconnect unnecessary input devices
    340. Use octet stream downloads
01_i. Policy on the use of network services
    250. Manage access points
    253. Restrict network access
    257. Access based on user credentials
01_j. User authentication for external connections
    092. Use externally signed certificates
    262. Verify third-party components
    284. Define maximum number of connections
    324. Control redirects
    330. Verify Subresource Integrity
01_k. Equipment identification in networks
    232. Require equipment identity
    351. Assign unique keys to each device
01_l. Remote diagnostic and configuration port protection
    154. Eliminate backdoors
    249. Locate access points
    250. Manage access points
    255. Allow access only to the necessary ports
    284. Define maximum number of connections
01_m. Segregation in networks
    259. Segment the organization network
01_n. Network connection control
    033. Restrict administrative access
    249. Locate access points
    257. Access based on user credentials
    284. Define maximum number of connections
01_o. Network routing control
    249. Locate access points
    250. Manage access points
    320. Avoid client-side control enforcement
01_p. Secure log-on procedures
    377. Store logs based on valid regulation
    378. Use of log management system
01_q. User identification and authentication
    096. Set user's required privileges
    143. Unique access credentials
    264. Request authentication
01_r. Password management system
    380. Define a password management tool
01_t. Session time-out
    023. Terminate inactive user sessions
    031. Discard user session data
01_u. Limitation of connection time
    072. Set maximum response time
    236. Establish authentication time
    369. Set a maximum lifetime in sessions
01_v. Information access restriction
    176. Restrict system objects
    265. Restrict access to critical processes
    280. Restrict service root directory
01_w. Sensitive system isolation
    159. Obfuscate code
    180. Use mock data
    265. Restrict access to critical processes
    374. Use of isolation methods in running applications
01_x. Mobile computing and communications
    205. Configure PIN
    229. Request access credentials
    264. Request authentication
    336. Disable insecure TLS versions
    351. Assign unique keys to each device
01_y. Teleworking
    153. Out of band transactions
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions
    338. Implement perfect forward secrecy
02_d. Management responsibilities
    302. Declare dependencies explicitly
    331. Guarantee legal compliance
03_a. Risk management program development
    075. Record exceptional events in logs
    161. Define secure default options
    262. Verify third-party components
    266. Disable insecure functionalities
04_a. Information security policy document
    331. Guarantee legal compliance
05_c. Allocation of information security responsibilities
    095. Define users with privileges
05_d. Authorization process for information assets and facilities
    314. Provide processing confirmation
    315. Provide processed data information
05_i. Identification of risks related to external parties
    262. Verify third-party components
05_k. Addressing security in third party agreements
    033. Restrict administrative access
    137. Change temporary passwords of third parties
    142. Change system default credentials
    155. Application free of malicious code
    161. Define secure default options
    178. Use digital signatures
    302. Declare dependencies explicitly
    316. Allow rectification requests
    318. Notify third parties of changes
06_a. Identification of applicable legislation
    331. Guarantee legal compliance
06_b. Intellectual property rights
    331. Guarantee legal compliance
06_c. Protection of organizational records
    075. Record exceptional events in logs
    080. Prevent log modification
    377. Store logs based on valid regulation
06_d. Data protection and privacy of covered information
    176. Restrict system objects
    178. Use digital signatures
    181. Transmit data using secure protocols
    185. Encrypt sensitive information
    300. Mask sensitive data
    305. Prioritize token usage
    365. Avoid exposing technical information
06_f. Regulation of cryptographic controls
    147. Use pre-existent mechanisms
    224. Use secure cryptographic mechanisms
    331. Guarantee legal compliance
06_g. Compliance with security policies and standards
    331. Guarantee legal compliance
07_b. Ownership of assets
    077. Avoid disclosing technical information
    096. Set user's required privileges
08_b. Physical entry controls
    229. Request access credentials
    231. Implement a biometric verification component
    232. Require equipment identity
    235. Define credential interface
    237. Ascertain human interaction
08_c. Securing offices, rooms and facilities
    249. Locate access points
    250. Manage access points
    255. Allow access only to the necessary ports
    257. Access based on user credentials
08_f. Public access, delivery and loading areas
    249. Locate access points
    250. Manage access points
    257. Access based on user credentials
08_g. Equipment siting and protection
    213. Allow geographic location
    249. Locate access points
    250. Manage access points
09_c. Segregation of duties
    096. Set user's required privileges
    176. Restrict system objects
    186. Use the principle of least privilege
    341. Use the principle of deny by default
09_d. Separation of development, test and operational environments
    159. Obfuscate code
    180. Use mock data
    265. Restrict access to critical processes
    374. Use of isolation methods in running applications
09_e. Service delivery
    155. Application free of malicious code
    161. Define secure default options
    262. Verify third-party components
    314. Provide processing confirmation
    315. Provide processed data information
    317. Allow erasure requests
09_f. Monitoring and review of third-party services
    142. Change system default credentials
    302. Declare dependencies explicitly
09_g. Managing changes to third party services
    137. Change temporary passwords of third parties
    316. Allow rectification requests
    318. Notify third parties of changes
09_h. Capacity management
    083. Avoid logging sensitive data
    177. Avoid caching and temporary files
    322. Avoid excessive logging
    323. Exclude unverifiable files
09_i. System acceptance
    331. Guarantee legal compliance
09_j. Controls against malicious code
    039. Define maximum file size
    041. Scan files for malicious code
    115. Filter malicious emails
    155. Application free of malicious code
    340. Use octet stream downloads
09_k. Controls against mobile code
    205. Configure PIN
09_m. Network controls
    077. Avoid disclosing technical information
    147. Use pre-existent mechanisms
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
    251. Change access point IP
    252. Configure key encryption
    253. Restrict network access
    255. Allow access only to the necessary ports
    257. Access based on user credentials
    259. Segment the organization network
09_p. Disposal of media
    183. Delete sensitive data securely
    360. Remove unnecessary sensitive information
    375. Remove sensitive data from client-side applications
09_q. Information handling procedures
    314. Provide processing confirmation
    315. Provide processed data information
    329. Keep client-side storage without sensitive data
09_r. Security of system documentation
    095. Define users with privileges
    096. Set user's required privileges
    176. Restrict system objects
09_s. Information exchange policies and procedures
    030. Avoid object reutilization
    145. Protect system cryptographic keys
    147. Use pre-existent mechanisms
    206. Configure communication protocols
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions
    338. Implement perfect forward secrecy
09_v. Electronic messaging
    032. Avoid session ID leakages
    160. Encode system outputs
    206. Configure communication protocols
    348. Use consistent encoding
09_x. Electronic commerce services
    325. Protect WSDL files
09_y. On-line transactions
    084. Allow transaction history queries
    145. Protect system cryptographic keys
    147. Use pre-existent mechanisms
    153. Out of band transactions
    174. Transactions without a distinguishable pattern
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
    300. Mask sensitive data
    335. Define out of band token lifespan
    346. Use initialization vectors once
09_z. Publicly available information
    045. Remove metadata when sharing files
    261. Avoid exposing sensitive information
    364. Provide extended validation (EV) certificates
09_aa. Audit logging
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    376. Register severity level
09_ab. Monitoring system use
    077. Avoid disclosing technical information
    080. Prevent log modification
    083. Avoid logging sensitive data
    322. Avoid excessive logging
    377. Store logs based on valid regulation
    378. Use of log management system
09_ac. Protection of log information
    046. Manage the integrity of critical files
    080. Prevent log modification
09_ad. Administrator and operator logs
    046. Manage the integrity of critical files
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
09_af. Clock synchronization
    079. Record exact occurrence time of events
    363. Synchronize system clocks
10_b. Input data validation
    173. Discard unsafe inputs
    342. Validate request parameters
10_c. Control of internal processing
    122. Validate credential ownership
    330. Verify Subresource Integrity
    364. Provide extended validation (EV) certificates
    373. Use certificate pinning
10_d. Message integrity
    030. Avoid object reutilization
    062. Define standard configurations
    145. Protect system cryptographic keys
    147. Use pre-existent mechanisms
    178. Use digital signatures
    224. Use secure cryptographic mechanisms
    321. Avoid deserializing untrusted data
10_e. Output data validation
    160. Encode system outputs
    348. Use consistent encoding
10_f. Policy on the use of cryptographic controls
    147. Use pre-existent mechanisms
    224. Use secure cryptographic mechanisms
10_g. Key management
    145. Protect system cryptographic keys
    146. Remove cryptographic keys from RAM
    148. Set minimum size of asymmetric encryption
    149. Set minimum size of symmetric encryption
    151. Separate keys for encryption and signatures
    223. Uniform distribution in random numbers
    346. Use initialization vectors once
    361. Replace cryptographic keys
    370. Use OAEP padding with RSA
    371. Use GCM Padding with AES
    372. Proper Use of Initialization Vector (IV)
10_i. Protection of system test data
    171. Remove commented-out code
    180. Use mock data
10_j. Access control to program source code
    051. Store source code in a repository
    096. Set user's required privileges
    158. Use a secure programming language
    159. Obfuscate code
    161. Define secure default options
10_l. Outsourced software development
    262. Verify third-party components
11_a. Reporting information security events
    313. Inform inability to identify users
13_a. Privacy notice
    189. Specify the purpose of data collection
    311. Demonstrate user consent
    314. Provide processing confirmation
    315. Provide processed data information
13_b. Openness and transparency
    314. Provide processing confirmation
    315. Provide processed data information
13_c. Accounting of disclosures
    314. Provide processing confirmation
    315. Provide processed data information
13_d. Consent required
    189. Specify the purpose of data collection
    310. Request user consent
13_e. Choice
    312. Allow user consent revocation
13_f. Principal access
    084. Allow transaction history queries
    085. Allow session history queries
13_g. Purpose legitimacy
    331. Guarantee legal compliance
13_h. Purpose specification
    315. Provide processed data information
13_j. Data minimization
    360. Remove unnecessary sensitive information
13_k. Use and disclosure
    173. Discard unsafe inputs
    300. Mask sensitive data
13_l. Retention and disposal
    183. Delete sensitive data securely
    360. Remove unnecessary sensitive information
13_m. Accuracy and quality
    310. Request user consent
    315. Provide processed data information
    316. Allow rectification requests
    318. Notify third parties of changes
    326. Detect rooted devices
    360. Remove unnecessary sensitive information
13_n. Participation and redress
    301. Notify configuration changes
    316. Allow rectification requests
13_s. Privacy monitoring and auditing
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    085. Allow session history queries
    376. Register severity level
    377. Store logs based on valid regulation