CSF Roadmap 2015 and Beyond
Presented By: Bryan S. Cline, Ph.D.
Presented For: HITRUST
Feb 15, 2016
Page 2
Introduction
Information Security Implementation Manual
Compliance Reporting System
U.S. Healthcare Industry Implementation Standards
Control Objectives (Primary Ref: ISO/IEC 27002:2005 & ISO/IEC 27001:2005)
Self Assessment Process
Certification Process
Standards and Regulations Cross Reference Matrix
HITRUST NIST COBIT HIPAA
Control 1 X X
Control 2 X X
Control 3 X
Standards and Materials Leveraged
HIPAA/HITECH
HITRUST member experience
NIST 800 Series
CMS
The Joint Commission
Others
FTC Red Flags
Mass. 201 CMR 17.00
Page 3
Outline
Page 4
2014 CSF v6
• NIST SP 800-53 r4 (Apr 2013 FPD)
• CMS IS ARS v1.5 (2012)
• NIST-CMS Harmonization (Publication Updates)
• Title 1 TX Admin. Code 390.2 (TX Standards)
– Privacy requirements to support TX certification of the HIPAA Privacy Rule
– Dozens of other federal and state legislation and regulations related to the protection of health information
Page 5
Something new – 2014 CSF v6.1
• PCI-DSS v3.0 (2013)
• HIPAA Omnibus Rule (2013)
• ISO/IEC 27001:2013 (2013)
• ISO/IEC 27002:2013 (2013)
• NIST Cybersecurity Framework v1 (2014)
Page 6
Something new – 2014 CSF v6.2
• Minimum Acceptable Risk Safeguards–Exchanges (MARS-E) (2012)
– Catalog of Minimum Acceptable Risk Controls for Exchanges v1 (2012)
– Includes references to IRS Pub 1075 requirements for FTI, which also supports TX Covered Entity Privacy & Security Certification requirements
• NIST HSR Toolkit v1 (2011)
– Unknown if NIST plans to update the tool
• OCR Audit Protocol v2 (2014)
– When released
– May also impact CSF Assurance Program
Page 7
2015 CSF v7 and beyond …
• Considering COBIT 5, but …
Page 8
See you in 2015!
Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP
HITRUST Advisor