CSF Roadmap 2015 and Beyond Presented By Bryan S. Cline, Presented For HITRUST


Page 1: CSF Roadmap 2015 and Beyond

CSF Roadmap 2015 and Beyond

Presented By Bryan S. Cline, Ph.D.

Presented For HITRUST

Page 2: CSF Roadmap 2015 and Beyond


Introduction

Information Security Implementation Manual

Compliance Reporting System

U.S. Healthcare Industry Implementation Standards

Control Objectives (Primary Ref: ISO/IEC 27002:2005 & ISO/IEC 27001:2005)

Self Assessment Process

Certification Process

Standards and Regulations Cross Reference Matrix

HITRUST NIST COBIT HIPAA

Control 1 X X

Control 2 X X

Control 3 X

Standards and Materials Leveraged

HIPAA/HITECH

HITRUST member experience

NIST 800 Series

CMS

The Joint Commission

Others

FTC Red Flags

Mass. 201 CMR 17.00

Page 3: CSF Roadmap 2015 and Beyond

Outline

Page 4: CSF Roadmap 2015 and Beyond

2014 CSF v6

• NIST SP 800-53 r4 (Apr 2013 FPD)
• CMS IS ARS v1.5 (2012)
• NIST-CMS Harmonization (Publication Updates)
• Title 1 TX Admin. Code 390.2 (TX Standards),

– Privacy requirements to support TX certification of the HIPAA Privacy Rule

– Dozens of other federal and state legislation and regulations related to the protection of health information

Page 5: CSF Roadmap 2015 and Beyond

Something new – 2014 CSF v6.1

• PCI-DSS v3.0 (2013)
• HIPAA Omnibus Rule (2013)
• ISO/IEC 27001:2013 (2013)
• ISO/IEC 27002:2013 (2013)
• NIST Cybersecurity Framework v1 (2014)

Page 6: CSF Roadmap 2015 and Beyond

Something new – 2014 CSF v6.2

• Minimum Acceptable Risk Safeguards–Exchanges (MARS-E) (2012)
  – Catalog of Minimum Acceptable Risk Controls for Exchanges v1 (2012)
  – Includes references to IRS Pub 1075 requirements for FTI, which also supports TX Covered Entity Privacy & Security Certification requirements

• NIST HSR Toolkit v1 (2011)
  – Unknown if NIST plans to update the tool

• OCR Audit Protocol v2 (2014)
  – When released
  – May also impact CSF Assurance Program

Page 7: CSF Roadmap 2015 and Beyond

2015 CSF v7 and beyond …

• Considering COBIT 5, but …

Page 8: CSF Roadmap 2015 and Beyond

See you in 2015!

Page 9: CSF Roadmap 2015 and Beyond

Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP
HITRUST Advisor

[email protected]