Cybersecurity Framework
Status:
Final
Informative Reference Version:
1.0.0
Focal Document Version:
1.1
Summary:
A mapping of Cybersecurity Framework version 1.1 Core Subcategories to HITRUST CSF v9.3.1 control references.
Target Audience:
All industries and subsectors, U.S. or international.
Comprehensive:
Yes
Comments:
The HITRUST CSF is a highly tailored, industry-level overlay of the NIST SP 800-53 moderate impact control baseline structured on ISO 27001:2005 Appendix A. Additional baselines of the overlay may be generated based on an entity's organizational, system and regulatory risk factors.
Point of Contact:
Bryan Cline +1 469-269-1118 bryan.cline@hitrustalliance.org
Category of Submitter:
Private Sector
Dependencies/Requirements:
Citations:
16 CFR Part 681 – Identity Theft Red Flags
201 CMR 17.00 – State of Massachusetts Data Protection Act: Standards for the Protection of Personal Information of Residents of the Commonwealth
American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria: Security, Confidentiality and Availability
California Civil Code § 1798.81.5(b) (mapped to CIS CSC v6): CA Attorney General Interpretation of “Reasonable Security Procedures”
Center for Internet Security (CIS) Critical Security Controls (CSC) v6: Critical Security Controls for Effective Cyber Defense
Cloud Security Alliance (CSA) Cloud Controls Matrix Version 1.1
CMS Information Security ARS 2013 v2: CMS Minimum Security Requirements for High Impact Data
COBIT 4.1 (with associated mappings to COBIT 5): Deliver and Support Section 5 – Ensure Systems Security
Department of Homeland Security (DHS) Critical Resilience Review (CRR)
EU General Data Protection Regulation (GDPR)
Federal Register 21 CFR Part 11: Electronic Records; Electronic Signatures
Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements
Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook – Information Security, September 2016
Federal Risk and Authorization Management Program (FedRAMP)
Health Information Trust Alliance (HITRUST) De-Identification (De-ID) Framework: De-identification Controls Assessment (DCA)
HIPAA – Federal Register 45 CFR Part 164, Subpart C: HIPAA Administrative Simplification: Security Standards for the Protection of Electronic Protected Health Information (Security Rule)
HIPAA – Federal Register 45 CFR Part 164, Subpart D: HIPAA Administrative Simplification: Notification in the Case of Breach of Unsecured Protected Health Information (Breach Notification Rule)
HIPAA – Federal Register 45 CFR Part 164, Subpart E: HIPAA Administrative Simplification: Privacy of Individually Identifiable Health Information (Privacy Rule)
IRS Publication 1075 v2014: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for protecting Federal Tax Returns and Return Information
ISO/IEC 27001:2005: Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC 27001:2013: Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC 27002:2005: Information technology – Security techniques – Code of practice for information security management
ISO/IEC 27002:2013: Information technology – Security techniques – Code of practice for information security controls
ISO/IEC 27799:2008: Health informatics – Information security management in health using ISO/IEC 27002
Joint Commission (formerly the Joint Commission on the Accreditation of Healthcare Organizations, JCAHO)
MARS-E v2.0: Catalog of Minimum Acceptable Risk Controls for Exchanges – Exchange Reference Architecture Supplement
New York State Department of Financial Services – Title 23 NYCRR Part 500
NIST Framework for Improving Critical Infrastructure Cybersecurity v1.0: Framework Core – Subcategories
NIST Special Publication 800-53 Revision 4 (Final), including Appendix J – Privacy Control Catalog: Security Controls for Federal Information Systems and Organizations
NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NRS: Chapter 603A – State of Nevada: Security of Personal Information
Office of Civil Rights (OCR) Audit Protocol April 2016 – HIPAA Security Rule
Payment Card Industry (PCI) Data Security Standard Version 3.2: Information Management (IM) Standards, Elements of Performance, and Scoring
Personal Data Protection Act 2012 (PDPA)
Precision Medicine Initiative Data Security Policy Principles and Framework v1.0: Achieving the Principles through a Precision Medicine Initiative Data Security Policy Framework
Texas Health and Safety Code § 181 – State of Texas: Texas Medical Records Privacy Act
Title 1 Texas Administrative Code § 390.2 – State of Texas: Standards Relating to the Electronic Exchange of Health Information
Reference Document Author:
Reference Document:
HITRUST CSF v9.3.1
Reference Document Date:
11/01/2019
Reference Document URL:
https://hitrustalliance.org/csf-license-agreement
Reference Developer:
HITRUST Alliance; Standards
Posted Date:
March 10, 2020