Download Informative Reference Resource

https://hitrustalliance.org/nist-olir-program

Status:
Final

Informative Reference Version:
1.0.0

Focal Document Version:
1.1

Summary:
A mapping of Cybersecurity Framework version 1.1 Core Subcategories to HITRUST CSF v9.3.1 control references.

Target Audience:
All industries and subsectors, U.S. or international.

Comprehensive:
Yes

Comments:
The HITRUST CSF is a highly tailored, industry-level overlay of the NIST SP 800-53 moderate impact control baseline structured on ISO 27001:2005 Appendix A. Additional baselines of the overlay may be generated based on an entity's organizational, system and regulatory risk factors.

Point of Contact:
Bryan Cline +1 469-269-1118 bryan.cline@hitrustalliance.org

Category of Submitter:
Private Sector

Dependencies/Requirements:

Citations:
16 CFR Part 681 – Identity Theft Red Flags 201 CMR 17.00 – State of Massachusetts Data Protection Act: Standards for the Protection of Personal Information of Residents of the Commonwealth American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria: Security, Confidentiality and Availability California Civil Code § 1798.81.5(b) (mapped to CIS CSC v6): CA Attorney General Interpretation of “Reasonable Security Procedures” Center for Internet Security (CIS) Critical Security Controls (CSC) v6: Critical Security Controls for Effective Cyber Defense Cloud Security Alliance (CSA) Cloud Controls Matrix Version 1.1 CMS Information Security ARS 2013 v2: CMS Minimum Security Requirements for High Impact Data COBIT 4.1 (with associated mappings to COBIT 5): Deliver and Support Section 5 – Ensure Systems Security Department of Homeland Security (DHS) Critical Resilience Review (CRR) EU General Data Protection Regulation (GDPR) Federal Register 21 CFR Part 11: Electronic Records; Electronic Signatures Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook – Information Security, September 2016 Federal Register 21 CFR Part 11: Electronic Records; Electronic Signatures Federal Risk and Authorization Management Program (FedRAMP) Health Information Trust Alliance (HITRUST) De-Identification (De-ID) Framework: De-identification Controls Assessment (DCA) HIPAA – Federal Register 45 CFR Part 164, Subpart C: HIPAA Administrative Simplification: Security Standards for the Protection of Electronic Protected Health Information (Security Rule) HIPAA – Federal Register 45 CFR Part 164, Subpart D: HIPAA Administrative Simplification: Notification in the Case of Breach of Unsecured Protected Health Information (Breach Notification Rule) HIPAA – Federal Register 45 CFR Part 164, Subpart E: HIPAA Administrative Simplification: Privacy of Individually Identifiable Health Information (Privacy Rule) IRS Publication 1075 v2014: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for protecting Federal Tax Returns and Return Information ISO/IEC 27001:2005: Information technology – Security techniques – Information security management systems – Requirements ISO/IEC 27001:2013: Information technology – Security techniques – Information security management systems – Requirements ISO/IEC 27002:2005: Information technology – Security techniques – Code of practice for information security management ISO/IEC 27002:2013: Information technology – Security techniques – Code of practice for information security controls ISO/IEC 27799:2008: Health informatics – Information security management in health using ISO/IEC 27002 Joint Commission (formerly the Joint Commission on the Accreditation of Healthcare Organizations, JCAHO) MARS-E v2.0: Catalog of Minimum Acceptable Risk Controls for Exchanges – Exchange Reference Architecture Supplement New York State Department of Financial Services – Title 23 NYCRR Part 500 NIST Framework for Improving Critical Infrastructure Cybersecurity v1.0: Framework Core – Subcategories NIST Special Publication 800–53 Revision 4 (Final), including Appendix J – Privacy Control Catalog: Security Controls for Federal Information Systems and Organizations NIST Special Publication 800–66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule NRS: Chapter 603A – State of Nevada: Security of Personal Information Office of Civil Rights (OCR) Audit Protocol April 2016 – HIPAA Security Rule Payment Card Industry (PCI) Data Security Standard Version 3.2: Information Management (IM) Standards, Elements of Performance, and Scoring Personal Data Protection Act 2012 (PDPA) Precision Medicine Initiative Data Security Policy Principles and Framework v1.0: Achieving the Principles through a Precision Medicine Initiative Data Security Policy Framework Texas Health and Safety Code § 181 – State of Texas: Texas Medical Records Privacy Act Title 1 Texas Administrative Code § 390.2 – State of Texas: Standards Relating to the Electronic Exchange of Health Information