HITRUST CSF

Summary

HITRUST CSF is both risk-based and compliance-based, which lets organizations with different risk profiles customize their security and privacy control baselines. It takes into account data protection compliance obligations and the difficulty of assembling and maintaining several programs at once, so it provides the structure, transparency, guidance and cross-references to authoritative sources that organizations need to check their data protection compliance, together with an approach for keeping the components properly aligned, maintained and comprehensive. The version used in this section is HITRUST CSF v9.6.0.

Definitions

Definition / Requirements
01_a. Access control policy
331. Guarantee legal compliance
01_c. Privilege management
033. Restrict administrative access
034. Manage user accounts
035. Manage privilege modifications
095. Define users with privileges
096. Set user's required privileges
01_d. User password management
126. Set a password regeneration mechanism
129. Validate previous passwords
130. Limit password lifespan
131. Deny multiple password changing attempts
133. Passwords with at least 20 characters
136. Force temporary password change
137. Change temporary passwords of third parties
138. Define lifespan for temporary passwords
209. Manage passwords in cache
238. Establish safe recovery
332. Prevent the use of breached passwords
367. Proper generation of temporary passwords
380. Define a password management tool
01_e. Review of user access rights
315. Provide processed data information
01_h. Clear desk and clear screen policy
176. Restrict system objects
221. Disconnect unnecessary input devices
340. Use octet stream downloads
01_i. Policy on the use of network services
250. Manage access points
253. Restrict network access
257. Access based on user credentials
01_j. User authentication for external connections
092. Use externally signed certificates
262. Verify third-party components
284. Define maximum number of connections
324. Control redirects
330. Verify Subresource Integrity
01_k. Equipment identification in networks
232. Require equipment identity
351. Assign unique keys to each device
01_l. Remote diagnostic and configuration port protection
154. Eliminate backdoors
249. Locate access points
250. Manage access points
255. Allow access only to the necessary ports
284. Define maximum number of connections
01_m. Segregation in networks
259. Segment the organization network
01_n. Network connection control
033. Restrict administrative access
249. Locate access points
257. Access based on user credentials
284. Define maximum number of connections
01_o. Network routing control
249. Locate access points
250. Manage access points
320. Avoid client-side control enforcement
01_p. Secure log-on procedures
377. Store logs based on valid regulation
378. Use of log management system
01_q. User identification and authentication
096. Set user's required privileges
143. Unique access credentials
264. Request authentication
01_r. Password management system
380. Define a password management tool
01_t. Session time-out
023. Terminate inactive user sessions
031. Discard user session data
01_u. Limitation of connection time
072. Set maximum response time
236. Establish authentication time
369. Set a maximum lifetime in sessions
01_v. Information access restriction
176. Restrict system objects
265. Restrict access to critical processes
280. Restrict service root directory
01_w. Sensitive system isolation
159. Obfuscate code
180. Use mock data
265. Restrict access to critical processes
374. Use of isolation methods in running applications
01_x. Mobile computing and communications
205. Configure PIN
229. Request access credentials
264. Request authentication
336. Disable insecure TLS versions
351. Assign unique keys to each device
01_y. Teleworking
153. Out of band transactions
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
336. Disable insecure TLS versions
338. Implement perfect forward secrecy
02_d. Management responsibilities
302. Declare dependencies explicitly
331. Guarantee legal compliance
03_a. Risk management program development
075. Record exceptional events in logs
161. Define secure default options
262. Verify third-party components
266. Disable insecure functionalities
04_a. Information security policy document
331. Guarantee legal compliance
05_c. Allocation of information security responsibilities
095. Define users with privileges
05_d. Authorization process for information assets and facilities
314. Provide processing confirmation
315. Provide processed data information
05_i. Identification of risks related to external parties
262. Verify third-party components
05_k. Addressing security in third party agreements
033. Restrict administrative access
137. Change temporary passwords of third parties
142. Change system default credentials
155. Application free of malicious code
161. Define secure default options
178. Use digital signatures
302. Declare dependencies explicitly
316. Allow rectification requests
318. Notify third parties of changes
06_a. Identification of applicable legislation
331. Guarantee legal compliance
06_b. Intellectual property rights
331. Guarantee legal compliance
06_c. Protection of organizational records
075. Record exceptional events in logs
080. Prevent log modification
377. Store logs based on valid regulation
06_d. Data protection and privacy of covered information
176. Restrict system objects
178. Use digital signatures
181. Transmit data using secure protocols
185. Encrypt sensitive information
300. Mask sensitive data
305. Prioritize token usage
365. Avoid exposing technical information
06_f. Regulation of cryptographic controls
147. Use pre-existent mechanisms
224. Use secure cryptographic mechanisms
331. Guarantee legal compliance
06_g. Compliance with security policies and standards
331. Guarantee legal compliance
07_b. Ownership of assets
077. Avoid disclosing technical information
096. Set user's required privileges
08_b. Physical entry controls
229. Request access credentials
231. Implement a biometric verification component
232. Require equipment identity
235. Define credential interface
237. Ascertain human interaction
08_c. Securing offices, rooms and facilities
249. Locate access points
250. Manage access points
255. Allow access only to the necessary ports
257. Access based on user credentials
08_f. Public access, delivery and loading areas
249. Locate access points
250. Manage access points
257. Access based on user credentials
08_g. Equipment siting and protection
213. Allow geographic location
249. Locate access points
250. Manage access points
09_c. Segregation of duties
096. Set user's required privileges
176. Restrict system objects
186. Use the principle of least privilege
341. Use the principle of deny by default
09_d. Separation of development, test and operational environments
159. Obfuscate code
180. Use mock data
265. Restrict access to critical processes
374. Use of isolation methods in running applications
09_e. Service delivery
155. Application free of malicious code
161. Define secure default options
262. Verify third-party components
314. Provide processing confirmation
315. Provide processed data information
317. Allow erasure requests
09_f. Monitoring and review of third-party services
142. Change system default credentials
302. Declare dependencies explicitly
09_g. Managing changes to third party services
137. Change temporary passwords of third parties
316. Allow rectification requests
318. Notify third parties of changes
09_h. Capacity management
083. Avoid logging sensitive data
177. Avoid caching and temporary files
322. Avoid excessive logging
323. Exclude unverifiable files
09_i. System acceptance
331. Guarantee legal compliance
09_j. Controls against malicious code
039. Define maximum file size
041. Scan files for malicious code
115. Filter malicious emails
155. Application free of malicious code
340. Use octet stream downloads
09_k. Controls against mobile code
205. Configure PIN
09_m. Network controls
077. Avoid disclosing technical information
147. Use pre-existent mechanisms
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
251. Change access point IP
252. Configure key encryption
253. Restrict network access
255. Allow access only to the necessary ports
257. Access based on user credentials
259. Segment the organization network
09_p. Disposal of media
183. Delete sensitive data securely
360. Remove unnecessary sensitive information
375. Remove sensitive data from client-side applications
09_q. Information handling procedures
314. Provide processing confirmation
315. Provide processed data information
329. Keep client-side storage without sensitive data
09_r. Security of system documentation
095. Define users with privileges
096. Set user's required privileges
176. Restrict system objects
09_s. Information exchange policies and procedures
030. Avoid object reutilization
145. Protect system cryptographic keys
147. Use pre-existent mechanisms
206. Configure communication protocols
224. Use secure cryptographic mechanisms
336. Disable insecure TLS versions
338. Implement perfect forward secrecy
09_v. Electronic messaging
032. Avoid session ID leakages
160. Encode system outputs
206. Configure communication protocols
348. Use consistent encoding
09_x. Electronic commerce services
325. Protect WSDL files
09_y. On-line transactions
084. Allow transaction history queries
145. Protect system cryptographic keys
147. Use pre-existent mechanisms
153. Out of band transactions
174. Transactions without a distinguishable pattern
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
300. Mask sensitive data
335. Define out of band token lifespan
346. Use initialization vectors once
09_z. Publicly available information
045. Remove metadata when sharing files
261. Avoid exposing sensitive information
364. Provide extended validation (EV) certificates
09_aa. Audit logging
075. Record exceptional events in logs
079. Record exact occurrence time of events
376. Register severity level
09_ab. Monitoring system use
077. Avoid disclosing technical information
080. Prevent log modification
083. Avoid logging sensitive data
322. Avoid excessive logging
377. Store logs based on valid regulation
378. Use of log management system
09_ac. Protection of log information
046. Manage the integrity of critical files
080. Prevent log modification
09_ad. Administrator and operator logs
046. Manage the integrity of critical files
075. Record exceptional events in logs
079. Record exact occurrence time of events
09_af. Clock synchronization
079. Record exact occurrence time of events
363. Synchronize system clocks
10_b. Input data validation
173. Discard unsafe inputs
342. Validate request parameters
10_c. Control of internal processing
122. Validate credential ownership
330. Verify Subresource Integrity
364. Provide extended validation (EV) certificates
373. Use certificate pinning
10_d. Message integrity
030. Avoid object reutilization
062. Define standard configurations
145. Protect system cryptographic keys
147. Use pre-existent mechanisms
178. Use digital signatures
224. Use secure cryptographic mechanisms
321. Avoid deserializing untrusted data
10_e. Output data validation
160. Encode system outputs
348. Use consistent encoding
10_f. Policy on the use of cryptographic controls
147. Use pre-existent mechanisms
224. Use secure cryptographic mechanisms
10_g. Key management
145. Protect system cryptographic keys
146. Remove cryptographic keys from RAM
148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
151. Separate keys for encryption and signatures
223. Uniform distribution in random numbers
346. Use initialization vectors once
361. Replace cryptographic keys
370. Use OAEP padding with RSA
371. Use GCM Padding with AES
372. Proper Use of Initialization Vector (IV)
10_i. Protection of system test data
171. Remove commented-out code
180. Use mock data
10_j. Access control to program source code
051. Store source code in a repository
096. Set user's required privileges
158. Use a secure programming language
159. Obfuscate code
161. Define secure default options
10_l. Outsourced software development
262. Verify third-party components
11_a. Reporting information security events
313. Inform inability to identify users
13_a. Privacy notice
189. Specify the purpose of data collection
311. Demonstrate user consent
314. Provide processing confirmation
315. Provide processed data information
13_b. Openness and transparency
314. Provide processing confirmation
315. Provide processed data information
13_c. Accounting of disclosures
314. Provide processing confirmation
315. Provide processed data information
13_d. Consent required
189. Specify the purpose of data collection
310. Request user consent
13_e. Choice
312. Allow user consent revocation
13_f. Principle access
084. Allow transaction history queries
085. Allow session history queries
13_g. Purpose legitimacy
331. Guarantee legal compliance
13_h. Purpose specification
315. Provide processed data information
13_j. Data minimization
360. Remove unnecessary sensitive information
13_k. Use and disclosure
173. Discard unsafe inputs
300. Mask sensitive data
13_l. Retention and disposal
183. Delete sensitive data securely
360. Remove unnecessary sensitive information
13_m. Accuracy and quality
310. Request user consent
315. Provide processed data information
316. Allow rectification requests
318. Notify third parties of changes
326. Detect rooted devices
360. Remove unnecessary sensitive information
13_n. Participation and redress
301. Notify configuration changes
316. Allow rectification requests
13_s. Privacy monitoring and auditing
075. Record exceptional events in logs
079. Record exact occurrence time of events
085. Allow session history queries
376. Register severity level
377. Store logs based on valid regulation