HITRUST CSF

Summary

HITRUST CSF is both risk- and compliance-based, so organizations with different risk profiles can tailor their security and privacy control baselines. It is sensitive to data protection compliance and to the difficulty of assembling and maintaining several overlapping programs. To address this, it provides the structure, transparency, guidance and cross-references to authoritative sources that organizations need in order to check their data protection compliance, together with an approach for keeping the components aligned, maintained and comprehensive. The version used in this section is HITRUST CSF v9.6.0.

Definitions

Definition / Requirements

01_a. Access control policy
    331. Guarantee legal compliance

01_c. Privilege management
    033. Restrict administrative access
    034. Manage user accounts
    035. Manage privilege modifications
    095. Define users with privileges
    096. Set user's required privileges

01_d. User password management
    126. Set a password regeneration mechanism
    129. Validate previous passwords
    130. Limit password lifespan
    131. Deny multiple password changing attempts
    133. Passwords with at least 20 characters
    136. Force temporary password change
    137. Change temporary passwords of third parties
    138. Define lifespan for temporary passwords
    209. Manage passwords in cache
    238. Establish safe recovery
    332. Prevent the use of breached passwords
    367. Proper generation of temporary passwords
    380. Define a password management tool

01_e. Review of user access rights
    315. Provide processed data information

01_h. Clear desk and clear screen policy
    176. Restrict system objects
    221. Disconnect unnecessary input devices
    340. Use octet stream downloads

01_i. Policy on the use of network services
    250. Manage access points
    253. Restrict network access
    257. Access based on user credentials

01_j. User authentication for external connections
    092. Use externally signed certificates
    262. Verify third-party components
    284. Define maximum number of connections
    324. Control redirects
    330. Verify Subresource Integrity

01_k. Equipment identification in networks
    232. Require equipment identity
    351. Assign unique keys to each device

01_l. Remote diagnostic and configuration port protection
    154. Eliminate backdoors
    249. Locate access points
    250. Manage access points
    255. Allow access only to the necessary ports
    284. Define maximum number of connections

01_m. Segregation in networks
    259. Segment the organization network

01_n. Network connection control
    033. Restrict administrative access
    249. Locate access points
    257. Access based on user credentials
    284. Define maximum number of connections

01_o. Network routing control
    249. Locate access points
    250. Manage access points
    320. Avoid client-side control enforcement

01_p. Secure log-on procedures
    377. Store logs based on valid regulation
    378. Use of log management system

01_q. User identification and authentication
    096. Set user's required privileges
    143. Unique access credentials
    264. Request authentication

01_r. Password management system
    380. Define a password management tool

01_t. Session time-out
    023. Terminate inactive user sessions
    031. Discard user session data

01_u. Limitation of connection time
    072. Set maximum response time
    236. Establish authentication time
    369. Set a maximum lifetime in sessions

01_v. Information access restriction
    176. Restrict system objects
    265. Restrict access to critical processes
    280. Restrict service root directory

01_w. Sensitive system isolation
    159. Obfuscate code
    180. Use mock data
    265. Restrict access to critical processes
    374. Use of isolation methods in running applications

01_x. Mobile computing and communications
    205. Configure PIN
    229. Request access credentials
    264. Request authentication
    336. Disable insecure TLS versions
    351. Assign unique keys to each device

01_y. Teleworking
    153. Out of band transactions
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions
    338. Implement perfect forward secrecy

02_d. Management responsibilities
    302. Declare dependencies explicitly
    331. Guarantee legal compliance

03_a. Risk management program development
    075. Record exceptional events in logs
    161. Define secure default options
    262. Verify third-party components
    266. Disable insecure functionalities

04_a. Information security policy document
    331. Guarantee legal compliance

05_c. Allocation of information security responsibilities
    095. Define users with privileges

05_d. Authorization process for information assets and facilities
    314. Provide processing confirmation
    315. Provide processed data information

05_i. Identification of risks related to external parties
    262. Verify third-party components

05_k. Addressing security in third party agreements
    033. Restrict administrative access
    137. Change temporary passwords of third parties
    142. Change system default credentials
    155. Application free of malicious code
    161. Define secure default options
    178. Use digital signatures
    302. Declare dependencies explicitly
    316. Allow rectification requests
    318. Notify third parties of changes

06_a. Identification of applicable legislation
    331. Guarantee legal compliance

06_b. Intellectual property rights
    331. Guarantee legal compliance

06_c. Protection of organizational records
    075. Record exceptional events in logs
    080. Prevent log modification
    377. Store logs based on valid regulation

06_d. Data protection and privacy of covered information
    176. Restrict system objects
    178. Use digital signatures
    181. Transmit data using secure protocols
    185. Encrypt sensitive information
    300. Mask sensitive data
    305. Prioritize token usage
    365. Avoid exposing technical information

06_f. Regulation of cryptographic controls
    147. Use pre-existent mechanisms
    224. Use secure cryptographic mechanisms
    331. Guarantee legal compliance

06_g. Compliance with security policies and standards
    331. Guarantee legal compliance

07_b. Ownership of assets
    077. Avoid disclosing technical information
    096. Set user's required privileges

08_b. Physical entry controls
    229. Request access credentials
    231. Implement a biometric verification component
    232. Require equipment identity
    235. Define credential interface
    237. Ascertain human interaction

08_c. Securing offices, rooms and facilities
    249. Locate access points
    250. Manage access points
    255. Allow access only to the necessary ports
    257. Access based on user credentials

08_f. Public access, delivery and loading areas
    249. Locate access points
    250. Manage access points
    257. Access based on user credentials

08_g. Equipment siting and protection
    213. Allow geographic location
    249. Locate access points
    250. Manage access points

09_aa. Audit logging
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    376. Register severity level

09_ab. Monitoring system use
    077. Avoid disclosing technical information
    080. Prevent log modification
    083. Avoid logging sensitive data
    322. Avoid excessive logging
    377. Store logs based on valid regulation
    378. Use of log management system

09_ac. Protection of log information
    (none)

09_ad. Administrator and operator logs
    (none)

09_af. Clock synchronization
    079. Record exact occurrence time of events
    363. Synchronize system clocks

09_c. Segregation of duties
    096. Set user's required privileges
    176. Restrict system objects
    186. Use the principle of least privilege
    341. Use the principle of deny by default

09_d. Separation of development, test and operational environments
    159. Obfuscate code
    180. Use mock data
    265. Restrict access to critical processes
    374. Use of isolation methods in running applications

09_e. Service delivery
    155. Application free of malicious code
    161. Define secure default options
    262. Verify third-party components
    314. Provide processing confirmation
    315. Provide processed data information
    317. Allow erasure requests

09_f. Monitoring and review of third-party services
    142. Change system default credentials
    302. Declare dependencies explicitly

09_g. Managing changes to third party services
    137. Change temporary passwords of third parties
    316. Allow rectification requests
    318. Notify third parties of changes

09_h. Capacity management
    083. Avoid logging sensitive data
    177. Avoid caching and temporary files
    322. Avoid excessive logging
    323. Exclude unverifiable files

09_i. System acceptance
    331. Guarantee legal compliance

09_j. Controls against malicious code
    039. Define maximum file size
    041. Scan files for malicious code
    115. Filter malicious emails
    155. Application free of malicious code
    340. Use octet stream downloads

09_k. Controls against mobile code
    205. Configure PIN

09_m. Network controls
    077. Avoid disclosing technical information
    147. Use pre-existent mechanisms
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
    251. Change access point IP
    252. Configure key encryption
    253. Restrict network access
    255. Allow access only to the necessary ports
    257. Access based on user credentials
    259. Segment the organization network

09_p. Disposal of media
    183. Delete sensitive data securely
    360. Remove unnecessary sensitive information
    375. Remove sensitive data from client-side applications

09_q. Information handling procedures
    314. Provide processing confirmation
    315. Provide processed data information
    329. Keep client-side storage without sensitive data

09_r. Security of system documentation
    095. Define users with privileges
    096. Set user's required privileges
    176. Restrict system objects

09_s. Information exchange policies and procedures
    030. Avoid object reutilization
    145. Protect system cryptographic keys
    147. Use pre-existent mechanisms
    206. Configure communication protocols
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions
    338. Implement perfect forward secrecy

09_v. Electronic messaging
    032. Avoid session ID leakages
    160. Encode system outputs
    206. Configure communication protocols
    348. Use consistent encoding

09_x. Electronic commerce services
    325. Protect WSDL files

09_y. On-line transactions
    084. Allow transaction history queries
    145. Protect system cryptographic keys
    147. Use pre-existent mechanisms
    153. Out of band transactions
    174. Transactions without a distinguishable pattern
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
    300. Mask sensitive data
    335. Define out of band token lifespan
    346. Use initialization vectors once

09_z. Publicly available information
    045. Remove metadata when sharing files
    261. Avoid exposing sensitive information
    364. Provide extended validation (EV) certificates

10_b. Input data validation
    173. Discard unsafe inputs
    342. Validate request parameters

10_c. Control of internal processing
    122. Validate credential ownership
    330. Verify Subresource Integrity
    364. Provide extended validation (EV) certificates
    373. Use certificate pinning

10_d. Message integrity
    030. Avoid object reutilization
    062. Define standard configurations
    145. Protect system cryptographic keys
    147. Use pre-existent mechanisms
    178. Use digital signatures
    224. Use secure cryptographic mechanisms
    321. Avoid deserializing untrusted data

10_e. Output data validation
    160. Encode system outputs
    348. Use consistent encoding

10_f. Policy on the use of cryptographic controls
    147. Use pre-existent mechanisms
    224. Use secure cryptographic mechanisms

10_g. Key management
    145. Protect system cryptographic keys
    146. Remove cryptographic keys from RAM
    148. Set minimum size of asymmetric encryption
    149. Set minimum size of symmetric encryption
    151. Separate keys for encryption and signatures
    223. Uniform distribution in random numbers
    346. Use initialization vectors once
    361. Replace cryptographic keys
    370. Use OAEP padding with RSA
    371. Use GCM Padding with AES
    372. Proper Use of Initialization Vector (IV)

10_i. Protection of system test data
    171. Remove commented-out code
    180. Use mock data

10_j. Access control to program source code
    051. Store source code in a repository
    096. Set user's required privileges
    158. Use a secure programming language
    159. Obfuscate code
    161. Define secure default options

10_l. Outsourced software development
    262. Verify third-party components

11_a. Reporting information security events
    313. Inform inability to identify users

13_a. Privacy notice
    189. Specify the purpose of data collection
    311. Demonstrate user consent
    314. Provide processing confirmation
    315. Provide processed data information

13_b. Openness and transparency
    314. Provide processing confirmation
    315. Provide processed data information

13_c. Accounting of disclosures
    314. Provide processing confirmation
    315. Provide processed data information

13_d. Consent required
    189. Specify the purpose of data collection
    310. Request user consent

13_e. Choice
    312. Allow user consent revocation

13_f. Principle access
    084. Allow transaction history queries
    085. Allow session history queries

13_g. Purpose legitimacy
    331. Guarantee legal compliance

13_h. Purpose specification
    315. Provide processed data information

13_j. Data minimization
    360. Remove unnecessary sensitive information

13_k. Use and disclosure
    173. Discard unsafe inputs
    300. Mask sensitive data

13_l. Retention and disposal
    183. Delete sensitive data securely
    360. Remove unnecessary sensitive information

13_m. Accuracy and quality
    310. Request user consent
    315. Provide processed data information
    316. Allow rectification requests
    318. Notify third parties of changes
    326. Detect rooted devices
    360. Remove unnecessary sensitive information

13_n. Participation and redress
    301. Notify configuration changes
    316. Allow rectification requests

13_s. Privacy monitoring and auditing
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    085. Allow session history queries
    376. Register severity level
    377. Store logs based on valid regulation