Most businesses in the healthcare industry are required to meet HIPAA regulations, and the main benefit of those efforts is avoiding hefty fines. Companies in the healthcare industry are expected to protect their customer data, and those that build this customer trust are rewarded with new business opportunities. To proactively build trust with customers, many companies provide proof of their data security compliance with a HITRUST CSF Validation with Certification.
This webinar, hosted by HITRUST, NCC Group, and Aptible, clarifies how participating in the HITRUST CSF Assurance Program works, why obtaining a HITRUST CSF Validation with Certification is valuable to your organization, and explains how to achieve validation with less work effort.
Watch now to learn:
By adopting the HITRUST CSF, your organization can obtain peace of mind that it abides by a comprehensive compliance framework that can account for several different industry regulations, standards, frameworks, and best practices. Aptible and NCC Group can help achieve that peace of mind more efficiently and cost effectively.
Vice President Assurance Strategy & Community Development, HITRUST
Technical Director Risk Management & Governance North America, NCC Group
Product Manager, Aptible
Chris Gomes (00:00):
Welcome, everybody. This is the Aptible, NCC Group, HITRUST joint webinar on Building Customer Trust with HITRUST in Comply. I'm just going to give participants a couple seconds to trickle in here, I see our number quickly climbing. We'll give folks about 20 to 30 seconds to get settled, and then we'll dive in. Okay. Looks like attendance has just about leveled off, so we've got everyone in the room now. I wanted to welcome everyone, and start it off with some introductions. This is the joint webinar between Aptible, NCC Group, and the HITRUST Alliance about Building Customer Trust, with HITRUST, in Comply. My name is Chris Gomes, I'm Project Manager here at Aptible, and I'm joined by Michael Parisi from HITRUST, and Jay Trinckes from the NCC Group. Michael and Jay, I'd love for each of you to take a moment to introduce yourselves, and how your companies help in the process of building customer trust. Michael, starting with you, if you don't mind.
Michael Parisi (01:44):
Sure. Thanks, Chris. Welcome, everyone. Glad to be here with all of you today. My name is Michael Parisi, I'm the Vice President of Strategy and Community Development at HITRUST. I've got the responsibility for looking at our current programs, and figuring out how to enhance them, make them better for organizations to leverage, and also determine new programs that we should be standing up to address common security and privacy challenges. Part of that is identifying critical partners that we want to work with, that help enable our organizations to achieve HITRUST compliance, for which one of those is Aptible. In addition to identifying assessors that we can work with to provide that independent assurance for organizations relative to security and privacy posture, which is NCC Group, as an example. Glad to be joined by my colleagues here today, looking forward to the discussion.
Jay Trinckes (02:41):
Great. Hello, everyone. My name is Jay Trinckes, I'm an Information Security and Privacy Professional with over 15 years of experience in these two fields, and with many different types of industries. I'm a Technical Director with NCC Group's Risk Management and Governance Team, leading the privacy practice, which includes privacy, HIPAA, and of course, HITRUST. I am a published author of three books, and I maintain a multitude of certifications, including the HITRUST CCSFP and CHQP certifications. I've been a HITRUST practitioner since August of 2015, and have performed QA and/or managed several HITRUST engagements during this time. NCC Group is an approved external assessor, we assist clients in obtaining and maintaining their HITRUST validation with certification, as part of the HITRUST Assurance Program.
Chris Gomes (03:29):
Great. Thank you Michael and Jay. In today's webinar, we're going to cover all of these topics. The value of the HITRUST certification, the HITRUST process end to end, and then we'll bring in NCC Group and Jay to talk about the goal of the auditor, and what auditors look for. And finally, we at Aptible will talk about how to streamline audit readiness. Before we dive in, though, I realize that with the three groups that are on this call, folks might want a better understanding of how these different pieces of the puzzle fit together. You've got HITRUST, you've got NCC Group, and you have Aptible, who are all co-hosting this. The takeaway is that HITRUST brings a lot of value, but it is a journey with moving parts, components, and partners. First you have the HITRUST Alliance, themselves, who define the standards. That's Michael. You also have the assessor partners, and that's Jay, who take you through the process, and then there are partners and solutions that can help you achieve that compliance more efficiently and effectively, and that's us here at Aptible. For a high-level overview of the process before we dive in, this is what the HITRUST journey looks like.
Chris Gomes (04:47):
You use the HITRUST framework to identify your security and privacy controls, you use the CSF software to conduct a readiness assessment, then you work with an authorized external assessor to prepare for the validated assessment. You undergo the validated assessment, using the MyCSF software, and then if all goes well, you get that HITRUST letter of certification. By the end of today's call, we hope that you'll understand how the three groups of us working together can make this whole process a lot smoother, especially in step number three, which is going to look more like this, using Aptible Comply, and an assessor, such as NCC Group, to prepare for this validated assessment. That's how we're going to help this whole process run a lot more efficiently and effectively. By the end of today's webinar, it will be a lot more clear how we all work together to do that. Without further ado, I'm going to hand it over to Michael to talk about HITRUST.
Michael Parisi (05:46):
Great. Thanks, Chris. If you can move to the next slide for a second. I think Chris teed it up really well for us. When you look at all the different stakeholders that are involved in this journey, we are the standards organization. Our job is to stand up programs, and also resources that are available for organizations to leverage, to make this concept of "compliance" more effective and more efficient, for organizations. When you look at the number of challenges that we face, as organizations in the marketplace, either as customers of third parties or providers, or third parties ourselves, for which many of us, I think, will be both. We all have organizations that we need to work with and we're working with a number of organizations. There's a number of challenges that are facing us today. This concept of providing assurances over good security and privacy posture isn't going away. Matter of fact, it's only getting stronger. It's becoming more and more of a requirement for organizations that are looking to do business with stakeholders in general. However, as that builds, it's become more and more of a burden to do in an efficient and effective way.
Michael Parisi (07:02):
What we strive to do here at HITRUST, as a risk management organization, is to establish programs that can be leveraged in the most efficient and effective way possible, and provide the highest level of assurances to stakeholders that are needing those assurances, relative to security and privacy. Chris, if you don't mind moving on for me, please. I talk about the market need, and if we dive into that in a little more detail for a minute, the number of different things that are driving the market needs for assurances, everything from regulations, to stakeholder expectations, to new types of business relationships that exist within the marketplace. This is industry agnostic, whether it's within the technology space, the healthcare space, manufacturing space, you're talking about the same challenges that everyone is being faced with, relative to compliance. There's a number of non-value-add commoditized activities that organizations are probably taking on themselves, when we believe they don't have to. Leverage a standards organization that is doing that work for you. Identifying what are the relevant authoritative sources and requirements that we need to provide assurances over, maintaining that set of standards and framework to put you in a position where you can do one assessment against one centralized set of standards, that allows you to pivot and produce assurances over any type of authoritative source that organizations may be asking for.
Michael Parisi (08:33):
Figure out this process around providing the highest level of reliability, so that when you do provide those assurances in the form of third party assurance reports, you know it has multiple eyes that have been on it, multiple levels of quality assurance review. Now, you are arming your stakeholders to use those assurances in place of doing their own proprietary procedures, questionnaires, onsite audits, et cetera. That's everything that we've built here at HITRUST as part of our overall combined suite of services and programs that I'll talk about in a few minutes. If you could move on for me, please, Chris.
Chris Gomes (09:12):
Yes. And I just want to give a shout out to the Q&A. I should have mentioned that upfront. You can always submit a question as we go along here, and we're going to save questions until the end. Feel free to use that Q&A button to submit questions. Sorry, for interrupting, Michael.
Michael Parisi (09:27):
No worries, Chris.
Chris Gomes (09:29):
There we go. There you go.
Michael Parisi (09:30):
Okay, great. Our tagline, "One framework, one assessment." It's recognized globally. I'll talk about the different components that HITRUST has, and how all these fit together. I think Chris did a great job of teeing it up. And Jay, in a few minutes, is going to talk to us about what does this journey look like, what are the different types of things you need to do in order to provide the information necessary, for us, the independent certifying body, to issue you, hopefully, what is a certification, with minimum necessary security and privacy standards and requirements. When you look at what we do in a marketplace, it all starts with our framework, which we refer to as the CSF. As we know, there's a lot of frameworks out there in the marketplace. The approach that we take is an arms open approach. We don't believe in this religious debate, "Well, it should be NIST or it should be ISO, or it should be some other type of framework." We also don't believe in the religious debate of different reporting standards, whether it's a SOC 2 or whether it's an AUP, or whether it's some other type of certification. We believe in supporting all of them, which is what I think makes us unique, relative to the framework we have.
Michael Parisi (10:44):
Over 46 different authoritative sources are included within the framework. When I talk about authoritative sources, they really fall into three different categories. Those could be other control frameworks or standards, different flavors of NIST, ISO, COBIT, COSO, all included within there. They could also be regulations, and those regulations could be international regulations, such as GDPR, APEC cross border protection, they could be federal regulations, like HIPAA, is one that I think a lot of us are familiar with, or heard of. Or, they could be statutory regulations. Things like CCPA, MH01, seems like every week there's a new one on the docket that's going to be coming out. All of those are included within the framework. Then, lastly, what I like to refer to as other standards. Things such as PCI, FedRAMP, some of the new CMMC requirements, that are going to be coming down the pike. We strive to standardize across all these different authoritative sources as part of our framework, so that allows you to know if you use one set of requirements and standards, you can pivot and produce various reporting that you need, in order to provide assurances over any of those authoritative sources, or multiple authoritative sources. Think of it as a one-stop shop, if you will. Chris, you can move onto the next one, please.
Michael Parisi (12:13):
Thank you. We refer to this overall solution set, and the approach, as the HITRUST Approach. The HITRUST Approach is really focused on how do we manage risk, not only internally, but externally, relative to our third parties, and maybe fourth parties, and fifth parties. You know how those relationships go in today's day and age, how do you do that in, again, the most efficient and effective way possible, and in a complete fashion. There are various steps that we need to think about. Start by identifying and defining what those risks are that are relevant to our organization. Everything starts with risk. Everything starts with the risk assessment. You notice that as part of our process, one of the things that Jay will take you through in a few minutes, how do you start from scoping. Well, it starts with the risk assessment in order to determine how much you should be doing. Further, specify the different types of controls and safeguards that you need to put in place in order to address those risks. Then actually implement them and manage that program, and in the continuous process, assess against them to make sure they are working, report effectively, rinse and repeat as you go through that process.
Michael Parisi (13:30):
A number of different benefits that our HITRUST Approach provides, I won't go through all of them here, but I did highlight a number of them already. It's really about this concept of providing assurances at the end of the day. Whether that's internally to management, the board, our co-workers, or whether it be externally, to stakeholders, which could include customers, could include regulators, and a number of other types of organizations. How do you do that? By leveraging an approach that you know is maintained and up to date. When you look at a lot of other control frameworks that exist within the marketplace, they're often not updated that frequently. As we know, the threat landscape is changing by the second. One of the things that makes us unique, there is a team of individuals that we have to update, not only our own framework, but to make sure that reflects any of the changes at the underlying authoritative sources, as well. You don't have to do that exercise every time that there is a change or a version update within a particular authoritative source. You don't now need to go back and redo all the mappings and figure out, are you doing everything that you're supposed to be doing from an organizational perspective, we take that on for you.
Michael Parisi (14:47):
Chris, you can move forward, please. Some of the things, how do we do that? What are the elements to the approach, and what are the different programs that are available to organizations to leverage in order to achieve that? The way I like to refer to the HITRUST Approach is that, it is integrated, yet modular. We have many organizations that may use just bits and pieces, or certain programs, to help them address and manage risk, and we have others that use the entire integrated suite of programs. Some of them here that I'll highlight, I already talked about the framework, the assurance program, is what we put in place to really support that process of providing assurances to your stakeholders. When you look at our program, it is a defined process that organizations must go through in order to produce viable assurances and assessments. Jay will tell you, in all the assessments that he does, our assessors, our independent third party assessors, that are tried, and true, and vetted, they go through a very vigorous process in order to be approved as an assessor, to make sure they understand our framework and the program. Jay can talk to you a little bit about that in a few minutes.
Michael Parisi (16:03):
That's part of our assurance program, making sure we have a set of independent organizations that can go in and execute testing, not in any which way they choose, it must follow a well defined process that we have put in place, that ultimately bolsters that reliability associated with that assessment. The assessment reports, for which there are many, there's many different types and flavors, and it really depends on what the needs of the organization are. Also, the timeline. When we think about this concept of assurances, many organizations will start small, and they'll move along that assurance continuum as they continue to mature as an organization. We've also built our program that way, where organizations can start, for example, with a self attestation, or a readiness assessment, or a facilitated readiness assessment. As Chris mentioned before, that's often the first step, working with a consultative partner, like NCC Group, to help you think through that, and also having partners that can help enable those aspects of compliance. Remember, in leveraging somebody like Aptible, sure that's going to help you with aspects of HITRUST compliance, but it helps you with everything else that's included within the HITRUST framework. It's so much more than just HITRUST as its own authoritative source.
Michael Parisi (17:27):
We do have a platform, as Chris mentioned, which is the MyCSF platform. What that really does is help organizations to scope how much they need to do, what's enough, what's too much, relative to the risk that that organization has. It builds your profile, and it tells you what you need to implement, and then puts you in a position where now, you can work with somebody like Aptible, to actually enable the monitoring and the evidence port associated with what that profile is. Talked already about the external assessors. We have several, they're listed on our website. You must work with an approved external assessor, which NCC Group is one of those. All assessors are created equal, relative to the quality standards they are held to. However, I would tell you not all assessors are created equal relative to the experience. We have some assessors that have been doing this a long time, and have done a number of assessments, as Jay mentioned. Just something to think about as you're going down that journey, in terms of who you're going to select. We also have a series of training programs. Jay had mentioned he's a CCSFP, that's an individual certification that you can achieve around the implementation of the framework, and the tailoring of the framework. Our threat catalog links to our overall framework, so if this concept of understanding what threats may be applicable to your organization, that we maintain.
Michael Parisi (18:58):
Some organizations may just use the threat catalog, or just the framework, as an example. Then, lastly, the assessment exchange is our third party risk management program. That's what we've built to help you, not only achieve aspects of third party risk management as part of the HITRUST framework and requirements, but overall from an organizational perspective. That's something we've been spending a lot of time on, especially considering recent times and challenges organizations have had. Chris, I think we can move on, please. Thank you. This concept of reliability, let me spend a few minutes on this because I want to make sure I drive home the other aspects that I mentioned. When you think about providing assurances to stakeholders, as we know there are a lot of different types of assessments that are out there. Not all assessments are created equal, either relative to the process that organizations must go through to prove that assessment, or relative to the levels of quality assurance that are built within that. Our program provides five different levels of quality assurance review and checkpoints that are placed, which is above and beyond any other type of assurance report that exists within the marketplace. For example, SOC reports. SOC reports really only have two, I guess you can argue two and a half, we have five different levels.
Michael Parisi (20:20):
Starts with the management assertion manifestation, followed by that independent assessor. We require our independent assessor to have their own quality assurance function, which is separate from an engagement team. Then you have HITRUST as the independent certifying body, where we review 100% of all assessments that come in the door. We do not take a sample. Jay sends me 100 assessments this year, we're picking up every one of those, just to make sure Jay's done everything that he's needed to do. Then, lastly, we have our own internal audit compliance function, that audits our auditors, who audit the auditors, who audit management. You know, whenever you pick up a HITRUST assessment in the marketplace, it comes with the highest level of reliability associated with that security and privacy posture that an organization is sharing with you. Next slide, please, Chris.
Michael Parisi (21:14):
A lot of value to pursuing a certification. Unfortunately, I think, a lot of organizations go down this path because somebody told me I have to get it. It's a checkbox exercise. Don't stop there, and this is where working with partners like Aptible, and NCC, they can help you see the value of the implementation and going down that path beyond just a checkbox exercise. There are a lot of barriers to entry. There are many organizations that require HITRUST certifications. You cannot do business with them, unless you have it. Those exist today, and there are more and more that are coming out to the marketplace with that requirement. What they are focused on, is making sure they can do it in the most efficient and effective way possible. They don't like working with 400 proprietary information security questionnaires, just as much as we don't like responding to them. They're all trying to get to the same thing, and they're all worded a little differently. How do we stop the madness? #killthequestionnaire. I'm going to do this in the most efficient and effective way possible.
Michael Parisi (22:27):
When you look at security and privacy, it's becoming more and more of a differentiation point in the marketplace. It's no longer necessarily something that's thought of after the fact, it's something that's being looked at up front in order to make decisions around what third parties we may actually be working with. Number of other ancillary benefits, as well, of being in a position to demonstrate what your organization is doing, relative to security and privacy. And some one-offs like cybersecurity insurance. We have some customers that, just by doing a HITRUST certification, have reduced their cybersecurity insurance premiums by over 50%. You take somebody like a large hospital system, where that can be millions and millions of dollars, making the investment to do something like this pays for itself over and over again. Just some things to think about in terms of the value of the certification itself. Move on, Chris. Now, I'd like to hand it to Jay, to give you his perspective, in terms of how to go through this process, things to consider, and the types of things you want to potentially leverage in going through the assessment process. Jay, I'll hand it to you.
Jay Trinckes (23:44):
All right. Great. Thank you, Michael. Next slide, please. I'm going to take just a few minutes here to discuss our role, here as an external assessor, and then provide you some good advice, as it relates to going through the assurance program. Next slide. NCC Group is one of the external assessors, approved by HITRUST, to perform assessment services associated with this CSF assurance program, as well as validate compliance with the HITRUST CSF. NCC Group, as an approved external assessor is uniquely qualified to deliver CSF assurance program services to assist in the documentation of findings and preparation of reports. HITRUST CSF validated assessments can only be performed by approved external assessors, and as mentioned, we have passed and must maintain rigorous standards to maintain our approved external assessor status. We must also follow and adhere to a strict set of rules, established by HITRUST, in performing these HITRUST assessments. Next slide.
Jay Trinckes (24:47):
As Michael previously mentioned, the HITRUST Approach to information risk management and compliance provides an integrated process to ensure all programs are aligned, maintained, and comprehensively support an organization's information risk management and compliance objectives. This approach assists global organizations across all industries, and throughout third party supply chains, to safeguard their sensitive information, and manage their information risks. The control set that an organization will be assessed against is determined by many factors, including organizational factors, geographic factors, technical factors, and regulatory factors. You'll definitely want to work with your assessor to help you scope out your assessment and discuss your specific needs. Next slide.
Jay Trinckes (25:33):
HITRUST specifically addresses specific roles and responsibilities, as well as qualifications of team members performing a HITRUST assessment. These roles include the client point of contact, our engagement lead, our QA reviewer, our engagement executive, of course, our assessors and project management. HITRUST maintains very high expectations of the quality of work it expects from their approved external assessors. As examples, the executive role oversees the project, ensures appropriate documentation is obtained, reviews the test results, and acts as a first line of QA, or quality assurance. A QA reviewer under HITRUST must hold a CCSFP certification, as well as the new CHQP certification. The QA reviewer for HITRUST will perform the second or final level QA of a validated assessment, prior to submitting to HITRUST through MyCSF. Once a validated report is submitted to HITRUST, HITRUST will also go through multiple iterations of QA to ensure the validated assessment report is of the highest quality. Next slide.
Jay Trinckes (26:42):
Due to the high mark HITRUST sets within their CSF assurance program, as an external assessor, there are specific items that we'll want to see from our clients. An assessed entity will be reviewed against five categories. Policy, process, implemented, measured, and managed, for each CSF control statement that is in scope for the assessment. Each of these categories will be rated against a maturity rating, from not compliant to fully compliant. Without going through all of the specific calculations and formulas behind the scoring here, HITRUST has implemented a new scoring matrix that looks at both the strength and the coverage of the controls against each of the criteria. Let's take a quick look at what we expect from an entity as it relates to policy, process, and implementation, for example. Next slide.
Jay Trinckes (27:33):
For policies, we are looking at the overall intention and direction formally expressed by management. This is generally documented as a high level principle, or a course of action. Policies need to cover the CSF requirement, and be approved by management. They need to also be communicated to stakeholders, and clearly communicate expectations using statements such as will, shall, or must. Here, again, we'll go back and Chris will talk a lot about how Aptible can help with their program to help you design good policies. Next slide. What makes a good procedure? Procedures are detailed descriptions of the steps necessary to perform specific operations or processes to carry out the intent of the policy. Procedures need to be approved, of course. They need to be communicated, they need to outline responsibilities, and they need to discuss operational aspects of who, what, when, where, why. Can't forget about the why. That, again, should be addressed in policies, but we need to tell you what you need to do under that process. Any undocumented policies or procedures are those that are not well understood, they're not consistently observed, or they're not formally written. Any of those will, of course, score a not compliant and will jeopardize the ability to obtain certification. Next slide.
Jay Trinckes (28:59):
When we move into implementation, we're going to observe the control being applied to a population, or sample thereof. We look at implementation through observations, interviews, or tests. To perform a healthy assessment we generally do examining of the controls, we ask questions, and again, we test. The motto here is, we trust but we verify, or validate, everything. That is really the key. As an external assessor, we are required to develop test plans as part of our audit process. These test plans are based on what we call the illustrative procedures provided by HITRUST, and are customized for the specific scope and needs of the assessment. Each control will have documented test plans, and will be supported by the client interviews and walkthroughs. We'll observe or examine a control in action, and this may be done through interviews or analysis of evidence provided. These will be followed up by a specific test or sampling where applicable. Areas of inspection may include configurations, physical surroundings, manual processes, or other means to demonstrate the effectiveness of the control being implemented. I'm not showing here our specific sampling guidelines we must follow as part of our assessment. Next slide.
Jay Trinckes (30:18):
Through our experience, here are some tips or some rules we found to have a good, smooth assessment. The very first, and most important rule, is to be prepared. You'll want to ensure all evidence is readily available the first day we start work. You want to ensure your policies and procedures are strong, and they cover all the criteria of each of the controls in scope. These policies and procedures need to be clear, they need to be approved, they need to be communicated to stakeholders, and to obtain HITRUST validation, it takes time, and it takes some resources to make sure you allocate the necessary subject matter experts to answer any of the assessor questions. You'll also want to make sure these individuals know what subjects will be discussed, and what questions might be asked during our interviews, ahead of time. As assessors, we'll generally have an interview outline prepared ahead of time as part of our testing plan. Last but not least, make sure to keep communication flowing to assist in staying on task, and level set expectations. Hopefully, that helps you guys out. I'm going to turn it over to Chris to explain how their program and solutions might be able to assist, as well.
Chris Gomes (31:23):
Thank you, Jay. And thank you, Michael, for the overview of HITRUST. Again, my name is Chris and I'm a Project Manager here at Aptible. I'm going to talk a little bit about how our product, Aptible Comply, can help prepare for these assessments and keep everything organized as you move through the HITRUST journey. Little bit of background about Aptible's evolution. Aptible came into being because data consciousness fundamentally evolved from the early days of data networking and data sharing, through the era of data aggregation, to the era that we are in today, which is how do we lock down all this data, and communicate trust to external parties, that we can be trusted as good stewards of sensitive data. We've moved from on-prem models to hybrid models, to cloud models, and this has led to an evolving state of security, where SaaS sprawl means, it's harder and harder to run compliance programs efficiently and effectively, vendor lists and compliance needs grow exponentially as more and more resources are hosted on the cloud.
Chris Gomes (32:37):
Compliance is more important than ever before, but it's also more difficult than ever before, as a result. A lot of the problems that we hear from folks who are running compliance programs are that data is everywhere. Because you're relying on that ever-growing stack of SaaS vendors, that complicates compliance management, fragments evidence collection, and can slow down audits. There's manual work required to run a strong compliance and security program, like multi-factor authentication enrollment, mobile device management configuration, SDLC change management, grant protection, employee onboarding and offboarding, it's a long list. Finally, adopting new tools every day, which is how your organization moves and grows quickly, creates a lot of burden for the security and compliance department. Of course, we don't want to get in the way of company growth and efficient processes, but that unchecked growth can lead to a lack of control, and a lack of visibility or oversight for security and compliance teams.
Chris Gomes (33:40):
This is what it looks like for a lot of our customers. There's a lot of different tools from which they're pulling evidence during audits, and trying to manage all those manual processes and keep a 30,000-foot view of everything that they are doing in a single place, and a single source of truth. It doesn't have to be complex, if you use Aptible Comply. The way Aptible Comply works, it's a compliance monitoring platform, mainly for B2B SaaS teams to ensure that they're always in compliance and ready for that next audit. Aptible Comply integrates with these cloud services to unify and automate as much of the compliance work as possible. We pull evidence from integrations in your stack. We are able to understand your vendors, through those integrations. The policies and procedures that Jay was just talking about can live in Comply, so you have a single source of truth for your ISMS, for your information security management system, for all of your management approvals and all of that documentation to ensure it's effective. Your risk register and your risk management framework can live in Comply, as well as the specific controls, those specific statements that implement your policies and your procedures, which are fundamentally going to make their way into a certification report, as well as an asset inventory.
Chris Gomes (35:05):
All of that can live in Comply. Comply, essentially, just acts as the central data store and you can pivot it based on the frameworks that you are compliant with. That includes ISO, SOC 2, HIPAA, CCPA, GDPR. We're pleased to announce with this work with HITRUST and NCC Group, we now support the HITRUST framework, the CSF framework. Essentially, the way it works is those integrations will stream in evidence for all of the different internal controls that you are running, which in turn satisfy requirements of frameworks such as HITRUST. For a given task, such as, say, ensuring role changes trigger access reviews, that's something where through an integration with G-Suite we can detect if somebody has changed roles in your Google organization, and trigger an access control review, and trigger a ticket in Jira. These are the evidence integrations that will allow you to not just get that stage one, the policy, or the procedure, but actually show implementation and manage it, and indeed, measure the efficacy of your HITRUST controls.
Chris Gomes (36:23):
Through that continuous monitoring, you will be ready, and those audits will go faster, the assessments that you do with partners like NCC Group, rather than just a point in time of getting things ready because we're bringing in the external auditor, it's continuous monitoring. The phrase that we like to use is, "A SIEM for compliance." All of your internal controls, you can understand what's working well, what's not working, which teams are falling behind in their tasks, what are my assets that are lacking the necessary controls, and just have that 365, 24/7 view of your compliance program. The nice thing about Comply is that it's not just integrations and automations focused, but it's really built with those end-to-end benefits in mind. Why are you going through these compliance and security processes? Of course, it's to maintain the security of your sensitive data, and the data that you manage on behalf of your customers, but you're also doing it to communicate to the market and to show that you can be trusted stewards of sensitive data.
Chris Gomes (37:29):
Comply makes it easy once you do obtain the HITRUST certification, or SOC 2 certification. It makes it easy to then manage and share those artifacts, gated by an NDA, with your prospects and customers. You can even see, "What was the added benefit of completing this compliance certification? What did it do for our sales cycle, let's say? Did it actually help our customers evaluate us faster, and increase our top line revenue?" Which is really neat, and no other GRC tool does this. Fundamentally, Comply is an end-to-end compliance management platform built on top of automations, integrations, workflows, and reporting, that can support multiple frameworks, but we're really excited about the way that it supports HITRUST.
Chris Gomes (38:17):
Coming full circle to the way that these entities play together, in order to support your HITRUST compliance, we've got the standards that are set by HITRUST, and Aptible, as an enabling organization, allows you to maintain a single source of truth for the output of your MyCSF scoping assessment. You know, "Here is what we are compliant with in order to meet the HITRUST guidelines, the output of that in the MyCSF report." And then the enabling organization makes it easy for you and your assessor to prepare for those assessments, and actually do the validated assessment in order to get the HITRUST letter. Reviewing, again, just the letters... Excuse me, the steps of the certification journey. You'll use the HITRUST CSF framework to identify your security and privacy controls. The MyCSF software helps facilitate a readiness assessment, and we're pleased to announce a partnership with the NCC Group, such that you can use Comply and NCC Group is familiar with Comply; NCC Group is very involved in the Aptible Comply platform. That makes it really easy when you need to prepare for that validated assessment. Like Jay said, one of the most important things you can do for a successful experience is have the evidence prepared up front, and through Comply's integration and evidence management features, you'll have that evidence and you'll have continuous monitoring of the controls that in turn satisfy HITRUST.
Chris Gomes (39:49):
With that, you undergo a validated assessment using the MyCSF software, coming full circle, and get that HITRUST letter of certification, and start communicating to the market your trustworthiness and compliance. I wanted to make sure that our contact information was available to everyone here, and then we're going to move into Q&A in just a moment. We did want to take a moment to thank everyone, of course, for being here today before we move into Q&A. You've got Michael's contact information there, you've got my contact information there, and you've got Jay's contact information there, on behalf of NCC Group.
Michael Parisi (40:30):
Hey, Chris, this is Mike, if I may just add a few comments to your points, that I think are really important. We are seeing a movement by a number of organizations to not go this alone. I think that's really important because as Jay will tell you, when you go through your process of scoping out what this assessment needs to look like, a lot of that is obviously driven off of what authoritative sources are applicable to you. You're going to have a number of what we refer to as control requirements, requirements statements, that you need to prove out for somebody like Jay, have documentation for or against all those different elements that he highlighted, and a lot of times you may look at them and say, "Wow, that's a big risk." As you start to go through it, you may identify a number of things that you're not currently doing as an organization. Instead of building it yourself, and starting from the ground up, I highly encourage that you consider working with enabling partners like Aptible, because if there's 400 things that you need to do, you'd be surprised: just by leveraging a solution like this, maybe they're covering off on 200 of them already.
Michael Parisi (41:54):
We're seeing a big move in that direction, looking for HITRUST enabling partners to springboard you, so that there's less you need to do yourself as an organization. I think that is a really important approach to consider. Oftentimes, not only is it cheaper, in many instances, but you can get it done quicker, and oftentimes better. I think that's a really good, important point that you had brought up before.
Chris Gomes (42:25):
Absolutely. Thank you for that insight, Michael. The benefit of Aptible as one of those enabling organizations, as it pertains to HITRUST, as you can see, this webinar is evidence that we are collaborating as much as we can to make sure the experience, while of course, we have to maintain certain arm's length relationships because there's an external need for the validated assessment, NCC Group, HITRUST Alliance, and Aptible are working together to make sure that we can have as streamlined an experience as possible for the customer.
Michael Parisi (43:05):
Yeah. Chris, actually, it looks like we have a question pop in. Maybe we could address that one, because it's related to what you just said. What are HITRUST, NCC Group, and Aptible doing to ensure the information is current? I'll start on my end, and then you guys can take it. As I mentioned before, we are constantly updating our standards and our framework. We usually have a release about every six months, a major release, and then we've got some minor releases, as well. Those are driven off either updates to the underlying authoritative sources. As a regulation changes, or as NIST or ISO, for example, produces an update, we make sure we incorporate that within our framework. That's one. Two would be the addition of new authoritative sources. As new things come up in the marketplace, like CCPA, that obviously wasn't in the framework before, because it didn't exist, as those things come up, we will incorporate those as additional authoritative sources.
Michael Parisi (44:16):
Three would be market-specific asks, or customer-specific asks. If there is enough demand from a specific customer that may have their own unique requirements around security and privacy, we will work with that organization to include what we refer to as a segment, or an overlay, that would be that delta of control requirements that can satisfy those expectations. CMMC is a great example of that, and the things we're doing there. That's what we do. I could tell you the partnership that we have in place with Aptible is to make sure they have immediate access to any updates that we make to our framework, so they can update their platform accordingly. Actually, I think you guys are on 9.4, which is the most recent one. Chris, I don't know if you have anything else to add to that.
Chris Gomes (45:14):
I think you summarized it well. One thing that I wanted to add, and maybe you can elaborate on this Michael, you mentioned, for example, with the emergence of CCPA, updating the HITRUST CSF framework accordingly. One question that also came in on chat here, in which we hear from customers is, if I'm moving through HITRUST CSF, and 9.4 respects the fact that CCPA is now out there, does that mean I am getting credit for CCPA, or that I'm prepared and compliant with the CCPA regulation?
Michael Parisi (45:52):
Yeah, that's a great question. I think Jay can help elaborate on this, as well. When you think about the framework, there's almost 2000 different control requirements that are included within the overall framework. There isn't one organization in the world that's doing all 2000. It really starts with what authoritative sources are relevant to you. The framework is designed so that you can tailor it based upon your organization. What that means is, Chris, we'll use your example, CCPA, that's relevant for you, as long as you're going through the scoping process appropriately, and you select that as an authoritative source, the answer is yes. That will pull in all the requirements that are associated with CCPA. A lot of times when we produce updates to the framework, many organizations get a little nervous, because they're like, "Oh my gosh, I got to do more than what I'm doing now." Not necessarily; if, with the addition of some of those requirements, that authoritative source is not applicable to you, then you may not have the need to do any more. I don't know, Jay, if you have anything to add there.
Jay Trinckes (47:01):
It goes back to communication right up front with your assessor, having them help you along the way, making sure that you have the appropriate scope, and the regulatory factors, and so on. We, again, stay up with your changes, and then from there we modify our test plans, our working papers, so on, to meet those needs. We have to customize... Each assessment is going to be different, each organization is different, so we have to customize our assessment to tailor it to that organization as it relates to complying with the control requirements and so on. If that means bringing in additional requirements through CCPA and other regulatory factors, then we modify it and make sure we make those changes accordingly.
Chris Gomes (47:47):
That's great. Thank you for that. Another question that came in, which I think, Jay, you might be in a good position to help answer is, during that initial scoping with MyCSF, is that something that an assessor like yourself helps with, or is that up to the end customer to, basically, determine their scoping through MyCSF themselves?
Jay Trinckes (48:10):
Yeah. To be frankly honest, we generally, right in our pre-scoping, and as far as you working with us, we will run through those scoping questionnaires and determine our level of effort it's going to take, and that's generally how we set up our statement of work, and our pricing model, for our clients. It's essential for us to understand the environment, to understand what we need to put in scope, and then hopefully, it will stay that way throughout the assessment. Sometimes it does change, and we have to go back and determine what those changes are. That's generally how we work with the client, right up front, to make sure we understand what that scope and the environment is.
Michael Parisi (48:53):
Yeah. Chris, I would add, I would encourage exactly what Jay did, and we always encourage organizations to work with their assessor earlier as opposed to later. Don't wait. We're all good people, but sometimes I think we have a tendency to maybe think we're doing better than we actually are. If you're going down this path of doing a readiness assessment, self assessment, and think you knocked the ball out of the park, Jay comes in and says, "Not really." It would have been a much better story if you guys came to that conclusion together, up front. I always encourage engaging your assessor earlier as opposed to later. The other thing is, they could push it on you, and make sure you're making the right decisions. We have a customer, this happened about a month ago, where they got all the way through the assessment process, and found out that... Remind you, they did their self assessment on their own. Their scoping on their own. Brought in their assessor, all the way through the assessment process, and found out there were several requirements that they were failing.
Michael Parisi (50:00):
They happened to be associated with FedRAMP. After they looked at the assessment, the assessor was just executing like a good soldier, because the customer said, "No. We need FedRAMP." Once the assessor poked underneath the covers a little more, they found out it wasn't even relevant. This organization went through months and hours of work to scope in an authoritative source that wasn't even relevant to them, to go through all that testing, not even get the benefit of the certification over that, whereas if they had their assessor at the table earlier, probably could have poked on them a little more and said, "I don't think that's really relevant for you guys. Why are you going to do an additional 120 things?" I would foot stomp that. It's really important to work with your assessor up front.
Jay Trinckes (50:52):
We will definitely emphasize that. We talked about different phases of readiness, and then moving into the validated. HITRUST has some very strict rules that that validated assessment is a point-in-time assessment, and we as the assessor firm cannot let you go back and correct. We are hoping that you are in a good position before we move into that validated phase.
Chris Gomes (51:14):
That's great. One last question here. What is the recertification process like, and how often is there a recertification or a concept of surveillance audit, or recertification audit, for HITRUST?
Jay Trinckes (51:31):
I can definitely take that for you. HITRUST validation with certification is good for two years. At the interim review, which is on the anniversary date of your report, we do what's called an interim review. It's basically a scaled-down version. We look at one control, generally a random control, from each of the 19 assessment domains. And then, of course, any corrective action plans, as part of our surveillance and continuous monitoring of that. As long as there have been no material changes, or any subsequential changes to your environment, we'll look through, retest all those controls, there's 19 plus whatever corrective action ones you have, submit that through HITRUST, and generally they're good about continuing on with your certification. If they do find a problem, then of course, they will come back with that. After the two years, once your certification expires, we'll need to redo an entire certification over again. Michael, you want to add anything else on that?
Michael Parisi (52:26):
No, I think you nailed it, Jay. I'll add a point onto that question, which is this concept of nurturing. I think Chris alluded to this in the very beginning of our discussion, this isn't a one-and-done exercise. When you make the investment to implement the framework and provide assurances through this mechanism, you got to feed it and you got to water it, and you got to nurture it over time. You need to understand where changes within your environment could cause a degradation within the particular controls, or actually an increase, a maturity of those controls. Having a solution like Aptible not only provides you that insight, it gives you that nurturing capability over that period of time, so when Jay comes back in to do the interim assessment, as you just outlined, on an annual basis, the very first thing he's going to ask you is, "Where are you relative to your corrective action plans, or your gaps? Have you made any progress on those? Can you show me evidence over the last year that you have?"
Michael Parisi (53:39):
Having a solution that's tracking that for you, really real time, and you can show the increase in maturity within your organization, makes that a lot easier. Part of that, don't forget, third parties. Third parties are absolutely critical. It's oftentimes one of the weakest domains that organizations encounter, as they try and go through this process. Naturally, because they don't have as much control. Having a strong third party risk management program in place is critical, especially in today's day and age, when we need to vet third parties and onboard them quicker than we ever have before, which is one of the reasons why we, through our third party risk management program, have really enhanced that over the last several months, and are actually offering it to qualified organizations at no cost for a period of time. By the way, that also integrates with Aptible's solution. Don't forget about third parties.
Chris Gomes (54:40):
Absolutely. To round us out here, Aptible, in addition to your risk management, your policies and procedures, your continuous monitoring of your internal controls, also has a robust vendor inventory to facilitate your vendor management and vendor risk, and third party risk review processes. That brings us to just about a couple minutes left here. I wanted to take this opportunity to thank everyone for their attendance. This webinar will be made available on demand. We'll post it on the Aptible website, and we'll also be making sure that everyone who attended has a link to where they can get a copy of this webinar, if you wanted to review any of the information contained herein. Michael, and Jay, I wanted to take this opportunity to thank both of you in turn. Thank you very much for helping us bear and communicate this great partnership to everyone who attended. If you do have any questions, feel free to reach out to any of us. Again, here's our contact information on this slide, Michael, Chris, and Jay. With that, unless there's any last words from Michael and Jay, we'll give everyone two minutes back here.
Michael Parisi (55:55):
Great. Thanks, Chris.
Jay Trinckes (55:57):
Thank you, everyone.
Chris Gomes (55:59):
All righty. Thanks, everyone.