Best in Class Information Risk Management...


Best in Class Information Risk Management Platform · hitrustalliance.net/content/uploads/MyCSF-Overview.pdf

855.HITRUST • www.HITRUSTalliance.net v.HT-501-03

Regardless of the industry served, organizations are challenged with managing information security risks, data governance, complying with the numerous information protection regulations, and adhering to national and international standards and best practices. HITRUST® understands that addressing these challenges is a priority for organizations of all sizes, in all industries and geographies. Implementing an information risk management framework, performing a thorough and accurate information risk assessment, streamlining remediation activities, and reporting and tracking compliance is resource intensive and complicated at best and in many instances overwhelming. We’ve leveraged our unique position and experience in framework development and information risk management and compliance, combined with processing hundreds of thousands of risk assessments to design the most efficient solution for assessing, managing, and reporting information risk and compliance.

Best in Class Information Risk Management Platform for Assessing and Reporting Information Risk and Compliance

HITRUST CSF – The HITRUST MyCSF incorporates the HITRUST CSF allowing organizations to perform assessments and report against the privacy and security controls of the HITRUST CSF or any one of the over 40 authoritative sources currently included in the framework, such as NIST 800-53, ISO 27000, NIST Cybersecurity Framework, HIPAA, PCI, FFIEC, and GDPR.

Key Components of MyCSF

[Figure: CSF Assurance Methodology, HITRUST CSF Assessment Platform]

HITRUST CSF Assurance Methodology – The HITRUST CSF Assurance Program provides a simplified and consistent approach to assessments and reporting against the HITRUST CSF and any of the over 40 authoritative sources it incorporates. This risk-based assurance approach, which is governed and managed by HITRUST, is designed to address evolving information threats and unique regulatory and business needs of organizations while delivering an effective, standardized and streamlined assessment process for reporting compliance and information risk posture. Since the HITRUST CSF synthesizes numerous standards and frameworks into a single comprehensive and harmonized framework, it eliminates the need for multiple assessments or answering redundant assessment questions, an approach we refer to as “Assess Once, Report Many.”

HITRUST MyCSF Assessment Platform – The HITRUST MyCSF makes it easy and cost-effective for an organization to manage information risk and meet international, federal, and state regulations concerning privacy and security. The HITRUST MyCSF tool provides global organizations of all sizes with a purposefully designed and engineered SaaS solution for performing risk assessments, and corrective action plan management, including enhanced benchmarking and dashboards as well as integration with major GRC platforms and the HITRUST Assessment XChange™. The HITRUST MyCSF is a solution that will support an organization’s evolving assessment needs that align with managing risk in the ever-changing cyber threat, information risk, and global regulatory landscape.


Overview

MyCSF – Features

✓ Assessment Navigation – Provides an intuitive application design coupled with dynamic logic that guides users
✓ CSF Assessment Preview – Provides an understanding of the implications that changes in scope, authoritative sources or CSF version will have on an assessment
✓ Evidence Support – Maintain a library of supporting documentation and link them to control requirements and maturity domains
✓ Aggregated Respondent Answers – Aggregates scoring for assessment questions that have been delegated to multiple respondents based on weights you determine
✓ Advanced Analytics & Dashboards – Includes the ability to create customized charts and dashboards
✓ Benchmarking – Customized benchmarks against populations that you choose
✓ UI and Platform Support – Enables full functionality for desktop, tablet and mobile use
✓ Control Inheritance – Supports the ability to inherit control scores from internal and external assessments
✓ Comprehensive Reporting – Includes compliance reporting on various authoritative sources
✓ Robust API – Enables integration and exchange of assessment related information with GRC tools and the HITRUST Assessment XChange

By utilizing MyCSF, an organization can reduce resources, improve efficiencies, enhance reporting and dashboards, streamline assessment modeling and share assessment information with other applications relating to information risk management and compliance.


Below are some of the advanced subscription features of MyCSF that simplify the process of sharing information, provide a comparison of your organization’s assessment scores, and streamline analytics and reporting.

Inheritance - Benchmarking - Advanced Analytics

Inheritance

Inheritance allows scores from one assessment to be applied to another assessment. This can occur within an organization (internal) or from another organization (external).

Response inheritance enables hosting, cloud, and service providers* to make assessment scores available for inheritance into any organization’s assessment—easily, seamlessly, and automatically. This simplifies the process and reduces the effort necessary for hosting and service organization customers to be assessed. By working with a participating service provider, customers can reduce the required testing and associated costs for inherited controls in a fully automated manner.

External inheritance allows an organization to inherit assessment controls from a service provider’s HITRUST CSF Validated Assessment into their own assessment as long as the services they are providing are covered under the scope of the original assessment.

Key Benefits of Response and External Inheritance:

✓ Reduces risk
✓ Gain higher assurance when relying on third-party service providers
✓ Gain another layer of protection
✓ Reduces data entry and effort
✓ Reduces testing required

Internal inheritance gives organizations the ability to inherit control scores from one of their assessments and apply them to another of their assessments, streamlining the assessment process.

Key Benefits:

✓ Flexibility of approach by allowing organizations to assess parts of their organization and build upon them through inheritance into subsequent assessments
✓ Only assess an application, infrastructure component, server, or location once, then leverage it as part of other assessments

Benchmarking

Basic – Enables a comparison of your organization’s assessment scores against all HITRUST CSF Validated Assessments to understand how you compare to the average scores.

Advanced – With advanced benchmarking, organizations can compare assessment scores against specific types of population segments, sizes, types and number of employees yielding a more relevant analysis. The ability to accurately compare to appropriate peer groups provides a more precise comparison which is ideal for management communication.

* To take advantage of this offering, service providers must have an appropriate MyCSF subscription and a current HITRUST CSF Validated Assessment in good standing.


Advanced Analytics, Dashboards and Comprehensive Reporting

The MyCSF analytics and reporting solution is essential to enabling actionable discussions across the entire organization. Management and users can easily create and collaborate on the progress and outcomes of a HITRUST CSF assessment. MyCSF analytics streamlines analysis and reporting for all levels of management and Board of Directors.

Analytics and Reporting Packages:

Basic – This option provides pre-defined, static reports that are similar to the dashboards and allows for effective communication.

Advanced – Enables reporting on administrative details and factors, assessment status, illustrative procedures and CAPs. This reporting option allows access to the full suite of dashboards and reports.

Premium – In addition to the Advanced package, the Premium package allows for the creation of customized reports and defined dashboards, enabling organizations to tailor specific reporting and analysis to fit their needs.

Robust API

Streamline integration with GRC or other risk management tools.

The MyCSF API allows you to exchange information with risk management and GRC tools. By providing API access, HITRUST allows for assessment data to be exchanged in an automated fashion allowing organizations to manage risk in their native toolsets.


© 2020 HITRUST All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than being shared as is in full, in any form or by any means, electronical or mechanical, without HITRUST’s prior written permission.


Subscription Options:

MyCSF is available at various subscription levels. Report only access limits you to the functionality required to perform an assessment and submit to HITRUST for processing. Annual subscriptions to MyCSF afford access to more enhanced features that streamline and enhance the process of performing an assessment, thereby managing your HITRUST CSF adoption. Subscription level and associated features are:

HITRUST’s management and support of the MyCSF tool set it apart as a one-of-a-kind resource.

MyCSF is offered in varying subscription levels. For more information, visit the MyCSF webpage or contact [email protected].