
HITRUST

Common Security Framework

2014 – Version 6.0

This document contains copyrighted information owned by HITRUST or its suppliers. The use and distribution of this information
are subject to the following terms: (1) The information is for internal or personal use by the licensee only and (2) The information
may be used only during the term of a valid HITRUST license. Copying, dissemination or use of this information contrary to these
terms is a violation of U.S. law and may be grounds for criminal or civil penalties.

Page 1 of 488
Summary of Changes

| Version | Description of Change | Author | Date Published |
|---|---|---|---|
| 1.0 | Final Version of Initial Release | HITRUST | September 11, 2009 |
| 2.0 | NIST SP 800-53 r2; PCI-DSS v1.2; HITECH; ISO/IEC 27002 Rework | HITRUST | January 12, 2010 |
| 2.1 | (State of Mass.) 201 CMR 17.00 | HITRUST | March 1, 2010 |
| 2.2 | Cloud Security Alliance Controls Matrix v1.0; Joint Commission (formerly JCAHO) Information Management; State of Nevada (NRS 603A) | HITRUST | September 10, 2010 |
| 3.0 | CMS IS ARS v1 - Appendix A (HIGH) | HITRUST | December 1, 2010 |
| 3.1 | PCI-DSS v2.0 | HITRUST | August 4, 2011 |
| 4.0 | NIST SP 800-53 r3; HIE WG Recommendations; NIST-ISO-HIPAA Harmonization | HITRUST | December 28, 2011 |
| 5.0 | NIST SP 800-53 r4 (Feb 2012 IPD); Texas Gen. Laws § 181 (“TX HB 300”); HITECH (MU Stage 2); CAQH Committee on Operating Rules for Information Exchange (CORE); NIST-CMS Harmonization; Implementation Requirement Harmonization for CSF 2013 Certification-required Controls | HITRUST | January 28, 2013 |
| 6.0 | NIST SP 800-53 r4 (Apr 2013 FPD); CMS IS ARS v1.5 (2012); Title 1 TX Admin. Code 390.2 (TX Standards), including privacy requirements to support TX certification of the HIPAA Privacy Rule; NIST-CMS Harmonization (Publication Updates) | HITRUST | February 12, 2014 |

CSF Table of Contents
Introduction ...................................................................................................................................................................................... 11
Organization of the CSF................................................................................................................................................................ 13
Key Components ........................................................................................................................................................................ 13
Control Categories ..................................................................................................................................................................... 14
Implementation Requirement Levels................................................................................................................................ 15
Segment Specific Requirements .......................................................................................................................................... 16
Risk Factors .................................................................................................................................................................................. 16
Alternate Controls ..................................................................................................................................................................... 18
Evolution of the CSF.................................................................................................................................................................. 18
CSF Assurance and MyCSF ..................................................................................................................................................... 19
Implementing the CSF .................................................................................................................................................................. 21
Management Commitment .................................................................................................................................................... 21
Scope ............................................................................................................................................................................................... 21
Organization ................................................................................................................................................................................ 21
Systems .......................................................................................................................................................................................... 21
Implementation .......................................................................................................................................................................... 22
Critical Success Factors ........................................................................................................................................................... 22
Primary Reference Material ....................................................................................................................................................... 23
Control Category: 0.0 - Information Security Management Program ....................................................................... 27
Objective Name: 0.01 Information Security Management Program..................................................................... 27
Control Reference: 0.a Information Security Management Program ...........................................27
Control Category: 01.0 - Access Control................................................................................................................................ 31
Objective Name: 01.01 Business Requirement for Access Control ....................................................................... 31
Control Reference: 01.a Access Control Policy ...........................................................................31
Objective Name: 01.02 Authorized Access to Information Systems..................................................................... 33
Control Reference: 01.b User Registration ...................................................................................33
Control Reference: 01.c Privilege Management ...........................................................................37
Control Reference: 01.d User Password Management .................................................................42
Control Reference: 01.e Review of User Access Rights ..............................................................46
Objective Name: 01.03 User Responsibilities ................................................................................................................ 48
Control Reference: 01.f Password Use .........................................................................................48
Control Reference: 01.g Unattended User Equipment .................................................................51
Control Reference: 01.h Clear Desk and Clear Screen Policy......................................................53
Objective Name: 01.04 Network Access Control .......................................................................................................... 55
Control Reference: 01.i Policy on the Use of Network Services ..................................................55
Control Reference: 01.j User Authentication for External Connections .......................................58
Control Reference: 01.k Equipment Identification in Networks ...................................................61
Control Reference: 01.l Remote Diagnostic and Configuration Port Protection ...........................63
Control Reference: 01.m Segregation in Networks ......................................................................66
Control Reference: 01.n Network Connection Control ................................................................69
Control Reference: 01.o Network Routing Control ......................................................................72
Objective Name: 01.05 Operating System Access Control ........................................................................................ 74
Control Reference: 01.p Secure Log-on Procedures.....................................................................74
Control Reference: 01.q User Identification and Authentication ..................................................78
Control Reference: 01.r Password Management System ...............................................................82
Control Reference: 01.s Use of System Utilities ...........................................................................85
Control Reference: 01.t Session Time-out ....................................................................................88
Objective Name: 01.06 Application and Information Access Control .................................................................. 91
Control Reference: 01.v Information Access Restriction .............................................................91
Control Reference: 01.w Sensitive System Isolation ....................................................................95
Objective Name: 01.07 Mobile Computing and Teleworking .................................................................................. 97
Control Reference: 01.x Mobile Computing and Communications .............................................97
Control Reference: 01.y Teleworking.........................................................................................100
Control Category: 02.0 - Human Resources Security.....................................................................................................104
Objective Name: 02.01 Prior to Employment ..............................................................................................................104
Control Reference: 02.a Roles and Responsibilities ...................................................................104
Control Reference: 02.b Screening ...............................................................................................106
Objective Name: 02.02 During On-Boarding ................................................................................................................109
Control Reference: 02.c Terms and Conditions of Employment ................................................109
Objective Name: 02.03 During Employment ................................................................................................................113
Control Reference: 02.d Management Responsibilities..............................................................113
Control Reference: 02.e Information Security Awareness, Education and Training .................116
Control Reference: 02.f Disciplinary Process .............................................................................120
Objective Name: 02.04 Termination or Change of Employment .........................................................................123
Control Reference: 02.g Termination or Change Responsibilities .............................................123
Control Reference: 02.h Return of Assets ..................................................................................125
Control Reference: 02.i Removal of Access Rights ...................................................................127
Control Category: 03.0 - Risk Management .......................................................................................................................131
Objective Name: 03.01 Risk Management Program ..................................................................................................131
Control Reference: 03.a Risk Management Program Development ...........................................131
Control Reference: 03.b Performing Risk Assessments .............................................................134
Control Reference: 03.c Risk Mitigation ....................................................................................137
Control Reference: 03.d Risk Evaluation ...................................................................................140
Control Category: 04.0 - Security Policy .............................................................................................................................143
Objective Name: 04.01 Information Security Policy .................................................................................................143
Control Reference: 04.a Information Security Policy Document ...............................................143
Control Reference: 04.b Review of the Information Security Policy ..........................................146
Control Category: 05.0 - Organization of Information Security ................................................................................151
Objective Name: 05.01 Internal Organization .............................................................................................................151
Control Reference: 05.a Management Commitment to Information Security ............................151
Control Reference: 05.b Information Security Coordination .....................................................154
Control Reference: 05.d Authorization Process for Information Assets and Facilities ...............163
Control Reference: 05.e Confidentiality Agreements .................................................................165
Control Reference: 05.f Contact with Authorities ......................................................................168
Control Reference: 05.g Contact with Special Interest Groups ..................................................170
Control Reference: 05.h Independent Review of Information Security .....................................172
Objective Name: 05.02 External Parties.........................................................................................................................174
Control Reference: 05.i Identification of Risks Related to External Parties ..............................174
Control Reference: 05.j Addressing Security When Dealing with Customers ...........................178
Control Reference: 05.k Addressing Security in Third Party Agreements .................................181
Control Category: 06.0 – Compliance ...................................................................................................................................187
Objective Name: 06.01 Compliance with Legal Requirements .............................................................................187
Control Reference: 06.a Identification of Applicable Legislation ..............................................187
Control Reference: 06.b Intellectual Property Rights .................................................................189
Control Reference: 06.c Protection of Organizational Records ..................................................191
Control Reference: 06.d Data Protection and Privacy of Covered Information .........................195
Control Reference: 06.e Prevention of Misuse of Information Assets .......................................198
Control Reference: 06.f Regulation of Cryptographic Controls .................................................201
Objective Name: 06.02 Compliance with Security Policies and Standards and Technical Compliance ........204
Control Reference: 06.g Compliance with Security Policies and Standards ..............................204
Control Reference: 06.h Technical Compliance Checking.........................................................207
Objective Name: 06.03 Information System Audit Considerations ....................................................................209
Control Reference: 06.i Information Systems Audit Controls....................................................209
Control Reference: 06.j Protection of Information Systems Audit Tools ..................................212
Control Category: 07.0 - Asset Management .....................................................................................................................214
Objective Name: 07.01 Responsibility for Assets .......................................................................................................214
Control Reference: 07.a Inventory of Assets ..............................................................................214
Control Reference: 07.b Ownership of Assets ............................................................................218
Control Reference: 07.c Acceptable Use of Assets ....................................................................221
Control Reference: 07.d Classification Guidelines .....................................................................223
Control Reference: 07.e Information Labeling and Handling ....................................................225
Control Category: 08.0 - Physical and Environmental Security ................................................................................230
Objective Name: 08.01 Secure Areas ...............................................................................................................................230
Control Reference: 08.a Physical Security Perimeter .................................................................230
Control Reference: 08.b Physical Entry Controls .......................................................................233
Control Reference: 08.c Securing Offices, Rooms, and Facilities .............................................237
Control Reference: 08.d Protecting Against External and Environmental Threats ....................239
Control Reference: 08.e Working in Secure Areas .....................................................................242
Objective Name: 08.02 Equipment Security .................................................................................................................246
Control Reference: 08.g Equipment Siting and Protection .........................................................246
Control Reference: 08.h Supporting Utilities .............................................................................249
Control Reference: 08.i Cabling Security ...................................................................................253
Control Reference: 08.j Equipment Maintenance .......................................................................255
Control Reference: 08.k Security of Equipment Off-Premises ..................................................260
Control Reference: 08.l Secure Disposal or Re-Use of Equipment ............................................262
Control Reference: 08.m Removal of Property ..........................................................................264
Control Category: 09.0 - Communications and Operations Management.............................................................266
Objective Name: 09.01 Documented Operating Procedures .................................................................................266
Control Reference: 09.a Documented Operations Procedures ...................................................266
Control Reference: 09.b Change Management ...........................................................................268
Control Reference: 09.c Segregation of Duties ...........................................................................270
Control Reference: 09.e Service Delivery ..................................................................................275
Control Reference: 09.f Monitoring and Review of Third Party Services .................................278
Control Reference: 09.g Managing Changes to Third Party Services ........................................280
Objective Name: 09.03 System Planning and Acceptance ......................................................................................282
Control Reference: 09.h Capacity Management .........................................................................282
Control Reference: 09.i System Acceptance ..............................................................................284
Objective Name: 09.04 Protection Against Malicious and Mobile Code ...........................................................286
Control Reference: 09.j Controls Against Malicious Code ........................................................286
Control Reference: 09.k Controls Against Mobile Code ............................................................290
Objective Name: 09.05 Information Back-Up ..............................................................................................................293
Control Reference: 09.l Back-up ................................................................................................293
Objective Name: 09.06 Network Security Management ..........................................................................................296
Control Reference: 09.m Network Controls ...............................................................................296
Control Reference: 09.n Security of Network Services ..............................................................304
Objective Name: 09.07 Media Handling .........................................................................................................................306
Control Reference: 09.o Management of Removable Media .....................................................306
Control Reference: 09.p Disposal of Media ...............................................................................310
Control Reference: 09.q Information Handling Procedures .......................................................312
Objective Name: 09.08 Exchange of Information .......................................................................................................317
Control Reference: 09.s Information Exchange Policies and Procedures ..................................317
Control Reference: 09.t Exchange Agreements ..........................................................................323
Control Reference: 09.u Physical Media in Transit ....................................................................325
Control Reference: 09.v Electronic Messaging ..........................................................................328
Control Reference: 09.w Interconnected Business Information Systems ...................................329
Objective Name: 09.09 Electronic Commerce Services ...........................................................................................332
Control Reference: 09.x Electronic Commerce Services ...........................................................332
Control Reference: 09.y On-Line Transactions ..........................................................................335
Control Reference: 09.z Publicly Available Information ...........................................................337
Objective Name: 09.10 Monitoring...................................................................................................................................340
Control Reference: 09.aa Audit Logging ....................................................................................340
Control Reference: 09.ac Protection of Log Information ...........................................................351
Control Reference: 09.ad Administrator and Operator Logs ......................................................353
Control Reference: 09.ae Fault Logging .....................................................................................355
Control Reference: 09.af Clock Synchronization .......................................................................357
Control Category: 10.0 - Information Systems Acquisition, Development, and Maintenance......................360
Objective Name: 10.01 Security Requirements of Information Systems .........................................................360
Control Reference: 10.a Security Requirements Analysis and Specification .............................360
Objective Name: 10.02 Correct Processing in Applications ...................................................................................363
Control Reference: 10.b Input Data Validation ..........................................................................364
Control Reference: 10.c Control of Internal Processing .............................................................367
Control Reference: 10.d Message Integrity ................................................................................371
Control Reference: 10.e Output Data Validation ........................................................................372
Objective Name: 10.03 Cryptographic Controls .........................................................................................................374
Control Reference: 10.f Policy on the Use of Cryptographic Controls ......................................374
Control Reference: 10.g Key Management ................................................................................377
Objective Name: 10.04 Security of System Files .........................................................................................................380
Control Reference: 10.h Control of Operational Software .........................................................381
Control Reference: 10.i Protection of System Test Data ............................................................383
Control Reference: 10.j Access Control to Program Source Code .............................................385
Objective Name: 10.05 Security in Development and Support Processes .......................................................387
Control Reference: 10.k Change Control Procedures .................................................................387
Control Reference: 10.l Outsourced Software Development .....................................................394
Objective Name: 10.06 Technical Vulnerability Management ..............................................................................396
Control Reference: 10.m Control of Technical Vulnerabilities ..................................................396
Control Category: 11.0 - Information Security Incident Management ...................................................................402
Objective Name: 11.01 Reporting Information Security Incidents and Weaknesses ..................................402
Control Reference: 11.a Reporting Information Security Events ...............................................402
Control Category: 11.0 - Information Security Incident Management .......................................409
Objective Name: 11.02 Management of Information Security Incidents and Improvements .................412
Control Reference: 11.c Responsibilities and Procedures ..........................................................412
Control Reference: 11.d Learning from Information Security Incidents ....................................418
Control Reference: 11.e Collection of Evidence ........................................................................420
Control Category: 12.0 - Business Continuity Management .......................................................................................424
Objective Name: 12.01 Information Security Aspects of Business Continuity Management ...................424
Control Reference: 12.a Including Information Security in the Business Continuity Management Process ........424
Control Reference: 12.b Business Continuity and Risk Assessment ..........................................426
Control Reference: 12.c Developing and Implementing Continuity Plans Including Information
Security .......................................................................................................................................429
Control Reference: 12.d Business Continuity Planning Framework ..........................................436
Control Reference: 12.e Testing, Maintaining and Re-Assessing Business Continuity Plans ...439
Control Category: 13.0 – Privacy Practices ........................................................................................................................444
Objective Name: 13.01 – Openness and Transparency............................................................................................444
Control Reference: 13.a Notice of Privacy Practices..................................................................444
Control Reference: 13.b Rights to Protection and Confidentiality .............................................446
Control Reference: 13.c Authorization Required .......................................................................449
Control Reference: 13.d Opportunity Required ..........................................................................453
Control Reference: 13.e Authorization or Opportunity Not Required .......................................455
Objective Name: 13.02 – Individual Choice and Participation..............................................................................459
Control Reference: 13.f Access to Individual Information .........................................................459
Control Reference: 13.g Accounting of Disclosures ..................................................................461
Control Reference: 13.h Correction of Records .........................................................................463
Control Reference: 13.i Required Uses and Disclosures ............................................................465
Control Reference: 13.j Permitted Uses and Disclosures ...........................................................467
Objective Name: 13.03 - Correction .................................................................................................................................472
Control Reference: 13.k Prohibited or Restricted Uses and Disclosures....................................472
Control Reference: 13.l Minimum Necessary Use .....................................................................474
Control Reference: 13.m Confidential Communications............................................................476
Control Reference: 13.n Organizational Requirements ..............................................................479

Introduction
The Health Information Trust Alliance (HITRUST) exists to ensure that information security
becomes a core pillar of, rather than an obstacle to, the broad adoption of health information
systems and exchanges.

All organizations within the healthcare industry currently face multiple challenges regarding
information security. These challenges include:

• Public and regulatory concern over the increasing number of breaches in the industry
• Redundant and inconsistent requirements and standards for healthcare organizations
• Inconsistent adoption of minimum controls
• Inability to implement security in medical devices and healthcare applications
• Rapidly changing business, technology and regulatory environment
• Ineffective and inefficient internal compliance management processes
• Inconsistent business partner requirements and compliance expectations
• Increasing scrutiny from regulators, auditors, underwriters, customers and business
partners
• Growing risk and liability associated with information security.

HITRUST collaborated with healthcare, business, technology, and information security leaders
and established the Common Security Framework (CSF) to be used by any and all organizations
that create, access, store, or exchange protected health information. HITRUST is driving
adoption and widespread confidence in the CSF and sound risk mitigation practices through the
HITRUST Central community that provides awareness, education, advocacy, support,
knowledge‐sharing, and additional leadership and outreach activities.

The HITRUST CSF addresses these industry challenges by leveraging and enhancing existing
standards and regulations to provide organizations of varying sizes and risk profiles with
prescriptive implementation requirements. In doing so, the HITRUST CSF accomplishes the
following:

• Establishes a single benchmark for organizations to facilitate internal and external
measurement that incorporates the requirements of applicable standards and
regulations including ISO, PCI, COBIT, HIPAA, HITECH, and NIST
• Increases trust and transparency among business partners and consumers by
incorporating best practices, building confidence, and streamlining interactions across
the industry
• Obtains industry consensus on the most effective way to address information security
while containing the cost of compliance and the number, complexity, and degree of
variation in security audits or reviews.

By engaging HITRUST, implementing the CSF, and getting assessed, organizations will have a
common security baseline and mechanism for communicating validated security controls to a
variety of constituents without redundant, overlapping, frequent, and costly audits.

The following HITRUST documents, located under the Downloads section on HITRUST Central,
should be referenced for additional program background and guidance on using the CSF:

• HITRUST CSF Executive Summary
• HITRUST CSF Assurance Program Requirements
• HITRUST CSF Assessment Methodology
• HITRUST CSF Standards and Regulations Cross-Reference
• HITRUST CSF Assessor Requirements
• HITRUST Risk Analysis Guide for HITRUST Organizations

Organization of the CSF
HIPAA is not prescriptive, which makes it open to interpretation and difficult to apply.
Organizations must necessarily reference additional standards for guidance on how to
implement the requirements specified by HIPAA. It is also not the only set of security
requirements healthcare organizations need to address (e.g., PCI, state, business partner
requirements).

The HITRUST Common Security Framework (CSF) is not a new standard. The CSF is a
framework that normalizes the security requirements of healthcare organizations including
federal legislation (e.g., ARRA and HIPAA), federal agency rules and guidance (e.g., NIST, FTC
and CMS), state legislation (e.g., Nevada, Massachusetts and Texas), and industry frameworks
(e.g., PCI and COBIT), so the burden of compliance with the CSF is no more than what already
applies to healthcare organizations. The CSF was built to simplify these issues by providing
direction for security tailored to the needs of the organization. The CSF is the only framework
built to provide scalable security requirements based on the different risks and exposures of
organizations in the industry.

The HITRUST CSF also supports the requirements for an industry-specific cybersecurity
program outlined in the new Cybersecurity Framework, developed as part of a public-private
sector partnership between NIST and representatives from multiple critical infrastructure
industries. The NIST framework provides broad guidance to critical infrastructure industries
on the development and implementation of industry, sector, or organizational-level risk
management programs that are holistic, based upon a common set of principles, and can be
communicated with stakeholders regardless of organization, sector or industry. The HITRUST
CSF, along with the CSF Assurance Program and associated methodologies and tools, provides a
model implementation of the Cybersecurity Framework for the healthcare industry.

Key Components
The HITRUST CSF includes but is not limited to the following major components:

• Information Security Implementation Requirements: Certifiable and best-practice
based specifications that include sound security governance practices (e.g., organization
and policies) and security control practices (e.g., people, process, and technology) that
scale according to the type, size, and complexity of each organization.
• Standards and Regulations Mapping: A reconciliation of the framework to common
and unique aspects of generally adopted standards.

The CSF includes the control objectives and control specifications based on the ISO/IEC
27001:2005 and ISO/IEC 27002:2005 standards. These guidelines from ISO were enhanced,
leveraging the NIST 800-series framework documents, ISO/IEC 27799:2008 Health Informatics
(guidance for information security management for healthcare organizations using ISO/IEC
27002), HIPAA, PCI, COBIT, HITECH, State requirements, and the experience and best practices
of the HITRUST community.

The CSF normalizes all of this material into the requirements of the CSF, referencing the
applicable standards and regulations as authoritative sources.

Control Categories
The CSF contains 13 security Control Categories comprising 42 Control Objectives and 135
Control Specifications¹. The CSF Control Categories, each accompanied by its number of objectives
and specifications, are:

0. Information Security Management Program (1, 1)
1. Access Control (7, 25)
2. Human Resources Security (4, 9)
3. Risk Management (1, 4)
4. Security Policy (1, 2)
5. Organization of Information Security (2, 11)
6. Compliance (3, 10)
7. Asset Management (2, 5)
8. Physical and Environmental Security (2, 13)
9. Communications and Operations Management (10, 32)
10. Information Systems Acquisition, Development and Maintenance (6, 13)
11. Information Security Incident Management (2, 5)
12. Business Continuity Management (1, 5)

It should be noted that the order of the control categories does not necessarily imply their
importance, and all security controls should be considered important. However, the full
implementation of an Information Security Management Program (Control Category 0) will
allow an organization to better identify and understand its needs, objectives, and
requirements for information security. This will in turn allow the organization to identify,
define, and manage the processes and resources that are necessary for the implementation of
the rest of the CSF.

¹ Although not formally a part of CSF 2014 (v6), HITRUST has proposed a new Control Category, 13.0 Privacy
Practices, to support Texas certification of the HIPAA Privacy Rule. Formal incorporation of privacy requirements into
the CSF will occur once the HITRUST Board of Directors approves of the Privacy Working Group’s recommendations.
However, some of the supporting privacy requirements, which map to the existing 13 Control Categories, are included in
this release.

Each control category contains the following:

Control Reference: Control number and title.

Control Objective: Statement of the desired result or purpose of what is to be achieved.

Control Specification: The policies, procedures, guidelines, practices or organizational
structures, which can be of administrative, technical, management, or legal nature to meet the
control objective.

Risk Factor: Listing of organizational, system, and regulatory factors that drive requirements
for a higher level of control.

Implementation Requirement: Detailed information to support the implementation of the
control and meeting the control objective. Up to three (3) levels of requirements are defined
based on the relevant organizational or system applicability factors. Level 1 provides the
minimum baseline control requirements as determined by the industry. Each additional level
encompasses the lower levels and includes additional requirements commensurate with
increasing levels of risk.

Control Assessment Guidance: Guidance in performing an assessment is included in the
online version of the CSF, available as Illustrative Procedures in MyCSF, to provide clarity to
both assessor organizations and those adopting the CSF (e.g., internal audit) when validating
the security controls implemented by the organization against the requirements of the CSF.
This guidance includes examination of documentation, interviewing of personnel, and testing of
technical implementation. These procedures exist solely as guidance and are neither
comprehensive nor required for assessments submitted to HITRUST for review.

Standard Mapping: The cross-reference between each Implementation Requirement Level and
the requirements and controls of other common standards and regulations.

Implementation Requirement Levels
The HITRUST CSF follows a risk-based approach by practically applying security resources
commensurate with the level of risk or as required by applicable regulations or standards.
HITRUST addresses risk by defining multiple levels of implementation requirements, which
increase in restrictiveness. Three levels of requirements are defined based on organizational,
system, or regulatory risk factors. Level 1 is considered the baseline level of control
requirements as determined by the industry; each subsequent level encompasses the lower
levels and includes additional requirements commensurate with increased risk.

Segment Specific Requirements
Certain industry segments have specific requirements that do not apply to other segments or would
not be considered reasonable and appropriate from a general controls perspective. For example, the
HITRUST CSF contains a CMS Contractors category which outlines additional controls and
requirements that contractors of CMS will need to implement in addition to those controls listed in
the Implementation Requirement Levels. An example of this would be requiring specific
authorization or approval from the CMS CIO. New for 2014 are segment-specific requirements for
Texas covered entities and Federal Tax Information (FTI) custodians.

Risk Factors
The HITRUST CSF defines a number of organizational, system, and regulatory risk factors that
increase the inherent risk to an organization or system, necessitating a higher level of control.

Organization Factors: The Organizational Factors are defined based on the size of the
organization and complexity of the environment as follows:

• Volume of business
◦ Health Plan / Insurance – Number of Covered Lives
◦ Medical Facilities / Hospital – Number of Licensed Beds
◦ Pharmacy Companies – Number of Prescriptions Per Year
◦ Physician Practice – Number of Visits Per Year
◦ Third Party Processor – Number of Records Processed Per Year
◦ Biotech Companies – Annual Spend on Research and Development
◦ IT Service Provider / Vendor – Number of Employees
◦ Health Information Exchange – Number of Transactions Per Year
• Geographic scope
◦ State
◦ Multi-state
◦ Off-shore (outside U.S.)

Regulatory Factors: The regulatory factors are defined based on the compliance requirements
applicable to an organization and systems in its environment:

• Subject to PCI Compliance
• Subject to FISMA Compliance
• Subject to FTC Red Flags Rules
• Subject to HITECH Breach Notification Requirements
• Subject to the State of Massachusetts Data Protection Act
• Subject to the State of Nevada Security of Personal Information Requirements
• Subject to the State of Texas Medical Records Privacy Act
• Subject to Joint Commission Accreditation
• Subject to CMS Minimum Security Requirements (High-level Baseline)

System Factors: The system factors are defined considering various system attributes that
would increase the likelihood or impact of a vulnerability being exploited. These factors are to
be assessed for each system or system grouping to determine the associated level of control.
The System Factors are:

• Stores, processes, or transmits PHI
• Accessible from the Internet
• Accessible by a third party
• Exchanges data with a third party/business partner
• Publicly accessible
• Mobile devices are used
• Connects with or exchanges data with an HIE
• Number of interfaces to other systems
• Number of users
• Number of transactions per day

For a system to increase from a Level 1 Implementation Requirement to a Level 2 or 3
Implementation Requirement, the system must be processing ePHI AND include at least one of
the other system factors associated with the control.

For example, if a system is accessible from the Internet, exchanges data with a business partner,
and has the Level 2 threshold number of users, but DOES NOT process ePHI, that system is only
required to meet the Level 1 Implementation Requirements. However, if another system DOES
process ePHI AND is accessible from the Internet, then that system must meet an
Implementation Requirement level higher than Level 1.

Factor Logic: If a control contains more than one category of factors, the organization must
adhere to the highest Implementation Requirement level that any of those factors drives it to.

For example, if a health plan is at the Level 2 threshold for a control based on its number of
covered lives but must also be FISMA compliant (implementing and adhering to the controls of
NIST), the organization must implement the Level 3 requirements of the CSF, since FISMA is a
Level 3 Regulatory Factor for that control.
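The two rules above (system factors count only for systems that process ePHI, and the highest level driven by any factor category wins) written out as a small decision procedure. This is an added example, not HITRUST's code or tooling; the thresholds and factor-to-level assignments it uses for the control are hypothetical, since the CSF defines them per control.

```python
"""Worked example: selecting a CSF Implementation Requirement level.

Added illustration, not HITRUST's code. The threshold values and the
factor-to-level assignments below are hypothetical stand-ins for a single
control; the CSF defines them per control. Only the combination rules come
from the text:
  * system factors raise a system above Level 1 only if it handles ePHI AND
    at least one other system factor tied to the control applies;
  * when several factor categories apply, the highest level wins.
"""
from dataclasses import dataclass

LEVEL_1, LEVEL_2, LEVEL_3 = 1, 2, 3


@dataclass(frozen=True)
class ControlFactors:
    """Risk-factor thresholds tied to one control (hypothetical values)."""
    org_level_2_min: int          # volume of business (e.g. covered lives)
    org_level_3_min: int
    regulatory_levels: dict       # regulation -> level it drives
    system_levels: dict           # system factor -> level it drives
    users_level_2_min: int        # number-of-users system factor
    users_level_3_min: int


@dataclass(frozen=True)
class Subject:
    """What is assessed: one organization and one of its systems."""
    volume_of_business: int = 0
    regulations: frozenset = frozenset()
    handles_ephi: bool = False
    system_factors: frozenset = frozenset()
    users: int = 0


def organizational_level(cf: ControlFactors, s: Subject) -> int:
    if s.volume_of_business >= cf.org_level_3_min:
        return LEVEL_3
    if s.volume_of_business >= cf.org_level_2_min:
        return LEVEL_2
    return LEVEL_1


def regulatory_level(cf: ControlFactors, s: Subject) -> int:
    # A regulation the control is not tied to contributes nothing (Level 1).
    return max((cf.regulatory_levels.get(r, LEVEL_1) for r in s.regulations),
               default=LEVEL_1)


def system_level(cf: ControlFactors, s: Subject) -> int:
    # Gate from the text: without ePHI, other system factors never lift the level.
    if not s.handles_ephi:
        return LEVEL_1
    levels = [cf.system_levels.get(f, LEVEL_1) for f in s.system_factors]
    if s.users >= cf.users_level_3_min:
        levels.append(LEVEL_3)
    elif s.users >= cf.users_level_2_min:
        levels.append(LEVEL_2)
    # ePHI alone, with no other system factor, stays at Level 1.
    return max(levels, default=LEVEL_1)


def required_level(cf: ControlFactors, s: Subject) -> int:
    """Factor Logic: the highest level that any factor category drives."""
    return max(organizational_level(cf, s), regulatory_level(cf, s),
               system_level(cf, s))


# Hypothetical factor table for one control (all values constructed).
EXAMPLE_CONTROL = ControlFactors(
    org_level_2_min=1_000_000, org_level_3_min=7_500_000,
    regulatory_levels={"FISMA": LEVEL_3, "PCI": LEVEL_2},
    system_levels={"internet_accessible": LEVEL_2,
                   "exchanges_with_business_partner": LEVEL_2,
                   "publicly_accessible": LEVEL_3},
    users_level_2_min=500, users_level_3_min=5_000,
)


def page_examples() -> dict:
    """The three scenarios the text walks through, evaluated against the table."""
    no_ephi = Subject(handles_ephi=False, users=600,
                      system_factors=frozenset({"internet_accessible",
                                                "exchanges_with_business_partner"}))
    with_ephi = Subject(handles_ephi=True,
                        system_factors=frozenset({"internet_accessible"}))
    health_plan = Subject(volume_of_business=2_000_000,
                          regulations=frozenset({"FISMA"}))
    return {
        "internet_facing_no_ephi": required_level(EXAMPLE_CONTROL, no_ephi),
        "internet_facing_with_ephi": required_level(EXAMPLE_CONTROL, with_ephi),
        "level2_health_plan_under_fisma": required_level(EXAMPLE_CONTROL, health_plan),
    }


if __name__ == "__main__":
    for name, level in page_examples().items():
        print(f"{name}: Level {level}")
```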
Alternate Controls
With the diverse nature of today’s information systems, organizations may have systems in
their environments that do not have the capability to meet the CSF requirements. Consequently,
organizations may need to employ alternate security controls to mitigate risk or compensate
for a system control failure. HITRUST defined the alternate control process to provide the
means for organizations to meet CSF requirements by deploying alternate controls as a
substitute for control weaknesses. An alternate control is defined as a management,
operational, or technical control (i.e., safeguard or countermeasure) employed by an
organization in lieu of a security control for the Level 1, 2 or 3 Implementation Requirements
described in the CSF, and provides equivalent or comparable protection for an information
system.

An alternate control for a system, application or device may be employed by an organization
only under the following conditions:

1. The organization selects the alternate control(s) from the CSF, or if an appropriate
alternate control is not available, the organization proposes a suitable alternate control,
2. The organization provides a complete and convincing rationale to HITRUST addressing
how the alternate control provides an equivalent security capability or level of
protection for the information system, why the related minimum security control could
not be employed, and information about the associated application or device,
3. The HITRUST Alternate Controls Committee reviews and approves the alternate control,
and
4. The organization assesses and formally accepts the risk associated with employing the
alternate control for the information system.

Evolution of the CSF
Fundamental to HITRUST’s mission is the availability of a framework that provides the needed
structure, clarity, functionality and cross-references to authoritative sources. HITRUST will
ensure the CSF stays relevant and current to the needs of healthcare organizations based on the
demands of the industry.

The CSF is designed to easily adapt based on changes to the healthcare environment to address
and incorporate new standards and regulations. HITRUST has done extensive work in the past
two releases to harmonize NIST and CMS requirements, track inconsistencies due to CMS’s
current reliance on an older release of NIST SP 800-53, and better align and eliminate
redundant requirements within the framework. HITRUST will continue streamlining the
framework based on continued analysis of the framework’s implementation requirements and
recommendations from the HITRUST Community, and plans to add the following sources in
2014 in two interim releases (versions 6.1 and 6.2):

• PCI DSS v3.0 (changes from v2.0)
• NIST Cybersecurity Framework v1.0
• ISO/IEC 27001:2013 and 27002:2013 (changes from 2005 releases)
• MARS-E Harmonized Security and Privacy Framework – Exchange Reference
Architecture Supplement v1
• NIST HSR Toolkit (harmonization) (held over from 2013 pending updates from the 2013
release of NIST SP 800-53 r4 (final))
• OCR Audit Protocol (harmonization) (held over from 2013 pending release of new
version)
• Recommendations from the HITRUST Privacy WG (including NIST SP 800-53 App J,
HIPAA and GAPP) (pending completion of its work and formal Board approval)

CSF Assurance and MyCSF
HITRUST has developed a set of resources that allows an organization or CSF Assessor to
efficiently assess the high risk areas of an environment, and/or apply the CSF’s Risk Factors and
Implementation Requirements to create a custom set of requirements tailored to an
environment.

Organizations can now utilize this approach with a subscription to MyCSF.

This fully integrated, optimized, and powerful tool marries the content and methodologies of
the HITRUST CSF and CSF Assurance program with the technology and capabilities of a
governance risk and compliance (GRC) tool. The new user-friendly MyCSF tool provides
healthcare organizations of all types and sizes with a secure, web-based solution for accessing
the CSF, performing assessments, managing remediation activities, and reporting and tracking
compliance. Managed and supported by HITRUST, MyCSF provides organizations with up-to-
date content, accurate and consistent scoring, reports validated by HITRUST and benchmarking
data unavailable anywhere else in the industry, thus going far beyond what a traditional GRC
tool can provide.

Through MyCSF organizations both large and small will maintain complete access to the CSF
and authoritative sources, and now have the expanded benefit of a complete picture of not only
their current state of compliance, but also the support and direction needed to track and
manage their remediation efforts and report on their progress. Organizations will also be able
to easily collaborate and work with HITRUST CSF Assessor organizations to share
documentation already in the tool, incorporate necessary corrective action plans, and monitor
progress.

In addition to the CSF, MyCSF incorporates several other “building blocks.”

GRC Capabilities and Functionality: MyCSF provides organizations with a sophisticated and
user-friendly tool in which to scope, assess and manage their environment. This new tool
increases the efficiency with which organizations can implement and assess against the CSF by
utilizing advanced workflows, custom criteria and notifications, and enhanced navigation and
search tools. The tool also provides a user-friendly interface with the availability of dashboards
and reports and acts as a central repository for managing documents, corrective action plans,
test plans, and system scoping.

CSF Assurance Methodology: The CSF Assurance program provides simplified and consistent
compliance assessment and reporting against the HITRUST CSF and the authoritative sources it
incorporates. This risk-based approach, which is governed and managed by HITRUST, is
designed for the unique regulatory and business needs of the healthcare industry and provides
organizations with an effective, standardized and streamlined assessment process to manage
compliance. HITRUST CSF Assessments utilize a maturity level scoring model and risk ratings
similar to PRISMA which provide more accurate, consistent and repeatable scoring, and help
organizations to prioritize their remediation efforts. This is a more effective process than that
used by other assessment approaches and toolkits which only support limited requirements
and use classic checkbox approaches.

Implementing the CSF
The CSF is applicable to all healthcare organizations, of varying size and complexity, as the
framework encompasses the fundamental security controls required by all relevant standards
and regulations for which healthcare organizations are accountable.

The CSF incorporates the concept of an “Information Security Management System (ISMS)”
from the ISO 27001 standard, and it describes the need for this detailed framework of controls
when meeting the security objectives defined within the CSF. Industry experience and
professional best practice principles indicate that ongoing information security and compliance
is best met by the implementation of a formal management program.

Management Commitment
It is essential that an organization have the visible support and commitment of management
before attempting to implement the CSF. Management's active involvement and support are
essential for success and, at minimum, should include written and verbal statements of
commitment to the importance of information security and recognition of its benefits.
Management's clear understanding of purpose and their dedication to adopting the CSF will
help manage expectations and minimize problems around implementation efforts.

Scope
The CSF applies to covered information (i.e., information that organizations deem necessary to
secure, such as Protected Health Information (PHI)) in all its aspects, regardless of the form the
information takes (e.g., words and numbers, sound recordings, drawings, video and medical
images), the means used to store it (e.g., printing or writing on paper or electronic storage), and
the means used to transmit it (e.g., by hand, via fax, over computer networks or by post).

Organization
HITRUST allows an organization to be divided into auditable business units. An
auditable business unit is defined as a unit or department within the organization that can
operate distinctly from the others. However, depending on the size and complexity of the
organization, auditable business units may also represent geographical regions or associations
with other (external) groups. Both distinctions are acceptable for the purposes of a CSF
Validated or CSF Certified assessment.

Systems
The controls of the HITRUST CSF are designed to apply to all information systems irrelevant of
classification or function. This includes all critical business systems and applications that store,
process, or transmit covered information regardless of whether they are standalone systems or
connected to the network. Supporting systems and applications are also within the scope of the
CSF, including application software components, databases, operating systems, interfaces, tools,
and servers. For the purposes of the CSF, there is a clear distinction between medical devices
and systems; however, medical devices are within the scope of the assessment.

When implementing the CSF, it is appropriate to aggregate assets into one observation if the
management, function, and environment allow the assets to be logically grouped.

Implementation
Implementation of the HITRUST CSF and assessment process will vary by organization in both
time commitment and level of effort, as a product of the following factors:

 Complexity of the environment: Considering the size, amount of data processed, type
of data processed, and sophistication of information systems technology;
 Security maturity: Considering the adequacy of people devoted to the security
organization, processes defined and controls currently implemented; and
 Resources: Considering the number of resources available and budgetary constraints.

Critical Success Factors

In addition to management commitment and consistent application across systems and defined
business units, experience has shown that the following factors are often critical to the
successful implementation of information security within an organization:

 A good understanding of the information security requirements, risk assessment, and
risk management structure of the organization
 Effective marketing of information security to all managers, employees, and other
parties to achieve awareness
 Distribution of guidance on information security policy and standards to all managers,
employees and other parties
 Provisions to fund information security management activities
 Implementation of a measurement system that is used to evaluate performance in
information security management and provide suggestions for improvement.

Primary Reference Material
For the HITRUST CSF, a broad base of U.S. federal regulations and international information
protection standards and frameworks were used to ensure the CSF addresses all areas of
InfoSec governance and control as it relates to the healthcare industry.

The CSF integrates and normalizes these different authoritative sources, incorporating key
objectives under one umbrella framework that also provides prescriptive implementation
requirements for meeting the objectives.

For the 2014 CSF, eighteen (18) of the major information security related standards,
regulations and frameworks are included as the major supporting references to ensure
appropriate coverage, consistency, and alignment:

 16 CFR Part 681 - Identity Theft Red Flags
 201 CMR 17.00 – State of Massachusetts Data Protection Act
Standards for the Protection of Personal Information of Residents of the Commonwealth
 Cloud Security Alliance (CSA) Cloud Controls Matrix Version 1.1
 CMS Information Security ARS 2010 v1.5
CMS Minimum Security Requirements for High Impact Data
 COBIT 4.1 and 5
Deliver and Support Section 5 – Ensure Systems Security
 Encryption / Destruction Guidance – Federal Register 45 CFR Parts 160 and 164
Guidance Specifying the Technologies and Methodologies That Render Protected Health
Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for
Purposes of the Breach Notification Requirements
 Federal Register 21 CFR Part 11
Electronic Records; Electronic Signatures
 HIPAA - Federal Register 45 CFR Part 164 Sections 308, 310, 312, 314 and 316
Health Insurance Reform: Security Standards
 ISO/IEC 27001:2005
Information technology - Security techniques - Information security management systems
– Requirements
 ISO/IEC 27002:2005
Information technology — Security techniques — Code of practice for information security
management
 ISO/IEC 27799:2008
Health informatics — Information security management in health using ISO/IEC 27002
 HITECH Act – Federal Register 45 CFR Parts 160 and 164
Breach Notification for Unsecured Protected Health Information; Interim Final Rule
 Joint Commission (formerly the Joint Commission on the Accreditation of Healthcare
Organizations, JCAHO)
Information Management (IM) Standards, Elements of Performance, and Scoring
 NIST Special Publication 800-53 Revision 4 (Final)
Security Controls for Federal Information Systems and Organizations
 NIST Special Publication 800-66
An Introductory Resource Guide for Implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule
 NRS: Chapter 603A – State of Nevada
Security of Personal Information
 Payment Card Industry (PCI) Data Security Standard Version 2.0
 Texas Gen. Laws § 181 – State of Texas (aka “TX HB 300”)
Texas Medical Records Privacy Act

Questions and Comments on the CSF

HITRUST encourages organizations to provide their comments to ensure the CSF continues to
evolve as the most relevant framework for information security in the healthcare industry.
Organizations who wish to provide HITRUST with feedback on the CSF can do so by sending
their comments via email to [email protected]. The forum contains instructions
and a template to document your comments. Any questions about use or distribution of the CSF
should be sent to [email protected].

About HITRUST

The Health Information Trust Alliance or HITRUST was born out of the belief that information
security is critical to the broad adoption, utilization and confidence in health information
systems, medical technologies and electronic exchanges of health information, and in turn
realizing the promise for quality improvement and cost containment in America's healthcare
system.

About HITRUST Central

The CSF in PDF format can be accessed through HITRUST Central – the industry’s first managed
online community for healthcare information security professionals. HITRUST Central is a
resource for individuals who seek to enhance their organization’s knowledge of information
security and interact and collaborate with their peers. HITRUST Central boasts resources such
as user forums, blogs, downloads, and education for all qualified subscribers.

COPYRIGHT (c) 2010-2014 HITRUST

This document has been provided AS IS, without warranty. HITRUST and its agents and
affiliates are not responsible for content of third parties.

HITRUST and CSF are trademarks of HITRUST Alliance LLC. HITRUST CENTRAL is a trademark
of HITRUST Service Corporation. All other marks contained herein are the property of their
respective owners.

Control Category: 0.0 - Information Security Management Program

Objective Name: 0.01 Information Security Management Program

Control Objective: To implement and manage an Information Security Management Program.

Control Reference: 0.a Information Security Management Program

Control Specification: An Information Security Management Program (ISMP) shall be defined in
terms of the characteristics of the business, and established and managed including monitoring,
maintenance and improvement.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Audit and Accountability
Documentation and Records
IT Organization and Management Roles and Responsibilities
Monitoring
Planning
Policies and Procedures
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: An Information Security Management Program (ISMP) shall be documented
that addresses the overall Security Program of the organization. Management support for the
ISMP shall be demonstrated through signed acceptance or approval by management. The ISMP shall
consider all the HITRUST Control Objectives and document any excluded control domains and the
reasons for their exclusion. The ISMP shall be updated at least annually or when there are
significant changes in the environment.
Level 1 Control Standard Mapping:
 COBIT 4.1 R2 DS5.2
 COBIT 5 APO13.02
 CSA IS-01
 HIPAA §164.308(a)(1)(i)
 HIPAA §164.308(a)(1)(ii)(A)
 HIPAA §164.308(a)(1)(ii)(B)
 HIPAA §164.308(a)(8)
 HIPAA §164.316(b)(1)(i)
 HIPAA §164.316(b)(2)(iii)
 ISO/IEC 27001-2005 4.1
 Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
 Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: Geographic Scope: Multi-state, BioTech Organizations: > $100,000
Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records
Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital:
> 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service
Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year,
Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The organization shall formally establish, implement, operate, monitor,
review, maintain and improve the ISMP.

The ISMP shall be formally documented, and such records shall be protected, controlled and
retained according to federal, state and organizational requirements.

The ISMP shall incorporate a Plan, Do, Check, Act (PDCA) cycle for continuous improvement in
the ISMP, particularly as information is obtained that could improve the ISMP, or indicates any
shortcomings of the ISMP.
Level 2 Control Standard Mapping:
 COBIT 4.1 R2 DS5.5
 COBIT 5 DSS05.07
 ISO/IEC 27001-2005 4.2.1
 ISO/IEC 27001-2005 4.2.2
 ISO/IEC 27001-2005 4.2.3
 ISO/IEC 27001-2005 4.2.4
 ISO/IEC 27001-2005 4.3.1
 ISO/IEC 27001-2005 4.3.2
 ISO/IEC 27001-2005 4.3.3
 ISO27799-2008 6.4
 ISO 27799-2008 6.5
 ISO 27799-2008 6.6
 ISO 27799-2008 6.7
 NIST SP800-53 R4 PM-1
 (State of Mass.) 201 CMR 17.03(1)

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician
Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds,
Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Geographic Scope: Off-Shore
(Outside U.S.), Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High), Subject to State of Massachusetts Data Protection Act
Level 3 Implementation: Management shall provide evidence of its commitment to the
establishment, implementation, operation, monitoring, review, maintenance and improvement of
the ISMP.

The organization shall determine and provide the resources needed to establish, implement,
operate, monitor, review, maintain and improve an ISMP.

The organization shall ensure that all personnel who are assigned responsibilities defined in
the ISMP are competent to perform the required tasks. The organization shall also ensure that
all relevant personnel are aware of the relevance and importance of their information security
activities and how they contribute to the achievement of the ISMP objectives.

The organization shall conduct internal ISMP audits at planned intervals to determine the
continuing suitability, adequacy and effectiveness of the program.

Management shall review the organization's ISMP at planned intervals (at least once a year) to
ensure its continuing suitability, adequacy and effectiveness. This review shall include
assessing opportunities for improvement and the need for changes to the ISMP, including the
information security policy and information security objectives. The results of the reviews
shall be clearly documented and records maintained.

The organization shall continually improve the effectiveness of the ISMP through the use of the
information security policy, information security objectives, audit results, analysis of
monitored events, corrective and preventive actions and management review.
Level 3 Control Standard Mapping:
 ISO/IEC 27001-2005 5.1
 ISO/IEC 27001-2005 5.2.1
 ISO/IEC 27001-2005 5.2.2
 ISO/IEC 27001-2005 6
 ISO/IEC 27001-2005 7.1
 ISO/IEC 27001-2005 7.2
 ISO/IEC 27001-2005 7.3
 ISO/IEC 27001-2005 8.1
 ISO/IEC 27001-2005 8.2
 ISO/IEC 27001-2005 8.3
 NIST SP800-53 R4 PM-2
 NIST SP800-53 R4 PM-3
 NIST SP800-53 R4 PM-4
 NIST SP800-53 R4 PM-6
 NIST SP800-53 R4 PM-9
 NIST SP800-53 R4 PM-13
 (State of Mass.) 201 CMR 17.03(2)(b)
 (State of Mass.) 201 CMR 17.03(2)(h)
 (State of Mass.) 201 CMR 17.03(2)(i)

Control Category: 01.0 - Access Control

Objective Name: 01.01 Business Requirement for Access Control

Control Objective: To control access to information, information assets, and business processes
based on business and security requirements.

Control Reference: 01.a Access Control Policy

Control Specification: An access control policy shall be established, documented, and reviewed
based on business and security requirements for access.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Audit and Accountability
Authentication
Authorization
Policies and Procedures
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to Joint Commission
Accreditation, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: Access control rules shall account for and reflect the organization's
policies for information dissemination and authorization, and these rules shall be supported by
formal procedures and clearly defined responsibilities. Access control rules and rights for each
user or group of users shall be clearly stated in an access control policy. Access controls are
both logical and physical and these shall be considered together. Users and service providers
shall be given a clear statement of the business requirements to be met by access controls.

Specifically the policy shall take account of the following:

i. security requirements of individual business applications;
ii. policies for information dissemination and authorization (e.g., need-to-know,
need-to-share, and least privilege principles; security levels; and classification of
information);
iii. relevant legislation and any contractual obligations regarding
protection of access to data or services;
iv. standard user access profiles for common job roles in the organization;
v. requirements for formal authorization of access requests;
vi. requirements for emergency access;
vii. requirements for periodic review of access controls; and
viii. removal of access rights.

The organization shall develop, disseminate, and review and update the
access control policy and procedures annually.
Level 1 Control Standard Mapping:
 CMSRs 2012v1.5 AC-1 (HIGH)
 CSA IS-07
 HIPAA §164.308 (a)(3)(i)
 HIPAA §164.308 (a)(3)(ii)(a)
 HIPAA §164.308 (a)(4)(i)
 HIPAA §164.308 (a)(4)(ii)(A)
 HIPAA §164.308 (a)(4)(ii)(B)
 HIPAA §164.308 (a)(4)(ii)(C)
 HIPAA §164.312 (a)(1)
 JCAHO IM.02.01.03, EP 1
 NIST SP800-53 R4 AC-1
 Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
 Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and
Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician
Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health
Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500
Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None

Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
All information related to the business applications and the risks the
information is facing shall be identified. The access control and information
classification policies of different systems and networks shall be consistent.

Access rights shall be managed in a distributed and networked environment ensuring all types of
connections available are recognized. Access control roles (e.g. access request, access
authorization, access administration) shall be segregated.
Level 2 Control Standard Mapping:
 ISO/IEC 27002-2005 11.1.1
 ISO 27799-2008 7.8.1.2

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 01.02 Authorized Access to Information Systems

Control Objective: To ensure authorized user accounts are registered, tracked and periodically
validated to prevent unauthorized access to information systems.

Control Reference: 01.b User Registration

Control Specification: There shall be a formal documented and implemented user registration and
de-registration procedure for granting and revoking access.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Authorization
Monitoring
Policies and Procedures
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act, Subject to
Joint Commission Accreditation
Level 1 Implementation: The access control procedure for user registration and de-registration
shall include policies and procedures for establishing, activating, modifying, reviewing,
disabling, and removing accounts. Account types shall be identified (individual, shared/group,
system, application, guest/anonymous, emergency and temporary) and conditions for group and role
membership shall be established.

Access to the information systems shall be granted based on a valid need-to-know/need-to-share
that is determined by assigned official duties and
intended system usage. Access granted shall satisfy all personnel security
criteria. Proper identification shall be required for requests to establish
information system accounts and approval of all such
requests. Guest/anonymous, shared/group, emergency and temporary
accounts shall be specifically authorized and use monitored. Unnecessary
accounts shall be removed, disabled or otherwise secured. Account
managers shall be notified when users are terminated or transferred,
their information system usage or need-to-know/need-to-share changes, or
when accounts (including shared/group, emergency, and temporary
accounts) are no longer required. Shared/group account credentials shall
be modified when users are removed from the group.

The access control procedure for user registration and de-registration shall:
i. communicate password procedures and policies to all users who have
system access;
ii. check that the user has authorization from the system owner for the use
of the information system or service;
iii. separate approval for access rights from management;

iv. check that the level of access granted is appropriate to the business
purpose and is consistent with organizational security policy (e.g. it
does not compromise segregation of duties);
v. give users a written statement of their access rights;
vi. require users to sign statements indicating that they understand the
conditions of access;
vii. ensure service providers do not provide access until authorization
procedures have been completed;
viii. ensure default accounts are removed and/or renamed;
ix. maintain a formal record of all persons registered to use the service;
x. remove or block critical access rights of users who have changed roles
or jobs or left the organization immediately and remove or block non-
critical access within 24 hours; and
xi. automatically remove or disable accounts that have been inactive for a
period of sixty (60) days or more.
Level 1 Control Standard Mapping:
 COBIT 4.1 DS05.03
 CMSRs 2012v1.5 AC-2 (HIGH)
 CMSRs 2012v1.5 AC-2(3) (HIGH)
 CMSRs 2012v1.5 IA-1 (HIGH)
 CMSRs 2012v1.5 IA-4 (HIGH)
 CMSRs 2012v1.5 IA-5 (HIGH)
 CSA IS-08
 HIPAA §164.312(a)(2)(i)
 HIPAA §164.312(a)(2)(ii)
 HIPAA §164.308(a)(3)(ii)(A)
 HIPAA §164.308(a)(3)(ii)(B)
 HIPAA §164.308(a)(4)(i)
 HIPAA §164.308(a)(4)(ii)(B)
 HIPAA §164.308(a)(4)(ii)(C)
 HIPAA §164.308(a)(5)(ii)(C)
 HIPAA §164.308(a)(5)(ii)(D)
 JCAHO IM.02.01.03, EP 5
 NIST SP800-53 R4 AC-2
 NIST SP800-53 R4 AC-2 (3)
 NIST SP800-53 R4 IA-1
 NIST SP800-53 R4 IA-4
 NIST SP800-53 R4 IA-5
 PCI DSS v2 8.1
 PCI DSS v2 8.2
 PCI DSS v2 8.5.1
 PCI DSS v2 8.5.4
 PCI DSS v2 8.5.5
 PCI DSS v2 8.5.7
 PCI DSS v2 12.5.4

 Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
 Phase 2 CORE 202: Certification Policy v.2.1.0 Subsection 3.3
 (State of Mass.) 201 CMR 17.04(2)(a)
 (State of Mass.) 201 CMR 17.04(2)(b)
 (State of Mass.) 201 CMR 17.04(1)(d)
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND - Accessible from the Internet: Yes
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:
The organization shall require that the registration process to receive
hardware administrative tokens and credentials used for two (2)-factor
authentication be verified in person before a designated registration
authority with authorization by a designated organizational official (e.g., a
supervisor).

Organizations shall not use group, shared or generic accounts and passwords.
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 IA-5(3) (HIGH)
 COBIT 4.1 DS5.4
 COBIT 5 DSS05.03
 COBIT 5 DSS05.04
 ISO/IEC 27002-2005 11.2.1
 ISO 27799-2008 7.8.2.1
 NIST SP800-53 R4 IA-5(3)
 NRS 603A.215.1
 PCI DSS v1.2 8.5
 PCI DSS v1.2 8.5.8

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 3 Implementation: Level 2 plus:
The organization shall employ automated mechanisms to support the
management of information system accounts. Account creation,
modification, disabling, and removal actions shall be automatically logged
and audited providing notification, as required, to appropriate individuals.

In addition to assigning a unique ID and password, at least one of the following methods shall
be employed to authenticate all users:
i. token devices (e.g. SecureID, certificates, or public key); or
ii. biometrics.

The organization shall automatically remove emergency accounts within twenty-four (24) hours
and temporary accounts with a fixed duration not to exceed thirty (30) days.
Level 3 Control Standard Mapping:
 CMSRs 2012v1.5 AC-2(1) (HIGH)
 CMSRs 2012v1.5 AC-2(2) (HIGH)
 NIST SP800-53 R4 AC-2(2)

CMS Contractor Requirements

CMS Contractors: Disable user accounts after sixty (60) days of inactivity. Disabled accounts
shall be deleted during the annual re-certification process.
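As an added example (it is not HITRUST's own tooling, and the CSV inventory layout, its column names and the sample rows are constructed assumptions), the following Python script applies the 01.b account-lifecycle thresholds stated above, namely the 60-day inactivity limit, the 24-hour emergency-account and 30-day temporary-account limits, and deletion of disabled accounts at re-certification, to an account inventory and reports every account that fails one of them:

```python
"""Account-lifecycle check against the CSF 01.b thresholds.

Added example, not HITRUST's own tooling. The inventory format (CSV columns
name, kind, created, last_login, enabled, expires) and the sample rows are
constructed assumptions; the numeric thresholds come from the control text.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INACTIVE_DAYS = 60       # 01.b Level 1 item xi: inactive for 60 days or more
EMERGENCY_HOURS = 24     # 01.b Level 3: emergency accounts removed within 24 hours
TEMPORARY_MAX_DAYS = 30  # 01.b Level 3: temporary accounts fixed at 30 days or less

# Constructed sample inventory (not real data); ISO-8601 timestamps, empty = unknown.
SAMPLE_INVENTORY = """\
name,kind,created,last_login,enabled,expires
jdoe,individual,2014-01-10T09:00:00,2014-05-20T08:15:00,true,
asmith,individual,2013-11-01T09:00:00,2014-02-01T17:30:00,true,
oncall-break-glass,emergency,2014-05-25T02:00:00,2014-05-25T02:05:00,true,
contractor-77,temporary,2014-05-01T09:00:00,2014-05-28T10:00:00,true,2014-07-01T00:00:00
intern-12,temporary,2014-05-10T09:00:00,2014-05-29T10:00:00,true,
old-svc,system,2012-01-01T00:00:00,,false,
"""
NOW = datetime(2014, 6, 1, 12, 0, 0)  # evaluation time for the sample run


@dataclass
class Account:
    name: str
    kind: str  # individual, shared, system, application, guest, emergency, temporary
    created: datetime
    last_login: Optional[datetime]
    enabled: bool
    expires: Optional[datetime]


def _dt(text: str) -> Optional[datetime]:
    return datetime.fromisoformat(text) if text else None


def load_inventory(text: str) -> list:
    """Parse the CSV inventory into Account records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Account(
            name=r["name"],
            kind=r["kind"].strip().lower(),
            created=_dt(r["created"]),
            last_login=_dt(r["last_login"]),
            enabled=r["enabled"].strip().lower() == "true",
            expires=_dt(r["expires"]),
        )
        for r in rows
    ]


def check_account(acct: Account, now: datetime) -> list:
    """Return the 01.b findings for one account; an empty list means compliant."""
    if not acct.enabled:
        # CMS contractor requirement: disabled accounts are deleted at annual re-certification.
        return ["disabled account: delete during the annual re-certification"]
    findings = []
    # An account that never logged in is measured from its creation date.
    idle = now - (acct.last_login or acct.created)
    if idle >= timedelta(days=INACTIVE_DAYS):
        findings.append(f"inactive for {idle.days} days (>= {INACTIVE_DAYS}): disable or remove")
    if acct.kind == "emergency" and now - acct.created > timedelta(hours=EMERGENCY_HOURS):
        findings.append(f"emergency account older than {EMERGENCY_HOURS} hours: remove")
    if acct.kind == "temporary":
        if acct.expires is None:
            findings.append("temporary account has no fixed expiry")
        elif acct.expires - acct.created > timedelta(days=TEMPORARY_MAX_DAYS):
            findings.append(f"temporary account duration exceeds {TEMPORARY_MAX_DAYS} days")
        elif now >= acct.expires:
            findings.append("temporary account past its expiry but still enabled")
    return findings


def audit(accounts, now: datetime) -> dict:
    """Map each non-compliant account name to its list of findings."""
    report = {}
    for acct in accounts:
        findings = check_account(acct, now)
        if findings:
            report[acct.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(load_inventory(SAMPLE_INVENTORY), NOW).items():
        for finding in findings:
            print(f"{name}: {finding}")
```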

Control Reference: 01.c Privilege Management

Control Specification: The allocation and use of privileges to information systems and services
shall be restricted and controlled. Special attention shall be given to the allocation of
privileged access rights, which allow users to override system controls.
Factor Type: System

Topics: Authorization, User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act, Subject to Joint Commission Accreditation
Level 1 Implementation: The allocation of privileges shall be controlled through a formal authorization process. The access privileges associated with each system product (e.g. operating system, database management system and each application) and the users to which they need to be allocated shall be identified. Privileges shall be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (e.g. the minimum requirement for their functional role only when needed).

At a minimum, the organization explicitly authorizes access to the following list of security functions (deployed in hardware, software, and firmware) and security-relevant information:
- Setting/modifying audit logs and auditing behavior;
- Setting/modifying boundary protection system rules;
- Configuring/modifying access authorizations (i.e., permissions, privileges);
- Setting/modifying authentication parameters; and
- Setting/modifying system configurations and parameters.

An authorization process and a record of all privileges allocated shall be maintained.

Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AC-6 (HIGH)
- CMSRs 2012v1.5 AC-6(1) (HIGH)
- COBIT 4.1 DS5.4
- COBIT 5 DSS05.04
- CSA IS-08
- HIPAA §164.308(a)(3)(i)
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.308(a)(4)(i)
- HIPAA §164.308(a)(4)(ii)(A)
- HIPAA §164.308(a)(4)(ii)(B)
- HIPAA §164.308(a)(4)(ii)(C)
- HIPAA §164.308(a)(5)(ii)(C)
- HIPAA §164.312(a)(1)
- HIPAA §164.312(a)(2)(i)
- HIPAA §164.312(a)(2)(ii)
- ISO/IEC 27002-2005 11.2.2
- JCAHO IM.02.01.03, EP 5
- NIST SP800-53 R4 AC-6
- NIST SP800-53 R4 AC-6(1)
- PCI DSS v2 7.1
- PCI DSS v2 7.1.3
- PCI DSS v2 7.2.1
- PCI DSS v2 7.2.2
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- (State of Mass.) 201 CMR 17.04(2)(a)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Number of Users: > 500, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

Access controls are implemented via an automated access control system. Role-based access control shall be implemented and capable of mapping each user to one or more roles, and each role to one or more system functions.

The development and use of system routines shall be promoted to avoid the need to grant privileges to users. The development and use of programs which avoid the need to run with elevated privileges shall be promoted.

Elevated privileges shall be assigned to a different user ID from those used for normal business use. All users shall access privileged services in a single role (users registered with more than one role shall designate a single role during each system access session). The use of system administration privileges (any feature or facility of an information system that enables the user to override system or application controls) shall be minimized. Access to privileged functions (e.g., system-level software, administrator tools, scripts, utilities) deployed in hardware, software, and firmware shall be restricted. Security relevant information shall be restricted to explicitly authorized individuals.

Administrator or operator registration and de-registration shall be in accordance with the defined process and the sensitivity and risks associated with the system (see 01.b).

The organization shall facilitate information sharing by enabling authorized users to determine whether access authorizations assigned to business partners match the access restrictions on information for specific circumstances in which user discretion is allowed. The organization shall also employ manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.

The access control system for the system components storing, processing or transmitting covered information shall be set with a default "deny-all" setting.

Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AC-2 (HIGH)
- CMSRs 2012v1.5 AC-6(2) (HIGH)
- ISO 27799-2008 7.8.2.2
- NIST SP800-53 R4 AC-2
- NIST SP800-53 R4 AC-6(2)
- NIST SP800-53 R4 AC-21
- PCI DSS v2 7.1.1
- PCI DSS v2 7.1.2
- PCI DSS v2 7.1.4
- PCI DSS v2 7.2
- PCI DSS v2 7.2.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: Processing PHI: Yes - AND -, Number of Users: > 5,500, Number of Transactions Per Day: > 85,000, Number of Interfaces to Other Systems: > 75
Level 3 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

The organization shall limit authorization to privileged accounts on information systems to a pre-defined subset of users and shall track and monitor privileged role assignments. The organization shall audit the execution of privileged functions on information systems and ensure information systems prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards.

At a minimum, the organization requires that users of information system accounts, or roles, with access to the following list of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions:
- Setting/modifying audit logs and auditing behavior;
- Setting/modifying boundary protection system rules;
- Configuring/modifying access authorizations (i.e., permissions, privileges);
- Setting/modifying authentication parameters; and
- Setting/modifying system configurations and parameters.

All file system access not explicitly required for system, application, and administrator functionality shall be disabled.

Contractors shall be provided with minimal system and physical access, and shall agree to and support the organization's security requirements. The contractor selection process shall assess the contractor's ability to adhere to and support the organization's security policy and procedures.

The organization shall restrict the use of database management utilities to only authorized database administrators. Users shall be prevented from accessing database data files at the logical data view, field, or field-value levels. Column-level access controls shall be implemented to restrict database access.

The organization shall ensure only authorized users are permitted to access those files, directories, drives, workstations, servers, network shares, ports, protocols, and services that are expressly required for the performance of the users' job duties.
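The 01.c Level 2 and Level 3 rules above (role-based mapping of users to roles and roles to functions, a single designated role per session, a separate user ID for elevated privileges, a default deny-all setting, and an audit record of every use of the listed security functions) expressed as an authorization check. This is an added example, not HITRUST's own code; the role names, function names and the "-adm" naming convention for privileged IDs are constructed assumptions.

```python
"""Role-based authorization check modelled on the 01.c Level 2/3 rules.
Added example; roles, function names and the "-adm" convention are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The security functions / security-relevant information listed in the text.
PRIVILEGED_FUNCTIONS: Set[str] = {
    "audit.configure",                   # setting/modifying audit logs and auditing behavior
    "boundary.rules.modify",             # setting/modifying boundary protection system rules
    "access.authorizations.modify",      # configuring/modifying permissions and privileges
    "authentication.parameters.modify",  # setting/modifying authentication parameters
    "system.configuration.modify",       # setting/modifying system configurations
}

# Each role maps to one or more system functions (constructed mapping).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "clinician": {"patient.record.read", "patient.record.update"},
    "billing": {"claim.read", "claim.submit"},
    "sysadmin": set(PRIVILEGED_FUNCTIONS),
}

# Each user maps to one or more roles. Elevated privileges live on a separate
# user ID ("-adm" suffix is an assumed convention), never on the daily-use ID.
USER_ROLES: Dict[str, Set[str]] = {
    "jdoe": {"clinician", "billing"},
    "jdoe-adm": {"sysadmin"},
    "mlee": {"billing"},
}


@dataclass
class Session:
    user_id: str
    role: str   # the single role designated for this session


@dataclass
class AuditLog:
    entries: List[Dict[str, str]] = field(default_factory=list)


def is_privileged_id(user_id: str) -> bool:
    return user_id.endswith("-adm")


def open_session(user_id: str, role: str) -> Session:
    """A user registered with several roles must designate exactly one per session."""
    if role not in USER_ROLES.get(user_id, set()):
        raise PermissionError(f"{user_id} is not registered for role {role!r}")
    return Session(user_id, role)


def authorize(session: Session, function: str, audit: AuditLog) -> bool:
    """Default deny: access exists only where the session role explicitly maps to the
    function. Security functions additionally require a privileged user ID, privileged
    IDs may not perform ordinary work, and every attempt at a security function is
    written to the audit log whether it succeeds or not."""
    allowed = function in ROLE_FUNCTIONS.get(session.role, set())
    privileged_function = function in PRIVILEGED_FUNCTIONS
    if privileged_function and not is_privileged_id(session.user_id):
        allowed = False
    if is_privileged_id(session.user_id) and not privileged_function:
        allowed = False   # admins use their non-privileged ID for other functions
    if privileged_function:
        audit.entries.append({"user_id": session.user_id, "role": session.role,
                              "function": function, "result": "allow" if allowed else "deny"})
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    s = open_session("jdoe", "clinician")
    print("jdoe reads record:", authorize(s, "patient.record.read", log))
    print("jdoe reconfigures audit:", authorize(s, "audit.configure", log))
    print("audit entries:", log.entries)
```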

This document contains copyrighted information owned by HITRUST or its suppliers. The use and distribution of this information
are subject to the following terms: (1) The information is for internal or personal use by the licensee only and (2) The information
may be used only during the term of a valid HITRUST license. Copying, dissemination or use of this information contrary to these
terms is a violation of U.S. law and may be grounds for criminal or civil penalties.

Page 41 of 488
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 AC-2(7) (HIGH)
- CMSRs 2012v1.5 AC-6 (HIGH)
- NIST SP800-53 R4 AC-6(5)
- NRS 603A.215.1
- PCI DSS v2 8.5.16

CMS Contractor Requirements

CMS Contractors: All system and removable media boot access shall be disabled unless it is explicitly authorized by the organizational CIO for compelling operational needs. If system and removable media boot access is authorized, boot access is password protected.

Health Information Exchange Requirements

Health Information Exchanges: HIEs shall, for all employees and for all employees of connecting organizations, define and assign roles to each individual with access to the HIE. The roles shall be based on the individual's job function and responsibilities. The roles shall specify the type of access and level of access.

Control Reference: 01.d User Password Management

Control Specification: Passwords shall be controlled through a formal management process.

*Required for HITRUST Certification 2014
Factor Type: System
Topics: Authentication, Authorization, Cryptography, User Access, Password Management

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: The following controls shall be implemented to maintain the security of passwords:
i. passwords shall be prohibited from being displayed when entered;
ii. passwords shall be changed whenever there is any indication of possible system or password compromise; and
iii. user identity shall be verified before performing password resets.

The allocation of passwords shall be controlled through a formal management process:
i. the use of third parties or unprotected (clear text) electronic mail messages shall be avoided;
ii. users shall acknowledge receipt of passwords;
iii. default vendor passwords shall be altered following installation of systems or software;
iv. when users are required to maintain their own passwords they shall be provided initially with a secure temporary password, which they are forced to change immediately;
v. temporary passwords shall be changed at the first log-on;
vi. temporary passwords shall be given to users in a secure manner;
vii. passwords shall be changed at least every 90 days or based on the number of accesses;
viii. passwords for privileged accounts shall be changed at least every 60 days;
ix. passwords shall require at least eight (8) characters which are:
   1. easy to remember;
   2. not based on anything somebody else could easily guess or obtain using person related information (e.g. names, telephone numbers, and dates of birth etc.);
   3. not vulnerable to dictionary attack (do not consist of words included in dictionaries);
   4. free of consecutive identical characters; and
   5. a combination of alphabetic, upper and lower case characters, numbers, and special characters (a combination of any three [3] of the above four [4] listed is acceptable);
x. passwords shall be prohibited from being reused for at least six (6) generations; and
xi. at least four (4) characters shall be changed when new passwords are created.
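The machine-checkable parts of the Level 1 password rules (eight characters, three of four character classes, no consecutive identical characters, no dictionary words, no person-related information, at least four changed characters, no reuse within six generations) as a validator. This is an added example, not HITRUST's own code; the function names, the short word list and the sample passwords are constructed assumptions, the positional "changed characters" measure is an assumed interpretation, and the class count is a parameter so the same check also covers the stricter four-category rule the CMS contractor requirements impose.

```python
"""Password quality checks for the 01.d Level 1 rules ix.2 to ix.5, x and xi.
Added example; names, the word list and the sample passwords are assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed stand-in for a real word list (ix.3); a deployment loads a full one.
SAMPLE_DICTIONARY = frozenset({"password", "welcome", "hospital", "summer", "qwerty", "letmein"})

# The four character categories named in ix.5.
CHARACTER_CLASSES = (re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
                     re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8          # ix.: at least eight characters
    min_classes: int = 3         # ix.5: any three of the four classes (CMS contractors: all four)
    history_size: int = 6        # x.: no reuse within six generations
    min_changed_chars: int = 4   # xi.: at least four characters change
    dictionary: frozenset = SAMPLE_DICTIONARY


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the password history (x.) never holds clear-text passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches_hash(password: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def make_history(passwords: Sequence[str]) -> List[Tuple[bytes, bytes]]:
    return [hash_password(p) for p in passwords]


def changed_characters(old: str, new: str) -> int:
    """Assumed measure for xi.: differing positions (left-aligned) plus any length change."""
    common = min(len(old), len(new))
    return sum(old[i] != new[i] for i in range(common)) + abs(len(old) - len(new))


def check_password(candidate: str, policy: PasswordPolicy,
                   personal_terms: Sequence[str] = (), current: Optional[str] = None,
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the rule violations for a candidate password (empty means acceptable).
    `current` is the password being replaced (supplied at change time), `history` the
    salted hashes of previous generations, `personal_terms` the user's names/numbers."""
    violations = []
    lowered = candidate.lower()
    if len(candidate) < policy.min_length:
        violations.append("too_short")
    if sum(1 for rx in CHARACTER_CLASSES if rx.search(candidate)) < policy.min_classes:
        violations.append("too_few_classes")                      # ix.5
    if re.search(r"(.)\1", candidate):
        violations.append("consecutive_identical")                # ix.4
    if any(word in lowered for word in policy.dictionary):
        violations.append("dictionary_word")                      # ix.3
    if any(t.lower() in lowered for t in personal_terms if len(t) >= 3):
        violations.append("personal_info")                        # ix.2
    if current is not None and changed_characters(current, candidate) < policy.min_changed_chars:
        violations.append("too_few_changed_chars")                # xi.
    if any(matches_hash(candidate, e) for e in history[-policy.history_size:]):
        violations.append("reused")                               # x.
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ("Tr0ub4dor&", "password1"):
        print(pw, "->", check_password(pw, policy) or "ok")
```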
Level 1 Control Standard Mapping:
- CSA SA-02
- HIPAA §164.308(a)(5)(ii)(D)
- PCI DSS v2.0 2.1
- PCI DSS v2.0 8.5.2
- PCI DSS v2.0 8.5.3
- PCI DSS v2 8.5.8
- PCI DSS v2 8.5.10
- PCI DSS v2 8.5.11
- PCI DSS v2 8.5.12
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 1 CORE 153: Eligibility and Benefits Connectivity Rule v1.1.0 Subsection 5.1
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- (State of Mass.) 201 CMR 17.04(1)(b)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:

The following controls shall be implemented to maintain the security of passwords:
i. passwords shall be protected from unauthorized disclosure and modification when stored and transmitted;
ii. passwords shall not be included in any automated log-on process (e.g. stored in a macro or function key);
iii. all passwords shall be encrypted during transmission and storage on all system components;
iv. users shall sign a statement to keep personal passwords confidential and to keep group passwords solely within the members of the group; and
v. temporary passwords shall be unique to an individual and shall not be guessable.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
i. maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password;
ii. ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g. to cover such events as password aging);
iii. following loss management procedures to electronically de-authorize lost, stolen, missing or otherwise potentially compromised tokens, cards and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls;
iv. use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organization management; and
v. initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Level 2 Control Standard Mapping:
- 21 CFR Part 11.30
- CMSRs 2012v1.5 IA-5 (HIGH)
- CMSRs 2012v1.5 IA-5(1) (HIGH)
- ISO 27002-2005 11.2.3
- ISO 27799-2008 7.8.2.3
- NIST SP800-53 R4 IA-5
- NIST SP800-53 R4 IA-5(1)
- NRS 603A.215.1
- PCI DSS v2 8.4
- PCI DSS v2 8.5.9

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements
CMS Contractor Requirements

CMS Contractors: The organization enforces the following minimum password requirements (User/Privileged):
i. Minimum Password Age = 1/1;
ii. Maximum Password Age = 60/60;
iii. Minimum Password Length = 8/8;
iv. Password Complexity = 1/1 (minimum one (1) character from the four (4) character categories (A-Z, a-z, 0-9, special characters)); and
v. Password History Size = 6.

Passwords for non-privileged and privileged accounts are valid for no longer than sixty (60) days; PIV compliant access cards are valid for no longer than five (5) years; and PKI certificates issued in accordance with the Federal PKI Common Policy are valid for no longer than three (3) years.

Control Reference: 01.e Review of User Access Rights

Control Specification: All access rights shall be regularly reviewed by management via a formal documented process.
Factor Type: System
Topics: Audit and Accountability, Monitoring, User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: The following procedures shall be carried out to ensure the regular review of access rights by management:
i. user's access rights shall be reviewed after any changes, such as promotion, demotion, or termination of employment; and
ii. user's access rights shall be reviewed and re-allocated when moving from one employment to another within the same organization.
Level 1 Control Standard Mapping:
- CSA IS-10
- HIPAA §164.312(a)(2)(i)
- HIPAA §164.312(a)(2)(ii)
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.308(a)(3)(ii)(B)
- HIPAA §164.308(a)(3)(ii)(C)
- HIPAA §164.308(a)(4)(i)
- HIPAA §164.308(a)(4)(ii)(B)
- HIPAA §164.308(a)(5)(ii)(C)
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- (State of Mass.) 201 CMR 17.03(2)(h)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

The organization shall maintain a documented list of authorized users of information assets. In addition:
i. all types of accounts shall be reviewed at least every 90 days;
ii. critical system accounts shall be reviewed at least every 60 days;
iii. user's access rights shall be reviewed at least every 90 days;
iv. changes to access authorizations shall be reviewed at least every 90 days; and
v. authorizations for special privileged access rights shall be reviewed at least every 60 days.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AC-2 (HIGH)
- COBIT 4.1 DS5.3
- COBIT 4.1 DS5.4
- COBIT 5 DSS05.04
- ISO/IEC 27002-2005 11.2.4
- ISO 27799-2008 7.8.2.4
- NIST SP800-53 R4 AC-2

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: All information system accounts shall be reviewed to receive annual certification.

Health Information Exchange Requirements

Health Information Exchanges: HIEs shall, for all employees and for all employees of connecting organizations, review users with access and the appropriateness of each user's role every 90 days. Any discrepancies shall be remediated immediately following the review.

Objective Name: 01.03 User Responsibilities

Control Objective: To prevent unauthorized user access, and compromise or theft of information and information assets.

Control Reference: 01.f Password Use

Control Specification: Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment.

*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Authentication, Awareness and Training, Password Management

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to State of Massachusetts Data Protection Act, Subject to Joint Commission Accreditation, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: Password management policies shall be developed and adopted and communicated to all users to address the need to:
i. keep passwords confidential;
ii. avoid keeping a record (e.g. paper, software file or hand-held device) of passwords, unless this can be stored securely and the method of storing has been approved;
iii. change passwords whenever there is any indication of possible system or password compromise;
iv. not share individual user accounts or passwords;
v. not provide their password to anyone for any reason (to avoid compromising their user credentials through social engineering attacks);
vi. not use the same password for business and non-business purposes; and
vii. select quality passwords (see requirements in 01.d).

Services, systems, and platforms shall:
i. force users to change passwords every 90 days or based on the number of accesses;
ii. force changes of passwords for privileged accounts every 60 days;
iii. prevent users from re-using or cycling the last four passwords;
iv. enforce password quality (see above);
v. force users to change temporary passwords at the first log-on;
vi. not include passwords in any automated log-on process (e.g. stored in a macro or function key); and
vii. store and transmit only encrypted representations of passwords.

If users need to access multiple services, systems or platforms, and are required to maintain multiple separate passwords, they shall be advised that they may use a single, quality password for all services where the user is assured that a reasonable level of protection has been established for the storage of the password within each service, system or platform.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 IA-5 (HIGH)
- CMSRs 2012v1.5 IA-5(1) (HIGH)
- HIPAA §164.308(a)(5)(ii)(D)
- ISO/IEC 27002-2005 11.3.1
- ISO 27799-2008 7.8.3
- JCAHO IM.02.01.03, EP 5
- NIST SP800-53 R4 IA-5
- NIST SP800-53 R4 IA-5(1)
- NRS 603A.215.1
- PCI DSS v2 8.5.3
- PCI DSS v2 8.5.7
- PCI DSS v2 8.5.9
- PCI DSS v2 8.5.10
- PCI DSS v2 8.5.11
- PCI DSS v2 8.5.12
- PCI DSS v2 8.5.13
- PCI DSS v2 8.5.14
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 1 CORE 153: Eligibility and Benefits Connectivity Rule v1.1.0 Subsection 5.1
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- (State of Mass.) 201 CMR 17.04(1)(b)
- (State of Mass.) 201 CMR 17.04(1)(e)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: A password minimum age of one (1) and maximum age of sixty (60) days (one hundred eighty (180) days for a system account maximum) shall be set.

Control Reference: 01.g Unattended User Equipment

Control Specification: Users shall ensure that unattended equipment has appropriate protection.
Factor Type: Organizational
Topics: Awareness and Training, Media and Assets

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance

Level 1 Implementation: All users shall be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection.

Users shall be advised to:
i. terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism (e.g. a password protected screen saver);
ii. log-off mainframe computers, servers, and office PCs when the session is finished (e.g. not just switch off the PC screen or terminal); and
iii. secure PCs or terminals from unauthorized use by a key lock or an equivalent control (e.g. password access) when not in use.

The organization shall safeguard information system output devices (e.g., printers) to help prevent unauthorized individuals from obtaining the output.

Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AC-11 (HIGH)
- CMSRs 2012v1.5 PE-5 (HIGH)
- CSA IS-16
- HIPAA §164.310(a)(1)
- HIPAA §164.310(b)
- HIPAA §164.310(c)
- ISO/IEC 27002-2005 11.3.2
- ISO 27799-2008 7.8.3
- NIST SP800-53 R4 AC-11
- NIST SP800-53 R4 PE-5
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 01.h Clear Desk and Clear Screen Policy

Control Specification: A clear desk policy for papers and removable storage media and a clear screen policy for information assets shall be adopted.

*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Awareness and Training, Data Loss Prevention, Documentation and Records, Media and Assets, Policies and Procedures

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance
Level 1 Implementation: A clear desk policy for papers and removable storage media and a clear screen policy for information assets shall be developed and adopted, and communicated to all users. The clear desk and clear screen policy shall take into account the information classifications, legal and contractual requirements, and the corresponding risks and cultural aspects of the organization.

The following practices shall be established:
i. covered or critical business information (e.g. on paper or on electronic storage media) shall be locked away (ideally in a safe, cabinet or other form of security furniture) when not required, especially when the office is vacated;
ii. computers and terminals shall be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism that conceals information previously visible on the display when unattended, and shall be protected by key locks, passwords or other controls when not in use;
iii. incoming and outgoing mail points and unattended facsimile machines shall be protected;
iv. unauthorized use of photocopiers and other reproduction technology (e.g., scanners, digital cameras) shall be prevented;
v. documents containing covered or classified information shall be removed from printers, copiers and facsimile machines immediately; and
vi. when transporting documents with covered information within facilities and through inter-office mail, information shall not be visible through envelope windows, and envelopes shall be marked according to their classification level (e.g. "Confidential").
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 AC-11 (HIGH)
• CSA IS-17
• HIPAA §164.310(b)
• HIPAA §164.312(a)(2)(i)
• ISO/IEC 27002-2005 11.3.3
• ISO 27799-2008 7.8.3
• NIST SP800-53 R4 AC-11
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 2.2: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 01.04 Network Access Control

Control Objective: To prevent unauthorized access to networked services.

Control Reference: 01.i Policy on the Use of Network Services

Control Specification: Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Authentication
Authorization
Network Segmentation
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations

Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance
Level 1 Implementation: The organization shall specify the networks and network services to which users are authorized access.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 AC-1 (HIGH)
• HIPAA §164.308(a)(3)(i)
• HIPAA §164.308(a)(3)(ii)(A)
• HIPAA §164.308(a)(4)(i)
• HIPAA §164.308(a)(4)(ii)(B)
• HIPAA §164.308(a)(4)(ii)(C)
• HIPAA §164.312(a)(1)
• ISO/IEC 27001-2005 A:11.4.1
• NIST SP800-53 R4 AC-1
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

The organization shall:
i. determine who is allowed to access which network and networked services (see 01.i, level 1); and
ii. specify the means that can be used to access networks and network services (e.g., the conditions for allowing access to a remote system).

The use of network services shall be consistent with the organization's business access control requirements.

Use of external information systems shall be managed effectively including:
i. information systems or components of information systems that are
outside of the accreditation boundary established by the organization
shall be identified as external information systems including:
1. information systems or components of information systems for
which the organization typically has no direct control over the
application of required security controls or the assessment of
security control effectiveness shall be identified as external
information systems;
2. personally owned information systems (e.g. computers, cellular
telephones, or personal digital assistants) shall be identified as
external information systems; and
3. privately owned computing and communications devices
resident in commercial or public facilities (e.g. hotels,
convention centers, or airports) shall be identified as external
information systems.
ii. authorized individuals shall be prohibited from using an external
information system to access the information system or to process,
store or transmit organization-controlled information except in
situations where the organization:
1. can verify the employment of required security controls on the
external system as specified in the organization’s information
security policy and system security plan; or
2. has approved information system connection or processing
agreements with the organizational entity hosting the external
information system.

The organization shall identify ports, services, and similar applications (e.g.,
protocols) necessary for business and provide the rationale or identify
compensating controls implemented for those protocols considered to be
insecure.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 AC-20 (HIGH)
• CMSRs 2012v1.5 CM-7 (HIGH)
• CSA IS-08
• CSA SA-08
• ISO/IEC 27002-2005 11.4.1
• ISO 27799-2008 7.8.4
• NIST SP800-53 R4 AC-20
• NIST SP800-53 R4 CM-7

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 01.j User Authentication for External Connections

Control Specification: Appropriate authentication methods shall be used to control access by remote users.

*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Authentication
Authorization
Third Parties and Contractors
User Access
Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FTC Red Flags Rule Compliance
Level 1 Implementation: Authentication of remote users shall be implemented using a password or passphrase and at least one of the following methods:
i. a cryptographic based technique;
ii. biometric techniques;
iii. hardware tokens;
iv. software tokens;
v. a challenge/response protocol; or
vi. certificate agents.
Additional authentication controls shall be implemented to control access to wireless networks. In particular, special care is needed in the selection of controls for wireless networks due to the greater opportunities for undetected interception and insertion of network traffic.

The organization shall monitor for unauthorized wireless connections to the information system and take organization-defined actions in response if unauthorized connections are discovered.

Remote access to business information across public networks shall only take place after successful identification and authentication. Vendors' accounts for remote maintenance shall be disabled unless specifically authorized by management. If remote maintenance is performed, the organization shall closely monitor and control all activities, with immediate deactivation of the account after use.

Use RADIUS or Kerberos to grant user privileges and resource access on the organization's network. For dial-up connections, use CHAP rather than PAP for user authentication: PAP sends the password across the link in the clear, whereas CHAP proves knowledge of the secret through a challenge/response hash and never transmits it. Note that CHAP protects only the authentication exchange; it does not encrypt the session. If encryption is not used for dial-up connections, the CIO or his/her designated representative must provide specific written authorization.
Level 1 Control Standard Mapping:
• 16 CFR Part §681 Appendix A III(b)
• CMSRs 2010v1.0 AC-18 (HIGH)
• CMSRs 2010v1.0 AC-18(1) (HIGH)
• CSA SA-07
• HIPAA §164.310(c)
• NIST SP800-53 R4 AC-18
• NIST SP800-53 R4 AC-18(1)
• PCI DSS v2 8.3
• PCI DSS v2 8.5.6
• PCI DSS v2 12.3.9
• 1 TAC § 390.2(a)(1)
• 1 TAC § 390.2(a)(3)
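The difference between PAP and CHAP that the Level 1 requirement relies on is easiest to see on the wire. The following is an added example, not HITRUST CSF text and not any vendor's implementation: it carries out the RFC 1994 CHAP exchange for both the access server and the dial-in peer, builds the equivalent PAP Authenticate-Request for comparison, and shows that a captured CHAP Response cannot be replayed against a fresh challenge. The shared secret, peer name and password are constructed values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Shared secret provisioned out of band (constructed value for this example).
SHARED_SECRET = b"correct-horse-battery-staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || Secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Access-server side of the link: issues a fresh Challenge per attempt and
    checks the Response; the secret itself never crosses the link."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.next_id = 0
        self.outstanding: Dict[int, bytes] = {}  # Identifier -> Challenge Value

    def challenge(self) -> Tuple[int, bytes]:
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(16)  # unpredictable and unique, so an old Response is useless
        self.outstanding[ident] = value
        return ident, value

    def verify(self, ident: int, response: bytes) -> bool:
        value = self.outstanding.pop(ident, None)  # each Challenge is single use
        if value is None:
            return False
        expected = chap_response(ident, self.secret, value)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Peer:
    """Dial-in peer: proves knowledge of the secret without transmitting it."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def respond(self, ident: int, challenge: bytes) -> bytes:
        return chap_response(ident, self.secret, challenge)


Transcript = List[Tuple[str, int, bytes]]


def run_chap(auth: Authenticator, peer: Peer) -> Tuple[bool, Transcript]:
    """One CHAP exchange. Returns (authenticated?, packets as an eavesdropper sees them)."""
    ident, value = auth.challenge()
    response = peer.respond(ident, value)
    transcript: Transcript = [("Challenge", ident, value), ("Response", ident, response)]
    return auth.verify(ident, response), transcript


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP (RFC 1334) Authenticate-Request payload: Peer-ID and Password in the clear."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def replay(auth: Authenticator, captured_response: bytes) -> bool:
    """An eavesdropper who captured a valid Response tries it on a new session."""
    new_ident, _ = auth.challenge()
    return auth.verify(new_ident, captured_response)


def secret_on_wire(transcript: Transcript, secret: bytes) -> bool:
    """True if any packet in the transcript contains the secret verbatim."""
    return any(secret in payload for _, _, payload in transcript)


if __name__ == "__main__":
    nas = Authenticator(SHARED_SECRET)
    ok, packets = run_chap(nas, Peer(SHARED_SECRET))
    print("CHAP authenticated:", ok)
    print("secret visible on wire:", secret_on_wire(packets, SHARED_SECRET))
    print("replay of captured Response accepted:", replay(nas, packets[1][2]))
    print("PAP request bytes:", pap_authenticate_request(b"alice", b"hunter2"))
```

The MD5 in CHAP is what the RFC specifies and is kept here for fidelity; the property that matters for this control is that the password never leaves the peer, not the strength of the digest. Note also that the access server must hold the cleartext secret to compute the expected Response, which is why the RADIUS or Kerberos back end named above needs the same protection as any credential store.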

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy

Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:

Authentication of remote users shall be implemented via virtual private network (VPN) solutions that support a cryptographic based technique, hardware tokens, or a challenge/response protocol. Dedicated private lines may also be used to provide assurance of the source of connections. Control all remote access through a limited number of managed access control points.

Periodic monitoring shall be implemented to ensure that installed equipment does not include unanticipated dial-up capabilities. Require callback capability with re-authentication to verify connections from authorized locations; note that callback can be defeated where the telephone service permits call forwarding, so it shall not be relied on as the only control. For application systems and turnkey systems that require the vendor to log on, the vendor shall be assigned a user ID and password and enter the network through the standard authentication process. Access to such systems shall be authorized and logged. User IDs assigned to vendors shall be reviewed in accordance with the organization's access review policy, at a minimum annually.

Node authentication may serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility. Cryptographic techniques (e.g. based on machine certificates) can be used for node authentication; this is part of several VPN-based solutions.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 AC-17 (HIGH)
• CMSRs 2012v1.5 AC-17(3) (HIGH)
• CMSRs 2012v1.5 IA-8 (HIGH)
• ISO/IEC 27002-2005 11.4.2
• ISO 27799-2008 7.8.4
• NIST SP800-53 R4 AC-17
• NIST SP800-53 R4 AC-17(3)
• NIST SP800-53 R4 IA-8

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Pharmaceutical Companies: > 70,000,000 Prescriptions Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to PCI Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

Automated mechanisms shall be employed to facilitate the monitoring and control of remote access methods.

The execution of privileged commands and access to security-relevant information via remote access shall only be authorized for compelling operational needs, and the rationale shall be documented.
Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 AC-17(1) (HIGH)
• CMSRs 2012v1.5 AC-17(4) (HIGH)
• CMSRs 2012v1.5 AC-17(5) (HIGH)
• CMSRs 2012v1.5 AC-17(7) (HIGH)
• CMSRs 2012v1.5 SC-14 (HIGH)
• NIST SP800-53 R4 AC-17(1)
• NIST SP800-53 R4 AC-17(4)
• NRS 603A.215.1
• PCI DSS v2 2.3

CMS Contractor Requirements

CMS Contractors: If e-authentication is implemented as a remote access solution or associated with remote access, refer to the Risk Management Handbook (RMH), Volume III, Standard 3.1, "CMS Authentication Standards."

Remote sessions authorized for use for remote administration shall employ additional security measures (e.g., Secure Shell [SSH], Virtual Private Networking [VPN] with blocking mode enabled) and encryption.

Control Reference: 01.k Equipment Identification in Networks

Control Specification: Automatic equipment identification shall be used as a means to authenticate connections from specific locations and equipment.
Factor Type: System
Topics: Authentication
Communications and Transmissions
Media and Assets
Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Processing PHI: Yes -AND- Accessible from the Internet: Yes, Exchanges Data with a Business Partner: Yes, Third Party Support (Vendor Access or Maintenance): Yes, System Connects with or Exchanges Data with an HIE: Yes
Level 1 Regulatory Factors: Subject to FISMA Compliance
Level 1 Implementation: An identifier in or attached to the equipment shall be used to indicate whether this equipment is permitted to connect to the network. These identifiers shall clearly indicate to which network the equipment is permitted to connect, if more than one network exists and particularly if these networks are of differing sensitivity.

Physical protection of the equipment shall be required to maintain the security of the equipment identifier. The identifier shall be stored and transported in an encrypted format to protect it from unauthorized access.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 IA-3 (HIGH)
• COBIT 4.1 DS5.7
• COBIT 5 DSS05.05
• CSA SA-13
• HIPAA §164.312(a)(2)(i)
• HIPAA §164.312(d)
• ISO/IEC 27002-2005 11.4.3
• ISO 27799-2008 7.8.4
• NIST SP800-53 R4 IA-3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 01.l Remote Diagnostic and Configuration Port Protection

Control Specification: Physical and logical access to diagnostic and configuration ports shall be controlled.
Factor Type: Organizational
Topics: Authorization
Media and Assets
Physical and Facility Security
Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations

Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Access to network equipment shall be physically protected (e.g. a router must be stored in a room that is only accessible by authorized employees or contractors).

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:

Controls for access to diagnostic and configuration ports shall include the use of a key lock. Ports, services, and similar applications installed on a computer or network system which are not specifically required for business functionality shall be disabled or removed.

Supporting procedures to control physical access to the port shall be implemented, including ensuring that diagnostic and configuration ports are only accessible by arrangement between the manager of the computer service and the hardware/software support personnel requiring access.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 MA-4 (HIGH)
• CMSRs 2012v1.5 MA-4(2) (HIGH)
• CMSRs 2012v1.5 MA-4(3) (HIGH)
• COBIT 4.1 DS5.7
• COBIT 5 DSS05.05
• CSA IS-30
• ISO/IEC 27002-2005 11.4.4
• ISO 27799-2008 7.8.4

• NIST SP800-53 R4 MA-4
• NIST SP800-53 R4 MA-4(2)
• NIST SP800-53 R4 MA-4(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Pharmaceutical Companies: > 70,000,000 Prescriptions Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

The organization shall review the information system every one hundred and eighty (180) days to identify and disable unnecessary and non-secure functions, ports, protocols, and/or services. The organization shall employ automated mechanisms to prevent program execution in accordance with the list of authorized or unauthorized software programs and rules authorizing the terms and conditions of software program usage.

The organization shall disable Bluetooth and peer-to-peer networking protocols within the information system where determined unnecessary or non-secure.

The organization shall identify unauthorized software on the information system; employ an allow-all, deny-by-exception policy to prohibit the execution of known unauthorized software on the information system; and review and update the list of unauthorized software periodically but no less than annually.
Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 CM-7 (HIGH)
• CMSRs 2012v1.5 CM-7(1) (HIGH)
• CMSRs 2012v1.5 CM-7(2) (HIGH)
• NIST SP800-53 R4 CM-7
• NIST SP800-53 R4 CM-7(1)
• NIST SP800-53 R4 CM-7(4)
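Both the 01.i Level 2 requirement to identify the ports, services and protocols needed for business (with a rationale or compensating control for any that are insecure) and the 01.l Level 3 requirement to review the system periodically and disable what is unnecessary or non-secure reduce to the same check: compare what is actually listening against an approved baseline. The following is an added example, not HITRUST CSF text and not a HITRUST-provided tool: it parses a listener snapshot in the shape of `ss -H -tulpn` output from a Linux host and reports each deviation. The baseline dictionary, the insecure-protocol list and the sample snapshot are constructed assumptions; an organization would populate them from its system security plan.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (protocol, port)

# Approved baseline (assumed format): (proto, port) -> (expected process, business
# rationale or compensating control). In practice this lives in the system security plan.
BASELINE: Dict[Key, Tuple[str, str]] = {
    ("tcp", 22):   ("sshd",     "remote administration; key-only auth, reachable from mgmt VLAN only"),
    ("tcp", 80):   ("nginx",    "insecure protocol, compensating control: redirect-only to 443, no content"),
    ("tcp", 443):  ("nginx",    "patient portal over TLS"),
    ("tcp", 5432): ("postgres", "EHR database; bound to loopback, application connects over TLS"),
}

# Protocols the organization treats as insecure (assumed list: cleartext or unauthenticated).
INSECURE: Dict[Key, str] = {
    ("tcp", 21):  "ftp (cleartext credentials)",
    ("tcp", 23):  "telnet (cleartext credentials)",
    ("tcp", 80):  "http (cleartext)",
    ("udp", 161): "snmp v1/v2c (community strings in the clear)",
    ("tcp", 512): "rexec", ("tcp", 513): "rlogin", ("tcp", 514): "rsh",
}

# Constructed snapshot in the shape of `ss -H -tulpn` output on a Linux host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511  0.0.0.0:80      0.0.0.0:*  users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0 511  0.0.0.0:443     0.0.0.0:*  users:(("nginx",pid=1203,fd=7))
tcp   LISTEN 0 128  127.0.0.1:5432  0.0.0.0:*  users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0 5    0.0.0.0:23      0.0.0.0:*  users:(("in.telnetd",pid=2210,fd=4))
udp   UNCONN 0 0    0.0.0.0:161     0.0.0.0:*  users:(("snmpd",pid=640,fd=7))
tcp   LISTEN 0 128  *:8080          *:*        users:(("java",pid=3301,fd=22))
"""

# Netid State Recv-Q Send-Q Local:Port Peer:Port [users:(("proc",...))]
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass
class Finding:
    category: str
    proto: str
    port: int
    process: str
    note: str


def parse_ss(output: str) -> List[Listener]:
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, addr, port, proc = m.groups()
            listeners.append(Listener(proto, addr, int(port), proc or "?"))
    return listeners


def audit(listeners: List[Listener],
          baseline: Dict[Key, Tuple[str, str]] = BASELINE,
          insecure: Dict[Key, str] = INSECURE) -> List[Finding]:
    """Compare live listeners against the baseline; every deviation becomes a Finding."""
    findings: List[Finding] = []
    seen = set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        approved = baseline.get(key)
        if key in insecure and approved is None:
            findings.append(Finding("INSECURE_UNDOCUMENTED", l.proto, l.port, l.process,
                                    insecure[key] + ": disable, or document a compensating control"))
        elif key in insecure:
            findings.append(Finding("INSECURE_WITH_RATIONALE", l.proto, l.port, l.process, approved[1]))
        elif approved is None:
            findings.append(Finding("NOT_IN_BASELINE", l.proto, l.port, l.process,
                                    "not required for business: disable, or add with rationale"))
        elif approved[0] != l.process:
            findings.append(Finding("PROCESS_MISMATCH", l.proto, l.port, l.process,
                                    "baseline expects " + approved[0]))
    for key, (proc, _) in baseline.items():
        if key not in seen:
            findings.append(Finding("BASELINE_NOT_LISTENING", key[0], key[1], proc,
                                    "approved service absent: host drift or stale baseline"))
    return findings


def requires_action(findings: List[Finding]) -> List[Finding]:
    """Everything except a documented insecure protocol needs a ticket."""
    return [f for f in findings if f.category != "INSECURE_WITH_RATIONALE"]


if __name__ == "__main__":
    for f in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{f.category:24} {f.proto}/{f.port:<5} {f.process:12} {f.note}")
```

Run against a live host by feeding `ss -H -tulpn` output to `parse_ss`; the 180-day review in 01.l Level 3 is then a matter of scheduling the run and keeping the findings with the rationale entries as evidence. The process-name check catches a baseline port taken over by a different binary, which a port-only comparison would miss.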

CMS Contractor Requirements

CMS Contractors: A list of specifically needed system services, ports, and network protocols will be maintained and documented in the security plan.

If collaborative computing is authorized, the information system shall provide physical disconnect of collaborative computing devices in a manner that supports ease of use.

The organization shall employ automated mechanisms to prevent program execution in accordance with the list of authorized or unauthorized software programs and rules authorizing the terms and conditions of software program usage.

Control Reference: 01.m Segregation in Networks

Control Specification: Groups of information services, users, and information systems should be segregated on networks.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Network Segmentation
Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: Security gateways (e.g. a firewall) shall be used between the internal network, external networks (Internet and 3rd party networks), and any demilitarized zone (DMZ).

An internal network perimeter shall be implemented by installing a secure gateway (e.g. a firewall) between two interconnected networks to control access and information flow between the two domains. This gateway shall
be capable of enforcing security policies, be configured to filter traffic between these domains, and block unauthorized access in accordance with the organization's access control policy.

Wireless networks shall be segregated from internal and private networks.

The organization shall require a firewall between any wireless network and the covered information systems environment.

A web-application firewall shall be placed in front of public-facing web applications to detect and prevent web-based attacks.
Level 1 Control Standard Mapping:
• CSA SA-08
• HIPAA §164.308(a)(3)(ii)(A)
• HIPAA §164.308(a)(3)(ii)(B)
• HIPAA §164.310(b)
• PCI DSS v2 1.1.3
• PCI DSS v2 6.6
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: Geographic Scope: Multi-state, BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

The criteria for segregation of networks into domains shall be based on the access control policy and access requirements, and shall also take account of the relative cost and performance impact of incorporating suitable network routing or gateway technology. In addition, segregation of networks shall be based on the value and classification of information stored or processed in the network, levels of trust, or lines of business, in order to reduce the total impact of a service disruption.

Networks shall be divided into separate logical network domains (e.g. an organization's internal network domains and external network domains), each protected by a defined security perimeter. A graduated set of controls shall be applied in different logical network domains to further segregate the network security environments (e.g. publicly accessible systems, internal networks, and critical assets).

Segregation of separate logical domains shall be achieved by restricting network access using virtual private networks for user groups within the organization. Networks shall also be segregated using network device functionality (e.g. IP switching).

Separate domains shall then be implemented by controlling the network data flows using routing/switching capabilities, including access control lists, according to applicable flow control policies.

The domains shall be defined based on a risk assessment and the different security requirements within each of the domains.

The organization shall physically allocate publicly accessible information system components to separate subnetworks with separate physical network interfaces.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 AC-4 (HIGH)
• CMSRs 2012v1.5 SC-7 (HIGH)
• CMSRs 2012v1.5 SC-7(1) (HIGH)
• CMSRs 2012v1.5 SC-7(2) (HIGH)
• COBIT 4.1 DS5.10
• COBIT 5 DSS05.02
• CSA SA-09
• ISO/IEC 27002-2005 11.4.5
• NIST SP800-53 R4 AC-4
• NIST SP800-53 R4 SC-7

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Geographic Scope: Off-Shore (Outside U.S.), Health Information Exchange: >6,000,000 Transactions Per Year

Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 AC-4 (HIGH)
• CMSRs 2012v1.5 SC-32 (HIGH)
• ISO 27799-2008 7.8.4
• NIST SP800-53 R4 SC-32

CMS Contractor Requirements

CMS Contractors: The organization shall partition the information system into components
residing in separate physical domains (or environments) as deemed
necessary.

Control Reference: 01.n Network Connection Control

Control Specification: For shared networks, especially those extending across the organization's
boundaries, the capability of users to connect to the network shall be
restricted, in line with the access control policy and requirements of the
business applications.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Network Segmentation, User Access, Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: At managed interfaces, network traffic is denied by default and allowed by
exception (i.e., deny all, permit by exception).

The organization shall restrict the ability of users to connect to the internal
network in accordance with the access control policy and the requirements
of the clinical and business applications.

Level 1 Control Standard Mapping:
 CMSRs 2012v1.5 SC-7 (HIGH)
 CMSRs 2012v1.5 SC-7(5) (HIGH)
 CSA DG-07
 HIPAA §164.310(b)
 NIST SP800-53 R4 SC-7
 NIST SP800-53 R4 SC-7(5)
 NRS 603A.215.1
 (State of Mass.) 201 CMR 17.04(6)
 1 TAC § 390.2(a)(1)
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:

The network access rights of users shall be maintained and updated as
required by the access control policy. The connection capability of users
shall be restricted through network gateways (e.g. a firewall) that filter
traffic by means of pre-defined tables or rules.

Restrictions shall be applied to:
i. messaging (e.g. electronic mail);
ii. file transfer (e.g. peer-to-peer, FTP);
iii. interactive access (e.g. where a user provides input to the system);
iv. common Windows applications; and
v. review of exceptions to the traffic flow policy within every three hundred
sixty-five (365) days or on implementation of major new systems.

Linking network access rights to certain times of day or dates shall be
implemented.

The organization shall limit the number of access points to the information
system (e.g., prohibiting desktop modems) to allow for more
comprehensive monitoring of inbound and outbound communications and
network traffic.

The organization shall:
i. implement a managed interface for each external telecommunication
service;
ii. establish a traffic flow policy for each managed interface;
iii. employ security controls as needed to protect the confidentiality and
integrity of the information being transmitted;
iv. document each exception to the traffic flow policy with a supporting
mission/business need and duration of that need;
v. review exceptions to the traffic flow policy within every three hundred
sixty-five (365) days; and
vi. remove traffic flow policy exceptions that are no longer supported by an
explicit mission/business need.
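The managed-interface requirements above (deny all, permit by exception; each exception documented with a business need and a duration; review within 365 days; removal once the need lapses) can be checked mechanically. The following Python is an added example, not HITRUST CSF text or tooling: the exception register, its addresses and its dates are constructed, and the class and field names are this example's own.

```python
"""Default-deny traffic flow policy for a managed interface, with a register of
documented exceptions that expire and must be reviewed within 365 days.
Added example; not part of the HITRUST CSF. All names and values are hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

REVIEW_INTERVAL = timedelta(days=365)   # "review exceptions within every 365 days"


@dataclass
class FlowException:
    """One documented exception to the deny-all policy."""
    name: str
    source: str            # CIDR of the permitted source
    destination: str       # CIDR of the permitted destination
    port: int
    protocol: str
    business_need: str     # supporting mission/business justification
    granted: date
    expires: date          # duration of the need
    last_reviewed: date

    def matches(self, src, dst, port, proto):
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination)
                and port == self.port and proto == self.protocol)

    def is_active(self, today):
        return self.granted <= today <= self.expires

    def review_overdue(self, today):
        return today - self.last_reviewed > REVIEW_INTERVAL


class ManagedInterface:
    def __init__(self, exceptions):
        self.exceptions = list(exceptions)

    def decide(self, src, dst, port, proto, today):
        """Deny all, permit by exception: the permitting exception's name, or DENY."""
        for exc in self.exceptions:
            if exc.is_active(today) and exc.matches(src, dst, port, proto):
                return f"PERMIT:{exc.name}"
        return "DENY"

    def audit(self, today):
        """Names of exceptions that have expired, and of active ones overdue for review."""
        expired = [e.name for e in self.exceptions if not e.is_active(today)]
        overdue = [e.name for e in self.exceptions
                   if e.is_active(today) and e.review_overdue(today)]
        return expired, overdue

    def prune(self, today):
        """Remove exceptions no longer supported by an in-date business need."""
        before = len(self.exceptions)
        self.exceptions = [e for e in self.exceptions if e.is_active(today)]
        return before - len(self.exceptions)


# Constructed sample register (hypothetical addresses, names and dates).
SAMPLE_EXCEPTIONS = [
    FlowException("claims-clearinghouse-sftp", "10.20.0.0/24", "203.0.113.10/32", 22, "tcp",
                  "Nightly claim submissions", date(2013, 6, 1), date(2015, 1, 15), date(2013, 6, 1)),
    FlowException("vendor-support-vpn", "198.51.100.0/24", "10.20.5.7/32", 443, "tcp",
                  "Contracted lab system maintenance", date(2012, 6, 1), date(2014, 6, 1), date(2012, 6, 1)),
]


def demo(today=date(2014, 9, 1)):
    iface = ManagedInterface(SAMPLE_EXCEPTIONS)
    decisions = [
        iface.decide("10.20.0.5", "203.0.113.10", 22, "tcp", today),    # documented and in date
        iface.decide("10.20.0.5", "203.0.113.10", 23, "tcp", today),    # different port: default deny
        iface.decide("198.51.100.9", "10.20.5.7", 443, "tcp", today),   # exception expired: deny
    ]
    expired, overdue = iface.audit(today)
    removed = iface.prune(today)
    return decisions, expired, overdue, removed
```

The register is the evidence an assessor asks for: every permitted flow traces to a named exception with a justification and an end date, and the audit shows which entries have lapsed or were last reviewed more than a year ago.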

The organization shall use strong cryptography and security protocols, such
as SSL/TLS or IPSEC, to safeguard covered information during transmission
over open, public networks.

Examples of open, public networks that are in scope are:
i. the Internet;
ii. wireless technologies;
iii. Global System for Mobile communications (GSM); and
iv. General Packet Radio Services (GPRS).

"External telecommunication services" addresses transmissions of data to
or from entities external to the secure site, including to other secure sites
using networks or any other communication resources outside of the
physical control of the secure site to transmit information.

Remote devices that have established a non-remote connection shall be
prevented from communicating outside of that communications path (e.g.,
with resources in external networks).
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 AC-17 (HIGH)
 CMSRs 2012v1.5 AC-17(3) (HIGH)
 CMSRs 2012v1.5 AC-17(8) (HIGH)
 CMSRs 2012v1.5 SC-7(3) (HIGH)
 CMSRs 2012v1.5 SC-7(4) (HIGH)
 CMSRs 2012v1.5 SC-7(7) (HIGH)
 CSA SA-08
 CSA SA-11
 ISO/IEC 27002-2005 11.4.6
 ISO/IEC 27002-2005 12.5.4
 ISO 27799-2008 7.8.4
 NIST SP800-53 R4 AC-17
 NIST SP800-53 R4 AC-17(3)
 NIST SP800-53 R4 SC-7(3)
 NIST SP800-53 R4 SC-7(4)
 NIST SP800-53 R4 SC-7(7)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The information system shall route all user-initiated internal
communications traffic to untrusted external networks through
authenticated proxy servers within the managed interfaces of boundary
protection devices.

Control Reference: 01.o Network Routing Control

Control Specification: Routing controls shall be implemented for networks to ensure that
computer connections and information flows do not breach the access
control policy of the business applications.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Network Segmentation, Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Security gateways (e.g., a firewall) shall be used between internal and
external networks (Internet and 3rd party networks).

The organization implements routing controls at the network perimeter.

Level 1 Control Standard Mapping:
 HIPAA §164.308(a)(3)(ii)(A)
 HIPAA §164.308(a)(4)(ii)(B)
 HIPAA §164.310(b)
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to State of
Massachusetts Data Protection Act, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:

Security gateways (e.g. a firewall) shall be used to validate source and
destination addresses at internal and external network control points if
proxy and/or network address translation technologies (e.g. DNS) are
employed.

The requirements for network routing control shall be based on the access
control policy. Routing controls shall also be based on positive source and
destination address checking mechanisms.

Internal directory services and internal IP addresses shall be protected and
hidden from any external access.
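Positive source and destination address checking at a gateway, as the Level 2 implementation describes: a packet is forwarded only if its source address belongs to the interface it arrived on, and traffic from the external interface can reach only published DMZ services, never internal address space or internal directory services. This is an added Python example, not HITRUST text; the interface names, networks and published services are constructed.

```python
"""Positive source/destination address checking at a security gateway.
Added example, not HITRUST text; all addresses, interface names and services
are constructed for illustration."""
from ipaddress import ip_address, ip_network

# Networks legitimately reachable behind each gateway interface (hypothetical).
# "external" claims nothing: any address not owned by an inside interface is external.
INTERFACES = {
    "internal": [ip_network("10.20.0.0/16")],
    "dmz": [ip_network("192.0.2.0/24")],
    "external": None,
}

# The only (host, port) pairs the outside world is allowed to reach; internal
# directory services and internal IP space are deliberately absent (hypothetical).
DMZ_PUBLIC_SERVICES = {
    ("192.0.2.25", 443),   # patient portal front end
    ("192.0.2.30", 25),    # inbound mail relay
}


def _owner_interface(addr):
    """Interface whose attached networks contain addr, else 'external'."""
    a = ip_address(addr)
    for name, nets in INTERFACES.items():
        if nets and any(a in n for n in nets):
            return name
    return "external"


def route_decision(ingress, src, dst, dport):
    """Decide whether a packet arriving on `ingress` may be forwarded.

    Positive source checking: the source must belong to the arrival interface,
    so an internal address arriving from outside is treated as spoofed.
    Positive destination checking: external traffic may reach only published
    DMZ services; internal addresses and directory services stay hidden.
    """
    if _owner_interface(src) != ingress:
        return "DROP:spoofed-source"
    if ingress == "external":
        if _owner_interface(dst) == "internal":
            return "DROP:internal-hidden"
        if (dst, dport) not in DMZ_PUBLIC_SERVICES:
            return "DROP:service-not-published"
        return "FORWARD:dmz"
    return f"FORWARD:{_owner_interface(dst)}"


def demo():
    return [
        route_decision("external", "198.51.100.7", "192.0.2.25", 443),   # published portal: forwarded
        route_decision("external", "10.20.0.9", "192.0.2.25", 443),      # internal source from outside: spoofed
        route_decision("external", "198.51.100.7", "10.20.1.10", 389),   # internal LDAP from outside: hidden
        route_decision("external", "198.51.100.7", "192.0.2.25", 22),    # DMZ host, unpublished service
        route_decision("internal", "10.20.3.4", "192.0.2.25", 443),      # internal to DMZ: forwarded
        route_decision("internal", "198.51.100.7", "10.20.3.4", 80),     # external source on inside port: spoofed
    ]
```

In a real gateway the same two checks appear as anti-spoofing (reverse-path) filters on each interface plus an explicit publish list for the DMZ; the point of the example is that both source and destination are checked positively against what the interface is supposed to carry, rather than by a blacklist.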
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 AC-4 (HIGH)
 ISO/IEC 27002-2005 11.4.7
 ISO 27799-2008 7.8.4
 NIST SP800-53 R4 AC-4
 NRS 603A.215.1
 PCI DSS v2 1.2
 PCI DSS v2 1.2.1

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 01.05 Operating System Access Control

Control Objective: To prevent unauthorized access to operating systems.

Control Reference: 01.p Secure Log-on Procedures

Control Specification: Access to operating systems shall be controlled by a secure log-on
procedure.
Factor Type: System
Topics: Authorization, Policies and Procedures, User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: A secure log-on procedure shall:
i. display a general notice warning that the computer shall only be
accessed by authorized users;
ii. limit the number of unsuccessful log-on attempts allowed to six
attempts;
iii. enforce recording unsuccessful and successful attempts;
iv. force a time delay of 30 minutes before further log-on attempts are
allowed or rejecting any further attempts without specific
authorization;
v. not display the password being entered by hiding the password
characters with symbols; and
vi. force a time delay of 30 minutes before further log-on attempts are
allowed or rejecting any further attempts without specific authorization
from an administrator.

Level 1 Control Standard Mapping:
 HIPAA §164.308(a)(5)(ii)(D)
 NRS 603A.215.1
 PCI DSS v2 8.5.13
 PCI DSS v2 8.5.14
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Exchanges Data with a
Business Partner: Yes, Third Party Support (Vendor Access or
Maintenance): Yes, Publicly Accessible: Yes, System Connects with or
Exchanges Data with an HIE: Yes
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

The procedure for logging into an operating system shall be designed to
minimize the opportunity for unauthorized access. The log-on procedure
shall therefore disclose the minimum of information about the system, in
order to avoid providing an unauthorized user with any unnecessary
assistance.

The log-on procedures shall:
i. limit the number of unsuccessful log-on attempts allowed to three
attempts, and enforce:
1. disconnecting data link connections;
2. sending an alarm message to the system console if the
maximum number of log-on attempts is reached; and
3. setting the number of password retries in conjunction with the
minimum length of the password and the value of the system
being protected;
ii. limit the maximum and minimum time allowed for the log-on
procedure; if exceeded, the system shall terminate the log-on;
iii. not transmit passwords in clear text over the network;
iv. not display system or application identifiers until the log-on process has
been successfully completed;
v. not provide help messages during the log-on procedure that would aid
an unauthorized user; and
vi. validate the log-on information only on completion of all input data. If
an error condition arises, the system shall not indicate which part of the
data is correct or incorrect.

Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 AC-7 (HIGH)
 CMSRs 2012v1.5 IA-6 (HIGH)
 NIST SP800-53 R4 AC-7
 NIST SP800-53 R4 IA-6

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 3 Implementation: Level 2 plus:

Configure the information system to lock out the user account automatically
after three failed log-on attempts by a user during a one hour time period.
Require the lock out to persist for a minimum of three hours.

Training shall include reporting procedures and responsibility for
authorized users to report unauthorized log-ons and unauthorized attempts
to log-on.

The number of concurrent sessions shall be limited to a specified number
for all account types defined by the organization.

Level 3 Control Standard Mapping:
 CMSRs 2012v1.5 AC-9 (HIGH)
 CMSRs 2012v1.5 AC-9(1) (HIGH)
 CMSRs 2012v1.5 AC-10
 ISO/IEC 27002-2005 11.5.1
 ISO 27799-2008 7.8.4
 NIST SP800-53 R4 AC-9
 NIST SP800-53 R4 AC-9(1)
 NIST SP800-53 R4 AC-10

CMS Contractor Requirements

CMS Contractors: The number of concurrent network sessions for a user shall be limited and
enforced to one (1) session. The number of concurrent application/process
sessions shall be limited and enforced to the number of sessions expressly
required for the performance of job duties. The requirement and use of
more than one (1) application/process session for each user shall be
documented in the system security profile.

The system shall display the following information on completion of a
successful log-on:
i. date and time of the previous successful log-on; and
ii. details of any unsuccessful log-on attempts since the last successful
log-on.

The organization shall configure the information system to lock out the user
account automatically after three (3) invalid login attempts during a one (1)
hour time period. The lock out shall persist for a minimum of three (3)
hours unless unlocked by an administrator. The control applies whether
the login occurs via a local or network connection.
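The lockout rule stated in the Level 3 implementation and again in the CMS contractor requirements (three failed attempts within one hour, a lock that persists three hours unless an administrator unlocks), the Level 2 rule that the log-on procedure must not reveal which part of the input was wrong, and the CMS requirement to report the previous successful log-on and the failures since it, together in one added Python example. It is not HITRUST text: the user store, clock and credentials are constructed, and salted PBKDF2 hashing with a constant-time compare is this example's choice of mechanism.

```python
"""Log-on procedure with lockout, a uniform failure message and last-log-on reporting.
Added example, not HITRUST text; user store, credentials and timestamps are constructed."""
import hashlib
import hmac
import os
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3                      # three failed attempts ...
FAILURE_WINDOW = timedelta(hours=1)   # ... within a one-hour period ...
LOCKOUT_DURATION = timedelta(hours=3) # ... lock persists three hours unless an admin unlocks

PASSWORD = "correct horse battery staple"   # constructed credential for the demo


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LogonService:
    def __init__(self):
        self._users = {}                          # user_id -> (salt, hash)
        self._failures = defaultdict(list)        # user_id -> times of recent failed attempts
        self._locked_until = {}                   # user_id -> datetime
        self._last_success = {}                   # user_id -> datetime of last good log-on
        self._failed_since_success = defaultdict(int)

    def add_user(self, user_id, password):
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash_password(password, salt))

    def is_locked(self, user_id, now):
        return now < self._locked_until.get(user_id, now)

    def admin_unlock(self, user_id):
        self._locked_until.pop(user_id, None)
        self._failures[user_id].clear()

    def logon(self, user_id, password, now):
        """Return (ok, message). The failure message is the same for an unknown user,
        a wrong password and a locked account, so it gives no hint which part was wrong."""
        generic = "Log-on failed."
        if self.is_locked(user_id, now):
            self._failed_since_success[user_id] += 1
            return False, generic
        record = self._users.get(user_id)
        # Hash even for unknown users so response time does not reveal whether the ID exists.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        valid = hmac.compare_digest(_hash_password(password, salt), stored) and record is not None
        if valid:
            prev = self._last_success.get(user_id)
            fails = self._failed_since_success[user_id]
            self._last_success[user_id] = now
            self._failed_since_success[user_id] = 0
            self._failures[user_id].clear()
            prev_text = prev.isoformat() if prev else "none"
            return True, f"Previous successful log-on: {prev_text}; failed attempts since then: {fails}"
        self._failed_since_success[user_id] += 1
        # Sliding one-hour window of failures; the third one locks the account.
        window = [t for t in self._failures[user_id] if now - t < FAILURE_WINDOW] + [now]
        self._failures[user_id] = window
        if len(window) >= MAX_FAILURES:
            self._locked_until[user_id] = now + LOCKOUT_DURATION
        return False, generic


def demo():
    svc = LogonService()
    svc.add_user("jdoe", PASSWORD)
    t0 = datetime(2014, 9, 1, 9, 0)
    r = []
    r.append(svc.logon("nobody", "x", t0)[1] == svc.logon("jdoe", "wrong1", t0)[1])  # same message
    r.append(svc.logon("jdoe", "wrong2", t0 + timedelta(minutes=10))[0])            # False
    r.append(svc.logon("jdoe", "wrong3", t0 + timedelta(minutes=20))[0])            # False; now locked
    r.append(svc.logon("jdoe", PASSWORD, t0 + timedelta(minutes=30))[0])            # False: right password, locked
    r.append(svc.is_locked("jdoe", t0 + timedelta(hours=3, minutes=19)))            # True: lock persists
    r.append(svc.is_locked("jdoe", t0 + timedelta(hours=3, minutes=21)))            # False: lock expired
    ok, msg = svc.logon("jdoe", PASSWORD, t0 + timedelta(hours=4))
    r.append(ok)                                                                     # True
    return r, msg
```

The per-user failure window is what makes "three attempts during a one hour period" differ from a plain counter: failures an hour apart never accumulate, while the lock, once set, holds for the full three hours even against the correct password.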

Control Reference 01.q User Identification and Authentication

Control Specification: All users shall have a unique identifier (user ID) for their personal use only,
and an authentication technique shall be implemented to substantiate the
claimed identity of a user.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Authentication, User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: The organization shall require verifiable unique IDs for all types of users
including, but not limited to:
i. technical support personnel;
ii. operators;
iii. network administrators;
iv. system programmers; and
v. database administrators.

The following shall be required for each category of User ID:
i. regular User IDs:
1. user IDs shall be used to trace activities to the responsible
individual; and
2. regular user activities shall not be performed from privileged
accounts.
ii. shared User IDs:
1. in exceptional circumstances, where there is a clear business
benefit, a shared user ID for a group of users or a specific job
can be used;
2. approval by management shall be documented for such cases;
and
3. additional controls are required to maintain accountability.
iii. generic IDs:
1. generic IDs for use by an individual shall only be allowed either
where the functions accessible or actions carried out by the ID
do not need to be traced (e.g. read only access).

The organization shall ensure:
i. that redundant user IDs are not issued to other users;
ii. unique user IDs shall be used to enable users to be linked to and held
responsible for their actions; and
iii. use of group IDs shall only be permitted where they are necessary for
business or operational reasons and shall be approved and
documented.

Appropriate authentication methods shall be used and assigned to users
(see 01.d or 01.j). A formal identification and authentication policy shall be
developed, disseminated, and reviewed and updated annually. The
identification and authentication policy shall address purpose, scope, roles,
responsibilities, management commitment, coordination among
organizational entities, and compliance.

Non-organizational users (all information system users other than
organizational users, such as patients or customers) determined to need
access to information residing on the organization's information systems,
shall be uniquely identified and authenticated in accordance with the
requirements outlined above and 01.d.

Users shall be uniquely identified and authenticated for both local and
remote accesses to information systems.
Level 1 Control Standard Mapping:
 CMSRs 2012v1.5 IA-4 (HIGH)
 CMSRs 2012v1.5 IA-8 (HIGH)
 COBIT 4.1 DS5.3
 COBIT 5 DSS05.04
 HIPAA §164.308(a)(3)(i)
 HIPAA §164.312(a)(2)(i)
 HIPAA §164.312(d)
 NIST SP800-53 R4 IA-2
 NIST SP800-53 R4 IA-4
 NIST SP800-53 R4 IA-8
 NRS 603A.215.1
 PCI DSS v2 8.1
 PCI DSS v2 8.3
 PCI DSS v2 8.5.8
 Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
 Phase 1 CORE 153: Eligibility and Benefits Connectivity Rule v1.1.0
Subsection 5.1
 Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
 (State of Mass.) 201 CMR 17.04(1)(a)
 (State of Mass.) 201 CMR 17.04(2)(b)
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Third Party
Support (Vendor Access or Maintenance): Yes
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

Appropriate authentication methods including strong authentication
methods in addition to passwords shall be used for communicating through
an external, non-organization-controlled network (e.g., the Internet).

Help desk support shall require user identification for any transaction that
has information security implications.

Sensitive authentication data shall not be stored after authorization (even if
encrypted).

During the registration process to provide hardware tokens, in-person
verification shall be required in front of a designated registration authority
with authorization by a designated organizational official (e.g., a
supervisor).

When PKI-based authentication is used, the information system:
i. validates certificates by constructing a certification path with status
information to an accepted trust anchor;
ii. enforces authorized access to the corresponding private key; and
iii. maps the authenticated identity to the user account.

The information system shall use replay-resistant authentication
mechanisms such as nonce, one-time passwords, or time stamps (e.g.,
Kerberos, TLS, etc.) for network access to privileged accounts, and shall
implement multifactor authentication for remote access such that one of
the factors is provided by a device separate from the system gaining access.
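A nonce-based replay-resistant mechanism of the kind the paragraph names, as an added Python example (not HITRUST text): the server issues a fresh random challenge, the client answers with an HMAC over the nonce and user ID under a shared secret, and the server accepts each nonce exactly once, so a captured response cannot be replayed and a response to an old nonce does not satisfy a new one. The shared secret and user ID are constructed; in a deployment the page's own suggestions (Kerberos, TLS, one-time passwords) would supply this property rather than a bespoke exchange.

```python
"""Nonce challenge-response: each nonce is accepted once, defeating replay.
Added example, not HITRUST text; the secret and user ID are constructed."""
import hashlib
import hmac
import secrets


class Server:
    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._outstanding = {}   # nonce -> user_id it was issued to; consumed on first use

    def challenge(self, user_id):
        """Issue a fresh, unpredictable nonce bound to this user."""
        nonce = secrets.token_bytes(16)
        self._outstanding[user_id, nonce] = True
        return nonce

    def verify(self, user_id, nonce, response):
        # pop() spends the nonce whether or not the response turns out to be valid,
        # so neither a replay nor a retry with a corrected response can reuse it.
        if self._outstanding.pop((user_id, nonce), None) is None:
            return False
        secret = self._secrets.get(user_id)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce + user_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret, user_id, nonce):
    """Client side: prove possession of the secret without transmitting it."""
    return hmac.new(secret, nonce + user_id.encode(), hashlib.sha256).digest()


def demo():
    secret = b"constructed-shared-secret"   # constructed; real secrets are provisioned out of band
    server = Server({"svc-admin": secret})

    nonce = server.challenge("svc-admin")
    response = client_respond(secret, "svc-admin", nonce)
    first = server.verify("svc-admin", nonce, response)           # True: fresh nonce, valid proof

    replay = server.verify("svc-admin", nonce, response)          # False: nonce already spent

    nonce2 = server.challenge("svc-admin")
    stale = server.verify("svc-admin", nonce2, response)          # False: proof bound to the old nonce

    nonce3 = server.challenge("svc-admin")
    wrong = server.verify("svc-admin", nonce3,
                          client_respond(b"guess", "svc-admin", nonce3))   # False: wrong secret
    return first, replay, stale, wrong
```

Binding the nonce to the user ID at issue time, and folding the user ID into the MAC, prevents a challenge issued for one account from being answered on behalf of another.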
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 IA-2 (HIGH)
 CMSRs 2012v1.5 IA-2(8) (HIGH)
 CMSRs 2012v1.5 IA-5 (HIGH)
 CMSRs 2012v1.5 IA-5(2) (HIGH)
 CMSRs 2012v1.5 IA-5(3) (HIGH)
 CSA SA-07
 ISO/IEC 27002-2005 11.5.2
 ISO 27799-2008 7.8.4
 ISO 27799-2008 7.8.5.1
 NIST SP800-53 R4 IA-2(3)
 NIST SP800-53 R4 IA-2(8)
 NIST SP800-53 R4 IA-5
 NIST SP800-53 R4 IA-5(2)
 NIST SP800-53 R4 IA-5(3)
 NIST SP800-53 R4 IA-2(11)
 PCI DSS v2 3.2

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 3 Implementation: The organization shall employ multifactor authentication for network
access to privileged and non-privileged accounts and for local access to
privileged accounts (including those used for non-local maintenance and
diagnostic sessions).

Level 3 Control Standard Mapping:
 CMSRs 2012v1.5 IA-2(1) (HIGH)
 CMSRs 2012v1.5 IA-2(2) (HIGH)
 CMSRs 2012v1.5 IA-2(3) (HIGH)
 CMSRs 2012v1.5 IA-2(4) (HIGH)
 CMSRs 2012v1.5 IA-2(9) (HIGH)
 CMSRs 2012v1.5 SC-14 (HIGH)
 NIST SP800-53 R4 IA-2(1)
 NIST SP800-53 R4 IA-2(2)
 NIST SP800-53 R4 IA-2(3)

CMS Contractor Requirements

CMS Contractors: The information system shall use multifactor authentication for local access
to non-privileged accounts.

The information system shall use replay-resistant authentication
mechanisms such as nonce, one-time passwords, or time stamps (e.g.,
Kerberos, TLS, etc.) for network access to non-privileged accounts.

Non-organizational users include all CMS information system users other
than organizational users explicitly covered by IA-2. Users are uniquely
identified and authenticated for all accesses other than those accesses
explicitly identified and documented by the organization in accordance with
AC-14. In accordance with the E-Authentication E-Government initiative,
authentication of non-organizational users accessing federal information
systems may be required to protect federal, proprietary, or privacy-related
information (with exceptions noted for national security systems).
Accordingly, a risk assessment is used in determining the authentication
needs of the organization. Scalability, practicality and security are
simultaneously considered in balancing the need to ensure ease of use for
access to federal information and information systems with the need to
protect and adequately mitigate risk to CMS operations, CMS assets,
individuals, other organizations, and the Nation. Identification and
authentication requirements for CMS information system access by
organizational users are described in IA-2. If E-Authentication is used, refer
to the Risk Management Handbook (RMH), Volume III, Standard 3.1, "CMS
Authentication Standards."

The system shall display the following information on completion of a
successful log-on:
i. date and time of the previous successful log-on; and
ii. details of any unsuccessful log-on attempts since the last successful log-on.

Control Reference 01.r Password Management System

Control Specification: Systems for managing passwords shall be interactive and shall ensure
quality passwords.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Cryptography, Password Management

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: Refer to Sections 1.b and 1.f for a full list of password controls.

In addition, a password management system shall be implemented to:
i. require the use of individual user IDs and passwords to maintain
accountability;
ii. allow users to select and change their own passwords and include a
confirmation procedure to allow for input errors;
iii. force users to change temporary passwords at the first log-on (see 1.b);
iv. not display passwords on the screen when being entered; and
v. always change vendor-supplied defaults before installing a system on
the network including passwords, simple network management
protocol (SNMP) community strings and the elimination of unnecessary
accounts.

Level 1 Control Standard Mapping:
 HIPAA §164.308(a)(5)(ii)(D)
 PCI DSS v2 2.1
 PCI DSS v2 8.5.8
 Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
 Phase 1 CORE 153: Eligibility and Benefits Connectivity Rule v1.1.0
Subsection 5.1
 Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
 (State of Mass.) 201 CMR 17.04(1)(b)
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Number of
Users: > 500, Exchanges Data with a Business Partner: Yes, Third Party
Support (Vendor Access or Maintenance): Yes, Publicly Accessible: Yes,
Number of Interfaces to Other Systems: > 25, System Connects with or
Exchanges Data with an HIE: Yes
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to State of
Massachusetts Data Protection Act
Level 2 Implementation: Level 1 plus:

Refer to Sections 1.b and 1.f for a full list of password controls.

The password management system shall:
i. store and transmit passwords in protected (e.g. encrypted or hashed)
form;
ii. store password files separately from application system data;
iii. enforce a choice of quality passwords (see 01.b);
iv. enforce password changes (see 01.b); and
v. maintain a record of previous user passwords and prevent re-use (see
01.b).
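A password management system showing the Level 1 and Level 2 behaviours together (individual IDs, user-chosen passwords with a confirmation step for input errors, forced change of a temporary password at first log-on, quality enforcement, a history that blocks re-use, and hashed storage kept apart from application data), as an added Python example. It is not HITRUST text; the quality rules, the history depth and the salted PBKDF2 hashing are this example's assumptions, not the values 01.b specifies.

```python
"""Password management system: salted hashes, history, quality checks, forced change.
Added example, not HITRUST text; thresholds and history depth are assumptions."""
import hashlib
import hmac
import os

HISTORY_DEPTH = 6     # assumption: how many previous passwords are remembered
MIN_LENGTH = 12       # assumption: see 01.b for the CSF's own requirement


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_quality_problems(password, user_id):
    """Return a list of reasons a candidate password fails the (assumed) quality policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("needs three of: lower, upper, digit, symbol")
    if user_id.lower() in password.lower():
        problems.append("contains user ID")
    return problems


class PasswordStore:
    """Holds only salted hashes, in a store separate from application data."""
    def __init__(self):
        self._current = {}    # user_id -> (salt, hash, must_change)
        self._history = {}    # user_id -> list of (salt, hash) for previous passwords

    def set_temporary(self, user_id, temp_password):
        """Issue a temporary password that must be changed at first log-on."""
        salt = os.urandom(16)
        self._current[user_id] = (salt, _hash(temp_password, salt), True)
        self._history.setdefault(user_id, [])

    def verify(self, user_id, password):
        rec = self._current.get(user_id)
        if not rec:
            return False
        salt, h, _ = rec
        return hmac.compare_digest(_hash(password, salt), h)

    def must_change(self, user_id):
        return self._current[user_id][2]

    def change(self, user_id, old, new, confirm):
        """Interactive change: old password, new password and confirmation of the new one."""
        if not self.verify(user_id, old):
            return "rejected: current password incorrect"
        if new != confirm:
            return "rejected: confirmation does not match"
        problems = password_quality_problems(new, user_id)
        if problems:
            return "rejected: " + "; ".join(problems)
        cur_salt, cur_hash, _ = self._current[user_id]
        recent = [(cur_salt, cur_hash)] + self._history[user_id][-HISTORY_DEPTH:]
        if any(hmac.compare_digest(_hash(new, s), h) for s, h in recent):
            return "rejected: password was used recently"
        self._history[user_id].append((cur_salt, cur_hash))
        salt = os.urandom(16)
        self._current[user_id] = (salt, _hash(new, salt), False)
        return "ok"


def demo():
    store = PasswordStore()
    store.set_temporary("mrivera", "Temp-1234-Change!")       # constructed credentials
    out = [store.must_change("mrivera")]                                                         # True
    out.append(store.change("mrivera", "Temp-1234-Change!", "short", "short"))                   # quality
    out.append(store.change("mrivera", "Temp-1234-Change!", "Long-Enough-Pw-2014", "Long-Enough-Pw-2013"))  # confirm
    out.append(store.change("mrivera", "Temp-1234-Change!", "Long-Enough-Pw-2014", "Long-Enough-Pw-2014"))  # ok
    out.append(store.must_change("mrivera"))                                                     # False
    out.append(store.change("mrivera", "Long-Enough-Pw-2014", "Temp-1234-Change!", "Temp-1234-Change!"))    # re-use
    out.append(store.verify("mrivera", "Long-Enough-Pw-2014"))                                   # True
    return out
```

Because each remembered password keeps its own salt, the re-use check has to re-hash the candidate once per history entry; that cost is deliberate and is the reason the history depth is bounded.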
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 IA-5 (HIGH)
 ISO/IEC 27002-2005 11.5.3
 ISO 27799-2008 7.8.4
 NIST SP800-53 R4 IA-5
 NRS 603A.215.1
 PCI DSS v2 8.4
 (State of Mass.) 201 CMR 17.04(1)(c)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The CMS information system, for PKI-based authentication, shall:
i. validate certificates by constructing a certification path with status information to an accepted trust anchor;
ii. enforce authorized access to the corresponding private key; and
iii. map the authenticated identity to the user account.

Control Reference: 01.s Use of System Utilities

Control Specification: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Factor Type: System
Topics: Authorization, Monitoring, Network Segmentation

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: The use of system utilities (e.g., administrative tools in Windows, the settings section (specifically network/device/security configuration) on VoIP phones, etc.) shall be controlled by implementing the following:
i. use of identification, authentication, and authorization procedures for system utilities;
ii. segregation of system utilities from applications software; and
iii. limitation of the use of system utilities to the minimum practical number of trusted, authorized users (see 01.b-01.o).
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AC-6 (HIGH)
- CSA IS-34
- HIPAA §164.308(a)(3)(i)
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.308(a)(4)(i)
- HIPAA §164.308(a)(4)(ii)(A)
- HIPAA §164.308(a)(4)(ii)(B)
- HIPAA §164.308(a)(4)(ii)(C)
- HIPAA §164.310(a)(2)(iii)
- HIPAA §164.310(b)
- HIPAA §164.312(a)(1)
- HIPAA §164.312(a)(2)(i)
- HIPAA §164.312(a)(2)(ii)
- HIPAA §164.312(a)(2)(iv)
- NIST SP800-53 R4 AC-6
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Exchanges Data with a Business Partner: Yes, Third Party Support (Vendor Access or Maintenance): Yes, Publicly Accessible: Yes, Number of Interfaces to Other Systems: > 25, System Connects with or Exchanges Data with an HIE: Yes
Level 2 Regulatory Factors: Subject to PCI Compliance; Subject to FISMA Compliance; Subject to the CMS Minimum Security Requirements (HIGH)
Level 2 Implementation: Level 1 plus:

The use of system utilities shall be controlled by implementing the following:
i. authorization for ad hoc use of system utilities;
ii. limitation of the availability of system utilities (e.g. limitation of availability by setting restrictive file system level permissions for the access and execution of system utilities such as cmd.exe, ping, tracert, ipconfig, ifconfig, etc.);
iii. disabling public "read" access to files, objects, and directories;
iv. logging of all use of system utilities;
v. defining and documenting authorization levels for system utilities;
vi. deletion of, or file system execution permission denial for, all unnecessary software-based utilities and system software; and
vii. not making system utilities available to users who have access to applications on systems where segregation of duties is required.

The information system owner shall regularly review the system utilities available to identify and eliminate unnecessary functions, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. Public "read" and "write" access to all system files, objects, and directories shall be disabled.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AC-3 (HIGH)
- COBIT 4.1 DS5.7
- COBIT 5 DSS05.05
- ISO/IEC 27002-2005 11.5.4
- ISO 27799-2008 7.8.4
- NIST SP800-53 R4 AC-3
- NRS 603A.215.1
- PCI DSS v2 2.2.4
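One way an owner can run the review the Level 2 requirement calls for (added example, not HITRUST's or any product's code): walk a tree and report entries with public read or write bits, plus listed utilities that anyone can execute. The utility names come from the control; the sample tree is constructed here for illustration.

```python
"""Added example: audit public access bits and utility execute rights (01.s Level 2)."""
import os
import stat
import tempfile

# Utilities the control names as candidates for restricted execution.
RESTRICTED_UTILITIES = {"cmd.exe", "ping", "tracert", "ipconfig", "ifconfig"}


def audit_public_access(root: str, restricted=RESTRICTED_UTILITIES) -> list:
    """Return sorted (path, finding) pairs for permission bits the control forbids:
    - any file or directory readable or writable by 'other' (public read/write);
    - a listed utility executable by 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink targets are audited where they actually live
            if mode & stat.S_IROTH:
                findings.append((path, "public read"))
            if mode & stat.S_IWOTH:
                findings.append((path, "public write"))
            if name in restricted and mode & stat.S_IXOTH and not stat.S_ISDIR(mode):
                findings.append((path, "utility executable by all users"))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample tree (not from the CSF): two compliant and two non-compliant entries."""
    root = tempfile.mkdtemp(prefix="csf01s-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    os.chmod(bindir, 0o750)                       # no 'other' bits: compliant
    samples = {
        os.path.join(bindir, "ping"): 0o755,      # world-readable and world-executable
        os.path.join(bindir, "ifconfig"): 0o750,  # execute limited to owner/group: compliant
        os.path.join(root, "config.txt"): 0o666,  # world read and write
        os.path.join(root, "secret.txt"): 0o600,  # compliant
    }
    for path, mode in samples.items():
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


def finding_kinds(root: str) -> set:
    """Findings keyed by path relative to root, for reporting or assertions."""
    return {(os.path.relpath(p, root), kind) for p, kind in audit_public_access(root)}


if __name__ == "__main__":
    for rel, kind in sorted(finding_kinds(build_demo_tree())):
        print("%-20s %s" % (rel, kind))
```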

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: None
Level 3 Control Standard Mapping: None

CMS Contractor Requirements

CMS Contractors: The organization shall prohibit the use of Voice over Internet Protocol (VoIP) technologies, unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative.

If VoIP is authorized, the organization shall:
i. establish usage restrictions and implementation guidance for VoIP technologies based on the potential to cause damage to the information system if used maliciously;
ii. authorize, monitor, and control the use of VoIP within the information system; and
iii. ensure VoIP equipment used to transmit or discuss sensitive information is protected with FIPS 140-2 encryption standards.
Control Reference: 01.t Session Time-out

Control Specification: Inactive sessions shall shut down after a defined period of inactivity.
Factor Type: System
Topics: User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance
Level 1 Implementation: A time-out system that conceals information previously visible on the display with a publicly viewable image (e.g. a screen saver) shall pause the session screen after 15 minutes of inactivity and close network sessions after 30 minutes of inactivity. The system shall require the user to reestablish access using appropriate identification and authentication procedures.

A limited form of time-out system can be provided for legacy systems that cannot be modified to accommodate this requirement; it clears the screen and prevents unauthorized access by requiring re-authentication to continue the active session, but does not close down the application or network sessions.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AC-11 (HIGH)
- CMSRs 2012v1.5 AC-12 (HIGH)
- CSA SA-03
- HIPAA §164.310(b)
- HIPAA §164.312(a)(2)(iii)
- ISO/IEC 27002-2005 11.5.5
- ISO 27799-2008 7.8.4
- NIST SP800-53 R4 AC-12
- NIST SP800-53 R4 AC-11
- NIST SP800-53 R4 SC-10
- NRS 603A.215.1
- PCI DSS v2 8.5.15
- PCI DSS v2 12.3.8
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Publicly Accessible: Yes
Level 2 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

A time-out system (e.g. a screen saver) shall pause the session screen after 2 minutes of inactivity and close network sessions after 30 minutes of inactivity.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 SC-10 (HIGH)
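The Level 1 and Level 2 time-out behaviour above as one state machine (added example, not HITRUST code): a session locks the display after the lock interval, closes after the close interval, and only re-authentication restores a locked session; the legacy lock-only variant from Level 1 is a flag. Times are caller-supplied Unix seconds so the rules can be checked without waiting; interval defaults are the Level 1 values.

```python
"""Added example: inactivity time-out state machine for control 01.t."""
from enum import Enum

MINUTE = 60  # seconds


class SessionState(Enum):
    ACTIVE = "active"  # user working, information visible
    LOCKED = "locked"  # display concealed; re-authentication restores the session
    CLOSED = "closed"  # network session terminated; a fresh login is required


class TimedSession:
    """Tracks one interactive session. Defaults are the Level 1 values (15/30 minutes);
    Level 2 keeps 30 minutes to close but locks after 2 minutes (lock_after=2 * MINUTE)."""

    def __init__(self, started_at, lock_after=15 * MINUTE, close_after=30 * MINUTE,
                 legacy_lock_only=False):
        if lock_after > close_after:
            raise ValueError("lock interval must not exceed close interval")
        self.lock_after = lock_after
        self.close_after = close_after
        self.legacy_lock_only = legacy_lock_only  # legacy systems: lock, but never close
        self.last_activity = started_at
        self.closed = False

    def state(self, now) -> SessionState:
        """Evaluate the session against the inactivity thresholds at time `now`."""
        if self.closed:
            return SessionState.CLOSED
        idle = now - self.last_activity
        if idle >= self.close_after and not self.legacy_lock_only:
            self.closed = True  # closing is permanent
            return SessionState.CLOSED
        if idle >= self.lock_after:
            return SessionState.LOCKED
        return SessionState.ACTIVE

    def touch(self, now) -> bool:
        """Record user activity. Input while LOCKED or CLOSED must not silently
        unlock; returns False so the caller knows re-authentication is required."""
        if self.state(now) is not SessionState.ACTIVE:
            return False
        self.last_activity = now
        return True

    def reauthenticate(self, now, credentials_ok: bool) -> bool:
        """Re-establish access after a lock. A closed session cannot be resumed."""
        if self.state(now) is SessionState.CLOSED or not credentials_ok:
            return False
        self.last_activity = now
        return True
```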

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The information system shall automatically terminate the network connection associated with a communications session at the end of the session (as specified by the appropriate CSF level), OR:
i. forcibly de-allocate communications session Dynamic Host Configuration Protocol (DHCP) leases after seven (7) days or another organization-defined time period; AND
ii. forcibly disconnect inactive Virtual Private Network (VPN) connections after thirty (30) minutes of inactivity or another organization-defined time period.

Control Reference: 01.u Limitation of Connection Time

Control Specification: Restrictions on connection times shall be used to provide additional security for high-risk applications.
Factor Type: System
Topics: Authentication, Authorization, User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Processing PHI: Yes -AND-, Accessible from the Internet: Yes, Exchanges Data with a Business Partner: Yes, Third Party Support (Vendor Access or Maintenance): Yes, Publicly Accessible: Yes, System Connects with or Exchanges Data with an HIE: Yes
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: Connection time controls shall be implemented for sensitive computer applications, especially from high-risk locations (e.g. public or external areas that are outside the organization's security management), including:
i. using predetermined time slots (e.g. for batch file transmissions or regular interactive sessions of short duration);
ii. restricting connection times to normal office hours if there is no requirement for overtime or extended-hours operation; and
iii. re-authentication at timed intervals.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AC-10 (HIGH)
- ISO/IEC 27002-2005 11.5.6
- ISO 27799-2008 7.8.4
Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements.

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 01.06 Application and Information Access Control

Control Objective: To prevent unauthorized access to information held in application systems.

Control Reference: 01.v Information Access Restriction

Control Specification: Logical and physical access to information and application systems and functions by users and support personnel shall be restricted in accordance with the defined access control policy.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Authentication, Policies and Procedures, User Access, Viruses and Malware

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: Restrictions to access shall be based on individual business application requirements. The access control policy shall also be consistent with the organizational access policy.

The following guidelines shall be implemented in order to support access restriction requirements:
i. providing menus to control access to application system functions; and
ii. controlling the access rights of users (e.g. read, write, delete, and execute).

A formal procedure shall be implemented to facilitate the access control policy.

Associated identification and authentication controls shall be developed, disseminated, and periodically reviewed and updated, including:
i. specific user actions that can be performed on the information system without identification or authentication shall be identified and supporting rationale documented;
ii. actions to be performed without identification and authentication shall be permitted only to the extent necessary to accomplish mission objectives.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AC-6 (HIGH)
- CSA IS-08
- CSA SA-11
- HIPAA §164.308(a)(3)(i)
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.308(a)(4)(i)
- HIPAA §164.308(a)(4)(ii)(A)

- HIPAA §164.308(a)(4)(ii)(B)
- HIPAA §164.308(a)(4)(ii)(C)
- HIPAA §164.310(a)(2)(iii)
- HIPAA §164.310(b)
- HIPAA §164.312(a)(1)
- HIPAA §164.312(a)(2)(i)
- HIPAA §164.312(a)(2)(ii)(i)
- HIPAA §164.312(a)(2)(ii)(iv)
- NIST SP800-53 R4 AC-6
- NIST SP800-53 R4 CM-2(7)
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:

The following guidelines shall be implemented in order to support access restriction requirements:
i. controlling access rights to other applications according to applicable access control policies;
ii. ensuring that outputs from application systems handling covered information contain only the information relevant to the use of the output and are sent only to authorized terminals and locations; and
iii. periodic reviews of such outputs to ensure that redundant information is removed.

When encryption of stored information is employed as an access enforcement mechanism, it shall be encrypted using validated cryptographic modules (see 06.d).

Data stored in the information system shall be protected with system access controls and shall be encrypted when residing in non-secure areas.

Specific user actions that can be performed on the information system without identification or authentication shall be identified and supporting rationale documented. Actions to be performed without identification and authentication shall be permitted only to the extent necessary to accomplish mission objectives.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AC-3 (HIGH)
- CMSRs 2012v1.5 AC-14 (HIGH)
- CMSRs 2012v1.5 SC-15 (HIGH)
- ISO/IEC 27002-2005 11.6.1
- NIST SP800-53 R4 AC-3
- NIST SP800-53 R4 AC-14
- NIST SP800-53 R4 SC-15

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Third Party Support (Vendor Access or Maintenance): Yes
Level 3 Regulatory Factors: Subject to PCI Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

For individuals accessing covered information from a remote location, prohibit the copy, move, print (and print screen) and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.
Level 3 Control Standard Mapping:
- NRS 603A.215.1
- PCI DSS v2 12.3.10

CMS Contractor Requirements

CMS Contractors: Encryption as access enforcement shall extend to all government and non-government furnished desktop computers that store sensitive information.

While encryption is the preferred technical solution for protection of sensitive information on all desktop computers, adequate physical security controls and other management controls are acceptable mitigations for the protection of desktop computers with the approval of the CIO or his/her designated representative.

If encryption is used as an access control mechanism, it must meet CMS approved (FIPS 140-2 compliant and a NIST validated module) encryption standards.

Control Reference: 01.w Sensitive System Isolation

Control Specification: Sensitive systems shall have a dedicated and isolated computing environment.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: IT Organization and Management Roles and Responsibilities, Network Segmentation, Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: The sensitivity of an application system shall be explicitly identified and documented by the application owner.

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

The sensitive application system shall run on a dedicated computer, or only share resources with trusted application systems. Isolation shall be achieved using physical or logical methods. When a sensitive application is to run in a shared environment, the application systems with which it will share resources and the corresponding risks should be identified and accepted by the owner of the sensitive application.
Level 2 Control Standard Mapping:
- ISO/IEC 27002-2005 11.6.2
- ISO 27799-2008 7.8.5.2
- NIST SP800-53 R4 SC-4

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: Processing PHI: Yes - AND -, Number of Users: > 5,500
Level 3 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High); Subject to PCI Compliance
Level 3 Implementation: Level 2 plus:

Users of shared system resources cannot intentionally or unintentionally access information remnants, including encrypted representations of information, produced by the actions of a prior user or system process acting on behalf of a prior user.

System resources shared between two (2) or more users are released back to the information system, and are protected from accidental or purposeful disclosure.

Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) If virtualization technologies are used, verify that one component or primary function is implemented per virtual system device.
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 SC-4 (HIGH)
- PCI DSS v2 2.2.1
- 1 TAC § 390.2(a)(4)(A)(xi)
FTI Custodians Requirements

FTI Custodians: Organizations transmitting FTI from one computer to another need only identify the bulk records transmitted. This identification will contain the approximate number of personal records, the date of the transmissions, the best possible description of the records, and the name of the individual making/receiving the transmission.

Objective Name: 01.07 Mobile Computing and Teleworking

Control Objective: To ensure the security of information when using mobile computing devices and teleworking facilities.

Control Reference: 01.x Mobile Computing and Communications

Control Specification: A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication devices.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Communications and Transmissions, Cryptography, Data Loss Prevention, Media and Assets, Physical and Facility Security, Policies and Procedures, Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Mobile Devices Used: Yes, Processing PHI: Yes -AND-
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to State of Massachusetts Data Protection Act, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: The organization shall use full-disk encryption to protect the confidentiality of information on laptops and other mobile devices that support full-disk encryption. Encryption shall be required for all other mobile computing devices in accordance with the organization's data protection policy (see 06.d). If it is determined that encryption is not reasonable and appropriate, the organization shall document its rationale and acceptance of risk.

A mobile computing policy shall be developed and include the requirements for physical protection, access controls, cryptographic techniques, back-ups, and virus protection. This policy shall also include rules and advice on connecting mobile devices to networks and guidance on the use of these devices in public places.

Protection shall be in place when using mobile computing devices in public places, meeting rooms and other unprotected areas outside of the organization's premises to avoid the unauthorized access to or disclosure of the information stored and processed by these devices (e.g. using cryptographic techniques). Users of mobile computing devices in public places shall take care to avoid the risk of being overlooked by unauthorized persons.

The organization shall install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization's network.

Suitable protection shall be given to the use of mobile devices connected to networks.

The organization shall only authorize connections of mobile devices meeting organizational usage restrictions and implementation guidance; enforce requirements for the connection of mobile devices to sensitive information systems; and monitor for unauthorized connections. Information system functionality on mobile devices that provides the capability for automatic execution of code without user direction shall be disabled.

Individuals shall be issued specifically configured mobile devices for travel to locations the organization deems to be of significant risk in accordance with organizational policies and procedures. The devices shall be checked for malware and physical tampering upon return from these locations.

Mobile computing devices shall also be physically protected against theft, especially when left, for example, in cars and other forms of transport, hotel rooms, conference centers, and meeting places. A specific procedure taking into account legal, insurance and other security requirements of the organization shall be established for cases of theft or loss of mobile computing devices. Equipment carrying important, covered, and/or critical business information shall not be left unattended without being physically protected.

Training shall be arranged for personnel using mobile computing to raise their awareness of the additional risks resulting from this way of working and the controls that shall be implemented.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AC-19 (HIGH)
- CSA IS-32
- HIPAA §164.310(b)
- ISO/IEC 27002-2005 11.7.1
- ISO 27799-2008 7.8.6.1
- NIST SP800-53 R4 AC-19
- NIST SP800-53 R4 AC-19(5)
- NRS 603A.215.1
- PCI DSS v2 1.4
- (State of Mass.) 201 CMR 17.04(5)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall monitor for unauthorized mobile device connections and prohibit the connection of portable and mobile devices ...

If authorized, the organization shall:
i. establish usage restrictions and implementation guidance for mobile devices;
ii. employ an approved method of cryptography to protect information residing on portable and mobile information devices, and utilize a whole-disk encryption solution for laptops;
iii. protect the storage and transmission of information on portable and mobile information devices with activities such as scanning the devices for malicious code and virus protection software;
iv. implement a time-out function for mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity; and
v. scan, review, or reformat mobile devices as applicable to protect CMS from the introduction of unapproved and/or malicious modifications.

Control Reference: 01.y Teleworking

Control Specification: A policy, operational plans and procedures shall be developed and implemented for teleworking activities.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Authorization, Communications and Transmissions, IT Organization and Management Roles and Responsibilities, Media and Assets, Personnel, User Access, Network Security

Level 1 Implementation Requirements



Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance
Level 1 Implementation: Organizations shall only authorize teleworking activities if they are satisfied
that appropriate security arrangements and controls are in place, and that
these comply with the organization's security policy. Suitable protection of
the teleworking site shall be in place to protect against the theft of
equipment and information, the unauthorized disclosure of information,
unauthorized remote access to the organization's internal systems or
misuse of facilities.

The following matters shall be addressed:

i. the communications security requirements, taking into account the
need for remote access to the organization's internal systems, the
sensitivity of the information that will be accessed and passed over the
communication link and the sensitivity of the internal system;
ii. the use of home networks and requirements or restrictions on the
configuration of wireless network services including encryption (WPA
at a minimum);
iii. anti-virus protection, operating system and application patching, and
firewall requirements consistent with corporate policy; and
iv. revocation of authority and access rights, and the return of equipment
when the teleworking activities are terminated.

Verifiable unique IDs shall be required for all teleworkers accessing the
organization's network via a remote connection. The connection between
the organization and the teleworker's location shall be secured via an
encrypted channel. The organization shall maintain ownership over the
assets used by the teleworker in order to achieve the requirements of this
control (e.g. issuance of a USB device to allow for remote access via an
encrypted tunnel).

Teleworking activities shall both be authorized and controlled by
management, and it shall be ensured that suitable arrangements are in
place for this way of working. Training on security awareness, privacy and
teleworker responsibilities shall be required prior to authorization and
training methods shall be reviewed in accordance with the organization's
policy (see 02.e).

Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AC-17 (HIGH)
- HIPAA §164.310(a)(2)(i)
- HIPAA §164.310(b)
- NIST SP800-53 R4 AC-17
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The following matters shall be addressed prior to authorizing teleworking:
i. the existing physical security of the teleworking site, taking into account
the physical security of the building and the local environment;
ii. the proposed physical teleworking environment; and
iii. the threat of unauthorized access to information or resources from
other persons using the accommodation (e.g. family and friends).
Level 2 Control Standard Mapping:
- NIST SP800-53 R4 PE-17

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: > 6,000,000 Transactions Per Year

Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to PCI Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 3 Implementation: Level 2 plus:
The following matters shall be addressed prior to authorizing teleworking:
i. a definition of the work permitted, the hours of work, the classification
of information that may be held and the internal systems and services
that the teleworker is authorized to access;
ii. the provision of suitable equipment and storage furniture for the
teleworking activities, where the use of privately owned equipment that
is not under the control of the organization is not allowed;
iii. the provision of suitable communication equipment, including methods
for securing remote access;
iv. rules and guidance on family and visitor access to equipment and
information;
v. the provision of hardware and software support and maintenance;
vi. the provision of insurance;
vii. the procedures for back-up and business continuity; and
viii. audit and security monitoring.

The organization shall instruct all personnel working from home to
implement fundamental security controls and practices, including
passwords, virus protection, and personal firewalls. Remote access shall be
limited to only those information resources required by home users to
complete job duties. Any organization-owned equipment shall be used only
for business purposes by authorized employees.
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 PE-17 (HIGH)
- ISO/IEC 27002-2005 11.7.2
- ISO 27799-2008 7.8.6.2

Control Category: 02.0 - Human Resources Security

Objective Name: 02.01 Prior to Employment

Control Objective: To ensure that employees, contractors and third party users are suitable for
the roles for which they are being considered, to reduce the risk of fraud,
theft, or misuse of facilities.

Control Reference: 02.a Roles and Responsibilities

Control Specification: Security roles and responsibilities of employees, contractors and third party
users shall be defined and documented in accordance with the
organization's information security policy.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Awareness and Training
Incident Response
IT Organization and Management Roles and Responsibilities
Personnel
Policies and Procedures

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: The organization shall develop, disseminate, and review/update annually:
i. a formal, documented personnel security policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance; and
ii. formal, documented procedures to facilitate the implementation of the
personnel security policy and associated personnel security controls.

Security roles and responsibilities shall include the following requirements:

i. implement and act in accordance with the organization's information
security policies;
ii. protect assets from unauthorized access, disclosure, modification,
destruction or interference;
iii. execute particular security processes or activities;
iv. ensure responsibility is assigned to the individual for actions taken; and
v. report security events or potential events or other security risks to the
organization.

Security roles and responsibilities shall be defined and clearly
communicated to job candidates during the pre-employment process.
Security roles and responsibilities, as laid down in the organization's
information security policy, as well as any involvement in processing
covered information shall be documented in relevant job descriptions.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PS-1 (HIGH)
- CSA IS-13
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.308(a)(3)(ii)(B)
- HIPAA §164.308(a)(3)(ii)(C)
- ISO/IEC 27002-2005 8.1.1
- ISO 27799-2008 7.5.1.1
- NIST SP800-53 R4 PS-1
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance; Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:

The pre-employment process shall be reviewed by recruitment
to ensure security roles and responsibilities are defined and clearly
communicated to job candidates. The organization shall assign
criticality/sensitivity risk designations as appropriate, establish screening
criteria, and review and revise designations annually.

The organization shall define the roles, responsibilities and authority of all
security personnel.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 PS-2 (HIGH)
- NIST SP800-53 R4 PS-2

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: None

Control Reference: 02.b Screening

Control Specification: Background verification checks on all candidates for employment,
contractors, and third party users shall be carried out in accordance with
relevant laws, regulations and ethics, and proportional to the business
requirements, the classification of the information to be accessed, and the
perceived risks.
Factor Type: Organizational
Topics: Authorization
IT Organization and Management Roles and Responsibilities
Personnel
Requirements (Legal and Contractual)
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: Verification checks shall take into account all relevant privacy, protection
of covered data and/or employment based legislation, and where permitted
and appropriate, include the following:
i. availability of satisfactory character references (e.g. one business and
one personal);
ii. a check (for completeness and accuracy) of the applicant's curriculum
vitae;
iii. confirmation of claimed academic and professional qualifications; and
iv. independent identity check (passport or similar document).

All applicants shall be required to complete an I-9 form to verify that they
are eligible to work in the United States. Where a job, either on initial
appointment or on promotion, involves the person having access to
information assets, and in particular those handling covered information
(e.g. financial information, personal health information or highly
confidential information) the organization shall, at a minimum, verify the
identity, current address and previous employment of such staff.

Procedures shall define criteria and limitations for verification checks (e.g.
who is eligible to screen people, and how, when and why verification checks
are carried out).

Information on all candidates being considered for positions within the
organization shall be collected and handled in accordance with any
appropriate legislation existing in the relevant jurisdiction. Depending on
applicable legislation, the candidates shall be informed beforehand about
the screening activities.
Level 1 Control Standard Mapping:
- CSA HR-01
- HIPAA §164.308(a)(3)(ii)(B)
- ISO/IEC 27002-2005 8.1.2
- ISO 27799-2008 7.5.1.2
- NIST SP800-53 R4 PS-3
- NRS 603A.215.1
- PCI DSS v2 12.7
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:
The organization shall have a HR representative as a single point of contact
for performing the screening process on applicants.

The organization shall develop a standard criteria screening process to be
carried out on all applicants. The organization shall screen individuals
requiring access to organizational information before authorizing
access. The organization shall assign a risk designation to all positions and
establish criteria for individuals filling those positions.

Applicants shall be screened in accordance with applicable regional
policies/procedures that may require screening in the following areas:
i. health screening;
ii. drug screening; and
iii. motor vehicle driving record (in accordance with job requirements).

Criminal background checks shall be undertaken prior to employment. The
organization shall rescreen individuals periodically, consistent with the
criticality/sensitivity rating of the position and, when an employee moves
from one position to another, any higher level of access (clearance) should
be adjudicated.

The organization shall consider applicable state and federal law (reference
02.b, level 1) with regards to information exchanged in the notification
process with business associates described in 05.k, level 1, which is meant
to ensure third party workforce members pass verification checks prior to
employment.

If there has been a long gap, at a minimum five years, between recruitment
and the date of the employee starting, the organization shall repeat the
screening process, or its key elements.

Level 2 Control Standard Mapping:
- CMSRs 2010v1.0 PS-3 (HIGH)

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Level 2 plus:
The organization shall specifically define an individual who performs all
screening checks. The organization shall document and maintain a list of all
screened applicants with assigned risk.

Credit checks shall be carried out for personnel who will have access to
financial information.

CMS Contractor Requirements

CMS Contractors: Appropriate personnel shall be required to obtain and hold a high-risk
security clearance as defined in the DHHS Personnel Security/Suitability
Handbook.

Objective Name: 02.02 During On-Boarding

Control Objective: To ensure agreements are signed by employees, contractors and third party
users of information assets on their security roles and responsibilities at the
time of their employment or engagement, prior to access being granted.

Control Reference: 02.c Terms and Conditions of Employment

Control Specification: As part of their contractual obligation, employees, contractors and third
party users shall agree and sign the terms and conditions of their
employment contract, which shall include their responsibilities for
information security.
Factor Type: Organizational
Topics: Documentation and Records
IT Organization and Management Roles and Responsibilities
Personnel
Requirements (Legal and Contractual)
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance
Level 1 Implementation: The terms and conditions of employment shall reflect the organization's
security policy, in addition to clarifying and stating the following:
i. that all employees, contractors and third party users who are given
access to covered information shall sign a confidentiality or non-
disclosure agreement prior to being given access to information assets;
ii. the employee's, contractor's and any other user's legal responsibilities
and rights (e.g. regarding copyright laws or data protection legislation);
iii. responsibilities for the classification of information and management of
organizational assets associated with information systems and services
handled by the employee, contractor or third party user;
iv. responsibilities of the employee, contractor or third party user for the
handling of information received from other companies or external
parties;
v. responsibilities of the organization for the handling of covered
information, including covered information created as a result of, or in
the course of, employment with the organization;
vi. responsibilities that are extended outside the organization's premises
and outside normal working hours (e.g. in the case of home-working);
vii. actions to be taken if the employee, contractor or third party user
disregards the organization's security requirements; and
viii. ensure that conditions relating to security policy survive the completion
of the employment in perpetuity.
The organization shall ensure that employees, contractors and third party
users agree to terms and conditions concerning information security
appropriate to the nature and extent of access they will have to the
organization's assets associated with information systems and services.

Privileges shall not be granted until the terms and conditions of
employment have been satisfied and agreements have been signed.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PL-4 (HIGH)
- CMSRs 2012v1.5 PS-6 (HIGH)
- CSA HR-02
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.308(a)(3)(ii)(B)
- HIPAA §164.308(a)(4)(ii)(B)
- HIPAA §164.308(b)(1)
- HIPAA §164.310(b)
- HIPAA §164.310(d)(2)(ii)
- 1 TAC § 390.2(a)(1)
- HIPAA §164.314(a)(1)
- HIPAA §164.314(a)(2)(i)
- HIPAA §164.314(a)(2)(ii)
- NIST SP800-53 R4 PL-4
- NIST SP800-53 R4 PS-6
- NRS 603A.215.1
- PCI DSS v2 12.4

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

The organization shall maintain a list of all authorized signed non-
disclosure agreement (NDA) forms. This list shall be kept up to date to
reflect personnel changes and departures.

Responsibilities contained within the terms and conditions of employment
shall continue for a defined period after the end of the employment.

The terms and conditions of employment should:

i. include reference to the penalties that are possible when breach of the
information security policy is identified; and
ii. ensure that conditions relating to confidentiality of personal health
information survive the completion of the employment for the
maximum period allowed under applicable federal and state laws and
regulations.

With respect to clinical staff, the terms and conditions of employment
should specify what rights of access such staff will have to the records of
subjects of care and to the associated health information systems in the
event of third-party claims.
Level 2 Control Standard Mapping:
- ISO/IEC 27002-2005 8.1.3
- ISO 27799-2008 7.5.1.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: None
Level 3 Control Standard Mapping: None

CMS Contractor Requirements

CMS Contractors: The organization shall review/update the access agreements as part of the
system security authorization or when a contract is renewed or extended,
but minimally within every three hundred sixty-five (365) days, whichever
occurs first.

The organization shall:

i. ensure that individuals requiring access to CMS information or
information systems sign appropriate access agreements prior to being
granted access; and
ii. review and update the access agreements as part of the system security
authorization or when a contract is renewed or extended.

Objective Name: 02.03 During Employment

Control To ensure that employees, contractors and third party users are aware of
Objective: information security threats and concerns, their responsibilities and
liabilities, and are equipped to support organizational security policy in the
course of their normal work, and to reduce the risk of human error.

Control Reference: 02.d Management Responsibilities

Control Specification: Management shall require employees, and where applicable contractors
and third party users, to apply security in accordance with established
policies and procedures of the organization.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: IT Organization and Management Roles and Responsibilities
Personnel
Policies and Procedures
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None

Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall develop usage policies for critical employee-facing
technologies to define proper use of these technologies for all employees
and contractors.

Management responsibilities shall include ensuring that employees,
contractors and third party users:
i. are properly briefed on their information security roles and
responsibilities prior to being granted access to covered information or
information systems;
ii. are provided with guidelines to state security expectations of their role
within the organization;
iii. are motivated and comply with the security policies of the organization;
iv. achieve a level of awareness on security relevant to their roles and
responsibilities within the organization;
v. conform to the terms and conditions of employment, which includes the
organization's information security policy and appropriate methods of
working; and
vi. continue to have the appropriate skills and qualifications.

The organization shall establish an information security workforce
development and improvement program.

The organization shall:

i. implement a process for ensuring that organization plans for
conducting security testing, training, and monitoring activities
associated with organizational information systems:
1. are developed and maintained; and
2. continue to be executed in a timely manner; and
ii. review testing, training, and monitoring plans for consistency with the
organization risk management strategy and organization-wide
priorities for risk response actions.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PS-7 (HIGH)
- CSA IS-14
- CSA IS-16
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.308(a)(3)(ii)(B)
- HIPAA §164.308(a)(4)(ii)(B)
- HIPAA §164.308(b)(1)
- HIPAA §164.310(b)
- HIPAA §164.310(d)(2)(iii)
- HIPAA §164.314(a)(1)
- HIPAA §164.314(a)(2)(i)
- HIPAA §164.314(a)(2)(ii)
- ISO/IEC 27002-2005 8.2.1
- NIST SP800-53 R4 PM-13
- NIST SP800-53 R4 PM-15
- NIST SP800-53 R4 PS-7
- PCI DSS v2 12.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the CMS
Minimum Security Requirements (HIGH)
Level 2 Implementation: Level 1 plus:
The organization shall establish an information security policy and
procedures that clearly define information security responsibilities for all
employees and contractors. The organization shall assign an individual or
team to manage information security responsibilities of employees,
contractors and third party users.

For all system connections that allow customers to access the computing
assets such as web sites, kiosks and public access terminals, the
organization shall ensure the following:
i. provide appropriate text or a link to the privacy policy for data use and
protection as well as the customer's responsibilities when accessing the
data; and
ii. have a formal mechanism to authenticate the customer's identity prior
to granting access to covered information.

These usage policies shall address the following if applicable:

i. explicit management approval;
ii. authorization for use of the technology;
iii. acceptable uses of the technologies;
iv. acceptable network locations for the technologies;
v. list of company-approved products;
vi. activation of modems for vendors only when needed by vendors, with immediate deactivation after use; and
vii. prohibition of storage of covered data onto local hard drives, floppy disks, or other external media.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 PL-4 (HIGH)
• ISO 27799-2008 7.5.2.1
• NIST SP800-53 R4 PL-4
• NRS 603A.215.1
• PCI DSS v2 12.3.1
• PCI DSS v2 12.3.2
• PCI DSS v2 12.3.6
• PCI DSS v2 12.3.7

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements.

Control Reference: 02.e Information Security Awareness, Education and Training

Control Specification: All employees of the organization and contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Awareness and Training
IT Organization and Management Roles and Responsibilities
Personnel
Policies and Procedures

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: Awareness training shall commence with a formal induction process designed to introduce the organization's security and privacy policies, state and federal laws, and expectations before access to information or services is granted and no later than 60 days after the date the employee is hired.

Ongoing training shall include security and privacy requirements (e.g. objective, scope, roles and responsibilities, coordination, compliance, legal responsibilities and business controls) as well as training in the correct use of information assets and facilities (e.g. log-on procedures, use of software packages and information on the disciplinary process). The organization shall train personnel in their contingency role and responsibilities with respect to the information system and provide refresher training no less than annually.

The organization shall document that the training has been provided to the individual.

The organization shall establish and implement an Operations Security (OPSEC) program.

The organization shall provide contingency training to information system users consistent with assigned roles and responsibilities before authorizing access to the information system and provide refresher training no less than annually.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 CP-3 (HIGH)
• CMSRs 2012v1.5 CP-3(1) (HIGH)
• CMSRs 2012v1.5 IR-2 (HIGH)
• CSA IS-11
• HIPAA §164.308(a)(5)(i)
• HIPAA §164.308(a)(5)(ii)(A)
• HIPAA §164.308(a)(5)(ii)(B)
• HIPAA §164.308(a)(6)(i)
• HIPAA §164.308(a)(7)(ii)(D)
• HITECH Act, Subpart D 164.414(a)
• ISO/IEC 27002-2005 8.2.2
• ISO 27799-2008 7.5.2.2
• NIST SP800-53 R4 AT-1
• NIST SP800-53 R4 CP-3
• NIST SP800-53 R4 IR-2
• NIST SP800-53 R4 PM-14
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• (State of Mass.) 201 CMR 17.04(8)
• 1 TAC § 390.2(a)(2)
• 1 TAC § 390.2(a)(1)
• HIPAA §164.530(b)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FTC Red Flags Rule Compliance
Level 2 Implementation: Level 1 plus:
The organization formally creates dedicated security awareness training as part of a resource on-boarding process to the organization. The organization documents its formal induction security awareness training process. The organization conducts an internal annual review of the effectiveness of its security program.

The organization manages a security and privacy education and training program for all employees and contractors with tracking of completion and a requirement for refresher training at least every three hundred and sixty-five (365) days. Employees shall be required to acknowledge they have received training and are aware of their responsibilities through signoff.

The organization shall include security awareness training on recognizing and reporting potential indicators of an insider threat.

The organization's security personnel, including organizational business unit security points of contact, shall receive specialized security education and training appropriate to their role/responsibilities.
Level 2 Control Standard Mapping:
• 16 CFR Part §681.2(e)(3)
• CMSRs 2012v1.5 AT-2 (HIGH)
• CMSRs 2012v1.5 IR-2(1) (HIGH)
• CMSRs 2012v1.5 IR-2(2) (HIGH)
• NIST SP800-53 R4 AT-2
• NIST SP800-53 R4 AT-2(2)
• NRS 603A.215.1
• PCI DSS v2 12.6
• PCI DSS v2 12.6.1
• PCI DSS v2 12.6.2
• 1 TAC § 390.2(a)(2)
• 1 TAC § 390.2(a)(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Pharmaceutical Companies: > 70,000,000 Prescriptions Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
The organization shall provide role-based security-related training:
i. before authorizing access to the system or performing assigned duties;
ii. when required by system changes; and
iii. refresher training annually thereafter.

Personnel with significant information security roles and responsibilities
shall be required to undergo appropriate information system security
training:
i. prior to authorizing access to the organization's networks, systems,
and/or applications;
ii. when required by significant information system or system
environment changes;
iii. when an employee enters a new position that requires additional role-
specific training; and
iv. refresher training annually thereafter.

The organization shall maintain a documented list of each individual who completes the on-boarding process. Training records shall be retained for at least five (5) years thereafter.
Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 AT-3 (HIGH)
• CMSRs 2012v1.5 AT-4 (HIGH)
• NIST SP800-53 R4 AT-3
• NIST SP800-53 R4 AT-4
• 1 TAC § 390.2(a)(2)
• 1 TAC § 390.2(a)(3)

CMS Contractor Requirements

CMS Contractors: The organization shall incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations.

The organization employs automated mechanisms to provide a more thorough and realistic training environment.

Control Reference: 02.f Disciplinary Process

Control Specification: There shall be a formal disciplinary process for employees who have violated security policies and procedures.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Documentation and Records
Incident Response
IT Organization and Management Roles and Responsibilities
Personnel
Policies and Procedures
Requirements (Legal and Contractual)

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to State of Massachusetts Data Protection Act, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures. The disciplinary process shall not be commenced without prior verification that a security breach has occurred. The formal disciplinary process shall ensure correct and fair treatment for employees who are suspected of committing breaches of security. The formal disciplinary process shall provide for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether or not this is a first or repeat offense, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required.

The organization shall include specific procedures for license, registration, and certification denial or revocation and other disciplinary action.

The organization shall maintain a list or document an indication of employees involved in security incident investigations and the resulting outcome in their HR folder.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 PS-8 (HIGH)
• CSA IS-06
• HIPAA §164.308(a)(1)(ii)(C)
• HITECH Act, Subpart D 164.414(a)
• ISO/IEC 27002-2005 8.2.3
• ISO 27799-2008 7.5.2.3
• NIST SP800-53 R4 PS-8
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v2.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• (State of Mass.) 201 CMR 17.03(2)(d)
• 1 TAC § 390.2(a)(1)
• 1 TAC § 390.2(a)(4)(B)(xviii)(II)
• 1 TAC § 390.2(a)(4)(B)(xviii)(III)
• HIPAA §164.530(e)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The organization shall create an incident management investigation
procedure for all incidents. The organization shall create a point of contact
from HR to handle any incidents relating to employees. The organization
shall have a disciplinary action policy that is enforced for all employees
based on the severity of the incident.

The organization shall notify the CISO or a designated representative of the application of a formal employee sanctions process, identifying the individual and the reason for the sanction.
Level 2 Control Standard Mapping: None

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 02.04 Termination or Change of Employment

Control Objective: To ensure that the access rights are properly removed, and assets recovered for terminated employees and contractors, and for employees who have changed employment.

Control Reference: 02.g Termination or Change Responsibilities

Control Specification: Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.
Factor Type: Organizational
Topics: Awareness and Training
IT Organization and Management Roles and Responsibilities
Personnel
Requirements (Legal and Contractual)
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Access to systems and equipment shall be reviewed, updated or revoked when there is any change in responsibility or employment.

Policies and procedures shall be implemented for terminating access when the access is no longer needed. The termination policies and procedures shall assign responsibility for removing information system and/or physical access. The termination policies and procedures shall include timely communication of termination actions to ensure that the termination procedures are appropriately followed (see 02.i).

When an employee moves to a new position of trust, logical and physical
access controls must be re-evaluated as soon as possible but not to exceed
thirty (30) days.
Level 1 Control Standard Mapping:
• CSA HR-03
• HIPAA §164.308(a)(3)(ii)(C)
• NIST SP800-53 R4 PS-5
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)
• CMSRs 2012v1.5 PS-5 (HIGH)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
The organization shall have a documented termination process for all employees. The organization shall have a process whereby exit interviews address organization-defined information security items; all organization information-system-related property and access is retrieved and revoked; knowledge and information are transitioned; and appropriate personnel are provided with access to official records created by the terminated employee.

The organization shall define any duties that remain valid after termination of employment, and these shall be included in the employee's contract. The communication of termination responsibilities shall include ongoing security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement and the terms and conditions of employment continuing for a defined period after the end of the employee's, contractor's or third party user's employment.

Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 PS-4 (HIGH)
• ISO/IEC 27002-2005 8.3.1
• ISO 27799-2008 7.5.3.1
• NIST SP800-53 R4 PS-4

CMS Contractor Requirements

CMS Contractors: All access and privileges to CMS systems, networks, and facilities are suspended when employees or contractors temporarily separate from the organization (e.g., leave of absence).

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Level 2 plus:
The organization shall have a documented termination checklist that
identifies all the steps to be taken and assets collected.

Control Reference: 02.h Return of Assets

Control Specification: All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement.
Factor Type: Organizational
Topics: Media and Assets
Personnel
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to State of Massachusetts Data Protection Act, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: The termination process shall include the return of all previously issued software, corporate documents, and equipment. Other organizational assets such as mobile computing devices, credit cards, access cards, manuals, and information stored on electronic media also shall be returned.

In cases where an employee, contractor or third party user purchases the organization's equipment or uses their own personal equipment, procedures shall be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment. In cases where an employee, contractor or third party user has knowledge that is important to ongoing operations, that information shall be documented and transferred to the organization.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 PS-4 (HIGH)
• CSA IS-27
• HIPAA §164.308(a)(3)(ii)(C)
• ISO/IEC 27002-2005 8.3.2
• ISO 27799-2008 7.5.3.1
• NIST SP800-53 R4 PS-4
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• (State of Mass.) 201 CMR 17.03(2)(e)
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 02.i Removal of Access Rights

Control Specification: The access rights of all employees, contractors and third party users to information and information assets shall be removed upon termination of their employment, contract or agreement, or adjusted upon a change of employment (i.e. upon transfer within the organization).

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Authorization
Personnel
Third Parties and Contractors
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: Upon termination, the access rights for the terminated individual shall be disabled in a timely manner, at least within 24 hours. Changes of employment (e.g. transfers) shall be reflected in removal of all access rights that were not approved for the new employment. Access changes due to personnel transfer shall be managed effectively. Old accounts shall be closed after 90 days, and new accounts shall be opened. The access rights that shall be removed or adapted include physical and logical access, keys, identification cards, IT systems and applications, subscriptions, and removal from any documentation that identifies them as a current member of the organization. If a departing employee, contractor or third party user has known passwords for accounts remaining active, these shall be changed upon termination or change of employment, contract or agreement.

Access rights to information assets and facilities shall be reduced or removed before the employment terminations or changes, depending on the evaluation of risk factors including:
i. whether the termination or change is initiated by the employee, contractor or third party user, or by management, and the reason for termination;
ii. the current responsibilities of the employee, contractor or any other user; and
iii. the value of the assets currently accessible.
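One way to audit the timing requirements above, as an added example that is not part of the CSF: a reconciliation of constructed HR leaver/mover notices against a constructed account inventory, flagging accounts that miss the 24-hour disable and 90-day closure windows, with the 30-day re-evaluation threshold for transferred users borrowed from 02.g (an assumption about how the two controls combine).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Thresholds taken from the CSF text: 02.i Level 1 (24 hours, 90 days) and
# 02.g Level 1 (30 days to re-evaluate a transferred user's access).
DISABLE_WITHIN = timedelta(hours=24)
CLOSE_AFTER = timedelta(days=90)
REVIEW_WITHIN = timedelta(days=30)


@dataclass
class HrEvent:
    """A leaver or mover notification from HR (constructed schema)."""
    user: str
    kind: str                  # "termination" or "transfer"
    effective: datetime
    approved_systems: Set[str] = field(default_factory=set)  # transfers only


@dataclass
class Account:
    """One account in the IAM inventory (constructed schema)."""
    user: str
    system: str
    enabled: bool
    disabled_at: Optional[datetime] = None
    closed: bool = False
    last_reviewed: Optional[datetime] = None


def check_termination(ev: HrEvent, accts: List[Account], now: datetime) -> List[str]:
    """Every account of a terminated user must be disabled within 24 hours."""
    deadline = ev.effective + DISABLE_WITHIN
    findings = []
    for a in accts:
        if a.enabled:
            if now > deadline:
                findings.append(f"{ev.user}/{a.system}: still enabled past the 24h deadline {deadline:%Y-%m-%d %H:%M}")
        elif a.disabled_at is not None and a.disabled_at > deadline:
            findings.append(f"{ev.user}/{a.system}: disabled late at {a.disabled_at:%Y-%m-%d %H:%M}")
    return findings


def check_transfer(ev: HrEvent, accts: List[Account], now: datetime) -> List[str]:
    """Rights not approved for the new role must be removed, old accounts closed
    after 90 days, and retained access re-evaluated within 30 days."""
    findings = []
    for a in accts:
        if a.system not in ev.approved_systems:
            if a.enabled:
                findings.append(f"{ev.user}/{a.system}: access not approved for new role is still enabled")
            elif not a.closed and now > ev.effective + CLOSE_AFTER:
                findings.append(f"{ev.user}/{a.system}: old account not closed 90 days after transfer")
        elif (a.last_reviewed is None or a.last_reviewed < ev.effective) and now > ev.effective + REVIEW_WITHIN:
            findings.append(f"{ev.user}/{a.system}: access not re-evaluated within 30 days of transfer")
    return findings


def find_violations(events: List[HrEvent], accounts: List[Account], now: datetime) -> List[str]:
    """Correlate HR events with the account inventory; one line per violation."""
    by_user: Dict[str, List[Account]] = {}
    for a in accounts:
        by_user.setdefault(a.user, []).append(a)
    findings: List[str] = []
    for ev in events:
        accts = by_user.get(ev.user, [])
        if ev.kind == "termination":
            findings.extend(check_termination(ev, accts, now))
        elif ev.kind == "transfer":
            findings.extend(check_transfer(ev, accts, now))
    return findings


# Constructed sample data: two leavers and one mover, checked on 2014-06-01 09:00.
NOW = datetime(2014, 6, 1, 9, 0)
SAMPLE_EVENTS = [
    HrEvent("jdoe", "termination", datetime(2014, 5, 28, 17, 0)),
    HrEvent("asmith", "transfer", datetime(2014, 2, 1), approved_systems={"ehr"}),
    HrEvent("bkim", "termination", datetime(2014, 5, 31, 17, 0)),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "ehr", enabled=True),                                             # violation: 24h window missed
    Account("jdoe", "vpn", enabled=False, disabled_at=datetime(2014, 5, 29, 12, 0)),  # disabled 19h after: OK
    Account("asmith", "ehr", enabled=True, last_reviewed=datetime(2014, 2, 10)),      # reviewed after transfer: OK
    Account("asmith", "billing", enabled=False, disabled_at=datetime(2014, 2, 1)),    # violation: not closed after 90d
    Account("bkim", "ehr", enabled=True),                                             # terminated 16h ago: still in window
]

if __name__ == "__main__":
    for line in find_violations(SAMPLE_EVENTS, SAMPLE_ACCOUNTS, NOW):
        print(line)
```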
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 AC-2 (HIGH)
• CMSRs 2012v1.5 PS-5 (HIGH)
• CSA IS-09
• HIPAA §164.308(a)(3)(ii)(A)
• HIPAA §164.308(a)(3)(ii)(B)
• HIPAA §164.308(a)(3)(ii)(C)
• HIPAA §164.308(a)(4)(i)
• HIPAA §164.308(a)(4)(ii)(B)
• HIPAA §164.308(a)(4)(ii)(C)
• HIPAA §164.308(a)(5)(ii)(C)
• HIPAA §164.312(a)(2)(i)
• HIPAA §164.312(a)(2)(ii)
• ISO/IEC 27002-2005 8.3.3
• NIST SP800-53 R4 AC-2
• NIST SP800-53 R4 PS-4
• NIST SP800-53 R4 PS-5
• NRS 603A.215.1
• PCI DSS v2 8.5.4
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• (State of Mass.) 201 CMR 17.03(2)(e)
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
Organizations shall immediately terminate the access rights following the supply of a resignation notice, notice of dismissal, etc. wherever continued access is perceived to cause an increased risk, e.g., in the case of serious misconduct. Termination shall allow for immediate escorting out of the site, if necessary.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 PS-4 (HIGH)

Level 3 Implementation Requirements

Level 3 Organizational Factors: Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Refer to the Provider specific requirements.
Level 3 Control Standard Mapping:
• ISO 27799-2008 7.5.3.2

Control Category: 03.0 - Risk Management

Objective Name: 03.01 Risk Management Program

Control Objective: To develop and implement a Risk Management Program that addresses Risk Assessments, Risk Mitigation, and Risk Evaluations.

Control Reference: 03.a Risk Management Program Development

Control Specification: Organizations shall develop and maintain a risk management program to manage risk to an acceptable level.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Policies and Procedures
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: The organization shall:
i. develop a comprehensive strategy to manage risk to organizational operations and assets, individuals, and other organizations associated with the operation and use of information systems;
ii. implement the strategy consistently across the organization; and
iii. ensure that its information protection programs do not apply safeguards unnecessarily (e.g., to de-identified information).

Elements of the risk management program shall include:
i. the creation of a risk management policy for information systems and paper records that is formally approved by management and that documents:
1. the objectives of the risk management process;
2. management's stated level of acceptable risk;
3. the connection between the risk management policy and the organization's strategic planning processes; and
4. the risk assessment processes and procedures;
ii. regular performance of risk assessments;
iii. mitigation of risks identified from risk assessments;
iv. reassessment of the risk management policy to ensure that management's stated level of acceptable risk is still accurate and that previously selected security controls are still applicable and effective, and to evaluate possible changes in the risk level of the environment; the risk management policy shall be updated if any of these elements have changed; and
v. repetition of the risk management process prior to any significant change, after a serious incident, whenever a new significant risk factor is identified, or at a minimum annually.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 RA-1 (HIGH)
- CSA RI-01
- HIPAA §164.308 (a)(1)(i)
- HIPAA §164.316(a)
- NIST SP800-53 R4 PM-9
- NIST SP800-53 R4 PM-11
- NIST SP800-53 R4 RA-1
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)
- 1 TAC § 390.2(b)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

Formal risk assessment and risk treatment processes shall be implemented,
including a repository and tracking system for risk assessments performed,
and risk mitigation completed or underway.

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FTC Red Flags Rule Compliance
Level 3 Implementation: Level 2 plus:
The organization shall develop and implement a written Identity Theft
Prevention Program that is designed to detect, prevent, and mitigate
identity theft in connection with the opening of an account or any existing
account that involves or is designed to permit multiple payments or
transactions.

The organization shall define and incorporate existing policies and implement procedures to:
i. identify relevant patterns, practices, or specific activities that indicate the possible existence of identity theft for the accounts, and incorporate those patterns, practices, and activities into its program;
ii. detect patterns, practices, and activities that have been incorporated
into the program;
iii. respond appropriately to any patterns, practices, and activities that are
detected to prevent and mitigate identity theft; and
iv. ensure the program and patterns, practices, and activities are updated
at least annually, to reflect changes in risks to customers and to the
safety and soundness of the organization.

‘Personal identifying information’ (PII) means information that alone or in conjunction with other information identifies an individual, including an individual’s:

i. Name, social security number, date of birth, or government-issued identification number;
ii. Mother’s maiden name;
iii. Unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;
iv. Unique electronic identification number, address, or routing code; and
v. Telecommunication access device.

The organization’s identity theft program shall include protections for financial (PII) and medical (PHI) identity theft.
Level 3 Control Standard Mapping:
- 16 CFR Part §681.2 (d)(1)
- 16 CFR Part §681.2 (d)(2)
- 16 CFR Part §681.2 (g)
- 16 CFR Part §681 Appendix A I
- 1 TAC § 390.2(a)(3)

Control Reference: 03.b Performing Risk Assessments

Control Specification: Risk Assessments shall be performed to identify and quantify risks.

*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: Risk assessments shall be performed that address all the major domains of the HITRUST CSF. Risk assessments shall be consistent and identify information security risks to the organization. The organization shall account for risks from sources including prior incidents experienced, changes in the environment (e.g., new methods of attack, new sources of attack, new vulnerabilities), and any supervisory guidance (e.g., third party consultancy).

Risk assessments may be quantitative or qualitative, but shall be consistent and comparable, so that the prioritization of resources to manage risk can be performed. Risk assessments are to be performed at planned intervals, or when major changes occur in the environment, and the results reviewed annually.
Level 1 Control Standard Mapping:
- 16 CFR Part §681 Appendix A II(b)
- CSA DG-08
- HIPAA §164.308 (a)(1)(ii)(A)
- HIPAA §164.308 (a)(1)(ii)(B)
- HIPAA §164.308 (a)(2)
- HIPAA §164.308 (a)(8)
- HIPAA §164.316(a)
- ISO/IEC 27002-2005 4.1
- ISO/IEC 27002-2005 6.2.1
- ISO/IEC 27002-2005 12.6.1
- ISO/IEC 27002-2005 14.1.2
- NRS 603A.215.1
- PCI DSS v2 12.1.2
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- (State of Mass.) 201 CMR 17.03(2)(b)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to FTC Red Flags Rule Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

The organization shall update the results of a comprehensive risk assessment every two (2) years, or whenever there is a significant change to the information system or operational environment; assess a subset of the security controls within every 365 days during continuous monitoring; and review the risk assessment results annually.

A formal, documented process shall be in place for identifying risks, performing risk assessments, and communicating the results of the risk assessments to the affected parties and to management. A repository and tracking system shall be in place to manage risk assessments performed. The likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits shall be included in the risk assessment process. The likelihood and impact associated with inherent and residual risk should be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

Information security risk assessments shall require knowledge of the following:
i. external environment factors that could exacerbate or moderate any or
all of the levels of the risk components described previously;
ii. the types of accounts offered by the organization;
iii. the methods the organization provides to open and access its accounts;
iv. knowledge and experiences of incident histories and actual case impact
scenarios; and
v. systems architectures.
Level 2 Control Standard Mapping:
- 16 CFR Part §681.2 (c)
- 16 CFR Part §681 Appendix A II(a)
- CMSRs 2012v1.5 CA-2 (HIGH)
- CMSRs 2012v1.5 CA-2 (1) (HIGH)
- CMSRs 2012v1.5 RA-3 (HIGH)
- CSA RI-02
- NIST SP800-53 R4 RA-3
- NIST SP800-53 R4 CA-2
- NIST SP800-53 R4 CA-2(1)
- 1 TAC § 390.2(a)(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall document the risk assessment results as part of issuing a new Authorization to Operate (ATO) package.

The organization shall assess the security controls in the information system within every three hundred sixty-five (365) days in accordance with the CMS Information Security (IS) Acceptable Risk Safeguards (ARS) including CMS Minimum Security Requirements (CMSR) Standard, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

The annual security assessment requirement mandated by OMB requires all CMSRs attributable to a system or application to be assessed over a 3-year period. To meet this requirement, a subset of the CMSRs shall be tested each year so that all security controls are tested during a 3-year period.

The Business Owner notifies the CMS CISO within thirty (30) days whenever updates are made to system security authorization artifacts or significant role changes occur (e.g., Business Owner, System Developer/Maintainer, ISSO).

The use of independent security assessment agents or teams to monitor security controls is not required. However, if the organization employs an independent assessor or assessment team to monitor the security controls in the information system on an ongoing basis, this can be used to satisfy ST&E requirements.
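The three-year rotation in the CMS contractor requirement above (a subset of CMSRs tested each year so that every control is assessed within any 3-year period, with some assessment taking place every 365 days) is easy to lose track of once controls are added or a year is skipped. The Python below is an added example, not CMS or HITRUST tooling; the control identifiers, the round-robin split and the assessment history are constructed for illustration, and the choice of a round-robin partition is an assumption (any partition that covers every control once per cycle satisfies the requirement).

```python
"""Added example: plan a three-year control assessment rotation and check an
assessment history against the rolling window (constructed data, not CMS tooling)."""
from typing import Dict, List


def plan_rotation(controls: List[str], start_year: int, cycle_years: int = 3) -> Dict[int, List[str]]:
    """Assign every control to one year of the cycle (round-robin over the sorted IDs).

    Any partition works for the requirement; round-robin keeps the yearly subsets
    roughly equal in size. Assumption: the cycle starts in start_year.
    """
    plan: Dict[int, List[str]] = {start_year + i: [] for i in range(cycle_years)}
    for idx, control in enumerate(sorted(controls)):
        plan[start_year + idx % cycle_years].append(control)
    return plan


def coverage_gaps(history: Dict[str, List[int]], controls: List[str],
                  as_of_year: int, cycle_years: int = 3) -> List[str]:
    """Controls with no assessment in the last cycle_years years ending in as_of_year."""
    window_start = as_of_year - cycle_years + 1
    return [c for c in sorted(controls)
            if not any(window_start <= y <= as_of_year for y in history.get(c, []))]


def years_without_assessment(history: Dict[str, List[int]], as_of_year: int,
                             cycle_years: int = 3) -> List[int]:
    """Years in the window in which no control at all was assessed.

    A year without any assessment breaks the "subset within every 365 days"
    requirement even if the 3-year coverage is still intact.
    """
    assessed_years = {y for years in history.values() for y in years}
    window = range(as_of_year - cycle_years + 1, as_of_year + 1)
    return [y for y in window if y not in assessed_years]


# Constructed sample: a handful of control IDs and a made-up assessment history.
CONTROLS = ["AC-2", "AC-3", "AU-2", "CA-5", "IA-2", "RA-3", "SC-7"]
SAMPLE_HISTORY = {
    "AC-2": [2012],
    "AC-3": [2013],
    "AU-2": [2011],          # last assessed before the window: a gap
    "CA-5": [2012, 2014],
    "IA-2": [2013],
    "RA-3": [2014],
    "SC-7": [],              # never assessed: a gap
}

if __name__ == "__main__":
    print(plan_rotation(CONTROLS, 2012))
    print(coverage_gaps(SAMPLE_HISTORY, CONTROLS, as_of_year=2014))
    print(years_without_assessment(SAMPLE_HISTORY, as_of_year=2014))
```

The two check functions are the ones worth running before an ATO package is assembled: `coverage_gaps` lists the controls that fell out of the rolling window, and `years_without_assessment` catches the case where the 3-year coverage still holds but a whole year passed without any testing.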

Control Reference: 03.c Risk Mitigation

Control Specification: Risks shall be mitigated to an acceptable level.

*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Documentation and Records
IT Organization and Management Roles and Responsibilities
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance; Subject to the CMS Minimum Security Requirements (HIGH)
Level 1 Implementation: Risks can be dealt with in one of four ways:
i. avoidance - This approach eliminates the risk by avoiding the activity that gives rise to it. For example, the risk associated with utilization of wireless technologies can be mitigated by deciding not to use wireless technologies at all.
ii. reduction - Risk can be reduced by way of controls that reduce the likelihood or impact of a risk. An example would be encryption of network traffic to minimize risks that threaten the confidentiality of data.
iii. transference - Risk can be reduced by shifting it to an outside entity. An example would be the purchase of insurance against fire damage.
iv. acceptance - Organizations can choose to accept risk by not selecting any of the aforementioned approaches. When acceptance is selected, management acceptance must be documented.

Organizations shall define and document the criteria to determine whether or not a risk shall be avoided, accepted, transferred or treated.

The factors to be taken into account shall include the following:
i. industry sector, industry or organizational laws, regulations and standards;
ii. clinical or other priorities (in the case of health related organizations);
iii. cultural fit;
iv. patient reactions (in the case of health related organizations);
v. coherence with IT, corporate risk acceptance, and clinical strategy (in
the case of health organizations);
vi. cost;
vii. effectiveness;
viii. type of protection;
ix. number of threats covered;
x. risk level at which the controls become justified;
xi. risk level that led to the recommendation being made;
xii. alternatives already in place; and
xiii. additional benefits derived.

The organization implements a process for ensuring that corrective action plans for the security program and the associated organizational information systems are maintained, and documents the remedial information security actions taken to mitigate risk to organizational operations and assets, individuals, and other organizations.

The organization shall review corrective action plans (plans of action and
milestones) for consistency with the organizational risk management
strategy and organization-wide priorities for risk response actions.

The organization shall update existing remediation or corrective action plans monthly based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

The covered entity mitigates any harmful effect that is known to the
covered entity of a use or disclosure of PHI by the covered entity or its
business associates, in violation of its policies and procedures.
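The risk scoring required under 03.b Level 2 (likelihood and impact assessed independently for inherent and residual risk, on a consistent scale so that entries are comparable and can be prioritized) and the treatment decision required under 03.c Level 1 (avoid, reduce, transfer or accept, with management acceptance documented and corrective action plans refreshed monthly) can be carried in one small risk register. The following Python is an added example, not HITRUST's own tooling and not code from any CMS or ISO source; the five-point ordinal scales, the appetite threshold of 6, the 31-day plan-update window and the sample register entries are constructed assumptions.

```python
"""Added example (not HITRUST tooling): a minimal risk register that keeps likelihood
and impact comparable, separates inherent from residual risk, records the treatment
decision, and flags the bookkeeping gaps a reviewer would raise."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical five-point ordinal scales. Any scale works as long as every assessment
# uses the same one; that shared scale is what makes the results comparable.
LEVELS = {"very_low": 1, "low": 2, "moderate": 3, "high": 4, "very_high": 5}
TREATMENTS = {"avoidance", "reduction", "transference", "acceptance"}


def score(likelihood: str, impact: str) -> int:
    """Risk score as likelihood x impact on the ordinal scales (1..25)."""
    return LEVELS[likelihood] * LEVELS[impact]


@dataclass
class Risk:
    risk_id: str
    description: str
    # Inherent = before controls; residual = with controls in place. The two pairs are
    # assessed independently rather than derived from one another.
    inherent_likelihood: str
    inherent_impact: str
    residual_likelihood: str
    residual_impact: str
    assessed_on: date
    treatment: Optional[str] = None            # one of TREATMENTS
    acceptance_approver: Optional[str] = None  # required when treatment == "acceptance"
    plan_updated_on: Optional[date] = None     # last update of the corrective action plan

    def inherent_score(self) -> int:
        return score(self.inherent_likelihood, self.inherent_impact)

    def residual_score(self) -> int:
        return score(self.residual_likelihood, self.residual_impact)


def findings(risk: Risk, appetite: int, today: date) -> List[str]:
    """Return the reasons this register entry would not pass review.

    appetite is management's stated acceptable residual score (hypothetical threshold).
    """
    out: List[str] = []
    if risk.treatment not in TREATMENTS:
        out.append("no treatment decision recorded")
    elif risk.treatment == "acceptance":
        if risk.residual_score() > appetite:
            out.append("accepted above stated risk appetite")
        if not risk.acceptance_approver:
            out.append("acceptance not documented by management")
    else:
        # Avoid/reduce/transfer all imply remediation work that must be tracked and
        # refreshed monthly from assessment and monitoring findings (31-day window assumed).
        if risk.plan_updated_on is None:
            out.append("no corrective action plan recorded")
        elif today - risk.plan_updated_on > timedelta(days=31):
            out.append("corrective action plan not updated in the last month")
    if today - risk.assessed_on > timedelta(days=365):
        out.append("risk assessment older than one year; re-evaluation due")
    if risk.residual_score() > risk.inherent_score():
        out.append("residual risk exceeds inherent risk; check the scoring")
    return out


def prioritize(risks: List[Risk]) -> List[str]:
    """Order entries by residual score, highest first, so resources go to the worst exposures."""
    return [r.risk_id for r in sorted(risks, key=lambda r: (-r.residual_score(), r.risk_id))]


# Constructed sample register (illustrative entries, not real findings).
TODAY = date(2014, 6, 1)
SAMPLE = [
    Risk("R-1", "PHI on unencrypted laptops", "high", "very_high", "low", "very_high",
         assessed_on=date(2014, 1, 15), treatment="reduction", plan_updated_on=date(2014, 5, 20)),
    Risk("R-2", "Legacy modem line for lab results", "moderate", "moderate", "moderate", "moderate",
         assessed_on=date(2014, 3, 1), treatment="acceptance"),  # approver never recorded
    Risk("R-3", "Third-party billing outage", "moderate", "high", "low", "high",
         assessed_on=date(2013, 2, 1), treatment="transference", plan_updated_on=date(2014, 5, 28)),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.risk_id, r.inherent_score(), r.residual_score(), findings(r, appetite=6, today=TODAY))
    print(prioritize(SAMPLE))
```

Two design points match the text: residual likelihood and impact are stored as separately assessed values rather than computed from the inherent ones, and an "acceptance" entry is only clean when it both sits within the stated appetite and names the manager who accepted it.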
Level 1 Control Standard Mapping:
- CMSRs 2012 v1.5 CA-5 (HIGH)
- CMSRs 2012 v1.5 CA-5(1) (HIGH)
- CSA RI-03
- HIPAA § 164.306(e)
- HIPAA § 164.308(a)(ii)(B)
- HIPAA §164.530(f)
- ISO/IEC 27002-2005 4.2
- ISO/IEC 27002-2005 6.2.1
- NIST SP800-53 R4 CA-5
- NIST SP800-53 R4 PM-4
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None

Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

The organization shall develop a formal mitigation plan that shall include:
i. a cost/benefit analysis for identified countermeasures;
ii. a documented risk treatment plan that provides recommended countermeasures to management;
iii. documented risk treatment summary reports presented to management;
iv. management approval of the countermeasures documented in the risk treatment plan;
v. a mapping of the decisions taken against the list of HITRUST CSF controls;
vi. plans for implementations (current and future), documented in the organization's security improvement plan; and
vii. implementation of the management-approved risk treatment plan.
Level 2 Control Standard Mapping:
- ISO/IEC 27002-2005 12.6.1
- ISO/IEC 27002-2005 14.1.2
- ISO/IEC 27002-2005 15.3.1

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall employ automated mechanisms to help ensure that the POA&M for the information system is accurate, up to date, and readily available.

Control Reference: 03.d Risk Evaluation

Control Specification: Risks shall be continually evaluated and assessed.
Factor Type: Organizational
Topics: IT Organization and Management Roles and Responsibilities
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The risk management program shall include the requirement that risk assessments be re-evaluated at least annually, or when there are significant changes in the environment.

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to FTC Red Flags Rule Compliance
Level 2 Implementation: Level 1 plus:

The risk management process shall be integrated with the change management process within the organization, and risk assessments shall be conducted whenever there is a significant change in the environment, or a change that could have a significant impact. Results of the risk assessments shall be included in the change management process, so they may guide the decisions within the change management process (e.g., approvals for changes).

The privacy, security and risk management program(s) shall be updated to reflect changes in risks based on:
i. any experiences with security incidents, weaknesses, breaches or
identity theft;
ii. changes in the environment (e.g., new methods of attack, new sources of
attack, new vulnerabilities);
iii. changes in prevention, detection or response methods for security;
iv. changes within the organization including:
1. organizational mergers, acquisitions, alliances, joint ventures or
service provider arrangements;
2. new systems or facilities;
3. new service offerings; and
4. new types of accounts.
Level 2 Control Standard Mapping:
- 16 CFR Part §681 Appendix A V(a)
- 16 CFR Part §681 Appendix A V(b)
- 16 CFR Part §681 Appendix A V(c)
- 16 CFR Part §681 Appendix A V(d)
- 16 CFR Part §681 Appendix A V(e)
- CSA RI-04
- 1 TAC § 390.2(a)(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Category: 04.0 - Security Policy

Objective Name: 04.01 Information Security Policy

Control Objective: To provide management direction in line with business objectives and relevant laws and regulations, and to demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

Control Reference: 04.a Information Security Policy Document

Control Specification: An Information Security Policy document shall be approved by management, and published and communicated to all employees and relevant external parties. The Information Security Policy shall establish the direction of the organization and align to best practices, regulatory, federal/state and international laws where applicable. The Information Security Policy shall be supported by a strategic plan and a security program with well-defined roles and responsibilities for leadership and officer roles.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Awareness and Training
Contingency Planning
Documentation and Records
IT Organization and Management Roles and Responsibilities
Policies and Procedures
Requirements (Legal and Contractual)
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to HITECH Breach Notification Requirements, Subject to Joint Commission Accreditation
Level 1 Implementation: The information security policy document shall state management's commitment and establish the organization's approach to managing information security.

The policy document shall contain statements concerning:
i. a definition of information security, its overall objectives and scope, and the importance of security as an enabling mechanism for information sharing;
ii. a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
iii. a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
iv. the need for information security;
v. the goals of information security;
vi. compliance scope;
vii. legislative, regulatory, and contractual requirements, including those for the protection of covered information and the legal and ethical responsibilities to protect this information;
viii. arrangements for notification of information security incidents, including a channel for raising concerns regarding confidentiality, without fear of blame or recrimination;
ix. a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
1. compliance with legislative, regulatory, and contractual requirements;
2. security education, training, and awareness requirements;
3. business continuity management; and
4. consequences of information security policy violations;
x. a definition of general and specific responsibilities for information security management, including reporting information security incidents;
xi. the development, dissemination, and review/update of formal, documented procedures to facilitate the implementation of the security policy and associated security controls; and
xii. references to documentation which may support the policy (e.g., more detailed security policies and procedures for specific information systems or security rules users shall comply with).

This information security policy shall be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.

In the instance of any acquisitions, re-organizations or mergers, or where the organization obtains support from third party organizations or collaborates with third parties, and especially if these activities involve other jurisdictions, the policy framework shall include documented policy, controls and procedures that cover such interactions and that specify the responsibilities of all parties.
Level 1 Control Standard Mapping:
- CMSRsv1.0 2012 (HIGH) SA-1
- CMSRs 2012v1.5 SI-1 (HIGH)
- COBIT 4.1 DS5.2
- COBIT 5 APO13.02
- CSA IS-03
- HIPAA §164.312(c)(1)
- HIPAA §164.316(b)(2)(i)
- HIPAA §164.530(i)
- HITECH Act, Subpart D 164.414(a)
- ISO/IEC 27002-2005 5.1.1
- ISO 27799-2008 7.2.1
- JCAHO IM.02.01.03, EP 1
- NIST SP800-53 R4 PM-1
- NIST SP800-53 R4 SA-1
- NIST SP800-53 R4 SI-1
- NRS 603A.215.1
- PCI DSS v2 12.1
- PCI DSS v2 12.1.1
- PCI DSS v2 12.8.2
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

FTI Custodians

FTI Custodians: The organization shall develop and disseminate a formal, documented,
system and services acquisition policy that includes IRS documents
received and identified by:
i. taxpayer name
ii. tax year(s)
iii. type of information (e.g., revenue agent reports, Form 1040, work papers)
iv. the reason for the request
v. date requested
vi. date received
vii. exact location of the FTI
viii. who has had access to the data, and
ix. if disposed of, the date and method of disposition.

Control Reference: 04.b Review of the Information Security Policy

Control Specification: The information security policy shall be reviewed at planned intervals or if
significant changes occur to ensure its continuing adequacy and
effectiveness.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Audit and Accountability
Documentation and Records
IT Organization and Management Roles and Responsibilities
Policies and Procedures

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: An information security policy shall be developed and implemented
to provide the framework for setting management objectives for all aspects
of security.
The information security policy shall be reviewed at planned intervals or if
significant changes occur to ensure its continuing adequacy and
effectiveness.

Additional factors when developing or changing a security policy
shall include, but are not limited to, regulatory mandates, accreditation
requirements, and industry best practices. A process shall be defined and
implemented for individuals to make complaints concerning the
information security policies and procedures or the organization's
compliance with the policies and procedures. All complaints and requests
for changes, and their disposition, if any, shall be documented.
Level 1 Control Standard Mapping:
• CMSRsv1.0 2012 (HIGH) SA-1
• CMSRs 2012v1.5 PL-1 (HIGH)
• CSA IS-05
• HIPAA §164.316(a)
• HIPAA §164.530(i)
• HITECH Act, Subpart D 164.414(a)
• ISO/IEC 27002-2005 5.1.2
• NIST SP800-53 R4 PL-1
• NIST SP800-53 r4 SA-1
• PCI DSS v2 12.1
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:
The information security policy shall be reviewed at planned intervals, at a
minimum annually, or if significant changes occur to ensure its continuing
adequacy and effectiveness and that the totality of the policy has been
addressed at least annually.

The information security policy shall have an owner who has approved
management responsibility for the development, review, and evaluation of
the security policy. The review shall include assessing opportunities for
improvement of the organization's information security policy and
approach to managing information security in response to changes to the
organizational environment, business circumstances, legal conditions, or
technical environment. There shall be defined management review
procedures for the information security policy, including a schedule to
re-evaluate the policy, at least annually or upon significant changes to the
operating or business environment, to assess its adequacy and
appropriateness, and to amend it as necessary.

The input to the management review shall include information on:
i. feedback from interested parties;
ii. results of independent reviews (see 5.h);
iii. status of preventive and corrective actions (see 5.h and 6.g);
iv. results of previous management reviews;
v. process performance and information security policy compliance;
vi. changes that could affect the organization's approach to managing
information security, including changes to the organizational
environment, business circumstances, resource availability, contractual,
regulatory, and legal conditions, or to the technical environment;
vii. trends related to threats and vulnerabilities;
viii. reported information security incidents (see 11.a); and
ix. recommendations provided by relevant authorities (see 5.f).

The output from the management review shall include any decisions and
actions related to:
i. improvement of the organization's approach to managing information
security and its processes;
ii. improvement of control objectives and controls; and
iii. improvement in the allocation of resources and/or responsibilities.

A record of the management review shall be maintained. Management
approval for the revised policy shall be obtained.
Level 2 Control Standard Mapping:
• NRS 603A.215.1
• PCI DSS v2 12.1.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Level 2 plus:
The review shall address the following:
i. the changing nature of the organization's operations and thus risk
profile and risk management needs;
ii. the changes made to the IT infrastructure of the organization, with the
changes these bring to the organization's risk profile;
iii. the changes identified in the external environment that similarly impact
the organization's risk profile;
iv. the latest controls, compliance and assurance requirements and
arrangements of national bodies and of new legislation or regulation;
v. the latest guidance and recommendations from professional
associations and from information privacy commissioners regarding the
protection of covered information;
vi. the results of legal cases tested in courts that thereby establish or
cancel precedents and established practices; and
vii. the challenges and issues regarding the policy, as expressed to the
organization by its staff, customers, and their partners and care givers,
researchers, and governments, e.g., privacy commissioners.

Level 3 Control Standard Mapping:
• ISO 27799-2008 7.2.2

FTI Custodians

FTI Custodians: The organization shall periodically review/update a formal, documented,
system and services acquisition policy that includes IRS documents
received and identified by:
i. taxpayer name
ii. tax year(s)
iii. type of information (e.g., revenue agent reports, Form 1040, work papers)
iv. the reason for the request
v. date requested
vi. date received
vii. exact location of the FTI
viii. who has had access to the data, and
ix. if disposed of, the date and method of disposition.

Control Category: 05.0 - Organization of Information Security

Objective Name: 05.01 Internal Organization

Control Objective: To maintain the security of the organization's information and information
assets (data centers or offices that process covered information).

Control Reference: 05.a Management Commitment to Information Security

Control Specification: Management shall actively support security within the organization
through clear direction, demonstrated commitment, explicit assignment,
and acknowledgment of information security responsibilities.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Audit and Accountability
Awareness and Training
IT Organization and Management Roles and Responsibilities
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to State of Massachusetts Data
Protection Act, Subject to Joint Commission Accreditation
Level 1 Implementation: The organization's senior management shall:
i. appoint a senior-level information security official;
ii. ensure that the organization's information security processes are in
place, are communicated to all stakeholders, and consider and address
organizational requirements;
iii. formally assign an organization single point of contact or group to
evaluate and accept information security risk on behalf of the
organization (e.g. CEO, COO, Security Steering Committee, etc.);

iv. formulate, review, and approve information security policy and a policy
exception process;
v. periodically, at a minimum, annually, review and assess the
effectiveness of the implementation of the information security policy;
vi. provide clear direction and visible management support for security
initiatives;
vii. provide the resources needed for information security;
viii. initiate plans and programs to maintain information security
awareness;
ix. ensure that all appropriate measures are taken to avoid cases of identity
theft targeted at patients, employees and third parties;
x. ensure that the implementation of information security controls is
coordinated across the organization; and
xi. determine and coordinate, as needed, internal or external information
security specialists, and review and coordinate results of the specialists'
advice throughout the organization.

The organization shall:
i. ensure that all capital planning and investment requests include the
resources needed to implement the information security program and
document all exceptions to this requirement;
ii. employ a business case/Exhibit 300/Exhibit 53 to record the resources
required; and
iii. ensure that information security resources are available for
expenditure as planned.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 PS-1 (HIGH)
• COBIT 4.1 DS5.1
• COBIT 5 APO13.01
• COBIT 5 APO13.02
• CSA IS-02
• HIPAA §164.308(a)(3)(ii)(A)
• HIPAA §164.308(a)(3)(ii)(B)
• HIPAA §164.308(a)(3)(ii)(C)
• HIPAA §164.316(a)
• JCAHO IM.02.01.03, EP 5
• NIST SP800-53 R4 PS-1
• NIST SP800-53 R4 PM-2
• NIST SP800-53 R4 PM-3
• NRS 603A.215.1
• PCI-DSS v2 12.5
• PCI-DSS v2 12.5.1
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• (State of Mass.) 201 CMR 17.03(2)(a)
• 1 TAC § 390.2(a)(1)
• 1 TAC § 390.2(a)(3)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to FTC Red Flags Rule Compliance,
Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
i. ensure that organization's information security strategy and goals are
identified and consider and address organizational requirements, and
verify that appropriate processes are in place to meet the organization's
strategy and goals;
ii. formally review and approve in writing the establishment
and administration of any information privacy, security and risk
management programs;
iii. formally approve in writing the assignment of specific roles and
responsibilities for information security across the organization;
iv. formally appoint an employee or group as the point of contact for
oversight, development, implementation and administration of security
matters. The appointed lead shall demonstrate professional competency
in security matters via a recognized security industry certification,
appropriate vendor certifications or a minimum of five years of security
related experience;
v. document its risk acceptance process; and
vi. conduct an annual review (may be performed by a third party) of the
effectiveness of its security program.

The security planning policy shall be reviewed/updated annually.

The organization shall formally appoint in writing non-professional or
professional security contacts by name in each major organizational area or
business unit.

Level 2 Control Standard Mapping:
• 16 CFR Part §681.2 (e)(1)
• 16 CFR Part §681.2 (e)(2)
• CMSRs 2012v1.5 PL-1 (HIGH)
• ISO/IEC 27002-2005 6.1.1
• NIST SP800-53 R4 PL-1

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Level 2 plus:
i. the organization formally creates a dedicated security management
forum and publishes the forum's member list and charter. Such
responsibilities can be handled by a Security Advisory Board, Security
Steering Committee or by an existing management body, such as the
board of directors;
ii. the organization conducts an annual assessment of the effectiveness of
its security program performed by a qualified outside organization;
iii. the organization shall publish security guidelines and/or daily
operational procedures relating to processes that complement, clarify
and enforce security policies.
Level 3 Control Standard Mapping:
• ISO 27799-2008 7.3.2.1

Control Reference: 05.b Information Security Coordination

Control Specification: Information security activities shall be coordinated by representatives from
different parts of the organization with relevant roles and job functions.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Awareness and Training
IT Organization and Management Roles and Responsibilities
Personnel
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to Joint Commission Accreditation
Level 1 Implementation: The organization shall:
i. determine information security requirements for the information
system in mission/business process planning;
ii. determine, document and allocate the resources required to protect the
information system as part of its capital planning and investment
control process; and
iii. establish a discrete line item for information security in organizational
programming and budgeting information.

Information security coordination shall involve the active cooperation and
collaboration across the entire organization. This activity shall:
i. ensure that security activities across the entire organization are
executed in compliance with the information security policy and that
deviations are identified and reviewed;
ii. identify how to handle non-compliance (such as sanctions or
disciplinary action);
iii. assess the adequacy and coordinate the implementation of information
security controls;
iv. effectively promote information security education, training and
awareness throughout the organization.

If the organization does not use a separate cross-functional group because
such a group is not appropriate for the organization's size, the actions
described above shall be undertaken by another suitable management body
or individual security representative.

Security-related activities affecting the information system environment
shall be planned and coordinated before conducting such activities in order
to reduce the impact on the organization's operations.

When FTI is incorporated into a data warehouse, additional controls
described in IRS Pub. 1075 are to be implemented in addition to the
controls required of typical system and networked environments.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 SA-2 (HIGH)
• COBIT 4.1 DS5.1
• COBIT 5 APO13.01
• COBIT 5 APO13.02
• HIPAA §164.308(a)(1)(ii)(B)
• HIPAA §164.310(a)(2)(ii)
• HIPAA §164.316(a)
• HIPAA §164.316(b)(1)
• HIPAA §164.316(b)(2)(iii)
• JCAHO IM.02.01.03, EP 8
• NIST SP800-53 R4 PL-2
• NIST SP800-53 R4 SA-2
• 1 TAC § 390.2(a)(1)
• 1 TAC § 390.2(a)(4)(A)(xi)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the CMS
Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
Information security coordination shall involve the active cooperation and
collaboration across the entire organization to include managers, users,
administrators, application designers, auditors and security personnel.

Information security coordination shall also include specialist skills in areas
such as insurance, legal issues, human resources, privacy, IT or risk
management.

This activity shall:
i. address deviations via a risk acceptance process;
ii. approve methodologies and processes for information security
management activities (e.g. risk acceptance, information classification,
security incidents);
iii. identify and promptly report to senior management significant threat
changes and exposure of information and information processing
resources to threats;
iv. evaluate information received from the monitoring and reviewing of
information security incidents to conduct "lessons learned" activities,
and recommend to senior management appropriate actions in response
to identified information security incidents;
v. create an internal security information sharing mechanism, such as an
e-mail group, periodic conference call or standing meeting; and
vi. establish an internal reporting mechanism, such as a telephone hotline
or dedicated e-mail address, to allow security contacts to report
information security incidents or obtain security policy clarifications on
a timely basis.

The organization develops a security plan for the information system that:
i. is consistent with the organization’s enterprise architecture;
ii. explicitly defines the authorization boundary for the system;
iii. describes the operational context of the information system in terms of
missions and business processes;
iv. provides the security categorization of the information system including
supporting rationale;
v. describes the operational environment for the information system;
vi. describes relationships with or connections to other information
systems;
vii. provides an overview of the security requirements for the system;
viii. describes the security controls in place or planned for meeting those
requirements including a rationale for tailoring and supplementation
decisions;
ix. is reviewed and approved by the authorizing official or designated
representative prior to plan implementation;

The organization shall update the system security plan:
i. at least every three (3) years;
ii. when substantial changes are made to the system;
iii. when changes in requirements result in the need to process data of a
higher sensitivity;

iv. after the occurrence of a serious security violation which raises
questions about the validity of an earlier security authorization; and
v. prior to expiration of a previous security authorization.

The organization shall plan and coordinate security-related activities
affecting the information system before conducting such activities in order
to reduce the impact on other organizational entities.
The organization shall:
i. distribute copies of the information system’s security plan to
appropriate individuals and offices (e.g., CCO, CIO, business units) and
ii. communicate any changes to the security plans (see 05.b) to
appropriate individuals and offices.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 PL-2 (HIGH)
• ISO/IEC 27002-2005 6.1.2
• NIST SP800-53 R4 PL-2 (3)
• NRS 603A.215.1
• PCI DSS v2 12.5.2
• PCI DSS v2 12.5.3
• 1 TAC § 390.2(a)(4)(A)(xi)

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Level 2 plus:
The organization shall convene an internal meeting for the organization's
security single point of contact and the organizational area/business unit
security contacts (see 05.a) on a monthly or near to monthly basis.
Level 3 Control Standard Mapping:
• ISO 27799-2008 7.3.2.1

FTI Custodians

FTI Custodians: The organization shall develop and submit a Safeguard Procedures Report
(SPR) that describes the procedures established and used by the
organization for ensuring the confidentiality of the information received
from the IRS. Annually thereafter, the organization must file a Safeguard
Activity Report (SAR). Whenever significant changes occur in the safeguard
program, the SPR will be updated and resubmitted (see IRS Pub. 1075,
sections 7 & 8). The SAR advises the IRS of minor changes to the procedures
or safeguards described in the SPR. It also advises the IRS of future actions
that will affect the organization’s current efforts to ensure the
confidentiality of FTI, and certifies that the organization is protecting FTI
pursuant to IRC Section 6103(p)(4) and the organization’s own security
requirements.

CMS Contractors

CMS Contractors: The organization shall establish a discrete line item in CMS' programming
and budgeting documentation for the implementation and management of
information systems security.

The organization shall develop a security plan for the information system
that is consistent with the CMS System Security Plan (SSP) Procedure.

(For FTI only) When FTI is incorporated into a Data Warehouse, the
controls described in IRS Pub. 1075, Exhibit 11 are to be followed, in
addition to those specified in other controls. The organization shall develop
and submit a Safeguard Procedures Report (SPR) that describes the
procedures established and used by the organization for ensuring the
confidentiality of the information received from the IRS. Annually
thereafter, the organization must file a Safeguard Activity Report (SAR). The
SAR advises the IRS of minor changes to the procedures or safeguards
described in the SPR. It also advises the IRS of future actions that will affect
the organization’s current efforts to ensure the confidentiality of FTI, and
certifies that the organization is protecting FTI pursuant to IRC Section
6103(p)(4) and the organization's own security requirements. Whenever
significant changes occur in the safeguard program, the SPR will be updated
and resubmitted (see IRS Pub. 1075, section 7).

Control Reference: 05.c Allocation of Information Security Responsibilities

Control Specification: All information security responsibilities shall be clearly defined.
Factor Type: Organizational
Topics: Authorization
IT Organization and Management Roles and Responsibilities
Media and Assets

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: The organization's senior-level information security official shall
coordinate, develop, implement, and maintain an organization-wide
information security program.

The organization shall clearly assign responsibilities to identify all IT assets
that need protection and apply controls to meet security policy. The
allocation of information security responsibilities shall be done in
accordance with the information security policy. Responsibilities for the
protection of individual assets and for carrying out specific security
processes shall be clearly identified.

This responsibility shall be supplemented, where necessary, with more
detailed guidance for specific assets and facilities. Individuals with allocated
security responsibilities may delegate security tasks to others. Nevertheless
they remain accountable and shall determine that any delegated tasks have
been correctly performed.
Level 1 Control Standard Mapping:
- COBIT 4.1 DS5.1
- COBIT 5 APO13.01
- COBIT 5 APO13.02
- CSA IS-13
- HIPAA § 164.308(a)(2)
- ISO/IEC 27002-2005 6.1.3
- ISO 27799-2008 7.3.2.1
- NIST SP800-53 R4 PM-2
- NRS 603A.215.1
- PCI DSS v2 12.4
- PCI DSS v2 12.5
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000
Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year,
Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance /
PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500
Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health
Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to FTC Red
Flags Rule Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

The organization shall identify by name or position non-professional or
professional security contacts in each major organizational area or business
unit.

The organization shall clearly define the roles, responsibilities and
authority of each security contact including the administration and
implementation of the organization's security programs. Each security
contact shall annually document compliance related to identified legal
requirements (see CSF 06.a) and report to the organization's single point of
contact for security.

The reports shall include:
i. evaluations on the effectiveness of the policies and procedures
implemented in addressing risk;
ii. evaluations of service provider arrangements (see CSF 09.e, 09.f, 09.g);
iii. significant incidents and the response; and
iv. recommendations for material changes to the security programs for
which they are responsible.

The organization's single point of contact for security matters shall provide
supplemental security awareness and training. The contact for security
shall be responsible for reviewing reports related to the security organization,
network, systems and programs implemented. Any material changes to
these items shall be formally approved by the contact for security prior to
implementation.

The organization's security points of contact, as well as all other employees,
shall be able to freely report security weaknesses (real and perceived) without
fear of repercussion.

Local responsibilities for the protection of assets and for carrying out
specific security processes, such as business continuity planning, shall be
clearly defined.

Additionally, the following shall take place:
i. the assets and security processes associated with each particular
system shall be identified and clearly defined;
ii. the entity responsible for each asset or security process shall be
assigned and the details of this responsibility shall be documented (see
7.b);
iii. authorization levels shall be clearly defined and documented.
Level 2 Control Standard Mapping:
- 16 CFR Part §681 Appendix A VI (a)
- 16 CFR Part §681 Appendix A VI (b)
- 1 TAC § 390.2(a)(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend
on Research and Development Per Year, Third Party Processor: > 60,000,000
Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year,
Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health
Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Level 2 plus:

The organization shall specifically define the roles and responsibilities of each
security contact in writing. The organization shall institute a formal
mechanism to anonymously report security issues.

Control Reference: 05.d Authorization Process for Information Assets and
Facilities

Control Specification: A management authorization process for new information assets (e.g.
systems and applications) (see Other Information), and facilities (e.g. data
centers or offices where covered information is to be processed) shall be
defined and implemented.
Factor Type: Organizational
Topics: Authorization
IT Organization and Management Roles and Responsibilities
Media and Assets
Physical and Facility Security
Policies and Procedures
Requirements (Legal and Contractual)

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The following shall be required for the authorization process:
i. new information processing assets (internal to the organization or via a
service provided by a third party) shall have appropriate user
management authorization of their purpose and use. Authorization shall
also be obtained from the manager responsible for maintaining the local
information system security environment to ensure that all relevant
security policies and requirements are met;
ii. information assets shall have appropriate security measures
commensurate with the type of information they will store, process or
transmit;
iii. the assets shall address all applicable laws, regulations, standards,
policies and other applicable sections of the HITRUST Common Security
Framework;
iv. hardware and software shall be checked to ensure that they are
compatible with other system components; and
v. the use of personal or privately owned information processing
equipment (e.g. laptops, home-computers or hand-held devices) for
processing business information may introduce new vulnerabilities, and
necessary controls shall be identified and implemented.
Level 1 Control Standard Mapping:
- CSA RM-01
- HIPAA §164.308(a)(2)
- HIPAA §164.308(a)(8)
- ISO/IEC 27002-2005 6.1.4
- ISO 27799-2008 7.3.2.2
- NIST SP800-53 R4 PM-10
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000
Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year,
Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance /
PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500
Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health
Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:

The following shall be required for the authorization process:
i. the organization shall establish a security authorization process and
checklist for all new assets and facilities;
ii. the organization shall establish policies and procedures to include the
security organization in procurement considerations for new IT
equipment;
iii. the organization shall prohibit connection of personally owned
computing equipment to the organization's network; and
iv. the organization shall establish policies for use of personal cellular
phones and personal data assistants (PDAs) brought onto the
organization's premises.
Level 2 Control Standard Mapping:
- CMSRs 2010v1.0 CA-6 (HIGH)
- NIST SP800-53 R4 CA-6

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend
on Research and Development Per Year, Third Party Processor: > 60,000,000
Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year,
Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health
Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Level 2 plus:

All new facilities shall undergo a site security survey by the organization's
security department or a trusted third party, and resolve all security
shortcomings before any covered information is processed at that location.
All sites that process covered information shall be reviewed on an annual
basis to ensure their continued suitability to process covered information.
This process shall also be invoked if the site undergoes a significant change
in mission or makes substantive physical changes in its facilities or
workforce.

Control Reference: 05.e Confidentiality Agreements

Control Specification: Requirements for confidentiality or non-disclosure agreements reflecting
the organization's needs for the protection of information shall be identified
and regularly reviewed.
Factor Type: Organizational
Topics: Documentation and Records
Personnel
Requirements (Legal and Contractual)
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Confidentiality or non-disclosure agreements shall address the requirement
to protect confidential information using legally enforceable terms.

Confidentiality or non-disclosure agreements shall include, but are not
limited to, the following:
i. a definition of the information to be protected (e.g. confidential
information);
ii. expected duration of an agreement, including cases where
confidentiality might need to be maintained indefinitely;
iii. required actions when an agreement is terminated;
iv. responsibilities and actions of signatories to avoid unauthorized
information disclosure (such as 'need to know');
v. disclosures required to be limited to the limited data set (see 07.d) or
the minimum necessary to accomplish the intended purpose of such
use, disclosure, or request;
vi. ownership of information, trade secrets and intellectual property, and
how this relates to the protection of confidential information;
vii. the permitted use of confidential information, and rights of the
signatory to use information;
viii. individuals' rights to obtain a copy of the individual's information in an
electronic format;
ix. individuals' rights to have the individual's information transmitted to
another entity or person designated by the individual, provided the
request is clear, conspicuous, and specific;
x. the right to audit and monitor activities that involve confidential
information;
xi. the process for notification and reporting of unauthorized disclosure or
confidential information breaches;
xii. terms for information to be returned or destroyed at agreement
cessation; and
xiii. expected actions to be taken (i.e. penalties that are possible) in case of a
breach of this agreement.

The confidentiality agreement shall be applicable to all personnel accessing
covered information. Confidentiality and non-disclosure agreements shall
comply with all applicable laws and regulations for the jurisdiction to which
they apply (see 6.a). Requirements for confidentiality and non-disclosure
agreements shall be reviewed at least annually and when changes occur
that influence these requirements.

Level 1 Control Standard Mapping:
- CSA LG-01
- ISO/IEC 27002-2005 6.1.5
- ISO 27799-2008 7.3.2.3

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000
Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year,
Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance /
PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500
Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health
Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

The organization shall publish a list of representatives who are authorized
to sign a non-disclosure agreement on behalf of the organization. This list
shall be kept up to date to reflect personnel changes and departures.

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Health Information Exchange Requirements

Health Information Exchanges: As part of the agreement with the connecting organizations, the HIE shall
specify which organization owns the data and any restrictions as part of
that ownership such as retention, integrity, and accuracy of data. If the HIE
is the owner of the data, all federal and state requirements associated with
the patients’ information shall be met.

Control Reference: 05.f Contact with Authorities

Control Specification: Appropriate contacts with relevant authorities shall be maintained.
Factor Type: Organizational
Topics: Documentation and Records
Incident Response
Policies and Procedures
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization should define a plan with associated contact information
for reporting security incidents to law enforcement if it is expected that
laws may have been broken. The organization shall include key contacts
including phone numbers and e-mail addresses as part of its incident
management and/or business continuity plan. The organization shall
designate a point of contact to review the list at least annually to keep it
current.

Organizations under attack from the Internet may need external third
parties (e.g. an Internet service provider or telecommunications operator)
to take action against the attack source. The appropriate contact
information for these third parties shall be documented, and instances
when they must be contacted to take action shall be communicated.
Level 1 Control Standard Mapping:
- CSA CO-04

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000
Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year,
Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance /
PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500
Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health
Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

Each group within the organization (e.g. information security) shall have
procedures documented and implemented that specify when and by whom
authorities (e.g. law enforcement, fire department, supervisory authorities)
shall be contacted, and how identified information security incidents shall
be reported in a timely manner if it is suspected that laws may have been
broken.

The organization shall include key contacts including phone numbers and e-mail
addresses as part of its incident management and/or business
continuity plan. The organization shall designate a point of contact to
review the list at least quarterly to keep it current.

The organization shall conduct an exercise at least annually and make
contact with a majority (at least 80 percent) of the listed contacts. During
this incident/continuity plan exercise the organization shall document that
the contact person and information are current.
Level 2 Control Standard Mapping:
- ISO/IEC 27002-2005 6.1.6
- ISO 27799-2008 7.3.2.4

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 05.g Contact with Special Interest Groups

Control Specification: Appropriate contacts with special interest groups or other specialist
security forums and professional associations shall be maintained.
Factor Type: Organizational
Topics: Incident Response
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Membership in organization-defined special interest groups or forums shall
be considered as a means to:
i. improve knowledge about best practices and stay up to date with
relevant security information;
ii. ensure the understanding of the information security environment is
current and complete;
iii. receive early warnings of alerts, advisories, and patches pertaining to
attacks and vulnerabilities;
iv. gain access to specialist information security advice;
v. share and exchange information about new technologies, products,
threats, or vulnerabilities; and
vi. provide suitable liaison points when dealing with information security
incidents (see 11.c).
Level 1 Control Standard Mapping:
- CSA CO-04
- CSA IS-12
- HIPAA §164.308(a)(5)(i)
- HIPAA §164.308(a)(5)(ii)(A)
- ISO/IEC 27002-2005 6.1.7
- ISO 27799-2008 7.3.2.4
- NIST SP800-53 R4 SI-5
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000
Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year,
Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance /
PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500
Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health
Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS
Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

Membership in special interest groups or forums shall be required and
actively maintained.

The organization shall have a process to quickly identify newly discovered
security vulnerabilities such as a credible subscription service. The
organization shall have a process to map new vulnerabilities into its
security policies, guidelines and daily operational procedures.

The organization shall employ automated mechanisms to make security
alert and advisory information available throughout the organization as
needed.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AT-5 (HIGH)
- CMSRs 2012v1.5 SI-5 (HIGH)
- CMSRs 2012v1.5 SI-5(1) (HIGH)
- NIST SP800-53 R4 PM-15
- NIST SP800-53 R4 SI-5 (1)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall implement security directives in accordance with
established time frames, or notify CMS of the degree of noncompliance.

Control Reference: 05.h Independent Review of Information Security

Control Specification: The organization's approach to managing information security and its
implementation (control objectives, controls, policies, processes, and
procedures for information security) shall be reviewed independently at
planned intervals, at a minimum annually, or when significant changes to
the security implementation occur.
Factor Type: Organizational
Topics: Audit and Accountability
Documentation and Records
IT Organization and Management Roles and Responsibilities

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The independent review shall be initiated by management. Such an
independent review is necessary to ensure the continuing suitability,
adequacy, and effectiveness of the organization's approach to managing
information security.

The review shall:
i. include an assessment of opportunities for improvement;
ii. address the need for changes to the approach to security, including the
policy and control objectives;
iii. be carried out by individuals independent of the area under review (e.g.
the internal audit function, an independent manager or a third party
organization specializing in such reviews); and
iv. be carried out by individuals who have the appropriate skills and
experience.

The results of the independent review shall:
i. be recorded and reported to the management who initiated the review;
and
ii. be maintained for a predetermined period of time as determined by the
organization, but not less than three years.

If the independent review identifies that the organization's approach and
implementation to managing information security is inadequate or not
compliant with the direction for information security stated in the
information security policy document (see 4.a), management shall take
corrective actions.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 CA-7 (HIGH)
- CMSRs 2012v1.5 CA-7(1) (HIGH)
- COBIT 4.1 DS5.5
- COBIT 5 DSS05.07
- CSA CO-02
- HIPAA §164.308(a)(1)(ii)(D)
- HIPAA §164.308(a)(8)
- ISO/IEC 27002-2005 6.1.8
- ISO 27799-2008 7.3.2.4
- NIST SP800-53 R4 CA-7
- NIST SP800-53 R4 CA-7(1)
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to State of Massachusetts Data Protection Act
Level 2 Implementation: Level 1 plus:

The independent review of the information security management program
and information security controls shall be conducted at least annually or
whenever there is a material change to the business practices that may
implicate the security or integrity of records containing personal
information.
Level 2 Control Standard Mapping:
- (State of Mass.) 201 CMR 17.03(2)(a)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 05.02 External Parties

Control Objective: To ensure that the security of the organization's information and
information assets is not reduced by the introduction of external party
products or services.

Control Reference: 05.i Identification of Risks Related to External Parties

Control Specification: The risks to the organization's information and information assets from
business processes involving external parties shall be identified, and
appropriate controls implemented before granting access.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Authorization
Communications and Transmissions
Requirements (Legal and Contractual)
Risk Management and Assessments
Third Parties and Contractors
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FTC Red Flags Rule Compliance
Level 1 Implementation: Due diligence shall be carried out to identify any requirements for specific
controls where access by external parties is required.
The identification of risks related to external party access shall take into
account the following issues:
i. the information asset(s) an external party is required to access;
ii. the type of access the external party will have to the information and
information asset(s), such as:
1. physical access (e.g. to offices, computer rooms, filing cabinets);
2. logical access (e.g. to an organization's databases, information
systems);
3. network connectivity between the organization's and the
external party's network(s) (e.g. permanent connection, remote
access);
4. whether the access is taking place on-site or off-site;
iii. the value and sensitivity of the information involved, and its criticality
for business operations;
iv. the controls necessary to protect information that is not intended to be
accessible by external parties;
v. the external party personnel involved in handling the organization's
information;
vi. how the organization or personnel authorized to have access can be
identified, the authorization verified, and how often this needs to be
reconfirmed;
vii. the different means and controls employed by the external party when
storing, processing, communicating, sharing and exchanging
information;
viii. the impact of access not being available to the external party when
required, and the external party entering or receiving inaccurate or
misleading information;
ix. practices and procedures to deal with information security incidents
and potential damages, and the terms and conditions for the
continuation of external party access in the case of an information
security incident;
x. legal and regulatory requirements and other contractual obligations
relevant to the external party that shall be taken into account;
xi. how the interests of any other stakeholders may be affected by the
arrangements.

Access by external parties to the organization's information shall not be provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement. All security requirements resulting from work with external parties or internal controls shall be reflected in the agreement with the external party (see 5.i and 5.j). All remote access connections between the organization and all external parties shall be secured via encrypted channels (e.g. VPN). Any covered information shared with an external party shall be encrypted prior to transmission.

External parties shall be granted the minimum necessary access to the organization's information assets to minimize risks to security. All access granted to external parties shall be limited in duration and revoked when no longer needed.

It shall be ensured that the external party is aware of their obligations, and
accepts the responsibilities and liabilities involved in accessing, processing,
communicating, or managing the organization's information and
information assets.
Level 1 Control Standard Mapping:
- 16 CFR Part §681.2 (e)(4)
- CSA RI-05
- HIPAA §164.308(b)(1)
- HIPAA §164.308(b)(4)
- HIPAA §164.314(a)(2)(ii)
- ISO/IEC 27002-2005 6.2.1
- PCI DSS v2 12.8.3
- 1 TAC § 390.2(a)(1)
- 1 TAC § 390.2(a)(3)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
The organization shall conduct due diligence of the external party via
interviews, document review, checklists, review certifications (e.g.
HITRUST) or other remote means. The process for conducting external
party due diligence shall be integrated with the execution of a non-
disclosure agreement (NDA) (see 5.e).

The organization shall monitor the information system connections on an ongoing basis, verifying enforcement of security requirements.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 CA-3 (HIGH)
- ISO 27799-2008 7.3.3.1
- NIST SP800-53 R4 CA-3
- NRS 603A.215.1
- PCI DSS v2 2.4

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements.

CMS Contractor Requirements

CMS Contractors: Each system interconnection shall be recorded in the security plan and Information Security (IS) Risk Assessment (RA) for the CMS system that is connected to the remote location.

Control Reference: 05.j Addressing Security When Dealing with Customers

Control Specification: All identified security requirements shall be addressed before giving customers access to the organization's information or assets.
Factor Type: Organizational
Topics: Authentication
Incident Response
Requirements (Legal and Contractual)
Third Parties and Contractors
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The following security terms shall be addressed prior to giving customers access to any of the organization's assets:
i. description of the product or service to be provided;
ii. the right to monitor, and revoke, any activity related to the
organization's assets; and
iii. the respective liabilities of the organization and the customer.

It shall be ensured that the customer is aware of their obligations, and
accepts the responsibilities and liabilities involved in accessing, processing,
communicating, or managing the organization's information and
information assets.

The organization shall permit an individual to request that disclosure of the individual's covered information to a business associate be restricted where the disclosure is for purposes of carrying out payment or health care operations and not for purposes of carrying out treatment.

The organization shall respond to any requests from an individual on the disclosure of the individual's covered information, providing the individual with records (see 06.c) of disclosures of covered information that are made by the organization and either:
i. records (see 06.c) of disclosures of covered information made by a business associate acting on behalf of the organization; or
ii. a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and email address).
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PL-4 (HIGH)
- CSA SA-01
- NIST SP800-53 R4 PL-4

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The following security terms shall be addressed prior to giving customers
access to any of the organization's assets:
i. asset protection, including:
1. procedures to protect the organization's assets, including
information and software, and management of known
vulnerabilities;
2. procedures to determine whether any compromise of the assets
(e.g. loss or modification of data) has occurred;
3. integrity; and
4. restrictions on copying and disclosing information;
ii. access control policy, covering:
1. permitted access methods, and the control and use of unique
identifiers such as user IDs and passwords;
2. an authorization process for user access and privileges;
3. a statement that all access that is not explicitly authorized is
forbidden;
4. a process for revoking access rights or interrupting the
connection between systems;
iii. arrangements for reporting, notification, and investigation of
information inaccuracies (e.g. of personal details), information security
incidents and security breaches;
iv. a description of each service to be made available;
v. the target level of service and unacceptable levels of service;
vi. the different reasons, requirements, and benefits for customer access;
vii. responsibilities with respect to legal matters and how it is ensured that
the legal requirements are met (e.g. data protection legislation),
especially taking into account different national legal systems if the
agreement involves co-operation with customers in other countries (see
6.1); and
viii. intellectual property rights (IPRs) and copyright assignment (see 6.b)
and protection of any collaborative work (see 5.e).

Access by customers to the organization's information shall not be provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement. All security requirements resulting from work with external parties or internal controls shall be reflected in the agreement with the external party.

For all system connections that allow customers to access the organization's computing assets, such as Web sites, kiosks and public access terminals, the organization shall provide appropriate text or a link to the organization's privacy policy for data use and protection as well as the customer's responsibilities when accessing the data. The organization shall have a formal mechanism to authenticate (see 01.b) the customer's identity prior to granting access to covered information.
Level 2 Control Standard Mapping:
- ISO/IEC 27002-2005 6.2.2
- ISO 27799-2008 7.3.3.2
Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 05.k Addressing Security in Third Party Agreements

Control Specification: Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information assets, or adding products or services to information assets, shall cover all relevant security requirements.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Authorization
Awareness and Training
Documentation and Records
IT Organization and Management Roles and Responsibilities
Policies and Procedures
Requirements (Legal and Contractual)
Third Parties and Contractors
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to HITECH Breach Notification Requirements, Subject to State of Massachusetts Data Protection Act, Subject to the State of Nevada Security of Personal Information Requirements
Level 1 Implementation: The agreement shall ensure that there is no misunderstanding between the organization and the third party. Organizations shall satisfy themselves as to the indemnity of the third party.

The following terms shall be implemented for inclusion in the agreement in order to satisfy the identified security requirements (see 5.i):
i. the information security policy;
ii. controls to ensure asset protection, including:
1. procedures to protect organizational assets, including
information, software and hardware;
2. any required physical protection controls and mechanisms;
3. controls to ensure protection against malicious software (see
9.j);
4. procedures to determine whether any compromise of the assets
(e.g. loss or modification of information, software and
hardware) has occurred;
5. controls to ensure the return or destruction of information and
assets at the end of, or at an agreed point in time during the
agreement;
6. confidentiality, integrity, availability, and any other relevant
property of the assets; and
7. restrictions on copying and disclosing information, and using
confidentiality agreements (see 5.b);
iii. user and administrator training in methods, procedures, and security;
iv. ensuring user awareness for information security responsibilities and
issues;
v. provision for the transfer of personnel, where appropriate;
vi. responsibilities regarding hardware and software installation and
maintenance;
vii. a clear reporting structure and agreed reporting formats;
viii. a clear and specified process of change management;
ix. access control policy, covering:
1. the different reasons, requirements, and benefits that make the
access by the third party necessary;
2. permitted access methods, and the control and use of unique
identifiers such as user IDs and passwords;
3. an authorization process for user access and privileges;
4. a requirement to maintain a list of individuals authorized to use
the services being made available, and what their rights and
privileges are with respect to such use;
5. a statement that all access that is not explicitly authorized is
forbidden; and
6. a process for revoking access rights or interrupting the
connection between systems;
x. arrangements for reporting, notification, and investigation of
information security incidents and security breaches, as well as
violations of the requirements stated in the agreement, stating:
1. the third party, following the discovery of a breach of unsecured
covered information, shall notify the organization of such
breach, including:
a. the identification of each individual whose unsecured
protected health information has been, or is reasonably
believed by the business associate to have been,
accessed, acquired, or disclosed during such breach;
2. all notifications shall be made without unreasonable delay and
in no case later than 60 calendar days after the discovery of a
breach; and
3. evidence shall be maintained demonstrating that all
notifications were made without unreasonable delay.
xi. a description of the product or service to be provided, and a description
of the information to be made available along with its security
classification (see CSF 7.d);
xii. the target level of service and unacceptable levels of service;
xiii. the definition of verifiable performance criteria, their monitoring and
reporting;
xiv. the right to monitor, and revoke, any activity related to the
organization's assets;
xv. the right to audit responsibilities defined in the agreement, to have
those audits carried out by a third party, and to enumerate the statutory
rights of auditors;
xvi. the penalties exacted in the event of any failure in respect of the above;
xvii. the establishment of an escalation process for problem resolution;
xviii. service continuity requirements, including measures for availability
and reliability, in accordance with an organization's business priorities;
xix. the respective liabilities of the parties to the agreement;
xx. responsibilities with respect to legal matters and how it is ensured that
the legal requirements are met (e.g. data protection legislation)
especially taking into account different national legal systems if the
agreement involves co-operation with organizations in other countries
(see 6.1);
xxi. intellectual property rights (IPRs) and copyright assignment (see 6. b)
and protection of any collaborative work (see 5.e);
xxii. involvement of the third party with subcontractors, and the security
controls these subcontractors need to implement; and
xxiii. conditions for renegotiation/termination of agreements:
1. a contingency plan shall be in place in case either party wishes
to terminate the relation before the end of the agreements;
2. renegotiation of agreements if the security requirements of the
organization change; and
3. current documentation of asset lists, licenses, agreements or
rights relating to them.

The organization shall establish personnel security requirements, including security roles and responsibilities, for third-party providers.

A screening process shall also be carried out for contractors and third party users. Where contractors are provided through another organization (e.g. an agency), the contract with that organization shall clearly specify its responsibilities for screening and the notification procedures it needs to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third party shall clearly specify all responsibilities and notification procedures for screening.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PS-7 (HIGH)
- CSA LG-02
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.308(a)(4)(ii)(B)
- HIPAA §164.308(b)(1)
- HIPAA §164.314(a)(2)(i)
- HITECH Act, Subpart D 164.404(b)
- HITECH Act, Subpart D 164.410(a)(1)
- HITECH Act, Subpart D 164.410(a)(2)
- HITECH Act, Subpart D 164.410(b)
- HITECH Act, Subpart D 164.410(c)(1)
- HITECH Act, Subpart D 164.414(b)
- ISO/IEC 27002-2005 6.2.3
- NIST SP800-53 R4 PS-7
- NRS 603A.210.2
- NRS 603A.215.1
- PCI DSS v2 2.4
- PCI DSS v2 12.8.2
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- (State of Mass.) 201 CMR 17.03(2)(f)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to FTC Red Flags Rule Compliance
Level 2 Implementation: Level 1 plus:
Organizations shall employ formal contracts that, at a minimum, specify:
i. the confidential nature and value of the covered information;
ii. the security measures to be implemented and/or complied with;
iii. limitations to access to these services by third parties;
iv. the service levels to be achieved in the services provided;
v. the format and frequency of reporting to the organization's Information
Security Management Forum;
vi. the arrangement for representation of the third party in appropriate
organization meetings and working groups;
vii. the arrangements for compliance auditing of the third parties;
viii. the penalties exacted in the event of any failure in respect of the above;
and
ix. the requirement to notify a specified person or office of any personnel
transfers or terminations of third-party personnel working at
organizational facilities with organizational credentials, badges, or
information system privileges within one (1) business day.
Level 2 Control Standard Mapping:
- 16 CFR Part §681.2 (e)(4)
- ISO 27799-2008 7.3.3.3
- NIST SP800-53 R4 PS-7 (1)
- 1 TAC § 390.2(a)(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Health Information Exchange Requirements

Health Information Exchanges: As part of the agreement with the connecting organizations, the HIE shall specify the requirements of the connecting organization to define and communicate to the HIE access roles for the connecting organization's employees. The agreement shall specify that it is the sole responsibility of the connecting organization to appropriately restrict access in accordance with federal and state requirements (e.g., mental health information). As part of the agreement with the connecting organizations, the HIE shall specify the requirements of connecting organizations to request and receive detailed access logs (see 09.aa) related to the connecting organization's records.

Control Category: 06.0 – Compliance

Objective Name: 06.01 Compliance with Legal Requirements

Control Objective: To ensure that the design, operation, use, and management of information systems adhere to applicable laws, statutory, regulatory or contractual obligations, and any security requirements.

Control Reference: 06.a Identification of Applicable Legislation

Control Specification: All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.
Factor Type: Organizational
Topics: Awareness and Training
Documentation and Records
Policies and Procedures
Requirements (Legal and Contractual)

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FTC Red Flags Rule Compliance, Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: All relevant statutory, regulatory and contractual requirements shall be explicitly defined and documented within formal policies and procedures for each information system type. The specific controls and individual responsibilities to meet these requirements shall be similarly defined and documented. These controls shall be communicated to the user community through the documented security training and awareness programs.

Level 1 Control Standard Mapping:
- 16 CFR Part §681 Appendix A VII(a)
- 16 CFR Part §681 Appendix A VII(b)
- 16 CFR Part §681 Appendix A VII(c)
- 16 CFR Part §681 Appendix A VII(d)
- CSA CO-05
- ISO/IEC 27002-2005 15.1.1
- ISO 27799-2008 7.12.2.1
- (State of Mass.) 201 CMR 17.03(1)
- 1 TAC § 390.2(a)(3)
- 1 TAC § 390.2(a)(4)(B)(xviii)(I)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The organization shall join industry trade associations, subscribe to thought leadership and market research organizations, or establish some other reliable process to stay abreast of business sector, industry, technology, infrastructure, legal and regulatory environment trends that may impact the organization's security policies, and shall incorporate the consequences of these trends into the development or update of its IT policies and procedures.

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 06.b Intellectual Property Rights

Control Specification: Detailed procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.
Factor Type: Organizational
Topics: Documentation and Records
Policies and Procedures
Requirements (Legal and Contractual)

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Procedures shall be developed and implemented to ensure compliance with any legislative, regulatory, or contractual requirements that may place restrictions on the copying of proprietary material, including copyrights, design rights, or trademarks.

Specifically, the following controls shall be in place:
i. acquiring software only through known and reputable sources, to
ensure that copyright is not violated;
ii. maintaining proof and evidence of ownership of licenses, master disks,
manuals, etc.;
iii. implementing controls to ensure that any maximum number of users
permitted is not exceeded;
iv. carrying out annual checks that only authorized software and licensed
products are installed;
v. developing and providing a policy for maintaining agreed upon license
conditions;
vi. using manual audit tools;
vii. complying with terms and conditions for software and information
obtained from public networks; and
viii. use of proprietary software must also be in compliance with encryption,
export and local data privacy regulations.
Level 1 Control Standard Mapping:
- CSA CO-06

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The following controls shall be in place:
i. publishing an intellectual property rights compliance policy which
defines the legal use of software and information products;
ii. maintaining awareness of policies to protect intellectual property
rights, and giving notice of the intent to take disciplinary action against
personnel breaching them;
iii. maintaining appropriate asset registers, and identifying all assets with
requirements to protect intellectual property rights;
iv. developing and providing a policy for disposing or transferring software
to others;
v. not duplicating, converting to another format or extracting from
commercial recordings (film, audio) other than permitted by copyright
law; and
vi. not copying in full or in part, books, articles, reports or other
documents, other than permitted by copyright law.

Level 2 Control Standard Mapping:
- ISO/IEC 27002-2005 15.1.2
- ISO 27799-2008 7.12.2.1

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 3 Implementation: Level 2 plus:
The organization shall control and document the use of publicly accessible
peer-to-peer file sharing technology to ensure that this capability is not
used for the unauthorized distribution, display, performance, or
reproduction of copyrighted work.

Automated auditing tools shall be used.


Level 3 Control Standard Mapping:
- NIST SP800-53 R4 CM-10

Control Reference: 06.c Protection of Organizational Records

Control Specification: Important records shall be protected from loss, destruction, and
falsification, in accordance with statutory, regulatory, contractual, and
business requirements.
Factor Type: Organizational
Topics: Cryptography
Data Loss Prevention
Documentation and Records
Policies and Procedures
Requirements (Legal and Contractual)

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act, Subject to the State of
Nevada Security of Personal Information Requirements, Subject to Joint
Commission Accreditation
Level 1 Implementation: Important records, such as contracts, personnel records, financial
information, patient records, etc., of the organization shall be protected
from loss, destruction and falsification. Security controls, such as access
controls, encryption, backups, electronic signatures, locked facilities or
containers, etc., shall be implemented to protect these essential records and
information.

Guidelines shall be issued by the organization on the ownership,
classification, retention, storage, handling and disposal of all records and
information. Designated senior management within the organization shall
review and approve the security categorizations and associated guidelines.

All regulatory and legislative retention requirements shall be met.

The organization's formal policies and procedures, other critical records
(e.g. results from a risk assessment), and records of disclosures of
individuals' protected health information shall be retained for a minimum of
six (6) years. For electronic health records, the organization must retain
records of disclosures made to carry out treatment, payment and health care
operations for a minimum of three (3) years.

The covered entity documents compliance with the notice requirements by
retaining copies of the notices issued by the covered entity for a period of
six (6) years and, if applicable, any written acknowledgements of receipt of
the notice or documentation of good faith efforts to obtain such written
acknowledgement.

The covered entity shall document restrictions in writing and formally
maintain such writing, or an electronic copy of such writing, as an
organizational record for a period of six (6) years.

The covered entity documents and maintains the designated record sets
that are subject to access by individuals and the titles of the persons or
office responsible for receiving and processing requests for access by
individuals as organizational records for a period of six (6) years.

The covered entity documents and maintains accountings of disclosure as
organizational records for a period of six (6) years, including the
information required for disclosure, the written accounting provided to the
individual, and the titles of the persons or offices responsible for receiving
and processing requests for an accounting.

The covered entity ensures PHI is safeguarded for a period of fifty (50)
years following the death of the individual.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.0 AU-11
- HIPAA §164.530(j)
- HIPAA §164.520(e)
- HIPAA §164.522(a)(3)
- HIPAA §164.524(e)
- HIPAA §164.528(d)
- HIPAA §164.502(f)
- HITECH Act, Subpart D 164.414(a)
- JCAHO IM.02.01.03, EP 6
- NRS 603A.210.1
- NRS 603A.210.3
- (State of Mass.) 201 CMR 17.03(2)(g)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to the CMS Minimum Security
Requirements (High), Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:
Record retention policies and procedures shall be developed to address:
i. the secure disposal of data when no longer needed for legal, regulatory,
or business reasons, including disposal of covered information (see 09.p
and 08.l);
ii. coverage over all storage of covered information; and
iii. a programmatic review process (automatic or manual) to identify and
remove covered information that exceeds the requirements of the data
retention policy on a quarterly basis.

Detailed procedures for record storage, access, retention, and destruction
shall be implemented. In doing so, the following controls shall be
implemented:
i. a retention schedule shall be drawn up identifying essential record
types and the period of time for which they must be retained;
ii. an inventory of sources of key information shall be maintained;
iii. any related cryptographic keys shall be kept securely and made
available only when necessary; and
iv. any related cryptographic keying material and programs associated
with encrypted archives or digital signatures, shall also be stored to
enable decryption of the records for the length of time the records are
retained.
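The retention schedule and the programmatic review described in the two lists above can be expressed as a small, testable routine. The following Go program is an added example written for this page; it is not HITRUST's own code or tooling. The six-, three- and fifty-year periods come from the Level 1 text of this control; the record type names, the legal-hold flag, the fail-closed handling of record types missing from the schedule, and the assumption that the clock runs from the record's creation date are the example's own choices, and the inventory is constructed sample data.

```go
package main

import (
	"fmt"
	"time"
)

// RecordType keys the retention schedule (control i: a schedule identifying
// essential record types and the period each must be kept).
type RecordType string

const (
	PolicyDoc        RecordType = "policy_or_procedure"
	DisclosureLog    RecordType = "phi_disclosure_accounting"
	EHRTPODisclosure RecordType = "ehr_tpo_disclosure"
	PatientPHI       RecordType = "patient_phi"
	yearsAfterDeath             = 50 // PatientPHI: safeguarded 50 years after the individual's death
)

// Schedule holds minimum retention in years from the Level 1 text: six years for
// policies, notices and disclosure accountings, three years for EHR treatment,
// payment and operations disclosure records. The clock is assumed to run from
// the record's creation date. PatientPHI is keyed on the death date instead.
var Schedule = map[RecordType]int{
	PolicyDoc:        6,
	DisclosureLog:    6,
	EHRTPODisclosure: 3,
}

type Record struct {
	ID        string
	Type      RecordType
	Created   time.Time
	DeathDate time.Time // PatientPHI only; zero means living or unknown, so keep
	LegalHold bool      // a hold overrides the schedule: never dispose (assumed field)
}

type Decision struct {
	ID      string
	Dispose bool
	Reason  string
}

// retentionEnd returns the first date the record may be disposed; ok is false
// when no end can be computed (unknown type, living individual).
func retentionEnd(r Record) (time.Time, bool) {
	if r.Type == PatientPHI {
		return r.DeathDate.AddDate(yearsAfterDeath, 0, 0), !r.DeathDate.IsZero()
	}
	years, known := Schedule[r.Type]
	return r.Created.AddDate(years, 0, 0), known
}

// Review is the programmatic review (control iii): it classifies every record as
// of now. Records with no computable end are retained and flagged, so a gap in
// the schedule fails closed instead of silently deleting data.
func Review(records []Record, now time.Time) []Decision {
	out := make([]Decision, 0, len(records))
	for _, r := range records {
		d := Decision{ID: r.ID}
		end, ok := retentionEnd(r)
		switch {
		case r.LegalHold:
			d.Reason = "retain: legal hold"
		case !ok:
			d.Reason = "retain: no retention end (unknown type or living individual); review the schedule"
		case now.Before(end):
			d.Reason = "retain until " + end.Format("2006-01-02")
		default:
			d.Dispose = true
			d.Reason = "exceeded retention on " + end.Format("2006-01-02") + "; dispose securely per 09.p/08.l"
		}
		out = append(out, d)
	}
	return out
}

// SampleRecords is a constructed inventory that exercises each branch of Review.
func SampleRecords() []Record {
	date := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	return []Record{
		{ID: "pol-2007", Type: PolicyDoc, Created: date("2007-03-01")},
		{ID: "pol-2012", Type: PolicyDoc, Created: date("2012-03-01")},
		{ID: "disc-2010", Type: EHRTPODisclosure, Created: date("2010-06-15")},
		{ID: "disc-hold", Type: EHRTPODisclosure, Created: date("2010-06-15"), LegalHold: true},
		{ID: "phi-living", Type: PatientPHI, Created: date("1990-01-01")},
		{ID: "phi-1960", Type: PatientPHI, Created: date("1950-01-01"), DeathDate: date("1960-05-05")},
		{ID: "fax-2000", Type: "scanned_fax", Created: date("2000-01-01")},
	}
}

func main() {
	for _, d := range Review(SampleRecords(), time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC)) {
		fmt.Printf("%-10s dispose=%-5v %s\n", d.ID, d.Dispose, d.Reason)
	}
}
```

Run quarterly against the real inventory, the Dispose decisions become the input to the secure-disposal procedure (09.p, 08.l); records the schedule does not know about are reported rather than deleted, which is the safer failure for a control whose purpose is to prevent loss.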
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 SI-12 (HIGH)
- ISO/IEC 27002-2005 15.1.3
- ISO 27799-2008 7.12.2.1
- NRS 603A.215.1
- PCI DSS v2 3.1.1
- NIST SP800-53 R4 SI-12
- CMSRs 2012v1.5 (HIGH) AU-11
- NIST SP800-53 R4 AU-11

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

FTI Custodians

FTI Custodians: The organization shall employ a permanent system of standardized records
of request for disclosure of FTI and maintain the records for five (5) years
or the applicable records control schedule, whichever is longer.

CMS Contractor Requirements

CMS Contractors: The organization shall retain output, including but not limited to audit
records, system records, business and financial reports, and business
records, from the information system in accordance with CMS Policy and all
applicable National Archives and Records Administration (NARA)
requirements.

(For FTI only) The organization shall employ a permanent system of
standardized records of request for disclosure of FTI and maintain the
records for five (5) years or the applicable records control schedule,
whichever is longer.

Control Reference: 06.d Data Protection and Privacy of Covered Information

Control Specification: Data protection and privacy shall be ensured as required in relevant
legislation, regulations, and contractual clauses.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Awareness and Training
Data Loss Prevention
IT Organization and Management Roles and Responsibilities
Monitoring
Requirements (Legal and Contractual)
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to the State of Nevada Security of Personal Information
Requirements, Subject to Joint Commission Accreditation
Level 1 Implementation: An organizational data protection and privacy policy shall be developed and
implemented. This policy shall be communicated to all persons involved in
the processing of covered information. Compliance with this policy and all
relevant data protection legislation and regulations shall be supported by
management structure and control. Responsibility for handling covered
information and ensuring awareness of the data protection principles shall
be dealt with in accordance with relevant legislation and regulations.

Technical security controls, including access controls and monitoring, and
organizational measures to protect covered information shall be
implemented.

A person responsible, such as a data protection officer, shall be appointed
to provide guidance to managers, users, and service providers on their
individual responsibilities and the specific procedures that shall be
followed.

Where required by legislation, consent shall be obtained before any
protected information (e.g. about a patient) is emailed, faxed, or
communicated by telephone conversation, or otherwise disclosed to parties
external to the organization.

If encryption is not applied because it is determined to not be reasonable or
appropriate, the organization shall document its rationale for its decision.

Covered information, at minimum, shall be rendered unusable,
unreadable, or indecipherable anywhere it is stored, including on personal
computers (laptops, desktops), portable digital media, backup media,
servers, databases, or in logs, by using any of the following approaches:
i. full disk encryption (mandatory for laptops and other mobile devices
that support full-disk encryption, see 01.x);
ii. virtual disk encryption;
iii. volume disk encryption; or
iv. file and folder encryption.

The encryption approach shall be implemented using one or a combination
of the following:
i. one-way hashes based on strong cryptography;
ii. truncation; or
iii. strong cryptography with associated key-management processes and
procedures.

The system shall implement one of the following encryption algorithms:
- AES-CBC (AES in Cipher Block Chaining mode) with a 128-bit key
minimum
- Triple DES (3DES-CBC)

If disk encryption is used (rather than file- or column-level database
encryption), logical access shall be managed independently of native
operating system access control mechanisms, and decryption keys shall not
be tied to user accounts. See NIST SP800-111 Guide to Storage Encryption
Technologies for End User Devices for more information on implementing
strong cryptography technologies.
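The three approaches listed above (one-way hash, truncation, and strong cryptography with managed keys) are shown side by side in the following Go program, an added example written for this page rather than code from HITRUST or from NIST SP 800-111. The keys are constructed placeholders standing in for a key-management process, and the sample record is made up. One caveat a practitioner should know: AES-CBC as specified on this page provides confidentiality only, not integrity, so the example adds an HMAC-SHA256 tag over the IV and ciphertext (encrypt-then-MAC) and refuses to decrypt anything whose tag does not verify; that addition goes beyond the page's minimum and is the example's own choice.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed placeholder keys: in production they come from the key management
// process, are never derived from user credentials, and never sit next to the data.
var (
	dataKey = []byte("0123456789abcdef")                 // 16 bytes: AES-128, the page's minimum
	macKey  = []byte("fedcba9876543210fedcba9876543210") // HMAC-SHA256 key (assumed encrypt-then-MAC)
	hashKey = []byte("pseudonymisation-key-from-kms")    // key for the keyed one-way hash
)

// Pseudonymize is the "one-way hash based on strong cryptography" approach:
// HMAC-SHA256 over the identifier. Keying the hash stops an attacker from
// recovering small identifier spaces (MRNs, SSNs) by hashing every candidate.
func Pseudonymize(id string) string {
	m := hmac.New(sha256.New, hashKey)
	m.Write([]byte(id))
	return hex.EncodeToString(m.Sum(nil))
}

// Truncate is the "truncation" approach: keep the last keep characters, mask the rest.
func Truncate(id string, keep int) string {
	if keep >= len(id) {
		return id
	}
	return strings.Repeat("*", len(id)-keep) + id[len(id)-keep:]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) { // caller guarantees len(b) is a non-zero multiple of 16
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt returns iv || AES-128-CBC ciphertext || HMAC-SHA256 tag. CBC alone gives
// confidentiality, not integrity: flipping a ciphertext bit silently flips plaintext
// bits. The tag over iv||ciphertext (encrypt-then-MAC) lets Decrypt reject altered
// data before it touches the padding, which also closes the CBC padding-oracle attack.
func Encrypt(plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil { // fresh random IV per record
		return nil, err
	}
	block, _ := aes.NewCipher(dataKey) // cannot fail: key length is fixed above
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(body), nil // Sum appends the tag to body
}

// Decrypt checks the tag in constant time first, then decrypts and unpads.
func Decrypt(blob []byte) ([]byte, error) {
	n := len(blob) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	body, tag := blob[:n], blob[n:]
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errors.New("authentication failed: record altered or wrong key")
	}
	block, _ := aes.NewCipher(dataKey)
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

func main() {
	blob, _ := Encrypt([]byte("MRN 10023456; dx E11.9")) // constructed sample covered information
	pt, err := Decrypt(blob)
	fmt.Printf("masked=%s roundtrip=%q err=%v\n", Truncate("10023456", 4), pt, err)
	blob[aes.BlockSize] ^= 1 // alter one ciphertext byte: Decrypt must now refuse it
	_, err = Decrypt(blob)
	fmt.Println(Pseudonymize("10023456"), err)
}
```

Holding dataKey and macKey in a service-side key store rather than deriving them from a login is what satisfies the requirement above that decryption keys not be tied to user accounts; the keyed hash suits identifiers that must be matched but never recovered, and truncation suits displays that only need a partial value such as the last four digits.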

Organizations shall explicitly identify and ensure the implementation of
security and privacy protections for the transfer of organizational records,
or extracts of such records, containing sensitive personal information to a
state or federal agency or other regulatory body that lawfully collects such
information.
Level 1 Control Standard Mapping:
- CSA IS-18
- Guidance to render PHI unusable, unreadable, or indecipherable (a)(i)
- Guidance to render PHI unusable, unreadable, or indecipherable (a)(ii)
- HIPAA §164.530(a)
- ISO/IEC 27002-2005 15.1.4
- ISO 27799-2008 7.12.2.2
- JCAHO IM.02.01.03, EP 2
- NRS 603A.210.1
- 1 TAC § 390.2(a)(4)(A)(i)
- 1 TAC § 390.2(a)(4)(A)(xv)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to the CMS Minimum Security
Requirements (High), Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:

Covered information storage shall be kept to a minimum. Limit storage
amount and retention time to that which is required for business, legal,
and/or regulatory purposes, as documented in the data retention policy.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 PL-5 (HIGH)
- CMSRs 2012v1.5 SI-12 (HIGH)
- Guidance to render PHI unusable, unreadable, or indecipherable (a)(i)
- Guidance to render PHI unusable, unreadable, or indecipherable (a)(ii)
- NIST SP800-53 R4 SI-12
- ISO 27799-2008 7.9.2.1
- NRS 603A.215.1
- PCI DSS v2 3.4
- PCI DSS v2 3.4.1

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements.

CMS Contractor Requirements

CMS Contractors: The organization shall conduct a Privacy Impact Assessment (PIA) on the
information system in accordance with OMB policy.

Control Reference: 06.e Prevention of Misuse of Information Assets

Control Specification: Users shall be deterred from using information assets for unauthorized
purposes.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Authorization
Awareness and Training
Documentation and Records
IT Organization and Management Roles and Responsibilities
Media and Assets
Personnel
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: The following procedures shall be implemented to ensure proper
authorization and use of computer information assets:
i. notification to all employees that their actions may be monitored and
that they consent to such monitoring (Note: the legality of such
monitoring must be verified in each legal jurisdiction);
ii. acceptable use agreements, signed by all employees of the organization,
contractors, and third party users, indicating that they have read,
understand, and agree to abide by the rules of behavior before
management authorizes access to the information system and its
resident information; the signed agreements shall be retained by the
organization; and
iii. requiring users to re-read and re-sign the rules of behavior at least every
three hundred sixty-five (365) days thereafter.

Management shall approve the use of information assets. If any
unauthorized activity is identified by monitoring or other means, this
activity shall be brought to the attention of the individual manager
concerned for consideration of appropriate disciplinary and/or legal action.

All employees and contractors are informed in writing that violations of
security policies may result in sanctions or disciplinary action (see 02.f).
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PL-4 (HIGH)
- CMSRs 2012v1.5 PS-8 (HIGH)
- HIPAA §164.308(a)(1)(ii)(C)
- HIPAA §164.310(b)
- NIST SP800-53 R4 PL-4
- NIST SP800-53 R4 PS-8
- NRS 603A.215.1
- PCI DSS v2 12.5.5
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:
Computer login banners shall be displayed stating:
i. the computer being accessed is private;
ii. unauthorized access is prohibited;
iii. conditions for access (including consent to monitoring and recording),
acceptable use, and access limitations; and
iv. privacy and security notices.

The user shall be required to acknowledge the login banner to continue
with the log-on.

The organization shall enforce explicit rules governing the installation of
software by users.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AC-8 (HIGH)
- ISO/IEC 27002-2005 12.5.4
- ISO/IEC 27002-2005 15.1.5
- ISO 27799-2008 7.12.2.3
- NIST SP800-53 R4 AC-8
- NIST SP800-53 R4 CM-11

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements.

CMS Contractors

CMS Contractors: The approved banner for CMS information systems shall read:
i. you are accessing a U.S. Government information system, which
includes: (1) this computer, (2) this computer network, (3) all
computers connected to this network, and (4) all devices and storage
media attached to this network or to a computer on this network. This
information system is provided for U.S. Government-authorized use
only.
ii. unauthorized or improper use of this system may result in disciplinary
action, as well as civil and criminal penalties.
iii. by using this information system, you understand and consent to the
following:
1. you have no reasonable expectation of privacy regarding any
communication or data transiting or stored on this information
system. At any time, and for any lawful Government purpose,
the Government may monitor, intercept, and search and seize
any communication or data transiting or stored on this
information system.
2. any communication or data transiting or stored on this
information system may be disclosed or used for any lawful
Government purpose.

For publicly accessible systems, the information system:
i. displays the system use information when appropriate, before granting
further access;
ii. displays references, if any, to monitoring, recording, or auditing that are
consistent with privacy accommodations for such systems that
generally prohibit those activities; and
iii. includes in the notice given to public users of the information system, a
description of the authorized uses of the system.

Control Reference: 06.f Regulation of Cryptographic Controls

Control Specification: Cryptographic controls shall be used in compliance with all relevant
agreements, laws, and regulations.
Factor Type: Organizational
Topics: Cryptography
IT Organization and Management Roles and Responsibilities
Requirements (Legal and Contractual)

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Legal advice shall be sought in relation to all relevant regulations by the
organization. Compliance with all relevant regulations shall be reviewed on
an annual basis at a minimum.
Level 1 Control Standard Mapping:
- HIPAA §164.308(a)(1)(ii)(D)
- HIPAA §164.312(a)(2)(iv)
- HIPAA §164.312(e)(2)(ii)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: Geographic Scope: Multi-state, Geographic Scope: Off-Shore (Outside U.S.)
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:
The organization shall account for any country specific regulations
governing the use of cryptographic controls which may include the
following:
i. import and/or export of computer hardware and software for
performing cryptographic functions;
ii. import and/or export of computer hardware and software which is
designed to have cryptographic functions added to it;
iii. restrictions on the usage of encryption;
iv. mandatory or discretionary methods of access by the countries to
information encrypted by hardware or software to provide
confidentiality of content; and
v. mechanisms for authentication to a cryptographic module that meets
U.S. requirements for such authentication, if applicable.

Legal advice shall be specific to either the country where the cryptographic
controls are used, or the country to which such controls are imported or
exported.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 IA-7 (HIGH)
- CMSRs 2012v1.5 SC-13 (HIGH)
- CMSRs 2012v1.5 SC-13(1) (HIGH)
- ISO/IEC 27002-2005 15.1.6
- ISO 27799-2008 7.12.2.3
- NIST SP800-53 R4 IA-7
- NIST SP800-53 R4 SC-13

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: When cryptographic mechanisms are used, the organization employs, at a
minimum, FIPS 140-2 compliant and NIST-validated cryptography to
protect unclassified information.

Objective Name: 06.02 Compliance with Security Policies and Standards and Technical
Compliance

Control Objective: To ensure that the design, operation,use and management of information
systems adhere to organizational security policies and standards.

Control Reference: 06.g Compliance with Security Policies and Standards

Control Specification: Managers shall ensure that all security procedures within their area of
responsibility are carried out correctly to achieve compliance with security
policies and standards.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Audit and Accountability
Documentation and Records
Policies and Procedures
Requirements (Legal and Contractual)
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to Joint Commission Accreditation
Level 1 Implementation: Reviews of the compliance of systems with security policies, standards and
any other security requirements (HIPAA, legal, etc.) shall be supported by
system and information owners. Compliance reviews shall be conducted by
security or audit individuals and will incorporate reviews of documented
evidence. Automated tools shall be used where possible, but manual
processes are acceptable.

Annual compliance assessments shall be conducted. If any non-compliance


is found as a result of the review, managers shall:
i. determine the causes of the non-compliance;

ii. evaluate the need for actions to ensure that non-compliance does not recur;
iii. determine and implement appropriate corrective action; and
iv. review the corrective action taken.

The results and recommendations of these reviews shall be documented and approved by management.
Level 1 Control Standard Mapping:
• COBIT 4.1 DS5.5
• COBIT 5 DSS05.07
• CSA IS-13
• HIPAA §164.308(a)(1)(ii)(D)
• HIPAA §164.308(a)(8)
• ISO/IEC 27002-2005 15.2.1
• ISO 27799-2008 7.12.3
• JCAHO IM.02.01.03, EP 8
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice:
> 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan /
Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000
Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:

The internal security organization shall regularly review the compliance of information processing
as part of a formal risk assessment process. Automated compliance tools/scans shall be used where
possible.

The organization shall employ assessors or assessment teams to monitor the security controls in the
information system on an ongoing basis as part of a continuous monitoring program. These teams will
have a level of
independence appropriate to the organization’s continuous monitoring strategy. At a minimum,
however, annual compliance assessments shall be conducted across the entire organization. Third
party independent compliance assessments shall be performed bi-annually.

The organization shall report the security state of the information system to
appropriate organizational officials monthly.

Results of reviews and corrective actions carried out shall be recorded and
these records shall be maintained. The security organization shall maintain
records of the compliance results in order to better track security trends
within the organization and to address longer term areas of concern.

The security organization shall maintain records of the compliance results (e.g., organization-defined
metrics) in order to better track security trends within the organization, respond to the results of
correlation and analysis, and to address longer term areas of concern.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 CA-1 (HIGH)
• CMSRs 2012v1.5 CA-5 (HIGH)
• CMSRs 2012v1.5 CA-5(1) (HIGH)
• CMSRs 2012v1.5 CA-7 (HIGH)
• NIST SP800-53 R4 CA-1
• NIST SP800-53 R4 CA-5
• NIST SP800-53 R4 CA-7
• NIST SP800-53 R4 CA-7(1)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall:
i. develop and submit a Plan of Action and Milestones (POA&M) for the information system within
thirty (30) days of the final results for every internal/external audit/review or test (e.g., ST&E,
penetration test) to document the organization's planned remedial actions to correct weaknesses or
deficiencies noted during the assessment of the security controls and to reduce or eliminate known
vulnerabilities in the system; and
ii. update and submit existing POA&M monthly until all the findings are resolved based on the
findings from security controls assessments, security impact analyses, and continuous monitoring
activities.

The organization shall employ automated mechanisms to help ensure that the POA&M for the
information system is accurate, up to date, and readily available.

Control Reference: 06.h Technical Compliance Checking

Control Specification: Information systems shall be regularly checked for compliance with security
implementation standards.
Factor Type: Organizational
Topics: Audit and Accountability
Requirements (Legal and Contractual)
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall check the technical security configuration of
systems. Checking shall be performed either manually, by an individual with experience with the
systems, and/or with the assistance of automated software tools. These compliance checks shall be
performed annually.

If any non-compliance is found as a result of the review, the organization shall:
i. determine the causes of the non-compliance;
ii. evaluate the need for actions to ensure that non-compliance does not recur;
iii. determine and implement appropriate corrective action; and
iv. review the corrective action taken.
Level 1 Control Standard Mapping:
• COBIT 4.1 DS5.5
• COBIT 5 DSS05.07
• HIPAA §164.308(a)(1)(ii)(D)
• HIPAA §164.308(a)(8)
• ISO/IEC 27002-2005 15.2.2
• ISO 27799-2008 7.12.3
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice:
> 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan /
Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000
Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:

Technical compliance checking shall be performed by an experienced technical specialist with the
assistance of industry standard automated tools, which generate a technical report for subsequent
interpretation. Technical compliance checks shall be performed at least annually, and more
frequently where needed based on risk as part of an official risk assessment process.

Special attention shall be drawn to compliance for the purpose of technical interoperability.

Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 CA-2(2) (HIGH)
• CMSRs 2012v1.5 CA-7 (HIGH)
• CMSRs 2012v1.5 RA-5 (HIGH)
• NIST SP800-53 R4 CA-7
• NIST SP800-53 R4 RA-5

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall include as part of security control assessments, within
every three hundred sixty-five (365) days, announced or unannounced in-depth system monitoring and
penetration testing.

The organization shall plan, schedule, and conduct automated or manual assessments on a continuous
and unannounced basis, of all CMS information systems and information systems that are processing
data on behalf of or directly for CMS including, but not limited to, in-depth monitoring of systems
and networks, vulnerability and configuration scanning, and announced penetration testing to ensure
compliance with all vulnerability mitigation procedures.
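The technical compliance check that 06.h describes (a system's security configuration compared against the organization's security implementation standards, with an automated tool producing a technical report for subsequent interpretation, and unset or deviating settings feeding the corrective-action steps i. to iv.), as an added example. This is illustration written for this page, not HITRUST CSF text or any HITRUST tool. The baseline values, the sshd_config excerpt and the host label are constructed assumptions; a real baseline would be taken from the organization's own standards.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline for an SSH daemon: setting -> (required value, rule).
# rule "eq": observed value must equal the required value (case-insensitive);
# rule "le": observed value must be an integer no greater than the required value.
# A real baseline comes from the organization's security implementation standards.
BASELINE: Dict[str, Tuple[object, str]] = {
    "Protocol": ("2", "eq"),
    "PermitRootLogin": ("no", "eq"),
    "PasswordAuthentication": ("no", "eq"),
    "X11Forwarding": ("no", "eq"),
    "MaxAuthTries": (4, "le"),
    "ClientAliveInterval": (900, "le"),
}

# Constructed sshd_config excerpt standing in for the configuration collected
# from the system under review; it is not taken from any real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding yes
"""


@dataclass
class Finding:
    setting: str
    required: object
    observed: Optional[str]   # None when the setting is absent from the configuration
    compliant: bool
    note: str


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines into a dict keyed by lower-cased keyword.

    Blank lines and '#' comments are skipped; the first occurrence of a keyword
    wins, which is how sshd itself resolves duplicates.
    """
    observed: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword with no value: skip rather than guess
        observed.setdefault(parts[0].lower(), parts[1].strip())
    return observed


def check_compliance(observed: Dict[str, str],
                     baseline: Dict[str, Tuple[object, str]] = BASELINE) -> List[Finding]:
    """Compare every baseline setting with the observed configuration."""
    findings: List[Finding] = []
    for setting, (required, rule) in baseline.items():
        value = observed.get(setting.lower())
        if value is None:
            # An unset keyword falls back to the daemon default, which the reviewer
            # cannot assume matches the baseline, so it is reported as non-compliant.
            findings.append(Finding(setting, required, None, False, "setting not present"))
        elif rule == "eq":
            ok = value.lower() == str(required).lower()
            findings.append(Finding(setting, required, value, ok, "" if ok else "value differs"))
        elif rule == "le":
            try:
                ok = int(value) <= int(required)
                note = "" if ok else "exceeds maximum"
            except ValueError:
                ok, note = False, "value is not numeric"
            findings.append(Finding(setting, required, value, ok, note))
        else:
            raise ValueError(f"unknown rule {rule!r} for {setting}")
    return findings


def non_compliant_settings(findings: List[Finding]) -> List[str]:
    """Settings that need the corrective-action steps (cause, recurrence, action, review)."""
    return sorted(f.setting for f in findings if not f.compliant)


def render_report(host: str, findings: List[Finding]) -> str:
    """Technical report for subsequent interpretation by the reviewer."""
    lines = [f"Technical compliance report for {host}"]
    for f in findings:
        status = "PASS" if f.compliant else "FAIL"
        lines.append(f"  [{status}] {f.setting}: required {f.required!r}, "
                     f"observed {f.observed!r} {f.note}".rstrip())
    failed = non_compliant_settings(findings)
    lines.append(f"{len(findings) - len(failed)} compliant, {len(failed)} non-compliant")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report("host-under-review (constructed)",
                        check_compliance(parse_config(SAMPLE_CONFIG))))
```

The design choice worth noting is how an absent setting is treated: the checker reports it as non-compliant rather than silently accepting the daemon default, because a manual reviewer "with experience with the systems" would have to confirm the default, and an automated report should surface that gap rather than hide it.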

Objective Name: 06.03 Information System Audit Considerations

Control Objective: Ensure the integrity and effectiveness of the information systems audit process.

Control Reference: 06.i Information Systems Audit Controls

Control Specification: Audit requirements and activities involving checks on operational systems
shall be carefully planned and agreed to, to minimize the risk of disruptions to business processes.
Factor Type: Organizational
Topics: Audit and Accountability
Documentation and Records
Monitoring

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: At a minimum, an annual audit planning and scoping process shall exist and
give consideration to risk, involvement of technical and business staff, other ongoing projects, and
business impacts that may impact the effectiveness of the audit.

If desired, a smaller quarterly process can be utilized to minimize impact to operations. The
quarterly process shall ensure the entire organization is audited annually.
Level 1 Control Standard Mapping:
• HIPAA §164.312(b)
• HIPAA §164.316(b)(2)(iii)
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice:
> 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan /
Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000
Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:

The organization shall develop, disseminate, and review/update annually:
i. a formal, documented audit and accountability policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities, and
compliance; and
ii. formal, documented procedures to facilitate the implementation of the audit and accountability
policy and associated audit and accountability controls.

While planning and performing operational system audits, the following shall be addressed:
i. audit requirements shall be agreed upon with appropriate management;
ii. the scope of the checks shall be agreed and controlled;
iii. the checks shall be limited to read-only access to software and data;
iv. access other than read-only shall only be allowed for isolated copies of system files, which
shall be erased when the audit is completed;
v. IT resources for performing the checks shall be explicitly identified and made available;
vi. requirements for special or additional processing shall be identified and agreed;
vii. all access shall be monitored and logged to produce a reference trail;
viii. all procedures, requirements and responsibilities shall be documented;
ix. the person(s) carrying out the audit shall be independent of the activities audited;
x. scheduling of the audits shall be performed during times of least impact to business
operations, for example, not during other audits such as financial audits, end of major financial
periods, deployments of major systems, etc.; and
xi. audits shall be scheduled in advance to ensure availability of proper individuals and systems,
and coordination of all business units.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 AU-1 (HIGH)
• CMSRs 2012v1.5 PL-2 (HIGH)
• CSA CO-01
• ISO/IEC 27002-2005 15.3.1
• ISO 27799-2008 7.12.4
• NIST SP800-53 R4 AU-1
• NIST SP800-53 R4 PL-2

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 06.j Protection of Information Systems Audit Tools

Control Specification: Access to information systems audit tools shall be protected to prevent any
possible misuse or compromise.
Factor Type: Organizational
Topics: Audit and Accountability
Authorization
User Access
Products and Services Guide: 06.j Protection of Information Systems Audit Tools

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Access to information systems audit tools shall be protected to prevent any
possible misuse or compromise.
Level 1 Control Standard Mapping:
• CSA IS-29

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice:
> 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan /
Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000
Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Information systems audit tools (e.g. software or data files) shall be
separated from development and operational systems and not held in tape libraries or user areas.
Access to these tools shall be documented and enforced per a formal procedure, restricted to
authorized individuals only, and approved by designated system owners. Use of these tools shall only
be authorized after receiving permission from system owners and as part of a documented assessment
process. Specific controls identified within the access control section shall also be enforced for
the audit tools. Audits of these controls shall be performed at least annually.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 AU-9 (HIGH)
• ISO/IEC 27002-2005 15.3.2
• ISO 27799-2008 7.12.4
• NIST SP800-53 R4 AU-9

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Category: 07.0 - Asset Management

Objective Name: 07.01 Responsibility for Assets

Control Objective: To ensure that management requires ownership and defined responsibilities for the
protection of information assets.

Control Reference: 07.a Inventory of Assets

Control Specification: All assets including information shall be clearly identified and an inventory
of all assets drawn up and maintained.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Contingency Planning
Documentation and Records
IT Organization and Management Roles and Responsibilities
Media and Assets
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall identify all assets including information and
document the importance of these assets. The asset inventories shall include all information
necessary in order to recover from a disaster, including type or classification of the asset, format,
location, backup information, license information, and a business value. The inventory shall not
duplicate other inventories unnecessarily, but it shall be ensured that the content is aligned.

Specific policies shall exist for maintaining records of organizational
property (capital and non-capital) assigned to employees, contractors, or
volunteers. Organization management shall be responsible for establishing
procedures to issue and inventory property assigned to employees.

Records of property assigned to employees shall be reviewed and updated annually. The record shall be
used to document and ensure that all property is returned to the organization upon employee
termination or transfer out of the organization or department.

Organizations that assign organization owned property to contractors shall ensure that the
procedures for assigning and monitoring the use of the property are included in the contract. If
organization owned property is assigned to volunteer workers, there shall be a written agreement
specifying how and when the property will be inventoried and how it shall be returned upon
completion of the volunteer assignment.

The organization shall create and document the process/procedure the organization intends to use
for deleting data from hard-drives prior to property transfer, exchange, or disposal/surplus. The
organization shall create and document the process/procedure the organization intends to use to
transfer, exchange or dispose of an IT-related asset (according to the organization's established
lifecycle).
Level 1 Control Standard Mapping:
• CSA FS-08
• HIPAA §164.310(d)(1)
• HIPAA §164.310(d)(2)(iii)
• PCI DSS v2 12.3.3
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice:
> 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan /
Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000
Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:

Ownership and information classification shall be agreed and documented for each of the assets.
Based on the importance of the asset, its business value and its security classification, levels of
protection commensurate with the importance of the assets shall be identified.
Level 2 Control Standard Mapping:
• ISO/IEC 27002-2005 7.1.1
• ISO 27799-2008 7.4.1
• NRS 603A.215.1
• PCI DSS v2 9.9.1

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 3 Implementation: Level 2 plus:

The organization shall create, document, and maintain a process and procedure to physically
inventory and reconcile IT asset inventory information on hand for:
i. capital assets (inventory must be conducted at least annually); and
ii. non-capital assets.

The asset inventory shall include:
i. Unique identifier and/or serial number;
ii. Information system of which the component is a part;
iii. Type of information system component (e.g., server, desktop, application);
iv. Manufacturer/model information;
v. Operating system type and version/service pack level;
vi. Presence of virtual machines;
vii. Application software version/license information;
viii. Physical location (e.g., building/room number);
ix. Logical location (e.g., IP address, position within the IS architecture);
x. Media access control (MAC) address;
xi. Ownership by position and role;
xii. Operational status;
xiii. Primary and secondary administrators; and
xiv. Primary user.

The organization shall:
i. employ automated mechanisms to scan the network no less than weekly to detect the addition of
unauthorized components/devices into the information system; and
ii. disable network access by such components/devices or notify designated organizational officials.

The organization shall implement an IT Asset Lifecycle Program, monitor its effectiveness, and make
changes as needed. The organization shall implement six stages for the lifecycle of an IT asset.
Each stage shall include the following activities:
i. planning – defining supporting processes, setting standards for configuration and retention,
aligning purchase plans to business goals, collecting aggregate information on intended purchases,
and negotiating volume discounts;
ii. procurement – requisitioning, approving requisitions, ordering, receiving, and validating
orders;
iii. deployment – tagging assets, entering asset information in a repository, and configuring and
installing assets, including:
1. disabling unnecessary or insecure services or protocols;
2. limiting servers to one primary function; and
3. defining system security parameters to prevent misuse;
iv. management – inventory/counting, monitoring usage (some software), managing contracts for
maintenance and support, and monitoring age and configuration;
v. support – adding and changing configurations, repairing devices, and relocating equipment and
software; and
vi. disposition – removing assets from service, deleting storage contents, disassembling components
for reuse, surplusing equipment, terminating contracts, disposing of equipment, and removing the
asset from active inventory.
Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 CM-8 (HIGH)
• CMSRs 2012v1.5 CM-8(1) (HIGH)
• CMSRs 2012v1.5 CM-8(2) (HIGH)
• CMSRs 2012v1.5 CM-8(4) (HIGH)
• CMSRs 2012v1.5 CM-8(5) (HIGH)
• NIST SP800-53 R4 CM-8
• NIST SP800-53 R4 CM-8(1)
• NIST SP800-53 R4 CM-8(5)
• NIST SP800-53 R4 PM-5

CMS Contractor Requirements

CMS Contractors: The organization shall employ automated mechanisms to help maintain an up-to-date,
complete, accurate and readily available inventory of information system components.

In addition to the creation of the IT Asset Lifecycle Program, the organization shall identify an
owner to manage all organization IT asset inventory and management related process and procedure
documents.

This owner shall ensure that the IT Asset Lifecycle Program will:
i. identify and document personnel with IT asset roles and responsibilities;
ii. provide procurement training to personnel with IT asset roles and responsibilities;
iii. provide procurement training material addressing the procedures and activities necessary to
fulfill IT asset roles and responsibilities;
iv. define the frequency of refresher training; and
v. provide refresher IT asset training in accordance with organization defined frequency, at least
on an annual basis.
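A worked example of the 07.a Level 3 reconciliation: the weekly network scan compared against inventory records that carry the fields listed above, with unauthorized components routed to the disable-or-notify response and the other discrepancies (a retired asset still online, a changed logical location, an operational asset that was not observed) surfaced so the inventory stays accurate and up to date, as the CMS contractor requirement asks. This is illustration added for this page, not HITRUST CSF text or any HITRUST tool; the inventory records, the scan results, the "disposed" status value and the responses for moved and unseen assets are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    """One inventory record; each comment names the Level 3 field it carries."""
    asset_id: str               # i.   unique identifier / serial number
    system: str                 # ii.  information system the component belongs to
    component_type: str         # iii. server, desktop, application ...
    make_model: str             # iv.  manufacturer / model
    os_version: str             # v.   operating system type and version
    physical_location: str      # viii. building / room
    ip: Optional[str]           # ix.  logical location (None once disposed)
    mac: str                    # x.   media access control address
    owner_role: str             # xi.  ownership by position and role
    status: str                 # xii. "operational" or "disposed" (constructed values)
    admins: List[str] = field(default_factory=list)  # xiii. primary/secondary administrators
    primary_user: str = ""      # xiv. primary user


@dataclass
class Seen:
    """One device reported by the weekly network scan."""
    mac: str
    ip: str


@dataclass
class Reconciliation:
    unauthorized: List[Seen] = field(default_factory=list)          # on the network, not in inventory
    retired_but_active: List[Tuple[Asset, Seen]] = field(default_factory=list)  # disposed, yet online
    moved: List[Tuple[Asset, Seen]] = field(default_factory=list)   # inventory IP differs from observed
    unseen: List[Asset] = field(default_factory=list)               # operational per inventory, not seen
    matched: List[Asset] = field(default_factory=list)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory: List[Asset], scan: List[Seen]) -> Reconciliation:
    """Match scan results to inventory by MAC and classify every discrepancy."""
    by_mac: Dict[str, Asset] = {}
    for asset in inventory:
        key = normalize_mac(asset.mac)
        if key in by_mac:
            raise ValueError(f"duplicate MAC in inventory: {asset.mac}")
        by_mac[key] = asset
    result, observed = Reconciliation(), set()
    for seen in scan:
        key = normalize_mac(seen.mac)
        observed.add(key)
        asset = by_mac.get(key)
        if asset is None:
            result.unauthorized.append(seen)
        elif asset.status != "operational":
            result.retired_but_active.append((asset, seen))
        elif asset.ip != seen.ip:
            result.moved.append((asset, seen))
        else:
            result.matched.append(asset)
    result.unseen = [a for k, a in by_mac.items()
                     if a.status == "operational" and k not in observed]
    return result


def actions(result: Reconciliation) -> List[Tuple[str, str]]:
    """Responses per finding. Unauthorized devices get the disable-or-notify
    response the requirement names; the other three responses are assumptions."""
    todo = [(normalize_mac(s.mac), "unauthorized: disable network access and notify officials")
            for s in result.unauthorized]
    todo += [(a.asset_id, f"recorded as {a.status!r} but active at {s.ip}: notify officials")
             for a, s in result.retired_but_active]
    todo += [(a.asset_id, f"logical location changed {a.ip} -> {s.ip}: update inventory")
             for a, s in result.moved]
    todo += [(a.asset_id, "not observed this scan: verify operational status")
             for a in result.unseen]
    return todo


# Constructed sample data; no real organization, host or address is described.
INVENTORY = [
    Asset("SRV-001", "Claims Processing", "server", "Vendor model A", "RHEL 7.9",
          "Bldg A / Rm 101", "10.0.1.10", "00:11:22:33:44:55", "Infrastructure Manager",
          "operational", ["admin.one", "admin.two"]),
    Asset("WS-042", "Claims Processing", "desktop", "Vendor model B", "Windows 10 21H2",
          "Bldg B / Rm 210", "10.0.2.20", "00-11-22-33-44-66", "Claims Supervisor",
          "operational", ["admin.one"], "j.doe"),
    Asset("SRV-009", "Legacy Billing", "server", "Vendor model C", "RHEL 6.10",
          "Surplus storage", None, "00:11:22:33:44:77", "Infrastructure Manager", "disposed"),
]
WEEKLY_SCAN = [
    Seen("00:11:22:33:44:55", "10.0.1.10"),  # SRV-001 where the inventory expects it
    Seen("00:11:22:33:44:77", "10.0.1.99"),  # SRV-009 is recorded as disposed
    Seen("AA:BB:CC:DD:EE:FF", "10.0.2.50"),  # not in the inventory at all
]

if __name__ == "__main__":
    for ident, what in actions(reconcile(INVENTORY, WEEKLY_SCAN)):
        print(f"{ident}: {what}")
```

Matching is keyed on the MAC address (field x.) rather than the IP address (field ix.) because the logical location is expected to change over an asset's life and is itself one of the things the reconciliation verifies; a duplicate MAC in the inventory is rejected up front because it would make every later classification ambiguous.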

Control Reference: 07.b Ownership of Assets

Control Specification: All information and assets associated with information processing systems
shall be owned by a designated part of the organization.
Factor Type: Organizational
Topics: IT Organization and Management Roles and Responsibilities
Media and Assets

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: All information systems shall be documented including an assigned owner of
responsibility.
Level 1 Control Standard Mapping:
• CSA DG-01
• CSA FS-08
• HIPAA §164.310(d)(1)
• HIPAA §164.310(d)(2)(iii)
• NRS 603A.215.1
• PCI DSS v2 12.3.4
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice:
> 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan /
Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000
Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

The asset owner (e.g. individual responsible) shall be responsible for:
i. ensuring that information and assets associated with information processing systems are
appropriately classified; and
ii. defining and periodically (at a minimum, annually) reviewing access restrictions and
classifications, taking into account applicable access control policies.

Responsibility may be allocated to:
i. a business process;
ii. a defined set of activities;
iii. an application; or
iv. a defined set of data.

The organization shall create and document the process/procedures the organization intends to use
to ensure that appropriate software licensing agreements for software used by organization
employees are in place and that the organization is in compliance with those agreements. All
information and assets associated with information processing systems
shall be assigned responsibility to a designated part of the organization. All
information shall have an information owner or owners (e.g. designated
individuals responsible) established within the organization's lines of
business.

The information owner(s) shall be responsible to:
i. create an initial information classification, including assigning
classification levels to all data;
ii. approve decisions regarding controls, access privileges of users, and
ongoing decisions regarding information management;
iii. ensure the information will be regularly reviewed for value and updates
to manage changes to risks due to new threats, vulnerabilities, or
changes in the environment;
iv. perform reclassification on an organization-defined time frame
based upon business impact analysis, changing business priorities
and/or new laws, regulations, and security standards; and
v. follow the organization's archive document retention rules regarding
proper disposition of all information assets.

When a person(s) designated as information owner no longer has the
responsibility due to departure, transfer or reassignment, the organization
shall appoint a new information owner(s) in a timely manner to ensure no
lapse in accountability and responsibility for information assets.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 CM-8 (HIGH)
- ISO/IEC 27002-2005 7.1.2
- ISO 27799-2008 7.4.1
- NIST SP800-53 R4 CM-8

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements



Control Reference: 07.c Acceptable Use of Assets

Control Specification: Rules for the acceptable use of information and assets
associated with information processing systems shall be identified,
documented, and implemented.
*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Awareness and Training
Documentation and Records
Media and Assets
Personnel

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA
Compliance, Subject to State of Massachusetts Data Protection Act, Subject to
Joint Commission Accreditation, Subject to the CMS Minimum Security
Requirements (High)
Level 1 Implementation:
The organization shall establish and make readily available to all
information system users a set of rules that describe their responsibilities
and expected behavior with regard to information and information system
usage. Employees, contractors and third party users using or having access
to the organization's assets shall be aware of the limits existing for their use
of the organization's information and assets associated with information
processing facilities, and resources. They shall be responsible for their use
of any information processing resources, and of any such use carried out
under their responsibility.

Acceptable use shall address:
i. rules for electronic mail and Internet usage; and
ii. guidelines for the use of mobile devices, especially for use outside
the premises of the organization.

The organization shall include in the rules of behavior explicit restrictions
on the use of social media and networking sites, posting information on
commercial websites, and sharing information system account information.

Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PL-4 (HIGH)
- CSA IS-26
- ISO/IEC 27002-2005 7.1.3
- ISO 27799-2008 7.4.1
- JCAHO IM.02.01.03, EP 1
- NIST SP800-53 R4 PL-4
- NIST SP800-53 R4 PL-4 (1)
- NRS 603A.215.1
- PCI DSS v2 12.3
- PCI DSS v2 12.3.1
- PCI DSS v2 12.3.5
- (State of Mass.) 201 CMR 17.03(2)(c)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements


Objective Name: 07.02 Information Classification

Control Objective: To ensure that information receives an appropriate and
consistent level of protection.

Control Reference: 07.d Classification Guidelines

Control Specification: Information shall be classified in terms of its value,
legal requirements, sensitivity, and criticality to the organization.
Factor Type: Organizational
Topics: Audit and Accountability
IT Organization and Management Roles and Responsibilities
Media and Assets

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation:
Organizations processing protected health information shall uniformly
classify such data as confidential, which means that there are limitations to
its disclosure within the organization and externally.
Level 1 Control Standard Mapping:
- HIPAA §164.308(a)(1)(ii)(A)
- HIPAA §164.308(a)(1)(ii)(B)
- HIPAA §164.308(a)(1)(ii)(E)
- NIST SP800-53 R4 RA-2
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000 Records
Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical
Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: >
1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to Joint Commission Accreditation, Subject
to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
The organization shall categorize (classify) records by type (e.g. accounting
records, database records, transaction logs, audit logs and operational
procedures) with details of storage media and document the results.

Classifications and associated protective controls for information shall take
account of:
i. business needs for sharing or restricting information;
ii. the business impacts associated with such needs; and
iii. the aggregation effect (see 9.p).

Classification guidelines shall include conventions for initial classification
and reclassification over time in accordance with the access control policy.

It shall be the responsibility of the asset owner (see 7.b) to:
i. define the classification of an asset;
ii. periodically review the classification;
iii. ensure it is kept up to date; and
iv. ensure it is at the appropriate level.

Consideration shall be given to the number of classification categories and
the benefits to be gained from their use. Overly complex schemes can
become cumbersome and uneconomic to use or prove impractical.

The level of protection shall be assessed by analyzing confidentiality,
integrity and availability and any other requirements for the information
considered.

Organizations shall identify, record, and control inventory items that have a
high risk of loss such as computer and electronic equipment and hand tools
and instruments. Personal property meeting the definition of capital assets
shall be capitalized, tagged with an organization identification tag and
property control number, listed on the capital asset property inventory, and
physically inventoried at least annually. Discrepancies shall be investigated.



Documentation that a physical inventory has been taken, for all locations,
shall be retained in the organization's central accounting office.

The organization shall create and document process and procedure to affix
an organization identification tag to:
i. newly purchased IT-related assets (tagging required prior to
deployment in the computing environment);
ii. existing non-capital assets (tagging required within 1 year); and
iii. existing capital assets (tagging required within 1 year).

Care shall be taken in interpreting classification labels on documents from
other organizations, which may have different definitions for the same or
similarly named labels.

The organization shall document security categorizations (including
supporting rationale) in the security plan for the information system.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 RA-2 (HIGH)
- CSA DG-02
- ISO/IEC 27002-2005 7.2.1
- ISO 27799-2008 7.4.2.1
- JCAHO IM.02.01.03, EP 5

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 07.e Information Labeling and Handling

Control Specification: An appropriate set of procedures for information
labeling and handling shall be developed and implemented in accordance with
the classification scheme adopted by the organization.
Factor Type: Organizational
Topics: Media and Assets


Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act
Level 1 Implementation:
Organizations shall physically and/or electronically label and handle
sensitive information commensurate with the risk of the information or
document. Care shall be given to ensure patient information subject to
special handling, e.g., HIV test results and mental health and substance
abuse-related records, is identified and appropriate labeling and handling
requirements are expressly defined and implemented consistent with
applicable federal and state legislative and regulatory requirements and
industry guidelines. The labeling shall reflect the classification according to
the rules in the information classification policy. Items to include are
printed reports, screen displays, recorded media (e.g. tapes, disks, CDs),
electronic messages, and file transfers.

All electronic, paper and physically recorded information assets shall be
disposed of in a manner consistent with the information asset classification
of the information and comply with applicable archive laws, rules and
regulations.
Level 1 Control Standard Mapping:
- CSA DG-03
- HIPAA §164.310(b)
- HIPAA §164.310(c)
- HIPAA §164.310(d)(1)
- (State of Mass.) 201 CMR 17.03(2)(g)
- 1 TAC § 390.2(a)(1)
- 1 TAC § 390.2(a)(4)(A)(ii)
- 1 TAC § 390.2(a)(4)(A)(vi)
- 1 TAC § 390.2(a)(4)(A)(vii)
- 1 TAC § 390.2(a)(4)(B)(iv)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000 Records
Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical
Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: >
1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA
Compliance
Level 2 Implementation: Level 1 plus:
Procedures for information labeling shall cover information assets in
physical and electronic formats, supported by automated tools. Output
from systems containing information that is classified as being sensitive or
critical shall carry an appropriate classification label (in the output). For
each classification level, handling procedures including the secure
processing, storage, transmission, declassification, and destruction shall be
defined. This shall also include the procedures for chain of custody and
logging of any security relevant event.

Agreements with other organizations that include information sharing shall
include procedures to identify the classification of that information and to
interpret the classification labels from other organizations.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 MP-3 (HIGH)
- ISO/IEC 27002-2005 7.2.2
- NIST SP800-53 R4 MP-3
- NRS 603A.215.1
- PCI DSS v2 9.7.1

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on
Research and Development Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: >
7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees,
Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information
Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to the CMS Minimum Security Requirements
(High)


Level 3 Implementation: Level 2 plus:
Organizations shall establish a classification schema to differentiate
between various levels of sensitivity and value. Information assets shall be
classified according to their level of sensitivity as follows:
- Level 1: Low-sensitivity information. Information that is not
protected from disclosure and that, if disclosed, will not jeopardize the
privacy or security of employees, clients, and partners. This includes
information regularly made available to the public via electronic,
verbal or hard copy.
- Level 2: Sensitive information that may not be protected from
public disclosure but that is not made easily and readily available. The
organization shall follow its disclosure policies and procedures
before providing this information to external parties.
- Level 3: Sensitive information intended for limited business use
that can be exempt from public disclosure because, among other
reasons, such disclosure will jeopardize the privacy or security of
employees, clients, or partners.
- Level 4: Information that is deemed extremely sensitive and is
intended for use by named individuals only. This information is
typically exempt from public disclosure. Users of health information
systems shall be notified and made aware when the data they are
accessing contains personal health information.
Information belonging to different classification levels shall be logically or
physically separated. Whenever possible, information assets classified as
"Critical" shall be stored in a separate, secure area.

All information systems processing covered information (e.g. PHI) shall
inform users of the confidentiality of covered information accessible from
the system (e.g. at start-up or log-in).
Level 3 Control Standard Mapping:
- ISO 27799-2008 7.4.2.2

Texas Covered Entities

Texas Covered Entities: Freestanding emergency medical facilities shall
implement the Health and Human Services Executive Commissioner's minimum
standards for the contents, maintenance, and release of medical records and
shall designate an individual to be in charge of the creation, maintenance and
disposal of medical records per TAC § 131.53, including the confidentiality,
security and safe storage of medical records throughout the record's lifecycle.



CMS Contractor Requirements

CMS Contractors: The organization may exempt specific types of media or
hardware components, as specified, in writing, by the CIO or his/her
designated representative, from marking as long as the exempted items remain
within a secure environment.



Control Category: 08.0 - Physical and Environmental Security

Objective Name: 08.01 Secure Areas

Control Objective: To prevent unauthorized physical access, damage, and
interference to the organization's premises and information.

Control Reference: 08.a Physical Security Perimeter

Control Specification: Security perimeters (barriers such as walls, card
controlled entry gates or manned reception desks) shall be used to protect
areas that contain information and information assets.
Factor Type: Organizational
Topics: Authorization
Physical and Facility Security
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation:
Computers that store or process covered information shall not be located in
areas that are unattended and have unrestricted access by the public. These
computers shall be located in rooms with doors and windows that shall be
locked when unattended, and external protection shall be considered for
windows, particularly at ground level (public, sensitive and restricted areas).

Perimeters of a building or site containing information assets shall be
physically sound; there shall be no gaps in the perimeter or areas where a
break-in could easily occur. The external walls of the site shall be of solid
construction and all external doors shall be protected against unauthorized
access with control mechanisms (e.g. bars, alarms, locks etc.).



Level 1 Control Standard Mapping:
- CSA FS-03
- HIPAA §164.310(a)(1)
- HIPAA §164.310(a)(2)(iii)
- HIPAA §164.310(b)
- HIPAA §164.310(c)
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000 Records
Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical
Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: >
1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:
Security perimeters, such as any boundaries where security controls are in
place to protect assets from unauthorized access, shall be clearly defined,
and the siting and strength of each of the perimeters shall depend on the
security requirements of the assets within the perimeter (public, sensitive
and restricted areas).

A manned reception area or other means to control physical access to the
site or building shall be in place. Access to sites and buildings shall be
restricted to authorized personnel only (sensitive and restricted areas).
Different levels of scrutiny shall be applied to public areas in which non-
employees are expected, such as exam rooms, hallways, nurse stations,
communications closets, and data centers.

Physical barriers shall, where applicable, be built to prevent unauthorized
physical access and environmental contamination (sensitive and restricted
areas). Any repairs or modifications to the physical components of a facility
which are related to security (for example, hardware, walls, doors, and
locks) shall be documented and retained in accordance with the
organization's retention policy.

All fire doors on a security perimeter shall be alarmed, monitored, and
tested in conjunction with the walls to establish the required level of
resistance in accordance with suitable regional, national, and international
standards. They shall operate in accordance with local fire code in a
fail-safe manner.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 SC-24 (HIGH)
- NRS 603A.215.1
- PCI DSS v2 9.1

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on
Research and Development Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: >
7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees,
Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information
Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS
Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
Information assets and facilities managed by the organization shall be
physically separated from those managed by third parties.

Two (2) barriers to access covered information under normal security shall
be required:
i. secured perimeter/locked container;
ii. locked perimeter/secured interior; or
iii. locked perimeter/security container.

Covered information shall be containerized in areas where other than
authorized employees may have access after hours.
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 PE-3 (HIGH)
- CMSRs 2012v1.5 PE-3(1) (HIGH)
- ISO/IEC 27002-2005 9.1.1
- ISO 27799-2008 7.6.1.1
- NIST SP800-53 R4 PE-3
- NIST SP800-53 R4 PE-3(1)

Control Reference: 08.b Physical Entry Controls

Control Specification: Secure areas shall be protected by appropriate entry
controls to ensure that only authorized personnel are allowed access.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Authentication
Authorization
Documentation and Records
Monitoring
Physical and Facility Security
Third Parties and Contractors
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation:
At a minimum, the organization:
i. develops and maintains a list of individuals with authorized access to
the facility where the information system resides;
ii. issues authorization credentials; and
iii. reviews and approves the access list and authorization credentials
periodically but no less than quarterly, removing individuals from the
access list when access is no longer required.

For facilities where the information system resides, the organization shall
enforce physical access authorizations, maintain physical access audit logs,
and provide security safeguards the organization determines are necessary
for areas officially designated as publicly accessible.



The organization shall maintain visitor access logs for facilities where
information systems reside (except those areas officially designated as
publicly accessible) and review visitor records periodically but no less than
quarterly.

All visitors shall be escorted and supervised (their activities monitored)
unless their access has been previously approved. Access to areas where
covered information is processed or stored shall be controlled and
restricted to authorized persons only.

Third party support service personnel shall be granted restricted access to
secure areas or covered information processing facilities only when
required. This access shall be authorized and monitored. Any repairs or
modifications to the physical components of a facility which are related to
security (for example, hardware, walls, doors, and locks) shall be
documented and retained in accordance with the organization's retention
policy.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PE-2 (HIGH)
- CMSRs 2012v1.5 PE-3 (HIGH)
- CMSRs 2012v1.5 PE-8 (HIGH)
- CSA FS-02
- CSA FS-04
- HIPAA §164.310(a)(1)
- HIPAA §164.310(a)(2)(iii)
- HIPAA §164.310(b)
- HIPAA §164.310(c)
- NIST SP800-53 R4 PE-3
- PCI DSS v2 9.3.1
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000 Records
Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical
Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: >
1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:
A visitor log shall be required including:
i. the date and time of entry and departure;
ii. the visitor's name;
iii. the organization represented; and
iv. the employee authorizing physical access.

The log shall be reviewed no less than monthly and upon occurrence of
organization-defined security events, and retained for at least three months
in accordance with the organization's retention policy. Visitors shall only
be granted access for specific and authorized purposes and shall be issued
with instructions on the security requirements of the area and on
emergency procedures.

Authentication controls (e.g. access control card plus PIN) shall be used to
authorize and validate all access. An audit trail of all access shall be securely
maintained. All employees, contractors and third party users and all visitors
shall be required to wear some form of visible identification and shall
immediately notify security personnel if they encounter unescorted visitors
and anyone not wearing visible identification. Visitors shall be given a
badge or access device that identifies them as non-employees, and they
shall be required to surrender the badge or device before leaving the facility
or upon expiration.

Access rights to secure areas shall be regularly reviewed, at a minimum
every 90 days, and updated and revoked when necessary.

A restricted area, security room, or locked room is used to control access to
areas containing covered information. These areas will be controlled
accordingly.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 PE-6 (HIGH)
- ISO/IEC 27002-2005 9.1.2
- ISO 27799-2008 7.6.1.2
- NIST SP800-53 R4 PE-6
- NRS 603A.215.1
- PCI DSS v2 9.1
- PCI DSS v2 9.2
- PCI DSS v2 9.3
- PCI DSS v2 9.3.2
- PCI DSS v2 9.3.3
- PCI DSS v2 9.4


Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year,
Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed
Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors):
> 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information
Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 3 Implementation: Level 2 plus:
Doors to internal secure areas shall lock automatically, implement a door
delay alarm, and be equipped with electronic locks (e.g. keypad, card
swipe).

The organization shall inventory physical access devices within every
ninety (90) days. Combinations and keys shall be changed within every
three hundred and sixty-five (365) days and when keys are lost,
combinations are compromised, or individuals are transferred or
terminated.

Intruder detection systems shall be installed to national, regional or
international standards and regularly tested, at a minimum annually, to
cover all external doors and accessible windows. Unoccupied areas shall be
alarmed at all times. Cover shall also be provided for other areas (e.g.
computer room or communications rooms), specifically sensitive and
restricted areas.

The organization shall monitor real-time physical intrusion alarms and
surveillance equipment.
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 PE-3(1) (HIGH)
- CMSRs 2012v1.5 PE-6(1) (HIGH)
- CMSRs 2012v1.5 PE-6(2) (HIGH)
- NIST SP800-53 R4 PE-6(1)

CMS Contractor Requirements



CMS Contractors: The organization enforces physical access authorizations to the
information system independent of the physical access controls for the facility.

The organization shall employ automated mechanisms to facilitate the
maintenance and review of access records.

The organization employs automated mechanisms to recognize potential
intrusions and initiate designated response actions.

Control Reference: 08.c Securing Offices, Rooms, and Facilities

Control Specification: Physical security for offices, rooms, and facilities shall be
designed and applied.
Factor Type: Organizational
Topics: Physical and Facility Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Account shall be taken of relevant health and safety regulations
and standards when securing facilities.
Level 1 Control Standard Mapping:
- HIPAA §164.310(a)(1)
- HIPAA §164.310(a)(2)(iii)
- HIPAA §164.310(b)
- HIPAA §164.310(c)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and
Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed
Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors):
> 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:
Critical facilities shall be sited to avoid access by the public. For particularly
sensitive and restricted facilities (e.g. data centers and communication
closets) buildings shall be unobtrusive and give minimum indication of
their purpose, with no obvious signs, outside or inside the building
identifying the presence of information processing activities. Directories
and internal telephone books identifying locations of covered information
processing facilities shall not be readily accessible by the public.

Video cameras or other access control mechanisms shall be implemented
and secured to monitor individual physical access to sensitive areas. These
devices shall be protected from tampering or disabling. The results of the
mechanisms shall be reviewed regularly and correlated with other entries
and access control information (e.g. audit trails, sign-in sheets,
authorization levels, maintenance logs). The information from cameras or
other access control mechanisms shall be stored for at least three months in
accordance with the organization's retention policy.

Automated mechanisms shall be used to recognize potential intrusions and
initiate designated response actions. The organization shall coordinate the
results of reviews and investigations with the organization's incident
response capability.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 PE-3 (HIGH)
- CMSRs 2012v1.5 PE-4 (HIGH)
- COBIT 4.1 DS5.7
- COBIT 5 DSS05.05
- CSA FS-01
- ISO/IEC 27002-2005 9.1.3
- ISO 27799-2008 7.6.1.2
- NIST SP800-53 R4 PE-3
- NIST SP800-53 R4 PE-4
- NRS 603A.215.1
- PCI DSS v2 9.1.1



Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 08.d Protecting Against External and Environmental Threats

Control Specification: Physical protection against damage from fire, flood, earthquake,
explosion, civil unrest, and other forms of natural or man-made disaster shall be
designed and applied.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Awareness and Training
Physical and Facility Security
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall develop, disseminate, and review/update
annually:
i. formal, documented physical and environmental protection policy that
addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and
compliance; and


ii. formal, documented procedures to facilitate the implementation of the
physical and environmental protection policy and associated physical
and environmental protection controls.

The following controls shall be implemented to avoid damage from fire,
flood, earthquake, explosion, civil unrest, and other forms of natural or
man-made disaster:
i. appropriate fire extinguishers shall be located throughout the facility,
and shall be no more than 50 feet away from critical electrical
components; and
ii. fire detectors (e.g. smoke or heat activated) shall be installed on and in
the ceilings and floors.

Fire authorities shall be automatically notified when a fire alarm is
activated.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PE-1 (HIGH)
- CMSRs 2012v1.5 PE-13(3) (HIGH)
- CSA RS-06
- HIPAA §164.310(a)(1)
- HIPAA §164.310(a)(2)(ii)
- HIPAA §164.310(a)(2)(iii)
- ISO/IEC 27002-2005 9.1.4
- ISO 27799-2008 7.6.1.2
- NIST SP800-53 R4 PE-1
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and
Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed
Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors):
> 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None



Level 2 Implementation: Level 1 plus:
Any security threats presented by neighboring premises shall be identified
(e.g. a fire in a neighboring building, water leaking from the roof or in floors
below ground level or an explosion in the street).

Fire prevention training shall be included in the regular training programs
provided to the organization's personnel.

Appropriate fire suppression systems (e.g. sprinklers, gas) shall be
implemented throughout the building and within secure areas containing
information processing devices. For facilities not staffed continuously, these
devices shall be automated.

The building's HVAC system shall be configured to automatically shut down
upon fire detection.
Level 2 Control Standard Mapping:
- CSA RS-05
- NIST SP800-53 R4 PE-13(2)

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year,
Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed
Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors):
> 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information
Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 3 Implementation: Level 2 plus:
Water detectors shall be located in the dropped ceilings and raised floors to
detect leaks or possible flooding. The organization shall protect the
information systems from damage resulting from water leakage by
providing master shutoff or isolation valves that are accessible, working
properly, and known to key personnel.

Fire suppression and detection devices/systems shall be implemented and
maintained, and shall be supported by an independent energy source.


Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 PE-13 (HIGH)
- CMSRs 2012v1.5 PE-13(1) (HIGH)
- CMSRs 2012v1.5 PE-13(2) (HIGH)
- CMSRs 2012v1.5 PE-15 (HIGH)
- CMSRs 2012v1.5 PE-15(1) (HIGH)
- NIST SP800-53 R4 PE-13
- NIST SP800-53 R4 PE-13(1)
- NIST SP800-53 R4 PE-15

CMS Contractor Requirements

CMS Contractors: For critical information systems in unattended or unmonitored areas
subject to water leaks or flooding, the organization employs mechanisms that,
without the need for manual intervention, protect the information system
from water damage.

Fire detection devices/systems shall activate automatically and notify the
organization and emergency responders in the event of a fire.

Control Reference: 08.e Working in Secure Areas

Control Specification: Physical protection and guidelines for working in secure areas shall
be designed and applied.
Factor Type: Organizational
Topics: Personnel
Physical and Facility Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The arrangements for working in secure areas shall include controls
for the employees, contractors, and third party users working in the secure area, as
well as other third party activities taking place there.


Personnel shall only be aware of the existence of, or activities within, a
secure area on a need to know basis. Unsupervised working in secure areas
shall be avoided both for safety reasons and to prevent opportunities for
malicious activities. Vacant secure areas shall be physically locked and
periodically checked.

Visitor records shall contain:
i. name and organization of the person visiting;
ii. signature of the visitor;
iii. form of identification;
iv. date of access;
v. time of entry and departure;
vi. purpose of visit; and
vii. name and organization of person visited.

Photographic, video, audio or other recording equipment, such as cameras
in mobile devices, shall not be allowed unless otherwise authorized.
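Applying the visitor-record items above, together with the review cadence, badge-surrender and three-month retention minimum stated under 08.b Level 2, as an added Python example that is not part of the CSF text; the record layout, field names and sample log entries are assumptions constructed for illustration.

```python
"""Visitor-log review helpers for the CSF requirements above (08.b Level 2
and 08.e Levels 1-2).  Added example, not HITRUST text: the record layout,
field names and sample entries are assumptions constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# The seven items a visitor record must contain (08.e Level 1), split into
# the fields of the assumed record layout.  Departure time is checked apart.
REQUIRED_FIELDS = (
    "visitor_name", "visitor_org", "signature", "id_form",
    "access_date", "time_in", "purpose", "host_name", "host_org",
)
MONTHLY_REVIEW_DAYS = 31   # 08.b Level 2: log reviewed no less than monthly
WEEKLY_REVIEW_DAYS = 7     # 08.e Level 2: physical access logs reviewed weekly
MIN_RETENTION_DAYS = 90    # 08.b Level 2: retained for at least three months
                           # (CSF minimum; the organization's own retention
                           # policy may require longer)


@dataclass
class VisitorRecord:
    visitor_name: str
    visitor_org: str
    signature: str
    id_form: str            # form of identification presented
    access_date: date
    time_in: datetime
    time_out: Optional[datetime]
    purpose: str
    host_name: str          # person visited / employee authorizing access
    host_org: str
    badge_returned: bool    # 08.b Level 2: badge surrendered before leaving


def record_findings(rec: VisitorRecord) -> list[str]:
    """Return the deviations for one record; an empty list means compliant."""
    findings = []
    for name in REQUIRED_FIELDS:
        value = getattr(rec, name)
        if value is None or (isinstance(value, str) and not value.strip()):
            findings.append(f"missing {name}")
    if rec.time_out is None:
        # Entry without departure: the visitor may still be on site, or the
        # log was never completed; either way the record needs follow-up.
        findings.append("no departure time recorded")
    else:
        if rec.time_out < rec.time_in:
            findings.append("departure before entry")
        if not rec.badge_returned:
            findings.append("badge not surrendered on departure")
    return findings


def review_log(records: list[VisitorRecord], today: date,
               last_review: date, cadence_days: int) -> dict:
    """Evaluate a whole log: per-record deviations, whether the periodic
    review is overdue, and which entries fall inside the retention minimum."""
    def age(rec: VisitorRecord) -> int:
        return (today - rec.access_date).days

    return {
        "record_findings": {i: f for i, r in enumerate(records)
                            if (f := record_findings(r))},
        "review_overdue": (today - last_review).days > cadence_days,
        "must_retain": [i for i, r in enumerate(records)
                        if age(r) < MIN_RETENTION_DAYS],
        "disposal_eligible": [i for i, r in enumerate(records)
                              if age(r) >= MIN_RETENTION_DAYS],
    }


# Constructed sample log (not real data) with a reference date of 2014-06-30.
TODAY = date(2014, 6, 30)
LAST_MONTHLY_REVIEW = date(2014, 5, 15)   # 46 days ago: monthly review overdue
LAST_WEEKLY_REVIEW = date(2014, 6, 27)    # 3 days ago: weekly review on time
SAMPLE_LOG = [
    VisitorRecord("A. Visitor", "Vendor Co", "signed", "driver licence",
                  date(2014, 6, 2), datetime(2014, 6, 2, 9, 5),
                  datetime(2014, 6, 2, 11, 40), "server maintenance",
                  "J. Host", "Facilities", True),
    # Missing form of ID and purpose, badge not handed back.
    VisitorRecord("B. Visitor", "Audit LLP", "signed", "",
                  date(2014, 6, 9), datetime(2014, 6, 9, 13, 0),
                  datetime(2014, 6, 9, 16, 30), "",
                  "K. Host", "Compliance", False),
    # Never signed out; old enough to be past the three-month minimum.
    VisitorRecord("C. Visitor", "Courier", "signed", "passport",
                  date(2014, 3, 3), datetime(2014, 3, 3, 8, 0),
                  None, "delivery", "L. Host", "Receiving", True),
]

if __name__ == "__main__":
    result = review_log(SAMPLE_LOG, TODAY, LAST_MONTHLY_REVIEW, MONTHLY_REVIEW_DAYS)
    for idx, findings in result["record_findings"].items():
        print(f"record {idx}: {'; '.join(findings)}")
    print("monthly review overdue:", result["review_overdue"])
    print("must retain:", result["must_retain"],
          "disposal eligible:", result["disposal_eligible"])
```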
Level 1 Control Standard Mapping:
- HIPAA §164.310(a)(1)
- HIPAA §164.310(a)(2)(iii)
- HIPAA §164.310(b)
- HIPAA §164.310(c)
- ISO/IEC 27002-2005 9.1.5
- ISO 27799-2008 7.6.1.2
- NIST SP800-53 R4 PE-2
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and
Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed
Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors):
> 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:



Physical access logs shall be reviewed weekly. The organization shall
coordinate the results of reviews and investigations with the organization's
incident response capability.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 PE-2 (HIGH)
- CMSRs 2012v1.5 PE-3 (HIGH)
- CMSRs 2012v1.5 PE-6 (HIGH)
- CMSRs 2012v1.5 PE-8 (HIGH)
- CMSRs 2010v1.0 PE-8(1) (HIGH)
- CMSRs 2012v1.5 PE-8(2) (HIGH)
- COBIT 4.1 DS5.7
- COBIT 5 DSS05.05
- NIST SP800-53 R4 PE-6

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization maintains a record of all physical access, both visitor
and authorized individuals, and employs automated mechanisms to facilitate the
maintenance and review of access records.

Control Reference: 08.f Public Access, Delivery, and Loading Areas

Control Specification: Access points such as delivery and loading areas and other points
where unauthorized persons may enter the premises shall be controlled and, if possible,
isolated from information processing facilities to avoid unauthorized access.
Factor Type: Organizational
Topics: Media and Assets
Physical and Facility Security
User Access


Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 1 Implementation: Access to a delivery and loading area from outside of the building
shall be restricted to identified and authorized personnel. The delivery and loading
area shall be designed so that supplies can be unloaded without delivery
personnel gaining access to other parts of the building. The external doors
of a delivery and loading area shall be secured when the internal doors are
opened.

Incoming material shall be registered in accordance with asset management
procedures on entry to the site. Incoming and outgoing shipments shall be
physically segregated, where possible.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PE-16 (HIGH)
- CSA FS-05
- NIST SP800-53 R4 PE-16

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and
Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed
Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors):
> 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:



Incoming material shall be inspected for potential threats before this
material is moved from the delivery and loading area to the point of use.
Level 2 Control Standard Mapping:
- ISO/IEC 27002-2005 9.1.6
- ISO 27799-2008 7.6.1.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 08.02 Equipment Security

Control Objective: To prevent loss, damage, theft or compromise of assets and interruption
to the organization's activities.

Control Reference: 08.g Equipment Siting and Protection

Control Specification: Equipment shall be sited or protected to reduce the risks from
environmental threats and hazards, and opportunities for unauthorized access.
Factor Type: Organizational
Topics: Media and Assets
Physical and Facility Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None


Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: Guidelines for eating, drinking, and smoking in proximity to
information assets shall be established.

Lightning protection shall be applied to all buildings, and lightning
protection filters (e.g. surge protectors) shall be fitted to all incoming power
and communications lines.

Information assets handling covered information shall be positioned and
the viewing angle restricted to reduce the risk of information being viewed
by unauthorized persons during their use, and storage devices secured to
avoid unauthorized access.

Device locks shall be distributed and implemented for equipment
containing covered information. Types of locks include, but are not limited
to, slot locks, port controls, peripheral switch controls and cable traps.

The organization shall restrict physical access to wireless access points,
gateways, handheld devices, networking/communications hardware, and
telecommunication lines.

The organization plans the location or site of the facility where the
information system resides with regard to physical and environmental
hazards and, for existing facilities, considers the physical and environmental
hazards in its risk mitigation strategy.

Controls shall be implemented to minimize the risk of potential physical
threats including theft, fire, explosives, smoke, water (or water supply
failure), dust, vibration, chemical effects, electrical supply interference,
communications interference, electromagnetic radiation, and vandalism.

The organization shall position information system components within the
facility to minimize potential damage from physical and environmental
hazards and to minimize the opportunity for unauthorized access. The
following controls shall be implemented to avoid damage from fire, flood,
earthquake, explosion, civil unrest, and other forms of natural or man-made
disaster:
i. hazardous or combustible materials shall be stored at a safe distance
from a secure area;
ii. bulk supplies such as stationery shall not be stored within a secure
area; and
iii. fallback equipment and back-up media shall be stored at a safe distance
to avoid damage from disaster affecting the main site.



Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PE-1 (HIGH)
- CMSRs 2012v1.5 PE-18 (HIGH)
- HIPAA §164.310(c)
- NIST SP800-53 R4 PE-1
- NIST SP800-53 R4 PE-18
- NIST SP800-53 R4 PE-18(1)
- NRS 603A.215.1
- PCI DSS v2 9.1.3
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and
Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed
Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors):
> 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:
Equipment shall be sited to minimize unnecessary access into work areas.
Environmental conditions, such as temperature and humidity, shall be
monitored for conditions which could adversely affect the operation of
information assets.

Items requiring special protection shall be isolated to reduce the general
level of protection required.

The use of special protection methods, such as keyboard membranes, shall
be implemented for equipment in industrial environments.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 PE-18(1) (HIGH)
- CSA RS-06
- ISO/IEC 27002-2005 9.2.1
- ISO 27799-2008 7.6.2.1


Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 08.h Supporting Utilities

Control Specification: Equipment shall be protected from power failures and other
disruptions caused by failures in supporting utilities.
Factor Type: Organizational
Topics: Contingency Planning
Maintenance
Monitoring
Physical and Facility Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: All supporting utilities, such as electricity, water supply, sewage,
heating/ventilation, and air conditioning shall be adequate for the systems
they are supporting. Support utilities shall be regularly inspected and tested
to ensure their proper functioning and to reduce any risk from their
malfunction or failure.



A suitable electrical supply shall be provided that conforms to the
equipment manufacturer's specifications. An uninterruptable power supply
(UPS) to support orderly close down or continuous running shall be
required for equipment supporting critical business operations. Power
contingency plans shall cover the action to be taken on failure of the UPS.
UPS equipment and generators shall be regularly checked to ensure they
have adequate capacity and are tested in accordance with the
manufacturer's recommendations.

The water supply shall be stable and adequate to supply air conditioning,
humidification equipment and fire suppression systems, where used.
Malfunctions in the water supply system may damage equipment or
prevent fire suppression from acting effectively.

An uninterruptable power supply (UPS) to support orderly close down or
continuous running (transition to long-term alternate power) shall be
required.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PE-11 (HIGH)
- CMSRs 2012v1.5 PE-11(1) (HIGH)
- CSA RS-07
- CSA RS-08
- HIPAA §164.310(a)(1)
- HIPAA §164.310(a)(2)(ii)
- HIPAA §164.310(a)(2)(iii)
- ISO 27799-2008 7.6.2.2
- NIST SP800-53 R4 PE-11
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

Humidity monitoring (e.g. hygrometer) shall be implemented in areas containing critical information processing systems. Proper notification shall be provided if the moisture level is outside the bounds deemed acceptable by equipment manufacturers.

Emergency lighting shall be provided in case of main power failure that covers emergency exits and evacuation routes within the facility.

An alarm system to detect malfunctions in the supporting utilities shall be evaluated and installed if required.

Only authorized maintenance personnel are permitted to access infrastructure assets, including power generators, HVAC systems, cabling, and wiring closets.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 PE-9 (HIGH)
- CMSRs 2012v1.5 PE-12 (HIGH)
- CMSRs 2012v1.5 PE-14 (HIGH)
- NIST SP800-53 R4 PE-9
- NIST SP800-53 R4 PE-12
- NIST SP800-53 R4 PE-14

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

Voice services shall be adequate to meet local legal requirements for emergency communications.

Level 3 Control Standard Mapping:
- ISO/IEC 27002-2005 9.2.2

CMS Contractor Requirements

CMS Contractors: A back-up generator shall be considered if processing is required to continue in case of a prolonged power failure. An adequate supply of fuel shall be available to ensure that the generator, if used, can perform for a prolonged period.

A back-up generator shall be implemented and an adequate supply of fuel shall be available to ensure that the generator can perform for a prolonged period. Generators shall be regularly checked to ensure they have adequate capacity and are tested in accordance with the manufacturer's recommendations.

Multiple power sources or a separate power substation shall be used. Telecommunications equipment shall be connected to the utility provider by at least two diverse routes to prevent failure in one connection path removing voice services. The organization shall develop telecommunications service agreements that contain priority of service (Telecommunications Service Priority) provisions.

Provider Requirements

Level 1 Providers: A back-up generator shall be considered if processing is required to continue in case of a prolonged power failure. An adequate supply of fuel shall be available to ensure that the generator, if used, can perform for a prolonged period.
Level 2 Providers: A back-up generator shall be implemented and an adequate supply of fuel shall be available to ensure that the generator can perform for a prolonged period. Generators shall be regularly checked to ensure they have adequate capacity and are tested in accordance with the manufacturer's recommendations.
Level 3 Providers: Multiple power sources or a separate power substation shall be used. Telecommunications equipment shall be connected to the utility provider by at least two diverse routes to prevent failure in one connection path removing voice services. The organization shall develop telecommunications service agreements that contain priority of service (Telecommunications Service Priority) provisions.

Control Reference: 08.i Cabling Security

Control Specification: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
Factor Type: Organizational
Topics: Media and Assets; Physical and Facility Security; Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall protect power equipment and power cabling for the information system from damage and destruction.

Access to patch panels and cable rooms shall be controlled. A documented patch list shall be used to reduce the possibility of errors.

Clearly identifiable cable and equipment markings shall be used to minimize handling errors, such as accidental patching of wrong network cables.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PE-9 (HIGH)
- HIPAA §164.310(a)(1)
- HIPAA §164.310(c)
- NIST SP800-53 R4 PE-9
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

Power and telecommunications lines into information processing facilities shall be underground, where possible, or subject to adequate alternative protection. Network cabling shall be protected from unauthorized interception or damage, for example by using a conduit or by avoiding routes through public areas. Power cables shall be segregated from communications cables to prevent interference (only applicable where copper telecommunications cables are used).

Armored conduit and locked rooms or boxes at inspection and termination points shall be installed. Alternative routings and/or transmission media providing appropriate security shall be used. Electromagnetic shielding shall be used to protect the cables.

The organization disables any physical ports (e.g., wiring closets, patch panels, etc.) not in use.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 PE-4 (HIGH)
- CSA RS-08
- ISO/IEC 27002-2005 9.2.3
- ISO 27799-2008 7.6.2.2
- NIST SP800-53 R4 PE-4
- NRS 603A.215.1
- PCI DSS v2 9.1.2

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Level 2 plus:

Technical sweeps and physical inspections shall be initiated for unauthorized devices being attached to the cables.

Control Reference: 08.j Equipment Maintenance

Control Specification: Equipment shall be correctly maintained to ensure its continued availability and integrity.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Documentation and Records; Maintenance; Media and Assets

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall develop, disseminate, and review/update annually:
i. a formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
ii. formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

Equipment shall be maintained in accordance with the supplier's recommended service intervals and specifications. Only authorized maintenance personnel shall carry out repairs and service equipment. Appropriate controls shall be implemented when equipment is scheduled for maintenance (e.g. authorization levels), taking into account whether this maintenance is performed by personnel on site or external to the organization.

The organization shall designate personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Organizations shall approve and monitor non-local maintenance and diagnostic activities; only allow the use of non-local maintenance and diagnostic tools consistent with organizational policy; maintain records for non-local maintenance and diagnostic activities; and terminate all sessions and network connections when non-local maintenance is completed.

All requirements imposed by insurance policies shall be complied with.


Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 MA-1 (HIGH)
- CMSRs 2012v1.5 MA-4 (HIGH)
- CMSRs 2012v1.5 MA-4(1) (HIGH)
- CMSRs 2012v1.5 MA-4(2) (HIGH)
- CMSRs 2012v1.5 MA-4(3) (HIGH)
- CMSRs 2012v1.5 MA-5 (HIGH)
- CMSRs 2012v1.5 MA-6 (HIGH)
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.310(a)(2)(iv)
- ISO 27799-2008 7.6.2.2
- NIST SP800-53 R4 MA-1
- NIST SP800-53 R4 MA-4
- NIST SP800-53 R4 MA-4(2)
- NIST SP800-53 R4 MA-5
- NIST SP800-53 R4 MA-6
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

Covered information shall be cleared from the equipment, or the maintenance personnel shall be sufficiently cleared prior to all maintenance. Records shall be kept of all suspected or actual faults and all preventive and corrective maintenance including:
i. date and time of maintenance;
ii. name of individual performing maintenance;
iii. name of escort;
iv. a description of maintenance performed; and
v. a list of equipment removed or replaced.

The organization shall check all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 MA-2 (HIGH)
- CMSRs 2012v1.5 MA-2(1) (HIGH)
- CMSRs 2012v1.5 MA-2(2) (HIGH)
- CSA OP-04
- ISO/IEC 27002-2005 9.2.4
- NIST SP800-53 R4 MA-2

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

The organization shall approve, control and monitor the use of information system maintenance tools (e.g. hardware and software brought into the organization for diagnostic/repair actions) and maintain the tools on an ongoing basis. All maintenance tools carried into the facility by maintenance personnel shall be inspected for obvious improper modifications. All media containing diagnostic and test programs shall be checked for malicious code prior to the media being used in the information system.
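One way to operationalize the media check in the Level 3 requirement above is to keep an approved manifest (SHA-256 per file) for each vendor diagnostic image and refuse to use media whose contents are not exactly what was approved. The following Python is an added example written for this page; it is not HITRUST text or a HITRUST tool, and the sha256sum-style manifest format, the file names and the sample contents are constructed assumptions. It complements a malicious-code scan rather than replacing one: a manifest match shows the media is unchanged since approval, not that the approved tools were themselves clean.

```python
"""Check diagnostic/maintenance media against an approved manifest.

Added example (not from the HITRUST CSF). Every regular file on the media
must match a SHA-256 digest listed in an approved manifest; altered,
unlisted or missing files block use. Manifest format, paths and sample
data are constructed assumptions for illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large tool images need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<sha256>  <relative/path>' lines (sha256sum style).

    Blank lines and '#' comments are ignored; a malformed line raises so a
    damaged manifest can never silently approve media.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<sha256>  <path>'")
        digest, rel = parts[0].lower(), parts[1].replace("\\", "/")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        entries[rel] = digest
    return entries


@dataclass
class MediaCheck:
    approved: bool
    modified: list = field(default_factory=list)    # listed, but digest differs
    unexpected: list = field(default_factory=list)  # present, not in manifest
    missing: list = field(default_factory=list)     # in manifest, not present


def check_media(root: str, manifest: dict) -> MediaCheck:
    """Hash every regular file under `root` and compare with the manifest."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    modified = sorted(r for r in found if r in manifest and found[r] != manifest[r])
    unexpected = sorted(r for r in found if r not in manifest)
    missing = sorted(r for r in manifest if r not in found)
    return MediaCheck(not (modified or unexpected or missing), modified, unexpected, missing)


def demo_media_check() -> dict:
    """Constructed sample: approved media, then the same media with one tool
    altered and one unlisted file added. Returns both check results."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/diag.bin": b"constructed diagnostic tool v1",
                 "README.txt": b"constructed vendor notes"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        manifest_text = "# approved diagnostic media (constructed)\n" + "\n".join(
            f"{sha256_file(os.path.join(root, r))}  {r}" for r in files)
        manifest = parse_manifest(manifest_text)
        clean = check_media(root, manifest)
        with open(os.path.join(root, "bin/diag.bin"), "ab") as fh:
            fh.write(b"X")  # simulated alteration of an approved tool
        with open(os.path.join(root, "unlisted.bin"), "wb") as fh:
            fh.write(b"not in manifest")
        tampered = check_media(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, result in demo_media_check().items():
        print(label, result)
```

The manifest itself must be obtained out of band (for example, distributed with the approval record rather than stored on the media), since a manifest carried on the same media can be rewritten along with the files it describes.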
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 MA-3 (HIGH)
- CMSRs 2012v1.5 MA-3(1) (HIGH)
- CMSRs 2012v1.5 MA-3(2) (HIGH)
- CMSRs 2012v1.5 MA-3(3) (HIGH)
- NIST SP800-53 R4 MA-3
- NIST SP800-53 R4 MA-3(1)
- NIST SP800-53 R4 MA-3(2)

CMS Contractor Requirements

CMS Contractors: The organization monitors and controls non-local maintenance and diagnostic activities and prohibits non-local CMS system maintenance unless explicitly authorized, in writing, by the CIO or his/her designated representative.

If non-local maintenance and diagnostic activities are authorized, the organization shall:
i. monitor and control non-local maintenance;
ii. allow the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
iii. employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
iv. maintain records for non-local maintenance and diagnostic activities; and
v. terminate all sessions and network connections when non-local maintenance is completed.

If password-based authentication is used during remote maintenance, the organization shall change the passwords following each remote maintenance service.

The organization shall audit non-local maintenance and diagnostic sessions, and designated organizational personnel shall review the maintenance records of the sessions. The organization shall document, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.

The organization shall:
i. require that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or
ii. remove the component to be serviced from the information system and, prior to non-local maintenance or diagnostic services, sanitize the component (with regard to sensitive information) before removal from organizational facilities, and after the service is performed, inspect and sanitize the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.

The organization shall obtain maintenance support and/or spare parts for CMS critical systems and applications (including Major Applications [MA] and General Support Systems [GSS] and their components) within twenty-four (24) hours of failure.

Automated mechanisms are implemented to schedule, conduct, and document maintenance and repairs as required, producing up-to-date, accurate, complete and available records of all maintenance and repair actions needed, in process and completed.

The equipment shall be appropriately sanitized before release; if the equipment cannot be sanitized, the equipment shall remain within the control of the organization or be destroyed, or an exemption shall be obtained from a designated organization official explicitly authorizing removal of the equipment from the facility.

The organization requires that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or removes the component to be serviced from the information system and, prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organization information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.

Control Reference: 08.k Security of Equipment Off-Premises

Control Specification: Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises.
Factor Type: Organizational
Topics: Authorization; IT Organization and Management Roles and Responsibilities; Media and Assets; Physical and Facility Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance
Level 1 Implementation: Regardless of ownership, the use of any information processing equipment outside the organization's premises shall be authorized by management. This shall include equipment used by remote workers, even where such use is permanent (e.g. a core feature of the employee's role, such as for ambulance personnel or therapists).

Equipment and media taken off the premises shall not be left unattended in public places. Portable computers shall be carried as hand luggage and disguised where possible when travelling.

Manufacturers' instructions for protecting equipment shall be observed at all times (e.g. protection against exposure to strong electromagnetic fields). Home-working controls shall be applied, including lockable filing cabinets, clear desk policy, and access controls for computers and secure communication with the office.

Adequate insurance coverage shall be in place to protect equipment off-site.

Security risks (e.g. of damage, theft or eavesdropping) may vary considerably between locations and shall be taken into account in determining the most appropriate controls.

Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 R4 MP-5 (HIGH)
- CMSRs 2012v1.5R4 PE-17 (HIGH)
- CSA FS-07
- HIPAA §164.310(a)(2)(i)
- HIPAA §164.310(d)(1)
- HIPAA §164.310(d)(2)(iii)
- HIPAA §164.312(c)(1)
- ISO/IEC 27002-2005 9.2.5
- ISO 27799-2008 7.6.2.3
- NIST SP800-53 R4 MP-5
- NIST SP800-53 R4 PE-17
- NRS 603A.215.1
- PCI DSS v2 9.8
- (State of Texas) 181.004(a)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 08.l Secure Disposal or Re-Use of Equipment

Control Specification: All items of equipment containing storage media shall be checked to ensure that any covered information and licensed software has been removed or securely overwritten prior to disposal.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Data Loss Prevention; Media and Assets

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the State of Nevada Security of Personal Information Requirements, Subject to Joint Commission Accreditation
Level 1 Implementation: Surplus equipment is stored securely while not in use, and disposed of or sanitized when no longer required.

Devices containing covered information shall be physically destroyed or the information shall be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.

The following are appropriate techniques to securely remove information:
i. disk wiping
ii. degaussing

The following are appropriate techniques to securely destroy electronic and hard copy media:
i. shredding disk platters
ii. disintegration
iii. grinding surfaces
iv. incineration
v. pulverization
vi. melting

See NIST SP800-88 Guidelines for Media Sanitization for more information on implementing media sanitization and destruction techniques.

The organization shall render information unusable, unreadable, or indecipherable on system media, both digital and non-digital, prior to disposal or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies.
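The requirement above distinguishes overwriting that makes information non-retrievable from an ordinary delete or format, and asks for the result to be checked. The following Python is an added example written for this page, not HITRUST text or a HITRUST tool: it performs an overwrite pass (random data, then zeros) over a file-backed image and then runs a separate verification read that confirms a known pre-sanitization marker is gone and every byte matches the final pattern. The image size, the marker string and the two-pass pattern are constructed assumptions; the marker is only there so the verification step has something concrete to look for.

```python
"""Overwrite-based sanitization of a storage image, with verification.

Added example (not part of the HITRUST CSF). Overwrites every byte of a
file-backed image, fsyncs, then reads the whole image back to verify.
Image size, marker and pass pattern are constructed for illustration.
"""
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB read/write granularity


def overwrite_image(path: str, passes=("random", "zero")) -> int:
    """Overwrite the file at `path` in place, one full-length pass per entry.

    Each pass is flushed and fsync'd so the data reaches the medium rather
    than stopping in the page cache. Returns the number of bytes overwritten.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for mode in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n) if mode == "random" else b"\x00" * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def verify_sanitized(path: str, marker: bytes, expect_byte: int = 0) -> dict:
    """Independent verification read: report whether `marker` still appears
    anywhere in the image and how many bytes differ from the final pattern."""
    marker_found = False
    nonpattern = 0
    tail = b""  # carry over so a marker straddling two chunks is still seen
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            if marker in tail + chunk:
                marker_found = True
            nonpattern += len(chunk) - chunk.count(expect_byte)
            tail = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""
    return {"marker_found": marker_found, "nonpattern_bytes": nonpattern}


def _sha256(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def demo_sanitize(marker: bytes = b"CONSTRUCTED-COVERED-INFO-MARKER") -> dict:
    """Build a constructed 256 KiB image seeded with `marker` (once mid-image,
    once straddling a chunk boundary), sanitize it, and return the verification
    result together with the before/after digests and byte count."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        body = bytearray(secrets.token_bytes(256 * 1024))
        body[1000:1000 + len(marker)] = marker
        body[CHUNK - 5:CHUNK - 5 + len(marker)] = marker
        with open(path, "wb") as fh:
            fh.write(body)
        before_digest = _sha256(path)
        present_before = verify_sanitized(path, marker)["marker_found"]
        size = overwrite_image(path)
        result = verify_sanitized(path, marker)
        result.update({"bytes": size,
                       "marker_present_before": present_before,
                       "digest_before": before_digest,
                       "digest_after": _sha256(path)})
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_sanitize())
```

The verification read is deliberately a separate pass over the medium rather than a check of what was written, because the requirement is about what remains retrievable. Note the limit of this technique: overwriting at the file or partition level only clears the blocks the file system writes in place, so on flash media with wear levelling, on copy-on-write or journaling file systems, and for remapped sectors, copies of the original data can survive. That is why NIST SP 800-88 separates clear, purge and destroy, and why the list above pairs wiping with degaussing and physical destruction for media that cannot be reliably overwritten.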
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 MP-6 (HIGH)
- CSA DG-05
- Guidance to render PHI unusable, unreadable, or indecipherable (b)(i)
- Guidance to render PHI unusable, unreadable, or indecipherable (b)(ii)
- HIPAA §164.310(d)(1)
- HIPAA §164.310(d)(2)(i)
- HIPAA §164.310(d)(2)(ii)
- ISO/IEC 27002-2005 9.2.6
- ISO 27799-2008 7.6.2.4
- JCAHO IM.02.01.03, EP 7
- NIST SP800-53 R4 MP-6
- NRS 603A.200.1
- NRS 603A.200.2.b.1
- NRS 603A.200.2.b.2
- NRS 603A.215.1
- PCI DSS V2 9.10.1
- PCI DSS V2 9.10.2
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 08.m Removal of Property

Control Specification: Equipment, information or software shall not be taken off-site without prior authorization.
Factor Type: Organizational
Topics: Authorization; Documentation and Records; Media and Assets; Personnel; Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to Joint Commission Accreditation, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: Equipment, information or software shall not be taken off-site without prior authorization. Employees, contractors and third party users who have authority to permit off-site removal of assets shall be clearly identified.

Time limits for equipment removal shall be set and returns checked for compliance. Where necessary and appropriate, equipment shall be recorded as being removed off-site and recorded when returned.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 PE-16 (HIGH)
- CSA FS-06
- ISO/IEC 27002-2005 9.2.7
- ISO 27799-2008 7.6.2.5
- JCAHO IM.02.01.03, EP 4
- NIST SP800-53 R4 PE-16

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Category: 09.0 - Communications and Operations Management

Objective Name: 09.01 Documented Operating Procedures

Control Objective: To ensure that operating procedures are documented, maintained and made available to all users who need them.

Control Reference: 09.a Documented Operations Procedures

Control Specification: Operating procedures shall be documented, maintained, and made available to all users who need them.
Factor Type: System
Topics: Cryptography, Documentation and Records, Policies and Procedures

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance
Level 1 Implementation: Documented procedures shall be prepared for system activities associated with information and communication assets, including computer start-up and close-down procedures, backup of data, equipment maintenance, media handling, electronic communications, computer room and mail handling management, and safety.

The operating procedures shall specify the detailed instructions for the
execution of each job including:
i. processing and handling of information;
ii. the backup of data;
iii. scheduling requirements, including interdependencies with other
systems, earliest job start and latest job completion times;

iv. instructions for handling errors or other exceptional conditions,
which might arise during job execution, including restrictions on the
use of system utilities;
v. support contacts in the event of unexpected operational or technical
difficulties;
vi. special output and media handling instructions, such as the use of
special stationery or the management of confidential output
including procedures for secure disposal of output from failed jobs;
vii. system restart and recovery in the event of system failure; and
viii. the management of audit-trail and system log information.

Operating procedures, and the documented procedures for system activities, shall be treated as formal documents and changes authorized by management.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 MA-1 (HIGH)
• CMSRs 2012v1.5 MP-5 (HIGH)
• CMSRs 2012v1.5 MP-5(4) (HIGH)
• CSA OP-01
• CSA OP-02
• ISO/IEC 27002-2005 10.1.1
• ISO 27799-2008 7.7.1.1
• NIST SP800-53 R4 MA-1
• NRS 603A.215.1
• PCI DSS v2 12.2

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements
Level 2 Control Standard Mapping:
• NIST SP800-53 R4 MP-5


Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements.

Control Reference: 09.b Change Management

Control Specification: Changes to information assets and systems shall be controlled and archived.
Factor Type: System
Topics: IT Organization and Management Roles and Responsibilities, Media and Assets

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: Changes to information assets, including systems, networks and network services, shall be controlled and archived.

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
Changes shall be managed strictly and consistently. Formal management
responsibilities and procedures shall be in place to ensure satisfactory
control of all changes to equipment, software or procedures, including:
i. the identification and recording of significant changes;
ii. the planning and testing of changes;
iii. the assessment of the potential impacts, including security impacts, of
such changes;
iv. the formal approval for proposed changes; and
v. the communication of change details to all relevant persons.

Fallback procedures shall be defined and implemented, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 CM-3 (HIGH)
• CMSRs 2012v1.5 CM-4 (HIGH)
• CMSRs 2012v1.5 CM-5 (HIGH)
• ISO/IEC 27002-2005 10.1.2
• ISO 27799-2008 7.7.1.2
• NIST SP800-53 R4 CM-3
• NIST SP800-53 R4 CM-4
• NIST SP800-53 R4 CM-5

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements


Control Reference: 09.c Segregation of Duties

Control Specification: Separation of duties shall be enforced to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Authorization, IT Organization and Management Roles and Responsibilities, Monitoring

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Small organizations may find segregation of duties difficult to achieve, but the principle shall be applied as far as is possible and practicable. Whenever it is difficult to segregate, controls such as monitoring of activities, audit trails, management supervision or a system of dual control (e.g. two individuals with separate responsibilities needing to work together to accomplish a task) shall be required.

Security audit activities shall always remain independent.


Level 1 Control Standard Mapping:
• HIPAA §164.308(a)(3)(i)
• HIPAA §164.308(a)(4)(i)
• HIPAA §164.308(a)(4)(ii)(A)
• HIPAA §164.312(a)(1)
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements


Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:
Segregation of duties is a method for reducing the risk of accidental or
deliberate system misuse. No single person shall be able to access, modify
or use assets without authorization or detection. The initiation of an event
shall be separated from its authorization to reduce the possibility of
collusion. The organization shall identify duties that require separation and
define information system access authorizations to support separation of
duties. Job descriptions shall reflect accurately the assigned duties and
responsibilities that support separation of duties.

Incompatible duties shall be segregated across multiple users to minimize the opportunity for misuse or fraud. In cases where conflicting duties must be assigned to a single user, activity logging and log reviews by an independent party shall be required.
Level 2 Control Standard Mapping:
• COBIT 4.1 DS5.7
• COBIT 5 DSS05.05
• CSA IS-15
• ISO/IEC 27002-2005 10.1.3
• ISO 27799-2008 7.7.1.3
• NIST SP800-53 R4 AC-5

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Pharmaceutical Companies: > 70,000,000 Prescriptions Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to PCI Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
The organization shall:
i. ensure that audit functions are not performed by security personnel
responsible for administering access control;
ii. maintain a limited group of administrators with access based upon the
users' roles and responsibilities;
iii. ensure that mission critical functions and information system support
functions are divided among separate individuals;
iv. ensure that information system testing functions (i.e., user acceptance,
quality assurance, information security) and production functions are
divided among separate individuals or groups;
v. ensure that an independent entity, not the Business Owner, System
Developer(s) / Maintainer(s), or System Administrator(s) responsible
for the information system, conducts information security testing of the
information system; and
vi. ensure that quality assurance and code reviews of custom-developed
applications, scripts, libraries, and extensions are conducted by an
independent entity, not the code developers.
Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 AC-5 (HIGH)
• NRS 603A.215.1
• PCI DSS v2 6.4.2
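The Level 2 and Level 3 requirements of 09.c are easy to state and hard to keep true across a living directory, so a practitioner usually checks role assignments against an incompatibility matrix on a schedule. The following is an added example, not part of the HITRUST CSF text: it evaluates a constructed set of user-to-role assignments against hypothetical incompatible role pairs (initiation versus authorization, audit versus access-control administration, testing versus production, developer versus reviewer), reports conflicts, and, where a documented exception exists, records the compensating control the Level 2 text requires (activity logging with independent log review). The role names, users, change ids and the exception register id are all constructed.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example, not part of the HITRUST CSF text. Role names, the exception
register and the sample assignments are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations

# Incompatible role pairs (hypothetical role names). Each pair mirrors a
# separation the 09.c text calls for: initiation vs. authorization, audit vs.
# access-control administration, testing vs. production, developer vs. reviewer.
INCOMPATIBLE = {
    frozenset({"request_access", "approve_access"}),
    frozenset({"security_auditor", "access_control_admin"}),
    frozenset({"qa_tester", "production_operator"}),
    frozenset({"developer", "code_reviewer"}),
}


@dataclass(frozen=True)
class Finding:
    user: str
    roles: tuple           # the conflicting pair, sorted
    accepted: bool         # True when a documented exception covers the pair
    required_control: str  # what must be in place for this finding


def find_conflicts(assignments, exceptions):
    """Report every user holding an incompatible role pair.

    assignments: {user: set of role names}
    exceptions:  {(user, frozenset(pair)): "documented justification"}
    A conflict with an exception is still reported: 09.c Level 2 requires
    activity logging and log review by an independent party in that case.
    """
    findings = []
    for user, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(roles), 2):
            pair = frozenset({a, b})
            if pair not in INCOMPATIBLE:
                continue
            accepted = (user, pair) in exceptions
            findings.append(Finding(
                user=user,
                roles=(a, b),
                accepted=accepted,
                required_control=(
                    "activity logging with log review by an independent party"
                    if accepted
                    else "remove one role or record a documented exception"
                ),
            ))
    return findings


def self_reviews(changes):
    """Ids of changes whose reviewer is the author (09.c Level 3, item vi)."""
    return [c["id"] for c in changes if c["author"] == c["reviewer"]]


def summarize(findings):
    """Count findings by whether a documented exception exists."""
    accepted = sum(1 for f in findings if f.accepted)
    return {"accepted": accepted, "unaccepted": len(findings) - accepted}


# Constructed sample data (hypothetical users, roles, change ids, exception id).
ASSIGNMENTS = {
    "alice": {"developer", "code_reviewer"},
    "bob": {"security_auditor", "access_control_admin"},
    "carol": {"qa_tester"},
    "dave": {"request_access", "approve_access", "developer"},
}
EXCEPTIONS = {
    ("bob", frozenset({"security_auditor", "access_control_admin"})):
        "two-person security team; exception SOD-EX-0001 (constructed id)",
}
CHANGES = [
    {"id": "CHG-1", "author": "alice", "reviewer": "alice"},
    {"id": "CHG-2", "author": "alice", "reviewer": "carol"},
]

if __name__ == "__main__":
    conflicts = find_conflicts(ASSIGNMENTS, EXCEPTIONS)
    for f in conflicts:
        print(f"{f.user}: {f.roles} accepted={f.accepted} -> {f.required_control}")
    print("self-reviewed changes:", self_reviews(CHANGES))
    print(summarize(conflicts))
```

The exception register is the important design choice: the check never silently accepts a conflict, it only changes the required control from "fix the assignment" to "prove the independent log review exists", which is what an assessor will ask for under Level 2.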

Control Reference: 09.d Separation of Development, Test, and Operational Environments

Control Specification: Development, test, and operational environments shall be separated and controlled to reduce the risks of unauthorized access or changes to the operational system.
Factor Type: System
Topics: IT Organization and Management Roles and Responsibilities, Policies and Procedures

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall minimize any testing on production systems. When testing must be performed, a test plan shall be developed that documents all changes to the system and the procedures for undoing any changes made to the system (e.g. removing test accounts).

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:
The level of separation between operational, test, and development
environments shall be identified and controls shall be implemented to
prevent operational issues, including:
i. along with removing accounts, a review of all custom code preceding
the release to production or to customers must be completed in order to
identify any possible coding vulnerability.
ii. test data and accounts shall be removed completely before the
application is placed into a production state.
iii. organizations shall remove all custom application accounts, user IDs,
and passwords before applications go from development to production
or are released to customers
iv. rules for the transfer of software from development to operational
status shall be defined and documented;
v. development and operational software shall run on different systems or
computer processors and in different domains or directories;
vi. compilers, editors, and other development tools or system utilities shall
not be accessible from operational systems when not required;

vii. the test system environment shall emulate the operational system
environment as closely as possible;
viii. users shall use different user profiles for operational and test systems,
and menus shall display appropriate identification messages to reduce
the risk of error; and
ix. covered information shall not be copied into the test system
environment.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 CM-2 (HIGH)
• CMSRs 2012v1.5 SA-11 (HIGH)
• CSA SA-06
• ISO/IEC 27002-2005 10.1.4
• ISO 27799-2008 7.7.1.4
• NIST SP800-53 R4 CM-2
• NRS 603A.215.1
• PCI DSS v2 6.3.1
• PCI DSS v2 6.3.2
• PCI DSS v2 6.4.1
• PCI DSS v2 6.4.3
• PCI DSS v2 6.4.4

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: All systems supporting development and pre-production testing are connected to an isolated network separated from production systems. Network traffic into and out of the development and pre-production testing environment is only permitted to facilitate system testing, and is restricted by source and destination access control lists (ACLs) as well as ports and protocols.
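Several of the 09.d Level 2 items (ii, iii, v and ix) can be enforced as a release gate that runs before an application moves from development to production. The following is an added example, not part of the HITRUST CSF text: it checks a constructed account list for leftover test or development-origin accounts, scans a constructed test dataset for covered information that should have been masked (including an SSN-shaped value hiding in a free-text field, which goes a step beyond the item's wording), and checks a constructed host inventory for machines shared between development and production. The record field names, the "origin" tag and the masking convention are assumptions of this example.

```python
"""Pre-production release gate for environment separation (09.d Level 2).

Added example, not part of the HITRUST CSF text. The account records, the
test dataset rows and the host inventory are constructed sample input; the
field names and the "origin" tag are assumptions of this example.
"""
import re

# Account names that signal a test or development artefact (constructed list).
TEST_NAME = re.compile(r"^(test|qa|demo|tmp)[_-]", re.IGNORECASE)
# A U.S. SSN-shaped value, used to catch covered information in free text.
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Fields that hold covered information and must be masked in test copies.
COVERED_FIELDS = {"ssn", "dob", "mrn"}
# Masking convention assumed here: only X, *, # and separators remain.
MASKED = re.compile(r"^[X*#\-/]+$")


def leftover_test_accounts(accounts):
    """Accounts that must be gone before the application enters production
    (items ii and iii): test-named or created in development."""
    return [a["name"] for a in accounts
            if TEST_NAME.match(a["name"]) or a.get("origin") == "development"]


def covered_info_in_test_data(rows):
    """(row index, field) pairs where a test dataset still carries covered
    information (item ix): an unmasked covered field, or an SSN-shaped
    value in any other field, including free text."""
    hits = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            value = str(value)
            if field in COVERED_FIELDS and not MASKED.match(value):
                hits.append((i, field))
            elif field not in COVERED_FIELDS and SSN.search(value):
                hits.append((i, field))
    return hits


def shared_hosts(inventory):
    """Hosts listed under both development and production (item v)."""
    return sorted(inventory["development"] & inventory["production"])


def run_gate(accounts, test_rows, inventory):
    """Aggregate the three checks; the release passes only when all are empty."""
    findings = {
        "test_accounts": leftover_test_accounts(accounts),
        "covered_info_in_test": covered_info_in_test_data(test_rows),
        "shared_hosts": shared_hosts(inventory),
    }
    findings["passed"] = not any(findings[k] for k in
                                 ("test_accounts", "covered_info_in_test",
                                  "shared_hosts"))
    return findings


# Constructed sample input (hypothetical names, masked and unmasked values).
ACCOUNTS = [
    {"name": "svc_billing", "origin": "production"},
    {"name": "test_admin", "origin": "development"},
    {"name": "qa-loader", "origin": "development"},
    {"name": "jsmith", "origin": "production"},
]
TEST_ROWS = [
    {"patient_id": "P-0001", "ssn": "XXX-XX-XXXX", "dob": "****-**-**",
     "notes": "synthetic"},
    {"patient_id": "P-0002", "ssn": "123-45-6789", "dob": "****-**-**",
     "notes": "synthetic"},
    {"patient_id": "P-0003", "ssn": "XXX-XX-XXXX", "dob": "****-**-**",
     "notes": "callback 987-65-4321"},
]
INVENTORY = {
    "development": {"dev-app-01", "shared-db-01"},
    "production": {"prod-app-01", "shared-db-01"},
}

if __name__ == "__main__":
    for key, value in run_gate(ACCOUNTS, TEST_ROWS, INVENTORY).items():
        print(f"{key}: {value}")
```

Each check returns the offending items rather than a boolean so the gate output doubles as the remediation list; the free-text scan is the part most often missing from real pipelines, since masking jobs tend to cover named columns only.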

Objective Name: 09.02 Control Third Party Service Delivery

Control Objective: To ensure that third party service providers maintain security requirements and levels of service as part of their service delivery agreements.

Control Reference: 09.e Service Delivery

Control Specification: It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Monitoring, Requirements (Legal and Contractual), Services and Acquisitions, Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Third Party Support (Vendor Access or Maintenance): Yes
Level 1 Regulatory Factors: None
Level 1 Implementation: In an agreed service arrangement, service delivery by a third party (e.g., a certification authority for the provision of cryptographic services) shall include:
i. service definitions;
ii. delivery levels;
iii. security controls, including third-party personnel security, information
classification, transmission, and authorization; and
iv. aspects of service management, including monitoring, auditing, and
change management; and
v. issues of liability, reliability of services and response times for the
provision of services.

Level 1 Control Standard Mapping:
• CSA CO-03
• HIPAA §164.308(b)(1)
• HIPAA §164.308(b)(4)
• HIPAA §164.314(a)(1)
• HIPAA §164.314(a)(2)(i)
• HIPAA §164.314(a)(2)(ii)
• ISO 27799-2008 7.7.2
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: Geographic Scope: Multi-state, Geographic Scope: Off-Shore (Outside U.S.), Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to FTC Red Flags Rule Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

The organization shall develop, disseminate, and review/update annually a list of current service providers.

In the case of outsourcing arrangements, the organization shall plan the necessary transitions (of information, information processing systems, and anything else that needs to be moved), and shall ensure that security is maintained throughout the transition period. The service provider shall protect the company's data with reasonable policies and procedures designed to detect, prevent, and mitigate risk.

The organization shall ensure that the third party maintains sufficient
service capabilities together with workable plans designed to ensure that
agreed service continuity levels are maintained following major service
failures or disaster.
Level 2 Control Standard Mapping:
• 16 CFR Part §681.2(e)(4)
• 16 CFR Part §681 Appendix A VI(c)
• CMSRs 2012v1.5 SA-9 (HIGH)
• ISO/IEC 27002-2005 10.2.1
• NIST SP800-53 R4 SA-9
• NRS 603A.215.1
• PCI DSS v2 2.4
• PCI DSS v2 12.8
• PCI DSS v2 12.8.1
• PCI DSS v2 12.8.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall:
i. require that providers of external information system services comply
with the organization's information security requirements and employ
appropriate security controls in accordance with applicable federal
laws, Executive Orders, directives, policies, regulations, standards, and
guidance;
ii. define and document Government oversight and user roles and
responsibilities with regard to external information system services;
iii. monitor security control compliance by external service providers;
iv. prohibit service providers from outsourcing any system function
outside the U.S. or its territories.

(FTI Only) The organization shall develop, disseminate, and periodically review/update a formal, documented, system and services acquisition policy that includes IRS documents received and identified by:
i. taxpayer name
ii. tax year(s)
iii. type of information (e.g., revenue agent reports, Form 1040, work
papers)
iv. the reason for the request
v. date requested
vi. date received
vii. exact location of the FTI
viii. who has had access to the data, and
ix. if disposed of, the date and method of disposition.

Control Reference: 09.f Monitoring and Review of Third Party Services

Control Specification: The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly to govern and maintain compliance with the service delivery agreements.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Audit and Accountability, Documentation and Records, Incident Response, Requirements (Legal and Contractual), Services and Acquisitions, Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Third Party Support (Vendor Access or Maintenance): Yes
Level 1 Regulatory Factors: None
Level 1 Implementation: A periodic review of service-level agreements (SLAs) shall be conducted at least annually and compared against the monitoring records.
Level 1 Control Standard Mapping:
• CSA CO-03
• HIPAA §164.308(b)(1)
• HIPAA §164.308(b)(4)
• HIPAA §164.314(a)(1)
• HIPAA §164.314(a)(2)(i)
• HIPAA §164.314(a)(2)(ii)
• ISO 27799-2008 7.7.2
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: Geographic Scope: Multi-state, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to FTC Red Flags Rule Compliance, Subject to the CMS Minimum Security Requirements (HIGH)
Level 2 Implementation: Level 1 plus:

Monitoring shall involve a service management relationship and process between the organization and the third party.

Service performance levels shall be monitored to check adherence to the agreements. Service reports produced by the third party shall be reviewed and regular progress meetings shall be arranged as required by the agreements. Third party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered shall be reviewed.

Information about information security incidents shall be provided to the incident response team. This information shall be reviewed by the third party that experienced the incident and the organization which the third party provides services to as required by the agreements and any supporting guidelines and procedures. Any identified problems shall be resolved and reviewed by the organization as noted above.

The organization shall monitor the network service features and service
levels to detect abnormalities and violations. The organization shall
periodically audit the network services to ensure that network service
providers implement the required security features and meet the
requirements agreed with management, including with new and existing
regulations.
Level 2 Control Standard Mapping:
• 16 CFR Part §681.2 (e)(4)
• 16 CFR Part §681 Appendix A VI(c)
• CMSRs 2012v1.5 SA-9 (HIGH)
• ISO/IEC 27002-2005 10.2.2
• NIST SP800-53 R4 SA-9
• PCI DSS v2 12.8.4
• 1 TAC § 390.2(a)(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: Geographic Scope: Off-Shore (Outside U.S.), Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: Processing PHI: Yes - AND -, Number of Users: > 5,500, Number of Transactions Per Day: > 85,000, Number of Interfaces to Other Systems: > 75
Level 3 Regulatory Factors: Subject to PCI Compliance
Level 3 Implementation: Level 2 plus:
The organization shall maintain sufficient overall control and visibility into
all security aspects for covered and critical information or information
processing systems accessed, processed or managed by a third party. The
organization shall ensure they retain visibility into security activities such
as change management, identification of vulnerabilities, and information
security incident reporting and response through a clearly defined
reporting process, format and structure.
Level 3 Control Standard Mapping:
• NRS 603A.215.1
• PCI DSS v2 2.4

Control Reference: 09.g Managing Changes to Third Party Services

Control Specification: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Risk Management and Assessments, Services and Acquisitions, Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Third Party Support (Vendor Access or Maintenance): Yes
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall ensure that third party organizations use appropriate change management procedures for any changes to a third party service or organizational system (see 9.a and 10.k).
Level 1 Control Standard Mapping:
• ISO 27799-2008 7.7.2

Level 2 Implementation Requirements

Level 2 Organizational Factors: Geographic Scope: Multi-state, Geographic Scope: Off-Shore (Outside U.S.), Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to FTC Red Flags Rule Compliance
Level 2 Implementation: Level 1 plus:

Change management on a third party service shall include:
Change management on a third party service shall include:
i. the assessment and explicit recording of the potential impacts, including
security impacts, of such changes;
ii. evaluating and implementing changes made by the organization for:
1. enhancements to the current services offered;
2. development of any new applications and systems;
3. modifications or updates of the organization's policies and
procedures; and
4. new controls to resolve information security incidents and to
improve security;
iii. evaluating and implementing changes in third party services for:
1. changes and enhancement to networks;
2. use of new technologies;
3. adoption of new products or newer versions/releases;
4. new development tools and environments;

5. changes to physical location of service facilities; and
6. change of vendors.
Level 2 Control Standard Mapping:
• 16 CFR Part §681.2 (e)(4)
• 16 CFR Part §681 Appendix A VI(c)
• ISO/IEC 27002-2005 10.2.3
• 1 TAC § 390.2(a)(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 09.03 System Planning and Acceptance

Control Objective: To ensure that systems meet the business's current and projected needs in order to minimize failures.

Control Reference: 09.h Capacity Management

Control Specification: The availability of adequate capacity and resources shall be planned, prepared, and managed to deliver the required system performance. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
Factor Type: System
Topics: IT Organization and Management Roles and Responsibilities
Monitoring
Planning

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: The use of information and information system resources shall be monitored, and projections made of future capacity requirements to ensure adequate systems performance.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 AU-4 (HIGH)
• ISO/IEC 27002:2005 10.3.1

Level 2 Implementation Requirements

Level 2 Organizational Factors: Geographic Scope: Multi-state, Geographic Scope: Off-Shore (Outside U.S.), Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to FISMA Compliance; Subject to the CMS Minimum Security Requirements (HIGH)
Level 2 Implementation: Level 1 plus:
Capacity and monitoring procedures shall include:
i. the identification of capacity requirements for each new and ongoing
system/service;
ii. the projection of future capacity requirements, taking into account
current use, audit record storage requirements, projected trends, and
anticipated changes in business requirements; and
iii. the system monitoring and tuning to ensure and improve the
availability and effectiveness of current systems.

Organizations shall allocate sufficient storage capacity to reduce the likelihood of exceeding capacity and reduce the impact on network infrastructure, e.g., bandwidth.

The information system shall take the following additional actions in response to an audit storage capacity issue:
i. shutdown the information system,
ii. stop generating audit records, or
iii. overwrite the oldest records, in the case that storage media is unavailable.

The organization shall protect against or limit the effects of the types of
denial of service attacks defined in NIST SP 800-63 Rev. 1, Computer
Security Incident Handling Guide, and the following Websites:
i. SANS Organization www.sans.org/dosstep;
ii. SANS Organization's Roadmap to Defeating DDoS
www.sans.org/dosstep/roadmap.php; and
iii. NIST CVE List National Vulnerability Database:
http://nvd.nist.gov/home.cfm.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 SC-5 (HIGH)
• CSA OP-03
• ISO 27799-2008 7.7.3.1
• NIST SP800-53 R4 SC-5
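The three responses to an exhausted audit store listed above (shut down, stop generating audit records, overwrite the oldest records) differ in what evidence survives and whether the system keeps running. The following added example, which is not text or code from the HITRUST CSF, models each policy so the trade-off can be observed; the class and function names, the record capacity and the 80% warning threshold are assumptions made for this illustration.

```python
"""Audit-record storage capacity response (added example, not HITRUST code).

Models the three 09.h Level 2 responses to an audit storage capacity issue:
shut the information system down, stop generating audit records, or
overwrite the oldest records. Capacity figures and names are assumptions.
"""
from collections import deque
from enum import Enum


class CapacityPolicy(Enum):
    SHUTDOWN = "shutdown"            # fail closed: halt the information system
    STOP_AUDITING = "stop"           # keep running, generate no new audit records
    OVERWRITE_OLDEST = "overwrite"   # ring buffer: newest evidence replaces oldest


class AuditStorageExhausted(Exception):
    """Raised when the SHUTDOWN policy halts the system."""


class AuditStore:
    """Fixed-capacity audit store that applies one CapacityPolicy when full.

    capacity_records: how many records the (assumed) storage can hold.
    warn_at: fraction of capacity at which an administrator alert is raised,
             so the capacity issue is noticed before any record is lost.
    """

    def __init__(self, capacity_records, policy, warn_at=0.8):
        if capacity_records <= 0:
            raise ValueError("capacity_records must be positive")
        self.capacity = capacity_records
        self.policy = policy
        self.warn_threshold = max(1, int(capacity_records * warn_at))
        self.records = deque()
        self.alerts = []        # messages that would go to administrators
        self.dropped = 0        # records never written (STOP_AUDITING)
        self.overwritten = 0    # records lost to overwrite (OVERWRITE_OLDEST)
        self.halted = False

    def utilization(self):
        return len(self.records) / self.capacity

    def write(self, record):
        """Store one audit record; returns True if it was retained."""
        if self.halted:
            raise AuditStorageExhausted("information system is halted")
        if len(self.records) >= self.capacity:
            if self.policy is CapacityPolicy.SHUTDOWN:
                self.halted = True
                self.alerts.append("audit storage exhausted: system shut down")
                raise AuditStorageExhausted("audit storage exhausted")
            if self.policy is CapacityPolicy.STOP_AUDITING:
                if self.dropped == 0:
                    self.alerts.append("audit storage exhausted: auditing stopped")
                self.dropped += 1
                return False
            # OVERWRITE_OLDEST: make room by discarding the oldest record
            self.records.popleft()
            self.overwritten += 1
        self.records.append(record)
        # The store only grows, so the threshold is crossed exactly once.
        if len(self.records) == self.warn_threshold:
            self.alerts.append(f"audit storage at {self.utilization():.0%}")
        return True


def simulate(policy, capacity=10, events=15):
    """Write `events` constructed audit records into a store of `capacity`.

    Returns a summary dict; for SHUTDOWN the halt is recorded rather than
    propagated so all three policies can be compared side by side.
    """
    store = AuditStore(capacity, policy)
    written = 0
    try:
        for i in range(events):
            if store.write(f"event-{i}"):     # constructed sample record
                written += 1
    except AuditStorageExhausted:
        pass
    return {
        "policy": policy.value,
        "retained": len(store.records),
        "written": written,
        "dropped": store.dropped,
        "overwritten": store.overwritten,
        "halted": store.halted,
        "oldest": store.records[0] if store.records else None,
        "alerts": list(store.alerts),
    }


if __name__ == "__main__":
    for policy in CapacityPolicy:
        print(simulate(policy))
```

Note that only the overwrite policy keeps the system running and keeps auditing, at the cost of losing the oldest five records; the 80% alert fires in every case, which is what gives administrators time to act before that choice has to be made.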

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 09.i System Acceptance

Control Specification: Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance to maintain security.
Factor Type: System
Topics: Awareness and Training
Documentation and Records
IT Organization and Management Roles and Responsibilities

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: Managers shall ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested. New information systems, upgrades, and new versions shall only be migrated into production after obtaining formal acceptance from management.
Level 1 Control Standard Mapping:
• CSA RM-01

Level 2 Implementation Requirements

Level 2 Organizational Factors: Geographic Scope: Multi-state, Geographic Scope: Off-Shore (Outside U.S.), Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The following actions shall be carried out prior to formal acceptance being
provided:
i. an agreed set of security controls are in place;
ii. consultation with affected persons, or representatives of affected
groups, at all phases of the process;
iii. preparation and testing of routine operating procedures to defined
standards;
iv. effective manual procedures;
v. evidence that installation of the new system will not adversely affect
existing systems, particularly at peak processing times, such as month
end;
vi. evidence that an analysis has been carried out to the effect the new
system has on the overall security of the organization;
vii. training in the operation or use of new systems;
viii. error recovery and restart procedures, and contingency plans;
ix. ease of use (as this affects user performance and avoids human error);
and
x. training in the new operation(s).

Organizations shall ensure that the IT systems employed contain application functionality that enforces the approval of processes by different role holders. The impact of the installation of any new system shall be thoroughly analyzed and tested with the coverage of the extreme operational conditions of the current systems.
Level 2 Control Standard Mapping:
• ISO/IEC 27002-2005 10.3.2
• ISO 27799-2008 7.7.3.2
• CSA RM-03

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 09.04 Protection Against Malicious and Mobile Code

Control Objective: Ensure that the integrity of information and software is protected from malicious or unauthorized code.

Control Reference: 09.j Controls Against Malicious Code

Control Specification: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Awareness and Training
Contingency Planning
Policies and Procedures
Viruses and Malware

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

Formal policies shall be required and technologies implemented for the timely installation and upgrade of the protective measures, including the installation of anti-virus or anti-spyware software, and for the regular updating of it, including virus definitions, automatically whenever updates are available. Periodic reviews/scans shall be required of installed software and the data content of systems to identify and, where possible, remove any unauthorized software.

Procedures shall be defined for response to identification of malicious code or unauthorized software. Checking by anti-virus or anti-spyware software shall generate audit logs of the checks performed.

The checks carried out by the malicious code detection and repair software to scan computers and media shall include:
i. checking any files on electronic or optical media, and files received over networks, for malicious code before use;
ii. checking electronic mail attachments and downloads for malicious code before use; this check shall be carried out at different places (e.g. at electronic mail servers, desktop computers and when entering the network of the organization); and
iii. checking web traffic, such as HTML, JavaScript, and HTTP, for malicious code.
Formal policies shall be required prohibiting the use or installation of
unauthorized software, including a prohibition of obtaining data and
software from external networks.

User awareness and training on these policies and methods shall be provided for all users on a regular basis.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 SA-7 (HIGH)
• COBIT 4.1 DS5.9
• COBIT 5 DSS05.01
• CSA IS-21
• HIPAA §164.308(a)(5)(ii)(B)
• ISO 27799-2008 7.7.4.1
• NRS 603A.215.1
• PCI DSS v2 5.1
• PCI DSS v2 5.1.1
• PCI DSS v2 5.2
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 2.2
• (State of Mass.) 201 CMR 17.04(7)
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
Critical system file scans are performed during system boot and every 12 hours. Malicious code is blocked and quarantined and an alert sent to administrators in response to malicious code detection. The organization shall address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

Malicious code protection mechanisms shall be centrally managed. Non-privileged users are prevented from circumventing malicious code protection capabilities.

The organization shall:
i. employ spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means, or inserted through the exploitation of information system vulnerabilities;
ii. update spam protection mechanisms when new releases are available in accordance with the organization's configuration management policy and procedures;
iii. configure malicious code protection mechanisms to perform periodic scans of the information system according to organization guidelines and real-time scans of files from external sources at either endpoints or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and block malicious code, quarantine malicious code, or send an alert to the administrator in response to malicious code detection; and
iv. address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

Spam protection mechanisms shall be centrally managed. Spam protection mechanisms (including signature definitions) are automatically updated. The information system prevents non-privileged users from circumventing malicious code protection capabilities.

User functionality (including user interface services [e.g., web services]) shall be separated from information system management (e.g., database management systems) functionality.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 SC-2 (HIGH)
• CMSRs 2012v1.5 SI-3 (HIGH)
• CMSRs 2012v1.5 SI-3(1) (HIGH)
• CMSRs 2012v1.5 SI-3(2) (HIGH)
• CMSRs 2012v1.5 SI-3(3) (HIGH)
• CMSRs 2012v1.5 SI-8 (HIGH)
• CMSRs 2012v1.5 SI-8(1) (HIGH)
• CMSRs 2012v1.5 SI-8(2) (HIGH)
• ISO/IEC 27002-2005 10.4.1
• NIST SP800-53 R4 SC-2
• NIST SP800-53 R4 SI-3
• NIST SP800-53 R4 SI-3(1)
• NIST SP800-53 R4 SI-3(2)
• NIST SP800-53 R4 SI-8
• NIST SP800-53 R4 SI-8(1)
• NIST SP800-53 R4 SI-8(2)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall prohibit users from downloading or installing software, unless explicitly authorized, in writing, by the CIO or his/her designated representative. If user downloading and installing of software is authorized, explicit rules shall govern the installation of software by users and technical controls enforce the documented authorizations and prohibitions.

Control Reference: 09.k Controls Against Mobile Code

Control Specification: Mobile code shall be authorized before its installation and use, and the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy. All unauthorized mobile code shall be prevented from executing.
Factor Type: Organizational
Topics: Authorization
Cryptography
Policies and Procedures
Viruses and Malware
Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Automated controls (e.g. browser settings) shall be in place to authorize and restrict the use of mobile code (e.g. Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, and Flash animations).

A formal policy shall be in place for mobile code protection and to ensure
protective measures including anti-virus and anti-spyware are in place and
regularly updated.
Level 1 Control Standard Mapping:
• CSA SA-15
• HIPAA §164.308(a)(5)(ii)(B)
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
Formal documented policies and procedures for blocking any use and
receipt (e.g. downloading and execution) of mobile code shall be
documented and implemented.

The following actions shall be carried out to protect against mobile code performing unauthorized actions:
i. ensuring a logically isolated environment is established for executing mobile code;
ii. activating technical measures as available on a specific system to ensure mobile code is managed; and
iii. controlling the resources with access to mobile code.

Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s), including that development, test, and operational systems be separated (physically or virtually) to reduce the risks of unauthorized access or changes to the operational system.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 SC-2 (HIGH)
• CMSRs 2012v1.5 SC-3 (HIGH)
• CMSRs 2012v1.5 SC-3(1) (HIGH)
• CMSRs 2012v1.5 SC-3(2) (HIGH)
• CMSRs 2012v1.5 SC-3(3) (HIGH)
• CMSRs 2012v1.5 SC-3(4) (HIGH)
• CMSRs 2012v1.5 SC-3(5) (HIGH)
• CMSRs 2012v1.5 SC-18 (HIGH)
• CMSRs 2012v1.5 SI-8 (HIGH)
• ISO/IEC 27002-2005 10.4.2
• ISO 27799-2008 7.7.4.2
• NIST SP800-53 R4 SC-2
• NIST SP800-53 R4 SC-18
• NIST SP800-53 R4 SI-8

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The information system shall implement underlying hardware separation mechanisms to facilitate security function isolation.

Security functions enforcing access and information flow control shall be isolated from both non-security functions and from other security functions.

An information system isolation boundary shall be implemented to minimize the number of non-security functions included within the boundary containing security functions.

Security functions shall be implemented as largely independent modules that avoid unnecessary interactions between modules.

Security functions shall be implemented as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

Objective Name: 09.05 Information Back-Up

Control Objective: Ensure the maintenance, integrity, and availability of organizational information.

Control Reference: 09.l Back-up

Control Specification: Back-up copies of information and software shall be taken and tested regularly.
Factor Type: Organizational
Topics: Cryptography
Documentation and Records
Physical and Facility Security
Policies and Procedures
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to Joint Commission Accreditation
Level 1 Implementation: Back-up copies of information and software shall be made, and tested at appropriate intervals, in accordance with an agreed-upon back-up policy. A formal definition of the level of back-up required for each system shall be defined and documented including the scope of data to be imaged, frequency of imaging, and duration of retention. This shall be based on the contractual, legal, regulatory and business requirements.

Complete documentation of restoration procedures shall be defined and documented for each system.

The back-ups shall be stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site. Physical and environmental controls shall be in place for the back-up copies.

Regular testing of back-up media and restoration procedures shall be performed.

Inventory records for the back-up copies, including content and current location, shall be maintained.

When the back-up service is delivered by a third party, the service level agreement shall include the detailed protections to control confidentiality, integrity, and availability of the back-up information.
Level 1 Control Standard Mapping:
• CSA DG-04
• HIPAA §164.308(a)(7)(ii)(A)
• HIPAA §164.308(a)(7)(ii)(B)
• HIPAA §164.310(d)(2)(iv)
• HIPAA §164.312(c)(1)
• JCAHO IM.01.01.03, EP 4
• NIST SP800-53 R4 CP-9
• NRS 603A.215.1
• PCI DSS v2 9.5
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
Automated tools shall track all back-ups.
The integrity and security of the back-up copies shall be maintained to
ensure future availability in accordance with the agreed backup policy. Any
potential accessibility problems with the back-up copies shall be identified
and mitigated in the event of an area-wide disaster.

Covered information shall be backed-up in an encrypted format to guarantee confidentiality.
Level 2 Control Standard Mapping:
• ISO/IEC 27002-2005 10.5.1
• ISO 27799-2008 7.7.5

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Pharmaceutical Companies: > 70,000,000 Prescriptions Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
The organization shall perform full backups weekly to separate media.
Incremental or differential backups shall be performed daily to separate
media.
Three (3) generations of backups (full plus all related incremental or
differential backups) shall be stored off-site. Off-site and on-site backups
shall be logged with name, date, time and action.

The organization shall ensure a current, retrievable copy of covered information is available before movement of servers.

The organization shall test backup information following each backup to verify media reliability and information integrity.
Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 CP-9 (HIGH)
• CMSRs 2012v1.5 CP-9(1) (HIGH)
• CMSRs 2012v1.5 CP-9(3) (HIGH)
• NIST SP800-53 R4 CP-9(1)
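The Level 3 scheme above (weekly full backups, daily incrementals, three generations off-site, each backup logged with name, date, time and action) has one subtlety worth seeing in code: a generation is a full backup plus the incrementals that depend on it, so retention must expire whole generations, never a full whose incrementals are still kept. The following added example, which is not text or code from the HITRUST CSF, schedules jobs, groups them into generations and applies the three-generation rule; the Sunday full-backup day, the 02:00 run time, the media labels and the job names are assumptions made for this illustration.

```python
"""Backup generations and off-site retention (added example, not HITRUST code).

Implements the 09.l Level 3 scheme: weekly full, daily incremental, three
generations (full plus dependent incrementals) retained off-site, and a log
entry with name, date, time and action for every backup. Schedule details
(Sunday fulls, 02:00 run time, media labels) are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

FULL_WEEKDAY = 6           # Sunday: assumed weekly full-backup day
KEEP_GENERATIONS = 3       # generations stored off-site, per the control


@dataclass(frozen=True)
class BackupJob:
    name: str
    kind: str              # "full" or "incremental"
    when: datetime
    media: str             # separate media per job, as the control requires


def schedule(start: date, days: int):
    """Constructed job list: a full on FULL_WEEKDAY, an incremental otherwise.

    The first run is always a full, because an incremental with no base
    cannot be restored.
    """
    jobs = []
    for i in range(days):
        day = start + timedelta(days=i)
        kind = "full" if i == 0 or day.weekday() == FULL_WEEKDAY else "incremental"
        jobs.append(BackupJob(
            name=f"{kind}-{day.isoformat()}",
            kind=kind,
            when=datetime.combine(day, time(2, 0)),
            media=f"tape-{i:04d}",          # constructed media label
        ))
    return jobs


def group_generations(jobs):
    """Split jobs into generations: each full with the incrementals that depend on it."""
    generations = []
    for job in sorted(jobs, key=lambda j: j.when):
        if job.kind == "full":
            generations.append([job])
        elif generations:
            generations[-1].append(job)
        else:
            # An incremental chain with no full is unrestorable; refuse it.
            raise ValueError(f"{job.name} is an incremental with no preceding full")
    return generations


def log_line(job, action):
    """Log entry carrying the four fields the control names: name, date, time, action."""
    return f"{job.when:%Y-%m-%d} {job.when:%H:%M} {job.name} {action}"


def apply_retention(jobs, keep=KEEP_GENERATIONS):
    """Decide which generations stay off-site and which may be expired.

    Whole generations are expired, never a full alone: expiring a full while
    its incrementals remain would leave a chain that cannot be restored.
    """
    if keep <= 0:
        raise ValueError("at least one generation must be kept")
    generations = group_generations(jobs)
    retained = generations[-keep:]
    expired = generations[:-keep]
    log = []
    for gen in retained:
        log.extend(log_line(job, "retain-offsite") for job in gen)
    for gen in expired:
        log.extend(log_line(job, "expire") for job in gen)
    return retained, expired, log


def demo(days=28):
    """Run the scheme over a constructed 4-week period starting Wed 2014-01-01."""
    jobs = schedule(date(2014, 1, 1), days)
    retained, expired, log = apply_retention(jobs)
    return {
        "generations": len(retained) + len(expired),
        "retained": len(retained),
        "expired": len(expired),
        "jobs_retained": sum(len(g) for g in retained),
        "jobs_expired": sum(len(g) for g in expired),
        "log": log,
    }


if __name__ == "__main__":
    result = demo()
    print(f"{result['retained']} generations retained, {result['expired']} expired")
    for line in result["log"]:
        print(line)
```

Over the constructed four weeks the forced first full plus the four Sunday fulls give five generations; the two oldest are expired together with their incrementals, and every one of the 28 jobs appears exactly once in the log.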

CMS Contractors

CMS Contractors: Backups shall include:
i. copies of user-level and system-level information (including system state information);
ii. copies of the operating system and other critical information system software; and
iii. the information system inventory (including hardware, software, and firmware components).

Objective Name: 09.06 Network Security Management

Control Objective: Ensure the protection of information in networks and protection of the supporting network infrastructure.

Control Reference: 09.m Network Controls

Control Specification: Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit.

*Required for HITRUST Certification 2014

Factor Type: Organizational

Topics: Authentication
Communications and Transmissions
Cryptography
Data Loss Prevention
Monitoring
Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Network managers shall implement controls to ensure the security of information in networks, and the protection of connected services from unauthorized access. Controls shall be implemented to ensure the availability of network services and information services using the network. Responsibilities and procedures shall be established for the management of equipment on the network, including equipment in user areas.

When configuring wireless access points and devices, the organization shall change the following:
i. vendor default encryption keys;
ii. encryption keys any time anyone with knowledge of the keys leaves the company or changes positions;
iii. default SNMP community strings on wireless devices;
iv. default passwords/passphrases on access points;
v. firmware on wireless devices to support strong encryption for authentication and transmission over wireless networks; and
vi. other security-related wireless vendor defaults, if applicable.
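The Level 1 wireless items above can be checked mechanically against a configuration export. The following Python audit script is an added example, not part of the HITRUST CSF or any vendor's tooling; the export format, the vendor-default values, the firmware threshold and the key-holder departure record are all constructed for illustration.

```python
"""Added example (not part of the HITRUST CSF text): audit a wireless access
point configuration export against the Level 1 'change vendor defaults' items."""
from __future__ import annotations
from datetime import date

# Constructed vendor defaults for a hypothetical AP model; a real audit takes
# these from the vendor documentation for the device being checked.
VENDOR_DEFAULTS = {
    "wpa_passphrase": "admin1234",
    "admin_password": "admin",
    "snmp_community_ro": "public",
    "snmp_community_rw": "private",
}
WEAK_ENCRYPTION = {"open", "wep", "wpa"}   # anything below WPA2 fails item v
MIN_FIRMWARE = (2, 0, 0)                    # constructed: first firmware with WPA2 support


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines of the constructed export; skip blanks and comments."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def parse_version(text: str) -> tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def audit_ap(cfg: dict[str, str], key_holder_departures: list[date]) -> list[str]:
    """Return one finding per Level 1 item (i-v) that the configuration fails."""
    findings = []
    if cfg.get("wpa_passphrase") == VENDOR_DEFAULTS["wpa_passphrase"]:
        findings.append("i: wpa_passphrase is still the vendor default")
    # ii: the key must have been rotated after anyone who knew it left or changed role
    rotated = date.fromisoformat(cfg.get("key_last_rotated", "1970-01-01"))
    if any(departed >= rotated for departed in key_holder_departures):
        findings.append("ii: key not rotated since a key holder left or changed role")
    for key in ("snmp_community_ro", "snmp_community_rw"):
        if cfg.get(key) == VENDOR_DEFAULTS[key]:
            findings.append(f"iii: {key} is still the vendor default")
    if cfg.get("admin_password") == VENDOR_DEFAULTS["admin_password"]:
        findings.append("iv: admin_password is still the vendor default")
    mode = cfg.get("encryption", "open").lower()
    if mode in WEAK_ENCRYPTION:
        findings.append(f"v: encryption mode '{mode}' is weaker than WPA2")
    if parse_version(cfg.get("firmware", "0")) < MIN_FIRMWARE:
        findings.append("v: firmware predates WPA2 support and must be updated")
    return findings


# Constructed configuration exports (not from a real device).
UNCHANGED_EXPORT = """
ssid = clinic-wifi
encryption = wpa
firmware = 1.4.2
wpa_passphrase = admin1234
key_last_rotated = 2013-06-01
admin_password = admin
snmp_community_ro = public
snmp_community_rw = private
"""
HARDENED_EXPORT = """
ssid = clinic-wifi
encryption = wpa2-enterprise
firmware = 2.1.0
wpa_passphrase = <unique-per-site-secret>
key_last_rotated = 2014-02-15
admin_password = <unique-per-device-secret>
snmp_community_ro = <random-string-1>
snmp_community_rw = <random-string-2>
"""
KEY_HOLDER_DEPARTURES = [date(2014, 1, 31)]   # constructed HR record

if __name__ == "__main__":
    for name, export in (("unchanged", UNCHANGED_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, audit_ap(parse_config(export), KEY_HOLDER_DEPARTURES) or "no findings")
```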

A current network diagram (for example, one that shows how covered information flows over the network) shall exist, documenting all connections to systems storing, processing or transmitting covered information, including any wireless networks. The network diagram shall be reviewed and updated based on changes in the environment and no less than every 6 months.

Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols can be continued targets of malicious individuals who exploit these vulnerabilities to gain privileged access to covered information environments. The organization monitors for unauthorized wireless access to the information system and prohibits installation of wireless access points (WAP) unless explicitly authorized, in writing, by the CIO or his/her designated representative. The organization shall ensure wireless networks connected to the systems that store, process or transmit covered information implement strong encryption (e.g. WPA) for authentication and transmission.

WAPs shall be placed in secure areas.

Extra attention shall be given to the use of Voice over Internet Protocol
(VoIP) technologies. Usage restrictions and implementation guidance shall
be defined and documented for VoIP, including the authorization and
monitoring of the service.
Level 1 Control Standard Mapping:
• CSA SA-10
• HIPAA §164.308(a)(2)(ii)(A)
• HIPAA §164.308(a)(4)(ii)(B)
• HIPAA §164.310(b)
• PCI DSS v2 1.1.2
• PCI DSS v2 1.1.3
• PCI DSS v2 1.1.4
• PCI DSS v2 2.1.1
• PCI DSS v2 4.1.1
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None



Level 2 Implementation: Level 1 plus:
The organization shall uniquely identify and authenticate network devices that require authentication mechanisms before establishing a connection, using, at a minimum, shared information (i.e., MAC or IP address) and access control lists to control remote network access.

To identify and authenticate devices on local and/or wide area networks, the information system shall use either:
i. shared known information solutions (Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses); or
ii. an organizational authentication solution (IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP-Transport Layer Security (TLS) authentication).

The required strength of the device authentication mechanism shall be determined by the security categorization of the information system. A formal process shall be established for approving and testing all network connections and changes to the firewall and router configurations. The organization shall build a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment (Note: An "un-trusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage). Perform quarterly scans for unauthorized wireless access points and take appropriate action if any access points are discovered. Any changes to the firewall configuration shall be updated in the network diagram.

The firewall configuration shall:
i. restrict inbound and outbound traffic to that which is necessary for the covered information systems environment;
ii. secure and synchronize router configuration files;
iii. require firewalls between any wireless networks and the covered information systems environment; and
iv. configure these firewalls to deny or control any traffic from a wireless environment into the covered data environment.

The organization shall ensure information systems protect the confidentiality and integrity of transmitted information. The organization requires information systems to use FIPS-validated cryptographic mechanisms during transmission to protect the confidentiality and integrity of information unless otherwise protected by alternative physical measures.

Extra attention shall be given to the use of Voice over Internet Protocol (VoIP) technologies. Usage restrictions and implementation guidance shall be defined and documented for VoIP, including the authorization and monitoring of the service.

The name/address resolution system shall provide additional data origin integrity artifacts (e.g. digital signatures, cryptographic keys) along with authoritative data (e.g. DNS resource records) in response to queries, to obtain origin authentication and integrity verification assurances.

The organization shall:
i. authorize connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement;
ii. document, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
iii. employ a deny all, permit by exception policy for allowing connections from the information system to other information systems outside of the organization.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 SC-7 (HIGH)
• CMSRs 2012v1.5 SC-8 (HIGH)
• CMSRs 2012v1.5 SC-8(1) (HIGH)
• CMSRs 2012v1.5 SC-19 (HIGH)
• CMSRs 2012v1.5 SC-20 (HIGH)
• CMSRs 2012v1.5 SC-20 (1) (HIGH)
• CSA SA-08
• NIST SP800-53 R4 AC-18
• NIST SP800-53 R4 SC-7
• NIST SP800-53 R4 SC-19
• NIST SP800-53 R4 SC-20
• NIST SP800-53 R4 CA-3(5)
• PCI DSS v2 1.1.1
• PCI DSS v2 1.2
• PCI DSS v2 1.2.1
• PCI DSS v2 1.2.2
• PCI DSS v2 1.2.3
• PCI DSS v2 4.1
• PCI DSS v2 11.1
• Phase 1 CORE 153: Eligibility and Benefits Connectivity Rule v1.1.0

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
An analysis shall be conducted to determine the impact the loss of network
service availability will have upon critical business functions.

Technical controls shall be implemented to safeguard the confidentiality and integrity of covered information passing over the organization's network and to/from public networks. Technical tools and solutions shall be implemented and used to identify the vulnerabilities and mitigate the threats, including intrusion detection system (IDS), and vulnerability scanning. The organization shall employ tools and techniques, such as an IDS, to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system. These tools shall be implemented at the perimeter of the organization's environment and at key points within the environment. These tools shall be updated on a regular basis, including the engines, the baselines and signatures.

Management processes shall be implemented to ensure coordination of and consistency in the elements of the network infrastructure.

The organization shall establish firewall and router configuration standards for the current network with all connections to covered information, including any wireless networks. A description shall be documented of groups, roles, and responsibilities for the logical management of network components.

Documentation and business justification shall be provided for the use of all
services, protocols, and ports allowed, including documentation of security
features implemented for those protocols considered to be insecure. The
firewall and router rule sets shall be reviewed at least every six months.

Wireless access points shall be shut down when not in use (e.g. nights,
weekends). MAC address authentication and static IP addresses shall be
utilized. Access points shall be placed in secure areas. File sharing shall
be disabled on all wireless clients.



The organization shall build a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment (e.g., blocking the information flooding of denial-of-service attacks). The router configuration files shall be secured and synchronized. Access to all proxies shall be denied, except for those hosts, ports, and services that are explicitly required. The organization shall utilize firewalls from at least two (2) different vendors at the various levels within the network to reduce the possibility of compromising the entire network.

The organization shall prohibit direct public access between the Internet
and any system component in the covered data environment.

This shall be achieved by performing the following:
i. establishing a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the covered data environment;
ii. limiting inbound Internet traffic to IP addresses within the DMZ;
iii. not allowing any direct routes inbound or outbound for traffic between the Internet and the covered data environment;
iv. not allowing internal addresses to pass from the Internet into the DMZ;
v. restricting outbound traffic from the covered data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ;
vi. implementing stateful inspection, also known as dynamic packet filtering (that is, only "established" connections are allowed into the network);
vii. placing all database(s), servers and other system components storing or processing covered information in an internal network zone, segregated from the DMZ; and
viii. employing methods including, but not limited to, Network Address Translation (NAT), placing system components behind a proxy server, and/or removing or filtering route advertisements.
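The Level 2 firewall configuration items and the Level 3 DMZ items ii to vi above are all statements about which flows a rule set must permit or deny, so a rule set can be checked by simulating probe flows through it. The following Python script is an added example, not from the HITRUST CSF or any firewall vendor; the zone addresses, the rule set and the probe flows are constructed, and the rule model (first match, implicit deny, ingress interface, established-session flag) is a simplification of a real stateful firewall.

```python
"""Added example (not part of the HITRUST CSF text): simulate probe flows through
a zone-based firewall rule set to check the Level 2 / Level 3 boundary items."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed zone layout for a hypothetical covered data environment (CDE).
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("203.0.113.0/24")       # documentation range, stands in for the DMZ
CDE = ip_network("10.10.0.0/16")         # internal zone holding covered data
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: int | None = None        # None matches any destination port
    ingress: str | None = None      # interface the packet must arrive on, None = any
    established_only: bool = False  # stateful: matches only replies to existing sessions


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    ingress: str
    established: bool = False


def evaluate(rules: list[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit deny (deny all, permit by exception)."""
    for r in rules:
        if flow.src not in r.src or flow.dst not in r.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        if r.ingress is not None and r.ingress != flow.ingress:
            continue
        if r.established_only and not flow.established:
            continue
        return r.action
    return "deny"


def check_policy(rules: list[Rule]) -> list[str]:
    """Return the Level 3 items (ii-vi) that the rule set fails, as findings."""
    inet = ip_address("198.51.100.7")       # an arbitrary Internet host
    dmz_host = ip_address("203.0.113.10")   # published web front end in the DMZ
    cde_host = ip_address("10.10.1.5")      # database holding covered information
    probes = [  # (item being checked, probe flow, verdict the item requires)
        ("ii: inbound Internet traffic must reach only DMZ addresses",
         Flow(inet, ip_address("10.0.5.5"), 443, "internet"), "deny"),
        ("ii: inbound Internet traffic to the published DMZ service is allowed",
         Flow(inet, dmz_host, 443, "internet"), "permit"),
        ("iii: no direct inbound route Internet -> CDE",
         Flow(inet, cde_host, 443, "internet"), "deny"),
        ("iii: no direct outbound route CDE -> Internet",
         Flow(cde_host, inet, 443, "cde"), "deny"),
        ("iv: private source addresses arriving from the Internet are dropped",
         Flow(ip_address("10.0.5.5"), dmz_host, 443, "internet"), "deny"),
        ("v: CDE outbound traffic may reach the DMZ",
         Flow(cde_host, ip_address("203.0.113.20"), 8443, "cde"), "permit"),
        ("vi: unsolicited inbound to a non-published port is dropped",
         Flow(inet, dmz_host, 51000, "internet"), "deny"),
        ("vi: reply traffic of an established session is allowed",
         Flow(inet, dmz_host, 51000, "internet", established=True), "permit"),
    ]
    return [item for item, flow, expected in probes if evaluate(rules, flow) != expected]


# Constructed rule set that satisfies the items above.
COMPLIANT_RULES = (
    [Rule("deny", net, ANY, ingress="internet") for net in PRIVATE]   # iv: anti-spoofing
    + [Rule("permit", ANY, DMZ, dport=443, ingress="internet"),        # ii: published service
       Rule("permit", ANY, ANY, established_only=True),                # vi: stateful replies
       Rule("permit", CDE, DMZ, ingress="cde")]                        # v: CDE -> DMZ only
)

# The same rule set with one "convenience" rule appended; check_policy names the broken item.
LEAKY_RULES = COMPLIANT_RULES + [Rule("permit", ANY, CDE, dport=443, ingress="internet")]

if __name__ == "__main__":
    print("compliant:", check_policy(COMPLIANT_RULES) or "no findings")
    print("leaky:", check_policy(LEAKY_RULES))
```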

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. A resolving or caching domain name system (DNS) server and authoritative DNS servers are examples of systems that perform this function.

To eliminate single points of failure and to enhance redundancy, there shall be at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary. These servers shall be located on different subnets and geographically separated. Authoritative DNS servers shall be segregated into internal and external roles. The DNS server with the internal role shall provide name/address resolution information pertaining to both internal and external information technology resources, while the DNS server with the external role shall only provide name/address resolution information pertaining to external information technology resources.
Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 AC-18 (HIGH)
• CMSRs 2012v1.5 AC-18(1) (HIGH)
• CMSRs 2012v1.5 AC-18(2) (HIGH)
• CMSRs 2012v1.5 AC-18(4) (HIGH)
• CMSRs 2012v1.5 AC-18(5) (HIGH)
• CMSRs 2012v1.5 CM-8(3) (HIGH)
• CMSRs 2012v1.5 SC-7(6) (HIGH)
• CMSRs 2012v1.5 SC-21 (HIGH)
• CMSRs 2012v1.5 SC-22 (HIGH)
• COBIT 4.1 DS5.10
• COBIT 5 DSS05.02
• ISO/IEC 27002-2005 10.6.1
• ISO/IEC 27002-2005 12.5.4
• NIST SP800-53 R4 AC-18(1)
• NIST SP800-53 R4 SC-21
• NIST SP800-53 R4 SC-22
• NRS 603A.215.1
• PCI DSS v2 1.1.5
• PCI DSS v2 1.1.6
• PCI DSS v2 1.3
• PCI DSS v2 1.3.1
• PCI DSS v2 1.3.2
• PCI DSS v2 1.3.3
• PCI DSS v2 1.3.4
• PCI DSS v2 1.3.5
• PCI DSS v2 1.3.6
• PCI DSS v2 1.3.7
• PCI DSS v2 1.3.8
• PCI DSS v2 11.4

CMS Contractor Requirements

CMS Contractors: The organization shall prevent the unauthorized release of information outside of the network boundary or any unauthorized communication through the network boundary when there is an operational failure of the boundary protection mechanisms.

The organization shall not allow users to independently configure wireless networking capabilities.

The organization shall confine wireless communications to organization-controlled boundaries.

Control Reference: 09.n Security of Network Services

Control Specification: Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
Factor Type: Organizational
Topics: Documentation and Records
Monitoring
Requirements (Legal and Contractual)
Services and Acquisitions
Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The ability of the network service provider to manage agreed services in a secure way shall be determined and regularly monitored, and the right to audit shall be agreed by management. The security arrangements necessary for particular services, including security features, service levels, and management requirements, shall be identified and documented.
Level 1 Control Standard Mapping:
• CSA IS-31
• HIPAA §164.308(b)(1)
• HIPAA §164.308(b)(4)
• HIPAA §164.312(c)(1)
• HIPAA §164.213(c)(2)
• HIPAA §164.312(e)(1)
• HIPAA §164.312(e)(2)(i)
• HIPAA §164.312(e)(2)(ii)
• HIPAA §164.314(a)(1)
• HIPAA §164.314(a)(2)(ii)
• ISO/IEC 27002-2005 10.6.2
• ISO 27799-2008 7.7.6.2
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance; Subject to the CMS Minimum Security Requirements (HIGH)
Level 2 Implementation: Level 1 plus:
The organization shall:
i. authorize connections from the information system to other
information systems outside of the organization through the use of
interconnection security agreements or other formal agreement; and
ii. document for each connection, the interface characteristics, security
requirements, and the nature of the information communicated.

Formal agreements with external information system services shall:
i. require providers comply with organizational information security requirements;
ii. employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidance;
iii. define and document organizational oversight and user roles and responsibilities with regard to external information system services; and
iv. provide for organizational monitoring of security control compliance by external service providers.

The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of such external/outsourced services.

The contract with the external/outsourced service provider shall include the specification that the service provider is responsible for the protection of covered information shared in the contract.
Level 2 Control Standard Mapping:
• 16 CFR Part §681.2 (e)(4)
• CMSRs 2012v1.5 CA-3 (HIGH)
• CMSRs 2012v1.5 SA-9 (HIGH)
• CMSRs 2012v1.5 SA-9(2) (HIGH)
• NIST SP800-53 R4 CA-3
• NIST SP800-53 R4 SA-9
• NIST SP800-53 R4 SC-8(1)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: None
Level 3 Control Standard Mapping: None

CMS Contractor Requirements

CMS Contractors: The organization shall prohibit service providers from outsourcing any system function outside the U.S. or its territories.

Objective Name: 09.07 Media Handling

Control Objective: Prevent unauthorized disclosure, modification, removal or destruction of information assets, or interruptions to business activities.

Control Reference: 09.o Management of Removable Media



Control Specification: Formal procedures shall be documented and implemented for the management of removable media.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Authorization
Cryptography
Documentation and Records
Media and Assets
Physical and Facility Security
Policies and Procedures

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Policies and procedures shall be established and enforced for the management of removable media and laptops including:
i. restrictions on the type(s) of media, and usages thereof to maintain security;
ii. registration of certain type(s) of media including laptops.

Policies and procedures shall be updated annually.

Media containing covered information shall be physically stored and its data encrypted in accordance with the organization's data protection and privacy policy on the use of cryptographic controls (see 06.d) until the media are destroyed or sanitized (see 09.p), and commensurate with the confidentiality and integrity requirements for its data classification level.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 MP-1 (HIGH)
• CMSRs 2012v1.5 MP-4 (HIGH)
• CMSRs 2012v1.5 MP-5 (HIGH)
• CSA IS-32
• Guidance to render PHI unusable, unreadable, or indecipherable (a)(i)
• HIPAA §164.310(c)
• HIPAA §164.310(d)(1)
• HIPAA §164.310(d)(2)(iv)
• ISO 27799-2008 7.7.7.1
• NIST SP800-53 R4 MP-1
• NIST SP800-53 R4 MP-4
• NIST SP800-53 R4 MP-5
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• (State of Mass.) 201 CMR 17.03(2)(c)
• (State of Mass.) 201 CMR 17.04(5)
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to State of Massachusetts Data Protection Act
Level 2 Implementation: Level 1 plus:
Redundancy of storage shall be established in light of the risks to the
removable media, including where storage retention requirements exceed
the rated life of the media.

Organizations shall identify digital and non-digital media requiring restricted use and the specific safeguards necessary to restrict use.

The organization:
i. protects and controls digital and non-digital media containing sensitive information during transport outside of controlled areas using cryptography and tamper evident packaging and
1. if hand carried, using a securable container (e.g., locked briefcase) via authorized personnel, or
2. if shipped, trackable with receipt by commercial carrier;
ii. maintains accountability for information system media during transport outside of controlled areas; and
iii. restricts the activities associated with transport of such media to authorized personnel.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 MP-5(2) (HIGH)
• CMSRs 2012v1.5 MP-5(3) (HIGH)
• CMSRs 2012v1.5 MP-5(4) (HIGH)
• ISO/IEC 27002-2005 10.7.1
• NIST SP800-53 R4 MP-5(4)
• NIST SP800-53 R4 MP-7
• NRS 603A.215.1
• PCI DSS v1.2 9.8

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Pharmaceutical Companies: > 70,000,000 Prescriptions Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
Organizations shall restrict the use of writable, removable media and
personally-owned, removable media in organizational systems.

The organization shall prohibit the use of removable media in organization information systems when the media has no identifiable owner.
Level 3 Control Standard Mapping:
• CMSRs 2010v1.0 MP-6(3) (HIGH)
• NIST SP800-53 R4 MP-7 (1)

CMS Contractor Requirements

CMS Contractors: The organization employs an identified custodian throughout the transport of CMS information system media.

Portable, removable storage devices shall be sanitized prior to connecting such devices to the information system under the following circumstances:
i. initial use after purchase;
ii. when obtained from an unknown source;
iii. when the organization loses a positive chain of custody; and
iv. when the device was connected to a lower assurance system based on its security categorization (e.g., a publicly accessible kiosk).

Control Reference: 09.p Disposal of Media

Control Specification: Media shall be disposed of securely and safely when no longer required, using formal procedures that are documented.
*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Media and Assets
Policies and Procedures
Services and Acquisitions
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to Joint Commission Accreditation
Level 1 Implementation: Formal procedures for the secure disposal of media shall minimize the risk of information leakage to unauthorized persons. The procedures for the secure disposal of media containing information shall be commensurate with the sensitivity of that information.

The following items shall be addressed:
i. the use of generally-accepted secure disposal methods, or erasure methods (see 08.l) where the media will be reused by another application within the organization, for media that contains (or might contain) covered information; and
ii. the identification of information that qualifies as covered, or a policy shall be developed that all information shall be considered covered in the absence of unequivocal evidence to the contrary.



It may be easier to arrange for all media items to be collected and disposed
of securely, rather than attempting to separate out the items containing
covered information. If collection and disposal services offered by other
organizations are used, care shall be taken in selecting a suitable contractor
with adequate controls and experience.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 MP-6 (HIGH)
• CSA DG-05
• Guidance to render PHI unusable, unreadable, or indecipherable (b)
• HIPAA §164.310(d)(1)
• HIPAA §164.310(d)(2)(i)
• HIPAA §164.310(d)(2)(ii)
• ISO 27799-2008 7.7.7.2
• JCAHO IM.02.01.03, EP 3
• NIST SP800-53 R4 MP-6
• NRS 603A.215.1
• PCI DSS v2 9.10
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System None
Factors:
Level 2 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High)
Level 2 Level 1 plus:
Implementation:
Procedures shall be implemented to address the aggregation effect when
accumulating media for disposal: a large quantity of individually
non-covered information may, taken together, become covered information
and shall then be disposed of as such.
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 MP-6(1) (HIGH)
 CMSRs 2012v1.5 MP-6(2) (HIGH)
 CMSRs 2012v1.5 MP-6(5) (HIGH)
 CMSRs 2012v1.5 MP-6(6) (HIGH)
 ISO/IEC 27002-2005 10.7.2

Level 3 Implementation Requirements

Level 3 None
Organizational
Factors:
Level 3 System None
Factors:
Level 3 None
Regulatory
Factors:
Level 3 No additional requirements
Implementation:

CMS Contractor Requirements

CMS Contractors: Logging and an audit trail of disposal operations shall be maintained.
Disposal of items containing covered information shall be logged in order to
maintain an audit trail.

The organization tests sanitization equipment and procedures to verify
correct performance as defined in the protection policy within every three
hundred and sixty-five (365) days.

Control Reference: 09.q Information Handling Procedures

Control Specification: Procedures for the handling and storage of information shall be established
to protect this information from unauthorized disclosure or misuse.
*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Cryptography
Data Loss Prevention
Documentation and Records
Media and Assets
Monitoring
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System None
Factors:
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to State of Massachusetts Data
Protection Act
Level 1 Implementation: Procedures for handling, processing, communication and storage of
information (including information media awaiting disposal) shall be
established to protect data from unauthorized disclosure or misuse
including:

i. physical and technical access restrictions commensurate with the data
classification level;
ii. handling and labeling of all media according to its indicated
classification (sensitivity) level;
iii. periodic review (at a minimum annually) of distribution and authorized
recipient lists; and
iv. monitoring the status and location of media containing unencrypted
covered information.

The organization shall formally identify information media (electronic and
paper) that is exempt from marking as long as the exempted items remain
within organization-defined controlled-access areas.
Level 1 Control Standard Mapping:
 CMSRs 2012v1.5 MP-2 (HIGH)
 CMSRs 2012v1.5 MP-3 (HIGH)
 CMSRs 2012v1.5 MP-5(4) (HIGH)
 CMSRs 2012v1.5 SI-12 (HIGH)
 HIPAA §164.308(a)(3)(ii)(A)
 HIPAA §164.310(b)
 HIPAA §164.310(c)
 HIPAA §164.310(d)(1)
 HIPAA §164.310(d)(2)(iv)
 HIPAA §164.312(c)(1)
 ISO 27799-2008 7.7.7.3
 NIST SP800-53 R4 MP-2
 NIST SP800-53 R4 MP-3
 NIST SP800-53 R4 SI-12
 PCI DSS v2 9.6

 (State of Mass.) 201 CMR 17.03(2)(c)
 (State of Mass.) 201 CMR 17.03(2)(g)
 1 TAC § 390.2(a)(1)
 1 TAC § 390.2(a)(4)(A)(ii)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System None
Factors:
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:

Management shall approve any and all media that is moved from a secured
area, especially when media is distributed to individuals.

Formal records of data transfers, including logging and an audit trail,
shall be maintained.
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 MP-2(1) (HIGH)
 ISO/IEC 27002-2005 10.7.3
 NIST SP800-53 R4 MP-2(1)
 NRS 603A.215.1
 PCI DSS v2 9.7
 PCI DSS v2 9.8
 PCI DSS v2 9.9

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Pharmaceutical Companies: > 70,000,000
Prescriptions Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System None
Factors:
Level 3 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

Inventory and disposition records for information system media shall be
maintained to ensure control and accountability of the organization's
information. The media-related records shall contain sufficient information
to reconstruct the data in the event of a breach.

The media records shall, at a minimum, contain:

i. the name of the media recipient;
ii. the signature of the media recipient;
iii. the date/time the media was received;
iv. the media control number and contents;
v. the movement or routing information; and
vi. if disposed of, the date, time, and method of destruction.

The information system implements cryptographic mechanisms to protect
the confidentiality and integrity of sensitive (non-public) information
stored on digital media during transport outside of controlled areas.
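The record content listed above, together with the disposal audit trail that 09.p requires of CMS contractors and the data-transfer log required at Level 2, amounts to a tamper-evident chain-of-custody log. The following is an added example, not HITRUST or CMS code, showing one way to keep such a log in Python with only the standard library: each record is authenticated with an HMAC that also covers the previous record's MAC, so an edited, deleted or reordered entry is detected when the chain is re-verified. The key `LOG_KEY`, the class and function names, and the sample tape record are all constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Assumed for this example: a per-organization secret that authenticates log
# entries. In production it lives in a secrets manager or HSM, not in source.
LOG_KEY = b"example-only-key-do-not-use-in-production"

# Fields every receipt record must carry (the Level 3 minimum record content).
RECEIPT_FIELDS = ("recipient", "signature", "received_at",
                  "control_number", "contents", "routing")
GENESIS_MAC = "0" * 64


def _entry_mac(prev_mac: str, entry: Dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC and this entry's canonical JSON.
    Chaining on prev_mac means that editing, deleting or reordering any entry
    invalidates every MAC that follows it."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


class MediaLog:
    """Append-only inventory and disposition log for information system media."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def _append(self, entry: Dict) -> Dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS_MAC
        entry = dict(entry, prev_mac=prev)
        entry["mac"] = _entry_mac(prev, entry)
        self.entries.append(entry)
        return entry

    def record_receipt(self, **fields: str) -> Dict:
        """Log media received into inventory; refuses incomplete records."""
        missing = [f for f in RECEIPT_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"receipt record is missing {missing}")
        if fields["control_number"] in self.open_items():
            raise ValueError("control number is already in inventory")
        return self._append(dict(fields, event="receipt"))

    def record_disposal(self, control_number: str, method: str,
                        disposed_at: str, attested_by: str) -> Dict:
        """Log destruction of an inventoried item (date, time and method)."""
        if control_number not in self.open_items():
            raise ValueError(f"{control_number} is not an open inventory item")
        return self._append({"event": "disposal", "control_number": control_number,
                             "method": method, "disposed_at": disposed_at,
                             "attested_by": attested_by})

    def open_items(self) -> List[str]:
        """Control numbers received but not yet disposed of."""
        open_set: List[str] = []
        for e in self.entries:
            if e["event"] == "receipt":
                open_set.append(e["control_number"])
            elif e["control_number"] in open_set:
                open_set.remove(e["control_number"])
        return open_set

    def verify(self) -> Optional[int]:
        """Recompute the chain. Returns None if intact, else the index of the
        first entry whose MAC or back-link no longer matches."""
        prev = GENESIS_MAC
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if e.get("prev_mac") != prev or not hmac.compare_digest(
                    e["mac"], _entry_mac(prev, body)):
                return i
            prev = e["mac"]
        return None


def demo_log() -> MediaLog:
    """Constructed sample data: one backup tape received, later destroyed."""
    log = MediaLog()
    log.record_receipt(recipient="A. Clerk", signature="A. Clerk (scanned wet-ink)",
                       received_at="2014-03-01T09:15:00Z", control_number="TAPE-0042",
                       contents="February backup set; contains ePHI",
                       routing="Data center B -> records room 3")
    log.record_disposal("TAPE-0042", method="degauss then shred",
                        disposed_at="2014-06-30T14:00:00Z", attested_by="B. Custodian")
    return log
```

The MAC key is what makes the chain tamper-evident rather than merely self-consistent: an insider who can rewrite the log file cannot recompute the MACs without it, so the key must be held by someone other than the people who write entries. `verify()` returns the index of the first broken entry, which is the point from which the audit trail can no longer be trusted.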
Level 3 Control Standard Mapping:
 CMSRs 2010v1.0 MP-CMS-1 (HIGH)

CMS Contractor Requirements

CMS Contractors: The information system shall use cryptographic mechanisms to protect and
restrict access to information on organization-defined portable digital
media.

The organization physically controls and securely stores digital and
non-digital media defined within NIST SP 800-88, Guidelines for Media
Sanitization, within controlled areas using physical security safeguards
prescribed for the highest system security level of the information ever
recorded on it.

The organization shall employ automated mechanisms to restrict access to
media storage areas and to audit access attempts and access granted.

Control Reference: 09.r Security of System Documentation

Control Specification: System documentation shall be protected against unauthorized access.
Factor Type: Organizational
Topics: Authorization
Documentation and Records
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System None
Factors:
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 1 Implementation: Organizations shall document attempts to obtain information system
documentation when such documentation is either unavailable or non-existent.

The organization shall protect system documentation in accordance with
the organization's risk management strategy, e.g., by access controls (see
1.0), and distribute documentation to organization-defined personnel with
the need for such documentation. The access list for system documentation
shall be kept to a minimum and authorized by the application owner.
Level 1 Control Standard Mapping:
 CMSRs 2012v1.5 SA-5 (HIGH)
 CSA OP-02
 ISO/IEC 27002-2005 10.7.4
 ISO 27799-2008 7.7.7.4
 NIST SP800-53 R4 SA-5
 NIST SP800-53 R4 SA-5 (1)
 NIST SP800-53 R4 SA-5 (3)
 NIST SP800-53 R4 SA-5 (6)

Level 2 Implementation Requirements

Level 2 None
Organizational
Factors:
Level 2 System None
Factors:
Level 2 None
Regulatory
Factors:
Level 2 No additional requirements
Implementation:

Level 3 Implementation Requirements

Level 3 None
Organizational
Factors:
Level 3 System None
Factors:
Level 3 None
Regulatory
Factors:
Level 3 No additional requirements
Implementation:

Objective Name: 09.08 Exchange of Information

Control Ensure the exchange of information within an organization and with any
Objective: external entity is secured and protected, and carried out in compliance with
relevant legislation and exchange agreements.

Control Reference: 09.s Information Exchange Policies and Procedures

Control Specification: Formal exchange policies, procedures, and controls shall be in place to
protect the exchange of information through the use of all types of
communication mediums.

*Required for HITRUST Certification 2014
Factor Type: Organizational
Topics: Awareness and Training
Communications and Transmissions
Cryptography
Personnel
Policies and Procedures
Third Parties and Contractors
Viruses and Malware

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System None
Factors:
Level 1 Regulatory Factors: Subject to FISMA Compliance
Level 1 Implementation: The organization shall ensure that communications protection
requirements, including the security of exchanges of information, are the
subject of policy development (see also 04.a and 04.b) and compliance
audits (see 06.g).

When using electronic communication applications or systems for
information exchange, the following items shall be addressed:
i. policies or guidelines shall be defined outlining acceptable use of
electronic communication applications or systems;
ii. the use of anti-malware for the detection of and protection against
malicious code that may be transmitted through the use of electronic
communications;
iii. procedures shall be implemented for the use of wireless
communications including an appropriate level of encryption (see
09.m);
iv. employee, contractor and any other user's responsibilities shall be
defined to not compromise the organization (e.g. through defamation,
harassment, impersonation, forwarding of chain letters, unauthorized
purchasing, etc.);
v. the required use of cryptographic techniques to protect the
confidentiality, integrity and authenticity of covered information;
vi. the retention and disposal guidelines shall be defined for all business
correspondence, including messages, in accordance with relevant
national and local legislation and regulations; and
vii. controls and restrictions shall be implemented associated with the
forwarding of communications (e.g. automatic forwarding of electronic
mail to external mail addresses).

The organization shall establish terms and conditions, consistent with any
trust relationship established with other organizations owning, operating,
and/or maintaining external information systems, allowing authorized
individuals to:
i. access the information system from external information systems; and
ii. process, store or transmit organization-controlled information using
external information systems.

Personnel shall be appropriately educated and periodically reminded of the
following:
i. not to leave covered or critical information on printing systems (e.g.
copiers, printers, and facsimile machines) as these may be accessed by
unauthorized personnel;
ii. that, when making a phone call, they should take the necessary
precautions not to reveal covered information, to avoid being overheard
or intercepted by:
1. people in their immediate vicinity, particularly when using
mobile phones;
2. wiretapping and other forms of eavesdropping through
physical access to the phone handset or the phone line, or using
scanning receivers; or
3. people at the recipient's end;
iii. not to leave messages containing sensitive information on answering
machines since these may be replayed by unauthorized persons, stored
on communal systems or stored incorrectly as a result of misdialing;
iv. the problems of using facsimile machines, namely:
1. unauthorized access to built-in message stores to retrieve
messages;
2. deliberate or accidental programming of machines to send
messages to specific numbers; and
3. sending documents and messages to the wrong number either
by misdialing or using the wrong stored number;
v. not to register demographic data, such as the e-mail address or other
personal information, in any software, to avoid its collection for
unauthorized use; and
vi. that modern facsimile machines and photocopiers have page caches and
store pages in case of a paper or transmission fault, which will be
printed once the fault is cleared.

Cryptography shall be used to protect the confidentiality and integrity of
remote access sessions to the internal network and to external systems.

Formal procedures shall be defined to encrypt data in transit including use
of strong cryptography protocols to safeguard covered information during
transmission over open public networks.

Valid encryption processes include:
i. Transport Layer Security (TLS) 1.0;
ii. Secure Sockets Layer (SSL) 3.1 (this is the protocol version number that
TLS 1.0 carries on the wire; SSL 3.0 and earlier are not on this list);
iii. IPsec VPNs:
1. gateway-to-gateway architecture;
2. host-to-gateway architecture; and
3. host-to-host architecture;
iv. SSL VPNs:
1. SSL portal VPN; and
2. SSL tunnel VPN.

The list above reflects the baseline at the time of this release; later
revisions of NIST SP 800-52 raise the minimum acceptable version to TLS 1.2.

See NIST SP800-52 Guidelines for the Selection and Use of Transport Layer
Security (TLS) Implementation and NIST SP800-77 Guide to IPsec VPNs for
more information on implementing encryption technologies for information
transmissions.

Examples of open, public networks include:

i. the Internet;
ii. wireless technologies;
iii. Global System for Mobile communications (GSM); and
iv. General Packet Radio Service (GPRS).
Level 1 Control Standard Mapping:
 CMSRs 2012v1.5 AC-17 (HIGH)
 CMSRs 2012v1.5 AC-17(2) (HIGH)
 CMSRs 2012v1.5 AC-20 (HIGH)
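The protocol list and the NIST SP 800-52 reference above say what is acceptable but not how to enforce it on a client. The following is an added example, not HITRUST or NIST code, that shows in Python's standard `ssl` module a permissive client configuration (no version floor, no certificate validation) beside a hardened one (TLS 1.2 or later, full validation against the platform trust store), and a small audit function that reports which of those policy points a given context violates. The TLS 1.2 floor, the function names and the wording of the findings are this example's own choices.

```python
import ssl
from typing import List

# Policy assumed for this example: TLS 1.2 or later, peer certificate required,
# and the hostname checked against that certificate.
MINIMUM_VERSION = ssl.TLSVersion.TLSv1_2


def permissive_client_context() -> ssl.SSLContext:
    """The weak setting: accept any protocol version the library still supports
    and skip certificate validation entirely. Shown as the 'before' configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: TLS 1.2+ with certificate and hostname validation.
    create_default_context() already sets CERT_REQUIRED and check_hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MINIMUM_VERSION
    return ctx


def audit_tls_policy(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations found in a context; empty means compliant."""
    findings: List[str] = []
    if ctx.minimum_version < MINIMUM_VERSION:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} "
                        f"is below {MINIMUM_VERSION.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


if __name__ == "__main__":
    for name, factory in (("permissive", permissive_client_context),
                          ("hardened", hardened_client_context)):
        print(name, audit_tls_policy(factory()) or "compliant")
```

The version floor is set explicitly rather than relying on library defaults because the default has changed between Python and OpenSSL releases; an audit that reads `minimum_version` back from the context, as above, catches a build whose default is lower than expected.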
 CMSRs 2012v1.5 SC-1 (HIGH)
 CSA SA-03
 HIPAA §164.308(b)(1)
 HIPAA §164.310(b)
 ISO/IEC 27002-2005 10.8.1
 ISO 27799-2008 7.7.8.1
 JCAHO IM.02.01.03, EP 1
 NIST SP800-53 R4 AC-17
 NIST SP800-53 R4 AC-17(2)
 NIST SP800-53 R4 AC-20
 PCI DSS v2 4.1.1
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System None
Factors:
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to State of Massachusetts Data
Protection Act, Subject to the State of Nevada Security of Personal
Information Requirements, Subject to Joint Commission Accreditation,
Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

The organization shall permit authorized individuals to use an external
information system to access the information system or to process, store or
transmit organization-controlled information only when the organization:
i. verifies the implementation of required security controls on the
external system as specified in the organization's information security
policy and security plan; or
ii. retains approved information connection or processing agreements
with the organizational entity hosting the external information system
(see 09.t).

The organization shall limit the use of organization-controlled portable
storage media by authorized individuals on external information systems.
Terms and conditions shall be established for authorized individuals:
i. to access the information system from an external information system;
and
ii. to process, store and/or transmit organization-controlled information
using an external information system.

The information system shall:
i. prohibit remote activation of collaborative computing devices; and
ii. provide an explicit indication of use to users physically present at the
devices.
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 SC-15 (HIGH)
 CMSRs 2012v1.5 SC-15(1) (HIGH)
 CMSRs 2012v1.5 AC-20(1) (HIGH)
 CMSRs 2012v1.5 AC-20(2) (HIGH)
 COBIT 4.1 DS5.11
 COBIT 5 DSS05.02
 CSA IS-18
 Guidance to render PHI unusable, unreadable, or indecipherable (a)(ii)
 JCAHO IM.02.01.03, EP 5
 NIST SP800-53 R4 AC-20 (1)
 NIST SP800-53 R4 AC-20 (2)
 NRS 603A.215.1
 NRS 603A.215.2.a
 PCI DSS v2 4.1
 Phase 1 CORE 153: Eligibility and Benefits Connectivity Rule v1.1.0
 (State of Mass.) 201 CMR 17.04(3)

Level 3 Implementation Requirements

Level 3 None
Organizational
Factors:
Level 3 System None
Factors:
Level 3 None
Regulatory
Factors:
Level 3 No additional requirements
Implementation:

CMS Contractor Requirements

CMS Contractors: The organization shall prohibit the use of external information systems,
including but not limited to, Internet kiosks, personal desktop computers,
laptops, tablet personal computers, personal digital assistant (PDA) devices,
cellular telephones, facsimile machines, and equipment available in hotels
or airports to store, access, transmit, or process CMS sensitive information,
unless explicitly authorized, in writing, by the CIO or his/her designated
representative. If external information systems are authorized, the
organization shall establish strict terms and conditions for their use.

The terms and conditions shall address, at a minimum:
i. the types of applications that can be accessed from external information
systems;
ii. the maximum FIPS 199 security category of information that can be
processed, stored, and transmitted;
iii. how other users of the external information system will be prevented
from accessing federal information;
iv. the use of virtual private networking (VPN) and firewall technologies;
v. the use of and protection against the vulnerabilities of wireless
technologies;
vi. the maintenance of adequate physical security controls;
vii. the use of virus and spyware protection software; and
viii. how often the security capabilities of installed software are to be
updated.
The organization shall prohibit running collaborative computing
mechanisms, unless explicitly authorized, in writing, by the CIO or his/her
designated representative. If authorized, the authorization shall specifically
identify allowed mechanisms, allowed purpose, and the information system
upon which the mechanisms can be used.

Control Reference: 09.t Exchange Agreements

Control Specification: Agreements shall be established and implemented for the exchange of
information and software between the organization and external parties.
Factor Type: Organizational
Topics: Communications and Transmissions
Data Loss Prevention
IT Organization and Management Roles and Responsibilities
Media and Assets
Requirements (Legal and Contractual)
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System None
Factors:
Level 1 Regulatory Factors: Subject to the State of Nevada Security of Personal Information
Requirements
Level 1 Implementation: Exchange agreements shall specify the minimum set of controls on
responsibility, procedures, technical standards and solutions.

The exchange agreements shall also specify organization policies including:

i. classification policy for the sensitivity of the business information;
ii. management responsibilities for controlling and notifying transmission,
dispatch, and receipt;
iii. procedures for notifying the sender of transmission, dispatch, and receipt;
iv. procedures to ensure traceability and non-repudiation;
v. minimum technical standards for packaging and transmission;
vi. courier identification standards;
vii. responsibilities and liabilities in the event of information security
incidents, such as loss of data;

viii. use of an agreed labeling system for covered or critical information,
ensuring that the meaning of the labels is immediately understood and
that the information is appropriately protected;
ix. ownership and responsibilities for data protection, copyright, software
license compliance and similar considerations;
x. technical standards for recording and reading information and
software;
xi. any special controls that may be required to protect covered
items, including cryptographic keys; and
xii. escrow agreements.

Policies, procedures, and standards shall be established and maintained to
protect information and physical media in transit, and shall be referenced in
such exchange agreements.
Level 1 Control Standard Mapping:
 COBIT 4.1 DS5.11
 COBIT 5 DSS05.02
 CSA LG-02
 ISO/IEC 27002-2005 10.8.2
 ISO 27799-2008 7.7.8.1
 NRS 603A.210.2
 Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
 Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 None
Organizational
Factors:
Level 2 System None
Factors:
Level 2 None
Regulatory
Factors:
Level 2 No additional requirements
Implementation:

Level 3 Implementation Requirements

Level 3 None
Organizational
Factors:
Level 3 System None
Factors:
Level 3 None
Regulatory
Factors:
Level 3 No additional requirements
Implementation:

Control Reference: 09.u Physical Media in Transit

Control Specification: Media containing information shall be protected against unauthorized
access, misuse or corruption during transportation beyond the
organization's physical boundaries.
Factor Type: Organizational
Topics: Communications and Transmissions
Cryptography
Media and Assets
Policies and Procedures
Services and Acquisitions

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System None
Factors:
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: The following procedures shall be established to protect information media
being transported between sites:
i. reliable transport or couriers shall be used that can be tracked;
ii. a list of authorized couriers shall be agreed with management;
iii. procedures to check the identification of couriers shall be developed;
and
iv. packaging shall be sufficient to protect the contents from any physical
damage likely to arise during transit and in accordance with any
manufacturers' specifications (e.g. for software), for example, protecting
against any environmental factors that may reduce the media's
restoration effectiveness, such as exposure to heat, moisture or
electromagnetic fields.

Controls shall be adopted to protect covered information from
unauthorized disclosure or modification, including at least one of the
following:
i. use of locked containers;
ii. delivery by hand;
iii. tamper-evident packaging (which reveals any attempt to gain access);
or
iv. splitting of the consignment into more than one delivery and dispatch
by different routes.
Level 1 Control Standard Mapping:
 CSA IS-32
 HIPAA §164.310(d)(1)
 HIPAA §164.310(d)(2)(iii)
 HIPAA §164.312(c)(1)
 ISO/IEC 27002-2005 10.8.3
 ISO 27799-2008 7.7.8.2
 NRS 603A.215.1
 PCI DSS v2 9.7.2
 Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
 Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System None
Factors:
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the State of Nevada Security of
Personal Information Requirements, Subject to Joint Commission
Accreditation, Subject to the CMS Minimum Security Requirements (High)
Level 2 Level 1 plus:
Implementation:
Media shall be encrypted when being moved off site. Media shall be
encrypted on-site unless physical security can be guaranteed.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 MP-5 (HIGH)
- CMSRs 2012v1.5 MP-5(2) (HIGH)
- CMSRs 2012v1.5 MP-5(3) (HIGH)
- CMSRs 2012v1.5 MP-5(4) (HIGH)
- COBIT 4.1 DS5.11
- COBIT 5 DSS05.02
- JCAHO IM.02.01.03, EP 5
- NIST SP800-53 R4 MP-5
- NIST SP800-53 R4 MP-5(4)
- NRS 603A.215.2.a

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall:
i. protect and control digital and non-digital media containing CMS sensitive information during transport outside of controlled areas using cryptography and tamper-evident packaging and
1. if hand carried, using a securable container (e.g., locked briefcase) via authorized personnel, or
2. if shipped, trackable with receipt by commercial carrier;
ii. maintain accountability for information system media during transport outside of controlled areas; and
iii. restrict the activities associated with transport of such media to authorized personnel.

The organization shall employ an identified custodian throughout the transport of information system media outside of controlled areas.

Custodial responsibilities can be transferred from one individual to another
as long as an unambiguous custodian is identified at all times.

Control Reference: 09.v Electronic Messaging

Control Specification: Information involved in electronic messaging shall be appropriately protected.
Factor Type: Organizational
Topics: Authentication
Authorization
Communications and Transmissions

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 1 Implementation: Legal considerations, including requirements for electronic signatures, shall be addressed. Approval shall be obtained prior to using external public services, including instant messaging or file sharing. Stronger levels of authentication controlling access from publicly accessible networks shall be implemented.

Stronger controls, such as electronic signatures, shall be implemented to protect certain electronic messages (e.g. clinical information).

Electronic messages shall be protected throughout the duration of their end-to-end transport path. Cryptographic mechanisms shall be employed to protect message integrity and confidentiality unless protected by alternative measures, e.g., physical controls.

The organization shall never send unencrypted covered information by end-user messaging technologies (e.g. e-mail, instant messaging, and chat).
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 SC-8 (HIGH)
- CMSRs 2012v1.5 SC-8(1) (HIGH)
- CMSRs 2012v1.5 SC-CMS-1 (HIGH)
- COBIT 4.1 DS5.11
- COBIT 5 DSS05.02
- HIPAA §164.312(c)(1)
- HIPAA §164.312(c)(2)
- HIPAA §164.312(e)(1)
- HIPAA §164.312(e)(2)(i)
- HIPAA §164.312(e)(2)(ii)
- ISO/IEC 27002-2005 10.8.4
- ISO 27799-2008 7.7.8.3
- NIST SP800-53 R4 SC-8
- NIST SP800-53 R4 SC-8(1)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 09.w Interconnected Business Information Systems

Control Specification: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.
Factor Type: Organizational
Topics: Communications and Transmissions
Physical and Facility Security
Policies and Procedures
User Access
Network Security

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Security and business implications shall be addressed for interconnecting business information assets including:
i. policy and appropriate controls to manage information sharing;
ii. excluding categories of sensitive business information and classified documents if the system does not provide an appropriate level of protection;
iii. categories of personnel, contractors or business partners allowed to use the system and the locations from which it may be accessed;
iv. restricting selected systems and facilities to specific categories of user; and
v. identifying the status of users (e.g. employees of the organization or contractors in directories for the benefit of other users).
Level 1 Control Standard Mapping:
- HIPAA §164.308(b)(1)
- HIPAA §164.308(b)(4)
- HIPAA §164.314(a)(2)(ii)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:
Information system connections shall be authorized and approvals documented along with their security and business implications.

Security and business implications shall be addressed for interconnecting business information assets including:
i. known vulnerabilities in the administrative and accounting systems where information is shared between different parts of the organization;
ii. restricting access to diary information relating to selected individuals (e.g. personnel working on sensitive projects); and
iii. vulnerabilities of information in business communication systems (e.g. recording phone calls or conference calls, confidentiality of calls, storage of facsimiles, opening mail, distribution of mail).

Interconnected business information systems shall be linked to other requirements and controls, including:
i. the separation of operational systems from the interconnected systems;
ii. the retention and back-up of information held on the system; and
iii. the fallback requirements and arrangements.

A baseline shall be established for basic security hygiene in interconnected systems. A physical and logical firewall configuration shall be established that restricts connections between untrusted networks and systems storing, processing or transmitting covered information.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 CA-3 (HIGH)
- COBIT 4.1 DS5.10
- COBIT 4.1 DS5.11
- COBIT 5 DSS05.02
- ISO/IEC 27002-2005 10.8.5
- ISO 27799-2008 7.7.8.4
- NIST SP800-53 R4 CA-3
- NRS 603A.215.1
- PCI DSS v2 1.2
Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements.

Objective Name: 09.09 Electronic Commerce Services

Control Objective: Ensure the security of electronic commerce services, and their secure use.

Control Reference: 09.x Electronic Commerce Services

Control Specification: Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure or modification.
Factor Type: Organizational
Topics: Authorization
Cryptography
Data Loss Prevention
Requirements (Legal and Contractual)
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None

Level 1 Regulatory Factors: None
Level 1 Implementation: The confidentiality and integrity for electronic commerce shall be maintained by ensuring the following:
i. the level of confidence each party requires in each other's claimed identity (e.g. through authentication);
ii. authorization processes associated with who may set prices, issue or sign key trading documents;
iii. ensuring that trading partners are fully informed of their authorizations;
iv. determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt of key documents, and the non-repudiation of contracts (e.g. associated with tendering and contract processes);
v. the level of trust required in the integrity of advertised price lists;
vi. the confidentiality of any covered data or information;
vii. the confidentiality and integrity of any order transactions, payment information, delivery address details, and confirmation of receipts;
viii. the degree of verification appropriate to check payment information supplied by a customer;
ix. selecting the most appropriate settlement form of payment to guard against fraud;
x. the level of protection required to maintain the confidentiality and integrity of order information;
xi. avoidance of loss or duplication of transaction information;
xii. liability associated with any fraudulent transactions; and
xiii. insurance requirements.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AU-10 (HIGH)
- CSA IS-28
- HIPAA §164.312(c)(1)
- HIPAA §164.312(c)(2)
- HIPAA §164.312(e)(1)
- HIPAA §164.312(e)(2)(i)
- HIPAA §164.312(e)(2)(ii)
- ISO 27799-2008 7.7.9.1
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
A documented agreement shall be committed and maintained for electronic
commerce arrangements between trading partners on the agreed terms of
trading, including details of authorization. Other agreements with
information service and value added network providers shall also be
required.

Public trading systems shall publicize their terms of business to customers.

Attacks on the host(s) used for electronic commerce shall be addressed to provide resilient service(s). The security implications of any network interconnection required for the implementation of electronic commerce services shall be identified and addressed.

Cryptographic controls shall be used to enhance security, taking into account compliance with legal requirements.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 SC-8 (HIGH)
- CMSRs 2012v1.5 SC-8(1) (HIGH)
- ISO/IEC 27002-2005 10.9.1
- NIST SP800-53 R4 SC-8
- NIST SP800-53 R4 SC-8(1)
- NIST SP800-53 R4 SC-9
- NIST SP800-53 R4 SC-9(1)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The information system shall protect against an individual falsely denying having performed a particular action.

Control Reference: 09.y On-Line Transactions

Control Specification: Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Factor Type: Organizational
Topics: Authentication
Communications and Transmissions
Cryptography

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Data involved in electronic commerce and online transactions shall be checked to determine if it contains covered information.

Security shall be maintained through all aspects of the transaction, ensuring that:
i. user credentials of all parties are valid and verified;
ii. the transaction remains confidential; and
iii. privacy associated with all parties involved is retained.

Protocols used to communicate between all involved parties shall be
secured using cryptographic techniques (e.g. SSL).
Level 1 Control Standard Mapping:
- CSA IS-28
- ISO 27799-2008 7.7.9.1

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The use of electronic signatures by each of the parties involved in the
transaction shall be required.

The organization shall ensure the storage of the transaction details are
located outside of any publicly accessible environments (e.g. on a storage
platform existing on the organization's intranet) and not retained and
exposed on a storage medium directly accessible from the Internet.

Where a trusted authority is used (e.g. for the purposes of issuing and
maintaining digital signatures and/or digital certificates) security shall be
integrated and embedded throughout the entire end-to-end
certificate/signature management process.

Communications paths between all involved parties shall be encrypted. The protocols used for communications shall be enhanced to address any new vulnerability, and the updated versions shall be adopted as soon as possible.
Level 2 Control Standard Mapping:
- ISO/IEC 27002-2005 10.9.2
- Phase 1 CORE 153: Eligibility and Benefits Connectivity Rule v1.1.0

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 09.z Publicly Available Information

Control Specification: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification.
Factor Type: Organizational
Topics: Authorization

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: There shall be a formal approval process before information is made publicly available. In addition, all input provided from the outside to the system shall be verified and approved. The source (authorship) of publicly available information shall be stated.

The organization ensures that network access controls, operating system file permissions, and application configurations protect the integrity of information stored, processed, and transmitted by publicly accessible systems, as well as the integrity of publicly accessible applications.

Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 SC-14 (HIGH)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The organization shall:
i. designate individuals authorized to post information onto a publicly accessible information system;
ii. train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
iii. review the proposed content of information prior to posting onto the publicly accessible information system to ensure nonpublic information is not included;
iv. review the content on the publicly accessible information systems for nonpublic information bi-weekly; and
v. remove nonpublic information from the publicly accessible information systems, if discovered.

The publicly accessible system shall be tested against weaknesses and failures prior to information being made available. Installation checklists and vulnerability testing shall be implemented to ensure security baselines and configuration baselines are met or exceeded.

Electronic publishing systems, especially those that permit feedback and direct entering of information, shall be carefully controlled so that:
i. information is obtained in compliance with any data protection legislation;
ii. information input to, and processed by, the publishing system will be processed completely and accurately in a timely manner;
iii. covered information will be protected during collection, processing, and storage; and
iv. access to the publishing system does not allow unintended access to networks to which the system is connected.

Publicly available health information (as distinct from personal health information) shall be archived.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AC-22 (HIGH)
- CMSRs 2012v1.5 SC-CMS-2 (HIGH)
- ISO 27799-2008 7.7.9.2
- ISO/IEC 27001-2005 10.9.3
- NIST SP800-53 R4 AC-22

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
Software, data, and other information requiring a high level of integrity being made available on a publicly available system shall be protected by appropriate mechanisms, including digital signatures. The signatures themselves are a convenient target for unauthorized access or denial-of-service attacks and require extra protection. Digital signatures shall be protected on a secure fault-tolerant system (e.g. increased capacity and bandwidth, service redundancy) with protected access and with full auditing.
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 SC-14 (HIGH)
- ISO/IEC 27002-2005 10.9.3

CMS Contractor Requirements

CMS Contractors: If e-authentication is implemented as a remote access solution or associated with remote access, refer to the Risk Management Handbook (RMH), Volume III, Standard 3.1, “CMS Authentication Standards.”

CMS web sites are operated within the restrictions addressed in OMB
directives M-10-22 "Guidance for Online Use of Web Measurement and
Customization Technologies" and M-10-23 "Guidance for Agency Use of
Third-Party Websites and Applications" and applicable CMS and DHHS
directives and instruction.

The organization shall monitor the CMS and DHHS security programs to
determine if there are any modified directives and instruction.

Objective Name: 09.10 Monitoring

Control Objective: Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements.

Control Reference: 09.aa Audit Logging

Control Specification: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.

*Required for HITRUST Certification 2014


Factor Type: System
Topics: Audit and Accountability
Documentation and Records
Incident Response
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: Information systems processing covered information shall create a secure audit record each time a user accesses, creates, updates, or archives covered information via the system.

The audit logs shall include:
i. a unique user identifier;
ii. a unique data subject (e.g. the patient) identifier;
iii. the function performed by the user (e.g. log-in, record creation, access, update, etc.); and
iv. the time and date that the function was performed.

Logs for operators or administrators shall also include:
i. the type of event that occurred (e.g., success or failure);
ii. the time at which an event occurred;
iii. information about the event (e.g., files handled) or failure (e.g., error occurred and corrective action taken);
iv. which account and which administrator or operator was involved; and
v. which processes were involved.

Audit logs shall be retained in accordance with the organization's retention policy.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AU-8 (HIGH)
- CSA SA-14
- HIPAA §164.308(a)(5)(ii)(C)
- HIPAA §164.312(b)
- NIST SP800-53 R4 AU-3
- NIST SP800-53 R4 AU-8
- NIST SP800-53 R4 AU-11
- PCI DSS v2 10.1
- PCI DSS v2 10.2.1
- PCI DSS v2 10.3.1
- PCI DSS v2 10.3.2
- PCI DSS v2 10.3.3
- PCI DSS v2 10.3.6
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
Messaging systems used to transmit messages containing covered information shall keep a log of message transmissions; such a log shall contain the time, date, origin and destination of the message, but not its content. The organization shall carefully assess and determine the retention period for these audit logs, with particular reference to professional standards and legal obligations, in order to enable investigations to be carried out when necessary and to provide evidence of misuse where necessary.

Audit logs shall include, but are not limited to:
i. dates, times, and details of key events (e.g. log-on and log-off);
ii. records of successful and rejected system access attempts;
iii. records of successful and rejected data and other resource access attempts;
iv. changes to system configuration and procedures for managing configuration changes;
v. use of privileges;
vi. use of system utilities and applications;
vii. files accessed and the kind of access;
viii. network addresses and protocols;
ix. alarms raised by the access control system;
x. activation and de-activation of protection systems, including anti-virus systems and intrusion detection systems;
xi. use of identification and authentication mechanisms; and
xii. creation and deletion of system-level objects.

The listing of auditable events shall be reviewed and updated periodically, at a minimum annually. Information systems' audit logging systems shall be operational at all times while the information system being audited is available for use. Where necessary for highly sensitive logs, separation of duties and split key access shall be employed.

Audit records shall be retained for ninety (90) days, and old
records archived for one (1) year to provide support for after-the-fact
investigations of security incidents and to meet regulatory and the
organization's retention requirements.
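Illustration of the Level 2 requirements above (added here; this is not HITRUST code and not part of the CSF): an append-only audit trail whose message-transmission entries record time, date, origin and destination but have no way to accept the message body, together with a classifier for the 90-day online / one-year archive retention rule. The event fields, the state names and the sample values are assumptions; the one-year archive period is assumed to run from the event time.

```python
"""Added example: content-free message transmission logging and retention
state for audit records. Not HITRUST code; fields and states are assumed."""
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ACTIVE_DAYS = 90     # retained online (section text: ninety days)
ARCHIVE_DAYS = 365   # archived (section text: one year; assumed to run from the event time)


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str                  # ISO 8601 in UTC
    event_type: str                 # e.g. "logon", "message_sent", "privilege_use"
    subject: str                    # user, process or origin that acted
    outcome: str                    # "success" or "failure"
    source: Optional[str] = None    # network address or originating system
    target: Optional[str] = None    # file, record or destination touched
    detail: Optional[str] = None    # free text, never message content


class AuditTrail:
    """In-memory append-only trail (assumption; production code writes to a
    protected, centrally collected store)."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, event: AuditEvent) -> None:
        self._events.append(event)

    def record_message_transmission(self, when: datetime, origin: str,
                                    destination: str,
                                    outcome: str = "success") -> AuditEvent:
        """Log one transmission. The signature has no parameter for the
        message body, so content cannot reach the audit trail by mistake."""
        event = AuditEvent(
            timestamp=when.astimezone(timezone.utc).isoformat(),
            event_type="message_sent", subject=origin, outcome=outcome,
            source=origin, target=destination)
        self.record(event)
        return event

    def events(self) -> List[AuditEvent]:
        return list(self._events)   # a copy: callers cannot alter the trail

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self._events)


def retention_state(event_time: datetime, now: datetime) -> str:
    """'active' while under 90 days old, 'archived' until one year, then
    'disposable' (legal holds are not modelled here)."""
    age = now - event_time
    if age < timedelta(days=ACTIVE_DAYS):
        return "active"
    if age < timedelta(days=ARCHIVE_DAYS):
        return "archived"
    return "disposable"
```

The retention classifier is the piece worth wiring into an archival job: records whose state changes from active to archived are moved to the archive store, and only records reported as disposable are candidates for deletion after the legal-hold check.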
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AU-2(3) (HIGH)
- CMSRs 2012v1.5 AU-11 (HIGH)
- CMSRs 2012v1.5 CM-4 (HIGH)
- ISO/IEC 27002-2005 10.10.1
- ISO 27799-2008 7.7.10.2
- NIST SP800-53 R4 AU-2
- NIST SP800-53 R4 AU-2(3)
- NIST SP800-53 R4 AU-2(4)
- PCI DSS v2 10.2
- PCI DSS v2 10.2.3
- PCI DSS v2 10.2.4
- PCI DSS v2 10.2.5
- PCI DSS v2 10.2.7
- PCI DSS v2 10.3
- PCI DSS v2 10.3.4
- PCI DSS v2 10.3.5
- PCI DSS v2 10.7
- PCI DSS v2 A.1.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: Processing PHI: Yes - AND -, Number of Users: > 5,500, Number of Transactions Per Day: > 85,000, Number of Interfaces to Other Systems: > 75
Level 3 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

i. server alerts and error messages;
ii. user log-on and log-off (successful or unsuccessful);
iii. all system administration activities;
iv. modification of privileges and access;
v. start up and shut down;
vi. application modifications;
vii. application alerts and error messages;
viii. configuration changes;
ix. account creation, modification, or deletion;
x. file creation and deletion;
xi. read access to sensitive information;
xii. modification to sensitive information; and
xiii. printing sensitive information.

Disclosures of covered information shall be recorded. Information type, date, time, receiving party, and releasing party shall be logged. The organization shall verify every ninety (90) days for each extract that the data is erased or its use is still required.

The following shall be logged:

i. all system changes with the potential to compromise the integrity of audit policy configurations and audit record generation services;
ii. the enabling or disabling of audit report generation services; and
iii. command line changes, batch file changes and queries made to the system (e.g., operating system, application, and database).

Account creation, modification, disabling, enabling and removal actions shall be automatically logged and audited, providing notification, as required, to appropriate individuals.
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 AU-2 (HIGH)
- CMSRs 2012v1.5 AU-2(4) (HIGH)
- CMSRs 2012v1.5 AU-3 (HIGH)
- CMSRs 2012v1.5 AU-3(1) (HIGH)
- CMSRs 2012v1.5 AU-3(2) (HIGH)
- CMSRs 2012v1.5 AU-12 (HIGH)
- CMSRs 2012v1.5 AU-12(1) (HIGH)
- NIST SP800-53 R4 AU-3(1)
- NIST SP800-53 R4 AU-12
- NRS 603A.215.1
- PCI DSS v2 10.2.6
- PCI DSS v2 10.2.7
- 1 TAC § 390.2(a)(4)(A)(xi)

CMS Contractor Requirements

CMS Contractors: The organization's audit inspection reports, including a record of corrective actions, shall be retained by the organization for a minimum of three (3) years from the date the inspection was completed.

(For FTI only) The organization shall audit records for the following events
in addition to those specified in other controls:
i. all successful and unsuccessful authorization attempts.
ii. all changes to logical access control authorities (e.g., rights,
permissions).
iii. all system changes with the potential to compromise the integrity of
audit policy configurations, security policy configurations and audit
record generation services.
iv. the audit trail shall capture the enabling or disabling of audit report
generation services.
v. the audit trail shall capture command line changes, batch file changes
and queries made to the system (e.g., operating system, application, and
database).

Audit records shall be compiled from multiple components throughout the system into a system-wide (logical or physical) audit trail that is time-correlated to within +/- five (5) minutes. The organization shall centrally manage the content of audit records generated by individual components throughout the information system.

A real time alert shall be provided when the audit record log is full or there
is an authentication or encryption logging failure.

Control Reference: 09.ab Monitoring System Use

Control Specification: Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Incident Response, Monitoring, Requirements (Legal and Contractual), User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None

Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall comply with all relevant legal requirements applicable to its monitoring activities. Items that shall be monitored include:
i. authorized access; and
ii. unauthorized access attempts.
Level 1 Control Standard Mapping:
- HIPAA §164.308(a)(1)(ii)(D)
- HIPAA §164.308(a)(3)(ii)(A)
- HIPAA §164.308(a)(4)(i)
- HIPAA §164.308(a)(4)(ii)(B)
- HIPAA §164.308(a)(5)(ii)(B)
- HIPAA §164.308(a)(5)(ii)(C)
- HIPAA §164.312(b)
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- (State of Mass.) 201 CMR 17.03(2)(h)
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to FTC Red Flags Rule Compliance, Subject to State of Massachusetts Data Protection Act
Level 2 Implementation: Level 1 plus:
Information systems containing covered information shall actively be
provided with automated assets for monitoring events of the system(s),
detecting attacks, and analyzing logs and audit trails that:
i. allow the identification of all system users who have accessed or
modified a given record(s) over a given period of time; and
ii. allow the identification of all records that have been accessed or
modified by a given system user over a given period of time.

Monitoring devices shall be strategically deployed within the information
system (e.g. at selected perimeter locations, near server farms supporting
critical applications) to collect essential information. Monitoring devices
shall also be deployed at ad hoc locations within the system to track specific
transactions. Additionally, these devices shall be used to track the impact of
security changes to the information system.

Monitoring of authorized access shall include:

i. the user ID;
ii. the date and time of key events;
iii. the types of events;
iv. the files accessed; and
v. the program/utilities used.

All privileged operations shall be monitored including:

i. the use of privileged accounts (e.g. supervisor, root, administrator);
ii. the system start-up and stop; and
iii. I/O device attachment/detachment.

Monitoring of unauthorized access attempts shall include:

i. failed or rejected user actions;
ii. failed or rejected actions involving data and other resources;
iii. access policy violations and notifications for network gateways and firewalls; and
iv. alerts from proprietary intrusion detection systems.

System alerts or failures shall be monitored including:

i. console alerts or messages;
ii. system log exceptions;
iii. network management alarms;
iv. alarms raised by the access control system (e.g. intrusion detection, intrusion prevention, or network monitoring software); and
v. changes to, or attempts to change, system security settings and controls.

Systems shall support audit reduction and report generation, and the results of monitoring activities shall be reviewed regularly.

The information system shall provide the capability to automatically process audit records in the information system for events of interest based on selectable event criteria.

Systems shall support audit reduction and report generation that supports expeditious, on-demand review, analysis, reporting and incident investigation and does not alter the original audit records, and the results of monitoring activities shall be reviewed regularly.
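Illustration of the two Level 2 lookups above (every user who touched a given record in a period, every record a given user touched) and of audit reduction by selectable criteria that leaves the original records untouched. Added here; not HITRUST code and not part of the CSF. The tab-separated record layout and the sample audit lines are constructed for the example.

```python
"""Added example: record/user access lookups and non-destructive audit
reduction over a constructed audit trail. Not HITRUST code."""
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set

# Constructed sample trail; columns: time (UTC), user, action, record id
SAMPLE_TRAIL = """\
2014-03-01T08:05:00Z\tjdoe\tread\tMRN-1001
2014-03-01T08:07:30Z\tjdoe\tmodify\tMRN-1001
2014-03-01T09:15:00Z\tasmith\tread\tMRN-1001
2014-03-01T10:00:00Z\tasmith\tread\tMRN-2002
2014-03-02T14:45:00Z\tbwong\tmodify\tMRN-1001
2014-03-03T07:00:00Z\tjdoe\tread\tMRN-3003
"""

Record = Dict[str, object]


def parse_trail(text: str) -> List[Record]:
    """Parse the constructed tab-separated format into dicts with a
    timezone-aware UTC 'time' so window comparisons are unambiguous."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, record_id = line.split("\t")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"time": when, "user": user, "action": action,
                        "record_id": record_id})
    return records


def in_window(rec: Record, start: datetime, end: datetime) -> bool:
    """Half-open interval [start, end) so adjacent windows never overlap."""
    return start <= rec["time"] < end


def users_for_record(records: List[Record], record_id: str,
                     start: datetime, end: datetime) -> Set[str]:
    """All users who accessed or modified record_id within the window."""
    return {str(r["user"]) for r in records
            if r["record_id"] == record_id and in_window(r, start, end)}


def records_for_user(records: List[Record], user: str,
                     start: datetime, end: datetime) -> Set[str]:
    """All records accessed or modified by user within the window."""
    return {str(r["record_id"]) for r in records
            if r["user"] == user and in_window(r, start, end)}


def reduce_audit(records: List[Record],
                 *criteria: Callable[[Record], bool]) -> List[Record]:
    """Audit reduction: keep records matching every selectable criterion.
    Returns shallow copies in a new list; the original trail is never altered."""
    return [dict(r) for r in records if all(c(r) for c in criteria)]
```

For a real trail the same two lookups would be indexed queries against the central log store; the point the text makes is that both directions (record to users, user to records) must be answerable for an arbitrary period, which a flat per-host log without a record identifier cannot do.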

Level 2 Control Standard Mapping:
- 16 CFR Part §681 Appendix A III(b)
- CMSRs 2010v1.5 AU-7 (HIGH)
- CMSRs 2012v1.5 AU-7 (1) (HIGH)
- ISO/IEC 27002-2005 10.10.2
- ISO/IEC 27002-2005 12.5.4
- ISO 27799-2008 7.7.10.3
- NIST SP800-53 R4 AU-7
- NIST SP800-53 R4 AU-7 (1)
- (State of Mass.) 201 CMR 17.04(4)
- 1 TAC § 390.2(a)(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: Processing PHI: Yes - AND -, Number of Users: > 5,500, Number of Transactions Per Day: > 85,000, Number of Interfaces to Other Systems: > 75
Level 3 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
Unauthorized remote connections to the information systems shall be
monitored and reviewed at least quarterly, and appropriate action shall be
taken if an unauthorized connection is discovered.

The results of monitoring activities shall be reviewed daily, through the use
of automated tools, for those servers that perform security functions like
intrusion detection system (IDS), intrusion prevention system (IPS) and
authentication, authorization, and accounting protocol (AAA) servers (for
example, RADIUS).

The automated tools shall generate alert notification for technical staff
review and assessment.

System records shall be reviewed for:

i. initialization sequences;
ii. log-ons and errors;
iii. system processes and performance; and
iv. system resources utilization.

The reviews shall be conducted daily and the results shall be used to determine anomalies on demand. An alert notification shall be generated for technical personnel review and analysis.

Suspicious activity or suspected violations on the information system shall be investigated, with findings reported to appropriate officials and appropriate action taken.

Manual reviews of system audit records shall be performed randomly on demand, but at least once every thirty (30) days.

The organization shall integrate the audit review, analysis, and reporting
processes to support organizational processes for investigation and
response to suspicious activities.

The organization shall interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system (IDS) using common protocols. The organization shall employ automated tools to support near real-time analysis of events and maintain an audit log to track prohibited sources and services. The organization shall employ automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. Inbound and outbound communications shall be monitored for unusual or unauthorized activities or conditions.

The organization shall specify the permitted actions for information system
processes, roles, and/or users associated with review, analysis, and
reporting of audit records (e.g., read, write, execute, append, and delete).

The organization shall deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

The information system shall provide near real-time alerts when the
following indications of compromise or potential compromise occur:
i. presence of malicious code;
ii. unauthorized export of information;
iii. signaling to an external information system; or
iv. potential intrusions.

The organization analyzes and correlates audit records across different
repositories and correlates this information with input from non-technical
sources to gain and enhance organization-wide situational awareness.

The information system shall:

i. alert designated organizational officials in the event of an audit processing failure; and
ii. take the following additional actions in response to an audit failure or audit storage capacity issue:
1. shut down the information system,
2. stop generating audit records, or
3. overwrite the oldest records, in the case that storage media is unavailable.
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 AU-6 (HIGH)
- CMSRs 2012v1.5 AU-6(1) (HIGH)
- CMSRs 2012v1.5 AU-6(3) (HIGH)
- CMSRs 2012v1.5 SI-4 (HIGH)
- CMSRs 2012v1.5 SI-4(1) (HIGH)
- CMSRs 2012v1.5 SI-4(2) (HIGH)
- CMSRs 2012v1.5 SI-4(3) (HIGH)
- CMSRs 2012v1.5 SI-4(4) (HIGH)
- CMSRs 2012v1.5 SI-4(5) (HIGH)
- CMSRs 2012v1.5 SI-4(6) (HIGH)
- CSA SA-14
- NIST SP800-53 R4 AU-6
- NIST SP800-53 R4 AU-6 (1)
- NIST SP800-53 R4 AU-6 (9)
- NIST SP800-53 R4 SI-4
- NIST SP800-53 R4 SI-4(2)
- NIST SP800-53 R4 SI-4(4)
- NIST SP800-53 R4 SI-4(5)
- NIST SP800-53 R4 SI-4(6)
- NIST SP800-53 R4 AU-6(3)
- NRS 603A.215.1
- PCI DSS v2 10.6
- PCI DSS v2 11.5

CMS Contractor Requirements

CMS Contractors: The organization shall:

i. monitor events on the information system in accordance with CMS Information Security Incident Handling and Breach Analysis/Notification Procedure and detect information system attacks;

ii. heighten the level of information system monitoring activity whenever
there is an indication of increased risk to CMS operations and assets,
individuals, other organizations, or the Nation based on law
enforcement information, intelligence information, or other credible
sources of information.

A real time alert shall be provided when the audit record log is full.

The information system shall provide a warning when allocated audit record storage volume reaches 80% of maximum audit record storage capacity.
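Illustration of the audit-storage requirements in the CMS contractor text above (warning at 80% of capacity, real-time alert when the log is full) combined with the three responses to an audit failure listed under Level 3 (shut down, stop generating records, overwrite the oldest). Added here; not HITRUST code and not part of the CSF. The store counts records rather than bytes, and the response names and alert sink are assumptions.

```python
"""Added example: audit storage capacity states and the configured response
when capacity is exhausted. Not HITRUST code; names are assumptions."""
from collections import deque
from typing import Callable, Deque

WARN_PERCENT = 80   # from the text: warn at 80% of maximum capacity
RESPONSES = ("shutdown", "stop_auditing", "overwrite_oldest")


def storage_state(used: int, capacity: int) -> str:
    """'ok', 'warning' (at or above 80% used) or 'full'. Integer arithmetic
    avoids a float rounding surprise exactly at the threshold."""
    if capacity <= 0:
        raise ValueError("capacity must be positive")
    if used >= capacity:
        return "full"
    if used * 100 >= WARN_PERCENT * capacity:
        return "warning"
    return "ok"


class AuditStore:
    """Fixed-capacity store of audit records. `on_failure` selects which of
    the three responses from the text applies once the store is full."""

    def __init__(self, capacity: int, on_failure: str,
                 alert: Callable[[str], None]) -> None:
        if on_failure not in RESPONSES:
            raise ValueError("unknown response: %r" % on_failure)
        self.capacity = capacity
        self.on_failure = on_failure
        self.alert = alert                  # real-time alert sink (assumed)
        self.records: Deque[str] = deque()
        self.auditing = True
        self.shutdown_requested = False
        self._warned = False

    def write(self, record: str) -> bool:
        """Store one record; returns True if it was kept."""
        if not self.auditing or self.shutdown_requested:
            return False
        if len(self.records) >= self.capacity:
            self.alert("audit log full")    # real-time alert required by the text
            if self.on_failure == "shutdown":
                self.shutdown_requested = True
                return False
            if self.on_failure == "stop_auditing":
                self.auditing = False
                return False
            self.records.popleft()          # overwrite the oldest record
        self.records.append(record)
        if storage_state(len(self.records), self.capacity) == "warning" and not self._warned:
            self.alert("audit storage at %d%% of capacity" % WARN_PERCENT)
            self._warned = True             # warn once, not on every write
        return True
```

Which response is right is a policy decision the text leaves to the organization: "shutdown" preserves every record at the cost of availability, "stop_auditing" keeps the system up but creates a gap in the trail, and "overwrite_oldest" keeps recent evidence but silently discards older evidence, so the full-log alert must reach someone who can act before the overwritten window matters.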

Control Reference: 09.ac Protection of Log Information

Control Specification: Logging systems and log information shall be protected against tampering and unauthorized access.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Audit and Accountability, Documentation and Records, User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: Access to system audit tools and audit trails shall be safeguarded from unauthorized access and use to prevent misuse or compromise of logs.

As defined in the record retention policy or based on applicable requirements to collect and retain evidence, audit logs shall be archived.
Level 1 Control Standard Mapping:
- ISO/IEC 27002:2005 10.10.3

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

Access to audit tools and audit trails shall be limited to those with a job-related need. Authorized and unauthorized access attempts to the audit system and audit trails shall be logged and protected from modification.

Controls shall protect against unauthorized changes and operational problems with the logging system(s) including:
i. promptly backing up audit trail files to a centralized log server or media that is difficult to alter;
ii. alterations to the message types that are recorded (e.g. write-once media); and
iii. log files being edited or deleted.

The organization authorizes access to management of audit functionality to a specific subset of privileged users defined by the organization.

Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AU-9 (HIGH)
- COBIT 4.1 DS5.7
- COBIT 5 DSS05.05
- ISO 27799-2008 7.7.10.4
- NIST SP800-53 R4 AU-9
- NIST SP800-53 R4 AU-9 (4)
- PCI DSS v2 10.2.3
- PCI DSS v2 10.5
- PCI DSS v2 10.5.1
- PCI DSS v2 10.5.2
- PCI DSS v2 10.5.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to PCI Compliance
Level 3 Implementation: Level 2 plus:

The organization shall implement file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Write logs for external-facing technologies (wireless, firewalls, DNS, mail) onto a log server on the internal LAN.
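Illustration of the Level 3 requirement above: change detection on a log file that alerts when previously verified bytes are altered or the file is truncated, but not when new lines are appended. Added here; not HITRUST code and not part of the CSF. It works by recording the length and SHA-256 of the log at the last check and verifying that the current file still begins with exactly those bytes; the baseline format, the weekly roll-forward helper and the sample log lines are assumptions.

```python
"""Added example: append-only integrity check for log files. Not HITRUST
code; baseline layout and sample content are constructed."""
import hashlib
from typing import Dict, Tuple

Baseline = Dict[str, object]   # {"length": int, "sha256": hex digest}


def take_baseline(data: bytes) -> Baseline:
    """Record the length and SHA-256 of the log as it was when verified."""
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def check_append_only(current: bytes, base: Baseline) -> Tuple[bool, str]:
    """Compare the current log against its baseline.

    OK when the file is unchanged or has only grown; ALERT when it is shorter
    than the baseline (truncation) or when the first `length` bytes no longer
    hash to the recorded digest (an earlier entry was edited)."""
    n = int(base["length"])
    if len(current) < n:
        return False, "ALERT: log truncated (%d -> %d bytes)" % (n, len(current))
    if hashlib.sha256(current[:n]).hexdigest() != base["sha256"]:
        return False, "ALERT: previously verified log data was modified"
    if len(current) == n:
        return True, "OK: unchanged"
    return True, "OK: %d bytes appended" % (len(current) - n)


def weekly_comparison(current: bytes, base: Baseline) -> Tuple[bool, str, Baseline]:
    """Run the check and, when it passes, roll the baseline forward so the
    newly appended lines are covered next time. On an alert the old baseline
    is kept unchanged for the investigation."""
    ok, message = check_append_only(current, base)
    return ok, message, (take_baseline(current) if ok else base)


# Constructed sample log content
ORIGINAL_LOG = (b"2014-03-01T08:00:00Z auth ok user=jdoe\n"
                b"2014-03-01T08:05:00Z auth fail user=guest\n")
```

The baseline must itself live somewhere the logging host cannot write to (the central log server or the integrity-monitoring host), otherwise whoever edits the log can refresh the baseline at the same time. Log rotation is the expected exception: a rotated file legitimately shrinks, so the rotation job should take a fresh baseline on the new file rather than be reported as truncation.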
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 AU-5 (HIGH)
- CMSRs 2012v1.5 AU-5(1) (HIGH)
- CMSRs 2012v1.5 AU-5(2) (HIGH)
- NRS 603A.215.1
- PCI DSS v2 10.5.4
- PCI DSS v2 10.5.5
- PCI DSS v2 11.5

Control Reference: 09.ad Administrator and Operator Logs

Control Specification: System administrator and system operator activities shall be logged and regularly reviewed.
Factor Type: System
Topics: Audit and Accountability, Documentation and Records, Monitoring

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: Verify that proper logging is enabled in order to audit administrator activities. System administrator and operator logs shall be reviewed on a regular basis.
Level 1 Control Standard Mapping:
- HIPAA §164.308(a)(5)(ii)(C)
- HIPAA §164.312(b)
- ISO/IEC 27002-2005 10.10.4
- ISO 27799-2008 7.7.10.5
- NIST SP800-53 R4 AU-2
- NRS 603A.215.1
- PCI DSS v2 10.2.2
- PCI DSS v2 A.1.3
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 5,500, Number of Transactions Per Day: > 85,000, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High); Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:

An intrusion detection system managed outside of the control of system and network administrators shall be used to monitor system and network administration activities for compliance.

Administrator accounts, root accounts and other operator related accounts shall be reviewed on demand but at least once every seven days to ensure that unauthorized accounts have not been created.

Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 AU-2 (HIGH)
- CSA SA-14

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 09.ae Fault Logging

Control Specification: Faults shall be logged, analyzed, and appropriate remediation action taken.
Factor Type: System
Topics: Audit and Accountability, Documentation and Records, Incident Response
Products and Services Guide: 09.ae Fault Logging

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: Faults reported by users or by system programs related to problems with information processing or communications systems shall be logged.

There shall be clear rules for handling reported faults including:
i. review of fault logs by authorized personnel in an expeditious manner
to ensure that faults have been satisfactorily resolved; and
ii. review of corrective measures to ensure that controls have not been
compromised, and that the action taken is fully authorized.

Error logging shall be enabled if this system function is available.

Level 1 Control Standard Mapping:
- CMSRs 2010v1.0 AU-2 (HIGH)
- CSA SA-14
- HIPAA §164.308(a)(1)(ii)(C)
- HIPAA §164.312(b)
- ISO/IEC 27002-2005 10.10.5
- ISO 27799-2008 7.7.10.6
- NIST SP800-53 R4 AU-2
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High); Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:

The information system shall:
i. identify potentially security-relevant error conditions;
ii. generate error messages that provide information necessary for corrective actions without revealing, in error logs and administrative messages, information that could be exploited by adversaries; and
iii. reveal error messages only to authorized personnel.

The information system shall provide automated real-time alerts when faults or errors occur. Covered information shall not be listed in the logs or associated administrative messages.
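Illustration of the Level 2 fault-handling requirements above: a handler that records the fault for authorized staff under a reference id, hands the caller only a generic message carrying that id, and scrubs values that look like covered information before anything is written to the log. Added here; not HITRUST code and not part of the CSF. The scrub patterns (SSN-shaped numbers and `MRN-` identifiers), the handler class and the sample exception are assumptions for the example.

```python
"""Added example: fault handler that keeps exploitable detail and covered
information out of user-facing messages and logs. Not HITRUST code."""
import logging
import re
import uuid
from typing import Dict, List, Tuple

# Constructed patterns for values that must not appear in logs or messages
# (assumption: SSN-shaped numbers and record ids of the form MRN-####).
SCRUB_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\bMRN-\d+\b"), "[MRN]"),
]


def scrub(text: str) -> str:
    """Replace anything matching a scrub pattern with a placeholder."""
    for pattern, placeholder in SCRUB_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


class FaultHandler:
    """Splits every fault into two views: a scrubbed detail record available
    only to authorized personnel, and a generic message for the caller."""

    def __init__(self, logger: logging.Logger) -> None:
        self.logger = logger
        self.faults: Dict[str, str] = {}     # reference id -> scrubbed detail
        self.alerts: List[str] = []          # real-time alert sink (assumed)

    def handle(self, exc: BaseException, context: str) -> Tuple[str, str]:
        """Returns (reference id, message safe to show the caller)."""
        ref = uuid.uuid4().hex[:12]
        detail = scrub("%s: %s (context: %s)" % (type(exc).__name__, exc, context))
        self.faults[ref] = detail                # corrective-action detail, scrubbed
        self.logger.error("fault %s: %s", ref, detail)
        self.alerts.append("fault %s in %s" % (ref, context))
        # The caller never sees the exception type, the message or the stack.
        return ref, "An internal error occurred. Reference: %s" % ref

    def detail_for(self, ref: str, authorized: bool) -> str:
        """Reveal the scrubbed detail only to authorized personnel."""
        if not authorized:
            raise PermissionError("fault detail is restricted")
        return self.faults[ref]
```

The reference id is what links the two views: support staff who receive the id from a user can pull the scrubbed detail, while the user-facing text carries nothing an attacker could use to map the system.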

Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 SI-11 (HIGH)
- NIST SP800-53 R4 SI-11

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 09.af Clock Synchronization

Control Specification: The clocks of all relevant information processing systems within the organization or security domain shall be synchronized with an agreed accurate time source to support tracing and reconstitution of activity timelines.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Audit and Accountability, Requirements (Legal and Contractual)

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)

Level 1 Implementation: Where a computer or communications device has the capability to operate a real-time clock, this clock shall be set to an agreed standard, either Coordinated Universal Time (UTC) or International Atomic Time. As some clocks are known to drift with time, there shall be a procedure that checks for and corrects any significant variation.

The correct interpretation of the date/time format shall be used to ensure that the timestamp reflects the real date/time (e.g. daylight savings). The information system's internal clocks shall synchronize daily and at system boot.
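Illustration of the drift-check procedure above and of the +/- five (5) minute time-correlation tolerance stated in the CMS contractor text of 09.aa: timestamps reported by several components are normalized to UTC, each clock's offset from the agreed reference is measured, and clocks outside the tolerance are flagged. Added here; not HITRUST code and not part of the CSF. The reference reading, the component readings (one of which mis-applies daylight saving) and the tolerance constant are constructed for the example.

```python
"""Added example: UTC normalization and clock-offset check against a
+/- 5 minute tolerance. Not HITRUST code; readings are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

TOLERANCE = timedelta(minutes=5)   # from the 09.aa CMS text: +/- five minutes


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries its UTC offset and convert
    it to UTC. Stamps without an offset are rejected: an un-zoned local time
    cannot be correlated safely across a daylight-saving change."""
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp lacks a UTC offset: %r" % stamp)
    return parsed.astimezone(timezone.utc)


def clock_offsets(reference: str, readings: Dict[str, str]) -> Dict[str, timedelta]:
    """Offset of each component clock from the agreed reference, where every
    reading was taken at the same instant (assumption of this example)."""
    ref = to_utc(reference)
    return {name: to_utc(stamp) - ref for name, stamp in readings.items()}


def out_of_tolerance(offsets: Dict[str, timedelta],
                     tolerance: timedelta = TOLERANCE) -> List[Tuple[str, timedelta]]:
    """Clocks whose absolute offset exceeds the tolerance, sorted by name."""
    return sorted((name, off) for name, off in offsets.items() if abs(off) > tolerance)


# Constructed readings taken at one instant on 2014-03-09, the day US
# daylight saving began; "dst_wrong" still reports the standard-time offset.
REFERENCE = "2014-03-09T07:00:00Z"
READINGS = {
    "app1": "2014-03-09T07:02:00+00:00",   # 2 minutes fast, within tolerance
    "db1": "2014-03-09T03:00:00-04:00",    # correct local time, zero offset
    "old_switch": "2014-03-09T06:50:00Z",  # 10 minutes slow
    "dst_wrong": "2014-03-09T03:00:00-05:00",  # one hour out after the DST change
}
```

The DST case is the one the text calls out: the wall-clock reading on `dst_wrong` looks identical to `db1`, and only the attached offset reveals that its events will sort an hour away from everyone else's in a correlated audit trail.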
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 AU-8 (HIGH)
- CMSRs 2012v1.5 AU-8(1) (HIGH)
- CSA SA-12
- ISO/IEC 27002-2005 10.10.6
- ISO 27799-2008 7.7.10.7
- NIST SP800-53 R4 AU-8
- NIST SP800-53 R4 AU-8(1)
- PCI DSS v2 10.4
- PCI DSS v2 10.4.1
- PCI DSS v2 10.4.3

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None, Processing PHI: Yes - AND -, Number of Users: > 500, Number of Transactions Per Day: > 6,750, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Time data shall be protected according to the organization's access controls (see 01.c) and logging controls (see 09.ad).
Level 2 Control Standard Mapping:
- NRS 603A.215.1
- PCI DSS v2 10.4.2

Level 3 Implementation Requirements

Level 3 Organizational Factors: None


Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements



Control Category: 10.0 - Information Systems Acquisition,
Development, and Maintenance

Objective Name: 10.01 Security Requirements of Information Systems

Control Objective: To ensure that security is an integral part of information systems.

Control Reference: 10.a Security Requirements Analysis and Specification

Control Specification: Statements of business requirements for new information systems (developed or purchased), or enhancements to existing information systems shall specify the requirements for security controls.
Factor Type: Organizational
Topics: Documentation and Records
Requirements (Legal and Contractual)
Risk Management and Assessments
Services and Acquisitions

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The organization shall develop, disseminate, and review/update annually:
i. a formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
ii. formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.



Specifications for the security control requirements shall include that security controls be incorporated in the information system, supplemented by manual controls as needed. These considerations shall be applied when evaluating software packages, developed or purchased.

Security requirements and controls shall reflect the business value of the information assets involved (see 7.d), and the potential business damage that might result from a failure or absence of security.

For purchased commercial products, a formal acquisition process shall be followed. Contracts with the supplier shall include the identified security requirements. Where the security functionality in a proposed product does not satisfy the specified requirement, the risk introduced and associated controls shall be reconsidered prior to purchasing the product. Where additional functionality is supplied and causes a security risk, it shall be disabled or mitigated through application of additional controls.

The organization shall require developers of information systems, components, and services to identify (document), early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

Level 1 Control Standard Mapping:
• HIPAA §164.314(a)(2)(i)
• NIST SP800-53 R4 SA-1
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:

The organization shall apply information system security engineering principles in the specification, design, development, implementation, and modification of security requirements and controls in developed and acquired information systems. Specifications for the security control requirements shall include that automated controls be incorporated in the information system, supplemented by manual controls as needed. This shall be evidenced in a formal System Development Lifecycle (SDLC), which shall cover request initiation, requirements definition, analysis, communication, conflict detection and resolution, and evolution of requirements.

System requirements for information security and processes for implementing security shall be integrated in the requirements definition phase. Also in the SDLC initial planning or requirement stage, Data Classification and risk of the assets shall be assigned to ensure appropriate controls will be considered and the correct project team members are involved. The risk and classification activities shall require sign-off.

Commercial products sought to store and/or process covered information shall undergo a security assessment and/or security certification by a qualified assessor prior to implementation (not applicable to operating system software).

Information security roles and responsibilities are defined and documented throughout the system development life cycle.

The organization's security risk management process shall be integrated into all SDLC activities. System requirements for information security and processes for implementing security shall be integrated in the requirements definition phase.

Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 SA-3 (HIGH)
• CMSRs 2012v1.5 SA-8 (HIGH)
• CSA IS-04
• ISO/IEC 27002-2005 12.1.1
• ISO 27799-2008 7.9.1
• NIST SP800-53 R4 SA-3
• NIST SP800-53 R4 SA-8
• NRS 603A.215.1
• PCI DSS v2 6.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year, Third Party Processor: > 60,000,000 Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year, Health Information Exchange: >6,000,000 Transactions Per Year



Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

The organization develops enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, and other organizations.

The organization shall include security functional, strength and assurance requirements, design and implementation information for the security controls to be employed, and security-related documentation requirements in information system acquisition contracts based on applicable laws, policies, standards, guidelines and business needs.

Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 SA-4 (1) (HIGH)
• CMSRs 2012v1.5 SA-4 (2) (HIGH)
• CMSRs 2012v1.5 SA-4 (4) (HIGH)
• NIST SP800-53 R4 SA-4
• NIST SP800-53 R4 SA-4 (1)
• NIST SP800-53 R4 SA-4 (4)
• NIST SP800-53 R4 PM-7

CMS Contractor Requirements

CMS Contractors: The organization shall manage the information system using the information security steps of IEEE 12207.0 standard for SDLC, as provided in the CMS eXpedited Life Cycle (IXLC).

Each contract and Statement of Work (SOW) that requires development or access to CMS information must include language requiring adherence to CMS security and privacy policies and standards, define security roles and responsibilities, and receive approval from CMS officials.

The organization shall ensure that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.

Objective Name: 10.02 Correct Processing in Applications

Control Objective: To ensure the prevention of errors, loss, unauthorized modification or misuse of information in applications, controls shall be designed into applications, including user developed applications to ensure correct processing. These controls shall include the validation of input data, internal processing and output data.

Control Reference: 10.b Input Data Validation

Control Specification: Data input to applications and databases shall be validated to ensure that this data is correct and appropriate.

*Required for HITRUST Certification 2014


Factor Type: System
Topics: Policies and Procedures
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to FTC Red Flags Rule Compliance, Subject to Joint Commission Accreditation
Level 1 Implementation: For organizations doing system development (e.g. applications, databases) checks shall be applied to the input of business transactions, standing data, and parameter tables and minimally for covered information.

The organization shall develop applications based on secure coding guidelines to prevent common coding vulnerabilities in software development processes including but not limited to:
i. injection flaws, particularly SQL injection. (Validate input to verify user data cannot modify meaning of commands and queries, utilize parameterized queries, etc.)
ii. buffer overflow (Validate buffer boundaries and truncate input strings.)
iii. insecure cryptographic storage (Prevent cryptographic flaws)
iv. insecure communications (Properly encrypt all authenticated and sensitive communications)
v. improper error handling (Do not leak information via error messages)
For web applications and application interfaces (internal or external) this also includes but is not limited to:



i. cross-site scripting (XSS) (Validate all parameters before inclusion, utilize context-sensitive escaping, etc.)
ii. improper Access Control, such as insecure direct object references, failure to restrict URL access, and directory traversal (Properly authenticate users and sanitize input. Do not expose internal object references to users.)
iii. cross-site request forgery (CSRF). (Do not rely on authorization credentials and tokens automatically submitted by browsers.)

Web-based applications shall be checked for the most current OWASP top 10 input-validation related vulnerabilities.

Alternatively, the inclusion of input validation checks in the testing methodology shall be in place, and performed at least annually. Input validation testing can be manually performed.

The following input validation procedures shall be performed:
i. dual input or other input checks, such as boundary checking or limiting fields to specific ranges of input data, to detect the following errors:
   1. out-of-range values
   2. invalid characters in data fields
   3. missing or incomplete data
   4. exceeding upper and lower data volume limits
   5. unauthorized or inconsistent control data
ii. review of the content of key fields or data files to confirm their validity and integrity;
iii. procedures for responding to validation errors;
iv. procedures for testing the plausibility of the input data;
v. verifying the identity of an individual opening or updating an account;
vi. defining the responsibilities of all personnel involved in the data input process; and
vii. creating a log of the activities involved in the data input process (see 9.aa).

Level 1 Control Standard Mapping:
• 16 CFR Part §681 Appendix A III(a)
• 16 CFR Part §681 Appendix A III(b)
• CSA SA-04
• CSA SA-05
• ISO/IEC 27002-2005 12.2.1
• ISO 27799-2008 7.9.2.2
• JCAHO IM.04.01.01, EP 1
• NIST SP800-53 R4 SI-10
• PCI DSS v2 6.5
• PCI DSS v2 6.5.1
• PCI DSS v2 6.5.2


• PCI DSS v2 6.5.3
• PCI DSS v2 6.5.4
• PCI DSS v2 6.5.5
• PCI DSS v2 6.5.6
• PCI DSS v2 6.5.7
• PCI DSS v2 6.5.8
• PCI DSS v2 6.5.9
• 1 TAC § 390.2(a)(3)
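An added example, not part of the CSF or any vendor's code, showing how the Level 1 input validation requirements above look in code for a constructed patient-transaction feed: field checks for missing data, invalid characters, out-of-range values, data volume limits and control data; a rejection log; and the SQL injection item from the secure-coding list, with the string-built query beside its parameterized form. The schema, field rules and sample rows are assumptions.

```python
"""Input validation checks for a constructed patient-transaction feed (10.b)."""
import logging
import re
import sqlite3
from dataclasses import dataclass, field
from typing import Dict, List

log = logging.getLogger("input_validation")   # the validation-error log (see 9.aa)

# Assumed field rules for the example schema; real rules come from the data dictionary.
MRN_PATTERN = re.compile(r"^[0-9]{8}$")                   # invalid-character check
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")
REQUIRED_FIELDS = ("mrn", "last_name", "age", "op")
ALLOWED_OPS = {"ADD", "MODIFY", "DELETE"}                  # authorized control data
AGE_RANGE = (0, 130)                                       # out-of-range check
MAX_BATCH_RECORDS = 1000                                   # upper data volume limit


@dataclass
class BatchResult:
    accepted: List[dict] = field(default_factory=list)
    rejected: Dict[int, List[str]] = field(default_factory=dict)   # index -> error codes


def validate_record(rec: dict) -> List[str]:
    """Return error codes for one record; an empty list means it passed every check."""
    errors = []
    for name in REQUIRED_FIELDS:                           # missing or incomplete data
        if rec.get(name) in (None, ""):
            errors.append(f"missing:{name}")
    mrn = str(rec.get("mrn", ""))
    if mrn and not MRN_PATTERN.fullmatch(mrn):
        errors.append("invalid_chars:mrn")
    last = str(rec.get("last_name", ""))
    if last and not NAME_PATTERN.fullmatch(last):
        errors.append("invalid_chars:last_name")
    age = rec.get("age")
    if age is not None and (not isinstance(age, int) or not AGE_RANGE[0] <= age <= AGE_RANGE[1]):
        errors.append("out_of_range:age")
    op = rec.get("op")
    if op is not None and op not in ALLOWED_OPS:            # unauthorized control data
        errors.append("invalid_control:op")
    if op == "DELETE" and rec.get("reason") in (None, ""):  # inconsistent control data
        errors.append("inconsistent_control:delete_without_reason")
    return errors


def validate_batch(records: List[dict]) -> BatchResult:
    """Apply the checks to a whole batch, logging every rejection for later review."""
    result = BatchResult()
    if len(records) > MAX_BATCH_RECORDS:
        log.error("batch rejected: %d records exceeds limit %d", len(records), MAX_BATCH_RECORDS)
        result.rejected[-1] = ["volume_limit"]
        return result
    for idx, rec in enumerate(records):
        errors = validate_record(rec)
        if errors:
            log.warning("record %d rejected: %s", idx, ",".join(errors))
            result.rejected[idx] = errors
        else:
            result.accepted.append(rec)
    return result


def lookup_unsafe(conn: sqlite3.Connection, mrn: str) -> list:
    """'Before' form: user data is spliced into the SQL text, so it can change the query's meaning."""
    return conn.execute(f"SELECT mrn, last_name FROM patients WHERE mrn = '{mrn}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, mrn: str) -> list:
    """Validate first, then bind the value as a parameter so it is only ever treated as data."""
    if not MRN_PATTERN.fullmatch(mrn):
        raise ValueError("mrn failed input validation")
    return conn.execute("SELECT mrn, last_name FROM patients WHERE mrn = ?", (mrn,)).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with sample rows (not real patient data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, last_name TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)",
                     [("00000001", "Doe"), ("00000002", "Roe")])
    return conn
```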

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Number of Users: > 5,500, Number of Transactions Per Day: > 85,000, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

Applications that store, process or transmit covered information shall undergo application vulnerability testing at least annually by a qualified party, with an emphasis on input validation controls. Application input validation testing shall be automated through use of tools or other non-manual methods.

Additionally, the organization shall:
i. develop and document system and information integrity policy and procedures;
ii. disseminate the system and information integrity policy and procedures to appropriate areas within the organization;
iii. assign responsible parties within the organization to annually review system and information integrity policy and procedures; and
iv. update the system and information integrity policy and procedures when organizational review indicates updates are required.

Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 SI-10 (HIGH)
• NRS 603A.215.1
• PCI DSS v2 6.6

Level 3 Implementation Requirements



Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 10.c Control of Internal Processing

Control Specification: Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Factor Type: System
Topics: Documentation and Records
Risk Management and Assessments
Products and Services Guide: 10.c Control of Internal Processing

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to Joint Commission Accreditation
Level 1 Implementation: For organizations doing system development (e.g. applications, databases) the design and implementation of applications shall ensure that the risks of processing failures leading to a loss of integrity are minimized.

Data integrity controls shall address:
i. the use of add, modify, and delete functions to implement changes to data;
ii. the procedures to prevent programs running in the wrong order or running after failure of prior processing (see 9.a);



iii. the use of appropriate programs to recover from failures to ensure the correct processing of data; and
iv. protection against attacks using buffer overruns/overflows.

A checklist for validation checking shall be prepared, activities documented, and the results shall be kept secure. The checks to be incorporated include the following and can be manual:
i. session or batch controls, to reconcile data file balances after transaction updates;
ii. balancing controls, to check opening balances against previous closing balances, namely:
   1. run-to-run controls
   2. file update totals
   3. program-to-program controls
iii. validation of system-generated input data (see 10.b);
iv. checks on the integrity, authenticity or any other security feature of data or software downloaded, or uploaded, between central and remote computers;
v. hash totals of records and files;
vi. checks to ensure that application programs are run at the correct time;
vii. checks to ensure that programs are run in the correct order and terminate in case of a failure, and that further processing is halted until the problem is resolved; and
viii. creating an automated log of the activities involved in the processing (see 9.aa).

Level 1 Control Standard Mapping:
• CSA SA-04
• HIPAA §164.312(c)(1)
• HIPAA §164.312(c)(2)
• HIPAA §164.312(e)(2)(i)
• ISO/IEC 27002-2005 12.2.2
• ISO 27799-2008 7.9.2.3
• JCAHO IM.04.01.01, EP 1
• NIST SP800-53 R4 SI-10
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None



Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Number of Users: > 5,500, Number of Transactions Per Day: > 85,000, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:

Applications shall undergo application vulnerability testing annually by a qualified party, focusing on the use of add, modify, and delete functions to implement changes to data, and attacks using buffer overruns/overflows. Automated validation checks shall be conducted at an organization-defined frequency but no less than monthly and/or after organization-defined security-relevant events through use of tools or other non-manual methods to detect unauthorized changes to information, firmware and software. Information system flaws shall be identified, reported, and corrected. All appropriate information pertaining to the discovered flaws in the information system, including the cause of the flaws, mitigation activities, and lessons learned shall be collected.

The organization shall reassess the integrity of software and information by performing daily integrity scans of the information system.

The organization incorporates the detection of unauthorized security-relevant changes to the information system into the organization incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.

The information system shall provide notification of failed automated security tests.

Automated validation checks shall be conducted at an organization-defined frequency but no less than monthly and/or after organization-defined security-relevant events automated through use of tools or other non-manual methods to detect unauthorized changes to information, firmware and software.

The organization shall incorporate detection of unauthorized, security-relevant configuration changes into the organization's incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.

Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 SC-24 (HIGH)
• CMSRs 2012v1.5 SI-6 (HIGH)
• CMSRs 2012v1.5 SI-6(1) (HIGH)
• CMSRs 2012v1.5 SI-6(2) (HIGH)


• CMSRs 2012v1.5 SI-7(1) (HIGH)
• CMSRs 2012v1.5 SI-7(2) (HIGH)
• CMSRs 2012v1.5 SI-9 (HIGH)
• NIST SP800-53 R4 SI-7
• NIST SP800-53 R4 SI-7 (1)
• NIST SP800-53 R4 SI-9
• NRS 603A.215.1
• PCI DSS v2 6.6
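An added example (not the CSF's or any product's code) of the Level 1 processing checks for 10.c (session/batch controls, run-to-run balancing, program-to-program trailer checks, hash totals, and halting further processing on failure) together with the Level 2 integrity scan that compares a baseline of file digests against the current state. The record layout, batch operations, trailer format and sample files are constructed for illustration.

```python
"""Internal-processing controls: batch and run-to-run balancing, hash totals, integrity scan (10.c)."""
import hashlib
import json
from dataclasses import dataclass
from decimal import Decimal
from pathlib import Path
from typing import Dict, List, Optional


class ProcessingHalted(RuntimeError):
    """A control failed: further processing stops until the problem is resolved."""


def hash_total(records: List[dict]) -> str:
    """Order-sensitive SHA-256 hash total over the canonical JSON form of each record."""
    h = hashlib.sha256()
    for rec in records:
        h.update(json.dumps(rec, sort_keys=True, separators=(",", ":")).encode())
        h.update(b"\n")
    return h.hexdigest()


@dataclass(frozen=True)
class RunControl:
    """Control record written at the end of a run and carried into the next run."""
    record_count: int
    closing_balance: Decimal
    hash_total: str


def make_trailer(records: List[dict]) -> dict:
    """Trailer the sending program attaches to a batch (constructed format)."""
    return {"record_count": len(records), "hash_total": hash_total(records)}


def verify_trailer(records: List[dict], trailer: dict) -> List[str]:
    """Program-to-program control: what arrived must match the sender's trailer."""
    problems = []
    if trailer.get("record_count") != len(records):
        problems.append("record_count")
    if trailer.get("hash_total") != hash_total(records):
        problems.append("hash_total")
    return problems


def run_batch(opening: Decimal, records: List[dict], trailer: dict,
              previous: Optional[RunControl]) -> RunControl:
    """Apply one batch under run-to-run, trailer and file-update-total controls."""
    if previous is not None and previous.closing_balance != opening:
        raise ProcessingHalted(
            f"run-to-run: opening {opening} != previous closing {previous.closing_balance}")
    problems = verify_trailer(records, trailer)
    if problems:
        raise ProcessingHalted("trailer mismatch: " + ", ".join(problems))
    balance = opening
    for rec in records:                       # add / modify / delete are the only allowed changes
        amount = Decimal(rec["amount"])
        if rec["op"] == "ADD":
            balance += amount
        elif rec["op"] == "DELETE":
            balance -= amount
        elif rec["op"] == "MODIFY":
            balance += amount - Decimal(rec["previous_amount"])
        else:
            raise ProcessingHalted(f"unknown operation {rec['op']!r}")
    return RunControl(len(records), balance, hash_total(records))


def digest_files(contents: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per path; the baseline is this map taken when the software was approved."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in contents.items()}


def read_tree(root: Path) -> Dict[str, bytes]:
    """Read every file under root (relative paths) so digest_files() can scan a real deployment."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Integrity scan result; any non-empty list is a security-relevant change for incident response."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }
```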

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: Refer to the Provider specific requirements.
Level 3 Control Standard Mapping:
• ISO 27799-2008 7.9.2.1

CMS Contractor Requirements

CMS Contractors: The information system shall fail to a known secure state for all failures, preserving the maximum amount of state information in failure.

The information system shall verify the correct operation of system security functions upon system startup and restart, upon command by a user with appropriate privilege, and periodically on a monthly basis; provide notification of failed automated security tests; and notify system administration when anomalies are discovered.

The information system shall provide automated support for the management of distributed security testing.

The organization shall employ automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.



Control Reference: 10.d Message Integrity

Control Specification: Requirements for ensuring authenticity and protecting message integrity in applications shall be identified and controls implemented.
Factor Type: System
Topics: Cryptography

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Processing PHI: Yes -AND-, Accessible from the Internet: Yes, Exchanges Data with a Business Partner: Yes
Level 1 Regulatory Factors: Subject to Joint Commission Accreditation
Level 1 Implementation: The information system provides mechanisms to protect the authenticity of communications sessions.

Cryptographic controls (see 10.f) shall be implemented to ensure message authentication and integrity for covered information applications.

The system shall implement one of the following integrity protection algorithms:
i. HMAC-SHA-1
ii. HMAC-MD5

See NIST SP800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations for more information on implementing integrity checks for information transmissions.

Level 1 Control Standard Mapping:
• CMSRs 2012 v1.5 SC-23 (HIGH)
• Guidance to render PHI unusable, unreadable, or indecipherable (a)(ii)
• HIPAA § 164.312(e)(2)(i)
• ISO/IEC 27002-2005 12.2.3
• ISO 27799-2008 7.9.2.4
• JCAHO IM.02.01.03, EP 6
• NIST SP800-53r3 SC-8
• NIST SP800-53 R4 SC-23



• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)
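An added example (not part of the CSF) of the message authentication the control above calls for: a Python envelope whose HMAC tag covers the payload, a timestamp and a nonce, verified with a constant-time comparison plus freshness and replay checks. HMAC-SHA-1 and HMAC-MD5 are the two algorithms the text lists; the table also registers HMAC-SHA-256, which is the same construction over a SHA-2 hash and the better choice for new deployments. The shared key, acceptance window and sample payloads are assumptions.

```python
"""Message authentication for application exchanges (10.d): HMAC tag, freshness and replay checks."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# The two algorithms the control lists, plus HMAC-SHA-256 (same construction, SHA-2 hash).
ALGORITHMS = {
    "HMAC-SHA-1": hashlib.sha1,
    "HMAC-MD5": hashlib.md5,
    "HMAC-SHA-256": hashlib.sha256,
}
MAX_AGE_SECONDS = 300   # assumed acceptance window around the message's sent_at


class MessageIntegrityError(ValueError):
    """Tag, freshness or replay check failed; the payload must not be processed."""


def canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, payload: dict, algorithm: str = "HMAC-SHA-1",
                 now: Optional[float] = None) -> dict:
    """Wrap payload in an envelope whose tag covers the payload, timestamp and nonce."""
    body = {
        "sent_at": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
        "payload": payload,
    }
    tag = hmac.new(key, canonical(body), ALGORITHMS[algorithm]).hexdigest()
    return {"alg": algorithm, "body": body, "tag": tag}


def verify_message(key: bytes, envelope: dict, now: Optional[float] = None,
                   seen_nonces: Optional[Set[str]] = None) -> dict:
    """Return the payload only if the tag verifies and the message is fresh and unseen."""
    digestmod = ALGORITHMS.get(envelope.get("alg"))
    if digestmod is None:                       # the sender never gets to pick an unknown algorithm
        raise MessageIntegrityError("unsupported algorithm")
    body = envelope.get("body")
    tag = envelope.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        raise MessageIntegrityError("malformed envelope")
    expected = hmac.new(key, canonical(body), digestmod).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise MessageIntegrityError("tag mismatch: message altered or wrong key")
    current = now if now is not None else time.time()
    sent_at = body.get("sent_at")
    if not isinstance(sent_at, int) or abs(current - sent_at) > MAX_AGE_SECONDS:
        raise MessageIntegrityError("message outside acceptance window")
    nonce = body.get("nonce")
    if seen_nonces is not None:                 # replay protection when the caller keeps state
        if not isinstance(nonce, str) or nonce in seen_nonces:
            raise MessageIntegrityError("replayed message")
        seen_nonces.add(nonce)
    return body.get("payload")


def verifies(key: bytes, envelope: dict, now: Optional[float] = None,
             seen_nonces: Optional[Set[str]] = None) -> bool:
    """Accept/reject form of verify_message() for callers that only need a decision."""
    try:
        verify_message(key, envelope, now, seen_nonces)
        return True
    except MessageIntegrityError:
        return False
```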

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 10.e Output Data Validation

Control Specification: Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
Factor Type: System
Topics: None



Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: Subject to Joint Commission Accreditation
Level 1 Implementation: For organizations doing system development (e.g. applications, databases) output validation shall be manually or automatically performed.

Output validation shall include:
i. plausibility checks to test whether the output data is reasonable;
ii. reconciliation control counts to ensure processing of all data;
iii. providing sufficient information for a reader (e.g. to ensure that the patient they are treating matches the information retrieved) or subsequent processing system to determine the accuracy, completeness (e.g. hardcopy print-outs marked "page 3 of 5"), precision, and classification of the information;
iv. procedures for responding to output validation tests;
v. defining the responsibilities of all personnel involved in the data output process; and
vi. creating an automated log of activities in the data output validation process.

Level 1 Control Standard Mapping:
• CSA SA-04
• CSA SA-05
• HIPAA §164.312(c)(1)
• HIPAA §164.312(c)(2)
• HIPAA §164.312(e)(2)(i)
• ISO/IEC 27002-2005 12.2.4
• ISO 27799-2008 7.9.2.5
• JCAHO IM.04.01.01, EP 1
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 None
Organizational
Factors:



Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Number of Users: > 5,500, Number of Transactions Per Day: > 85,000, Number of Interfaces to Other Systems: > 25
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus: Output validation checks shall be automated.

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 10.03 Cryptographic Controls

Control Objective: To protect the confidentiality, authenticity and integrity of information by
cryptographic means.

A policy shall be developed on the use of cryptographic controls. Key
management should be in place to support the use of cryptographic
techniques.

Control Reference: 10.f Policy on the Use of Cryptographic Controls

Control Specification: A policy on the use of cryptographic controls for protection of
information shall be developed and implemented, and supported by formal procedures.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Communications and Transmissions
Cryptography
Media and Assets
Policies and Procedures

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to the State of Nevada Security of Personal Information
Requirements, Subject to Joint Commission Accreditation
Level 1 Implementation: The cryptographic policy shall address the use of encryption for
protection of covered information transported by mobile or removable media, devices
or across communication lines. Supporting cryptographic procedures shall address:
i. the required level of protection (e.g. the type and strength of the
encryption algorithm required); and
ii. specifications for the effective implementation throughout the
organization (i.e. which solution is used for which business processes).

The cryptographic policy shall be aligned with the organization's data
protection and privacy policy (see 06.d).
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 SC-13(1) (HIGH)
• CSA IS-18
• Guidance to render PHI unusable, unreadable, or indecipherable (a)
• HIPAA 164.312(a)(2)(iv)
• HIPAA 164.312(e)(2)(ii)
• JCAHO IM.02.01.03, EP 2
• NRS 603A.215.2.a
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and
Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:
The cryptographic procedures shall address:
i. the approach to key management;
ii. roles and responsibilities for:
1. the implementation of the policy; and
2. the key management, including key generation (see 10.g).

When implementing the organization's cryptographic policy and procedures, the
regulations and national restrictions that apply to the use of cryptographic
techniques in different parts of the world and to the issues of trans-border flow
of encrypted information (see 06.f) shall be adhered to.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 SC-12 (HIGH)
• CMSRs 2012v1.5 SC-13 (HIGH)
• COBIT 4.1 DS5.8
• COBIT 5 DSS05.03
• ISO/IEC 27002-2005 12.3.1
• ISO 27799-2008 7.9.3.1
• NIST SP800-53 R4 SC-12
• NIST SP800-53 R4 SC-13

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall require cryptographic procedures that address the
approach to key management, including methods to deal with the
protection of cryptographic keys and the recovery of encrypted information
in the case of lost, compromised or damaged keys.

When cryptography is used to protect covered information, organizations
shall employ, at a minimum, FIPS-validated cryptography.

Control Reference: 10.g Key Management

Control Specification: Key management shall be in place to support the organization's use
of cryptographic techniques.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Authentication
Cryptography
Physical and Facility Security
Requirements (Legal and Contractual)
Services and Acquisitions

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to the State of Nevada Security of Personal Information
Requirements, Subject to Joint Commission Accreditation
Level 1 Implementation: All cryptographic keys shall be protected against modification,
loss, and destruction. In addition, secret and private keys shall require protection
against unauthorized disclosure. Cryptographic keys shall be limited to the
fewest number of custodians necessary. Equipment used to generate, store
and archive keys shall be physically protected.

If manual clear-text key-management procedures are used, the organization
shall split knowledge and control of keys (e.g., requiring multiple
individuals knowing only their respective key comprising the whole key).
Level 1 Control Standard Mapping:
• CSA IS-19
• Guidance to render PHI unusable, unreadable, or indecipherable (a)
• HIPAA §164.312(a)(2)(iv)
• HIPAA §164.312(e)(2)(ii)
• JCAHO IM.02.01.03, EP 6
• NRS 603A.215.2.a
• PCI DSS v2 3.5.2
• PCI DSS v2 3.6.6
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and
Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to
the CMS Minimum Security Requirements (High)
Level 2 Implementation: Level 1 plus:
A key management system shall be based on a formal set of standards,
procedures, and secure methods for:
i. generating keys for different cryptographic systems and different
applications;
ii. generating and obtaining public key certificates;
iii. distributing keys to intended users, including how keys should be
activated when received;
iv. storing keys, including how authorized users obtain access to keys;
v. changing or updating keys including rules on when keys should be
changed and how this will be done:
1. as deemed necessary and recommended by the associated
application; and
2. at least annually;
vi. revoking keys including how keys should be withdrawn or deactivated
(e.g. when keys have been compromised or suspected to have been
compromised or when a user leaves an organization, in which case keys
shall also be archived);
vii. recovering keys that are lost or corrupted as part of business continuity
management (e.g. for recovery of encrypted information);
viii. archiving keys (e.g. for information archived or backed up);
ix. destroying keys; and
x. logging and auditing of key management related activities.

In order to reduce the likelihood of compromise, activation and deactivation
dates for keys shall be defined so that the keys can only be used for a limited
period of time. This period of time shall depend on the circumstances under which
the cryptographic control is being used and on the perceived risk; however, it shall
not exceed one year. The organization shall prevent the unauthorized substitution
of keys.

Cryptographic key custodians shall be required to sign a form stating they
understand and accept their key custodian responsibilities.

In addition to securely managing secret and private keys, the authenticity of
public keys shall also be addressed. This authentication process shall be
done using public key certificates issued by a certification authority, which
shall be a recognized organization with suitable controls and procedures in
place to provide the required degree of trust.

The organization shall maintain the availability of information in the event
of the loss of cryptographic keys by users. Mechanisms shall be employed
to:
i. prohibit the use of encryption keys that are not recoverable by
authorized personnel;
ii. require senior management approval to authorize recovery of keys by
other than the key owner; and
iii. comply with approved cryptography standards.
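The split-knowledge requirement of 10.g Level 1 and the activation/deactivation, revocation and audit-logging items (v, vi and x) of Level 2 above, as an added Python example that is not HITRUST's text nor any key-management product's code; the KeyRegistry, KeyRecord and run_lifecycle_demo names, the key identifiers and the custodian names are constructed for illustration.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

MAX_KEY_LIFETIME = timedelta(days=365)  # 10.g Level 2: validity "shall not exceed one year"

def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Level 1 split knowledge: one component per custodian, key = XOR of all components.
    Every component but the last is uniformly random, so any set that is missing even
    one component is statistically independent of the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = bytes(key)
    for part in parts:
        last = bytes(a ^ b for a, b in zip(last, part))
    return parts + [last]

def combine_components(parts: list[bytes]) -> bytes:
    """Reassemble the key by XOR-ing every custodian component together."""
    key = bytes(len(parts[0]))
    for part in parts:
        if len(part) != len(key):
            raise ValueError("component length mismatch")
        key = bytes(a ^ b for a, b in zip(key, part))
    return key

class KeyState(Enum):
    PENDING = "pending"  # distributed to custodians but not yet activated (item iii)
    ACTIVE = "active"
    REVOKED = "revoked"  # withdrawn; the record stays in the registry as the archive (item vi)

@dataclass
class KeyRecord:
    key_id: str
    activation: date
    deactivation: date
    custodians: tuple[str, ...]
    state: KeyState = KeyState.PENDING

@dataclass
class KeyRegistry:
    """Lifecycle dates, revocation and an audit trail (Level 2 items v, vi and x)."""
    keys: dict[str, KeyRecord] = field(default_factory=dict)
    audit_log: list[tuple[str, str, str]] = field(default_factory=list)  # (key_id, actor, event)

    def register(self, key_id: str, custodians, activation: date, deactivation: date, actor: str) -> None:
        # Never overwrite an existing identifier: that is what blocks silent key
        # substitution.  Rotation creates a new record under a new identifier.
        if key_id in self.keys:
            raise ValueError(f"key {key_id} is already registered")
        if not activation < deactivation <= activation + MAX_KEY_LIFETIME:
            raise ValueError("validity window must be positive and at most one year")
        self.keys[key_id] = KeyRecord(key_id, activation, deactivation, tuple(custodians))
        self.audit_log.append((key_id, actor, "registered"))

    def activate(self, key_id: str, actor: str) -> None:
        self.keys[key_id].state = KeyState.ACTIVE
        self.audit_log.append((key_id, actor, "activated"))

    def is_usable(self, key_id: str, today: date) -> bool:
        rec = self.keys.get(key_id)  # usable only while active and inside its date window
        return (rec is not None and rec.state is KeyState.ACTIVE
                and rec.activation <= today < rec.deactivation)

    def revoke(self, key_id: str, actor: str, reason: str) -> None:
        self.keys[key_id].state = KeyState.REVOKED
        self.audit_log.append((key_id, actor, f"revoked: {reason}"))

    def custodian_departed(self, name: str, actor: str) -> list[str]:
        """Revoke (and so archive) every key the departing custodian held a component of."""
        revoked = [k for k, r in self.keys.items()
                   if name in r.custodians and r.state is not KeyState.REVOKED]
        for key_id in revoked:
            self.revoke(key_id, actor, f"custodian {name} left the organization")
        return revoked

def run_lifecycle_demo() -> dict:
    """Walk one constructed key through the lifecycle and report what was enforced."""
    reg = KeyRegistry()
    reg.register("dek-2014-01", ["alice", "bob", "carol"], date(2014, 1, 1), date(2014, 12, 31), "keysec")
    pending_usable = reg.is_usable("dek-2014-01", date(2014, 6, 1))
    reg.activate("dek-2014-01", "keysec")
    try:  # 2014-01-01 to 2015-01-02 is 366 days, longer than the one-year maximum
        reg.register("dek-too-long", ["alice", "bob"], date(2014, 1, 1), date(2015, 1, 2), "keysec")
        too_long_rejected = False
    except ValueError:
        too_long_rejected = True
    return {
        "pending_usable": pending_usable,
        "active_usable": reg.is_usable("dek-2014-01", date(2014, 6, 1)),
        "after_deactivation_usable": reg.is_usable("dek-2014-01", date(2014, 12, 31)),
        "too_long_rejected": too_long_rejected,
        "revoked_on_departure": reg.custodian_departed("bob", "keysec"),
        "audit_events": [event for _, _, event in reg.audit_log],
    }
```

The registry keeps revoked records rather than deleting them, which is what item vi's "shall also be archived" requires when a custodian leaves.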
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 SC-12 (HIGH)
• CMSRs 2012v1.5 SC-12(1) (HIGH)
• CMSRs 2012v1.5 SC-17 (HIGH)
• COBIT 4.1 DS5.8
• COBIT 5 DSS05.03
• ISO/IEC 27002-2005 12.3.2
• ISO 27799-2008 7.9.3.2
• NIST SP800-53 R4 SC-12
• NIST SP800-53 R4 SC-17
• NRS 603A.215.1
• PCI DSS v2 3.5.1
• PCI DSS v2 3.6
• PCI DSS v2 3.6.1
• PCI DSS v2 3.6.2
• PCI DSS v2 3.6.3
• PCI DSS v2 3.6.4
• PCI DSS v2 3.6.5
• PCI DSS v2 3.6.7
• PCI DSS v2 3.6.8

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization maintains availability of information in the event of the
loss of cryptographic keys by users. Mechanisms are employed to:
1. prohibit the use of encryption keys that are not recoverable by
authorized personnel;
2. require senior management approval to authorize recovery of keys by
other than the key owner; and
3. comply with approved cryptography standards.

Objective Name: 10.04 Security of System Files

Control Objective: To ensure the security of system files, access to system files and program
source code shall be controlled, and IT projects and support activities
conducted in a secure manner.

Control Reference: 10.h Control of Operational Software

Control Specification: There shall be procedures in place to control the installation of
software on operational systems.

*Required for HITRUST Certification 2014

Factor Type: System
Topics: Authorization
Documentation and Records
Maintenance
Monitoring
Services and Acquisitions
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: To minimize the risk of corruption to operational systems, the
following procedures shall be implemented to control changes:
i. the updating of the operational software, applications, and program
libraries shall only be performed by authorized administrators; and
ii. operational systems shall only hold approved programs or executable
code (i.e. no development code or compilers).

Vendor supplied software used in operational systems shall be maintained
at a level supported by the supplier.

The organization shall maintain information systems according to a current
baseline configuration and configure system security parameters to prevent
misuse.

Any decision to upgrade to a new release shall take into account the
business requirements for the change, and the security and privacy impacts
of the release (e.g. the introduction of new security functionality or the
number and severity of security problems affecting this version).

If systems in production are no longer supported by a vendor, the
organization must show evidence of a formal migration plan approved by
management.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 CM-2 (HIGH)
• CMSRs 2012v1.5 CM-4 (HIGH)
• CMSRs 2012v1.5 CM-6 (HIGH)
• CMSRs 2012v1.5 CM-6 (1) (HIGH)
• CMSRs 2012v1.5 CM-6 (2) (HIGH)
• CSA RM-05
• PCI DSS v2 2.2.3
• NIST SP800-53 R4 CM-2
• NIST SP800-53 R4 CM-4
• NIST SP800-53 R4 CM-6

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Number of Users: > 500, Third Party Support
(Vendor Access or Maintenance): Yes, Number of Transactions Per Day: > 6,750
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
Applications and operating system software shall only be implemented
after successful testing. The tests shall include tests on usability, security,
and effects on other systems, and shall be carried out on separate systems.
It shall be ensured that all corresponding program source libraries have
been updated.

A configuration control system shall be used to keep control of all
implemented software as well as the system documentation.

A rollback strategy shall be in place before changes are implemented.

An audit log shall be maintained of all updates to operational program
libraries.

Previous versions of application software shall be retained as a contingency
measure. Old versions of software shall be archived, together with all
required information and parameters, procedures, configuration details,
and supporting software for as long as the data is retained in archive or as
dictated by the organization's data retention policy.

Physical or logical access shall only be given to suppliers for support
purposes when necessary, and with management approval. The supplier's
activities shall be monitored.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 CM-3 (HIGH)
• ISO/IEC 27002-2005 12.4.1
• ISO 27799-2008 7.9.4.1
• NIST SP800-53 R4 CM-3
• NRS 603A.2145.1
• PCI DSS v2 2.2

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: Processing PHI: Yes - AND -, Number of Users: > 5,500, Number of
Transactions Per Day: > 85,000
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall employ automated mechanisms to respond to
unauthorized changes to network authorization and/or auditing systems
and system security-related configuration settings baselines, log files, and
critical system files (including sensitive system and application executables,
libraries, and configurations).

The organization shall employ automated mechanisms to respond to
unauthorized changes to network and system security-related
configuration settings.

Control Reference: 10.i Protection of System Test Data

Control Specification: Test data shall be selected carefully, and protected and controlled in
non-production environments.
Factor Type: System
Topics: Authorization
Data Loss Prevention
Documentation and Records
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: The use of operational databases containing covered information for
non-production (e.g. testing) purposes shall be avoided. If covered or otherwise
sensitive information must be used for testing purposes, all sensitive details
and content shall be removed or modified beyond recognition (e.g. de-identified)
before use.

The following requirements shall be applied to protect data, when used for
testing purposes:
i. the access control procedures, which apply to operational application
systems, shall also apply to test application systems (see 1.0);
ii. there shall be formal management authorization for instances where
operational information is copied to a non-production application
system; and
iii. operational information and test accounts shall be erased from a test
application system immediately after the testing is complete.
Level 1 Control Standard Mapping:
• CSA DG-06
• ISO 27799-2008 7.9.4.2

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Number of
Users: > 500, Number of Transactions Per Day: > 6,750
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
The following requirements shall be applied to protect operational data,
when used for testing purposes:
i. security controls shall be equally applied to non-production
environments as production environments;
ii. all instances where covered information is used in non-production
environments must be documented; and
iii. the copying, use and erasure of operational information shall be logged
to provide an audit trail.

Personnel developing and testing system code shall not have access to
production libraries.
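The de-identification, management authorization, erasure and logging requirements of 10.i Level 1 (items ii and iii) and Level 2 (item iii) above, as an added Python example that is not HITRUST's text nor any product's code; the record layout, SAMPLE_RECORDS, the TestDataCopy class and the secret are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date

# Constructed sample of operational records; no real patient data.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Jane Example", "dob": date(1970, 5, 14),
     "diagnosis": "I10", "notes": "Jane Example called re: refill, phone 555-0100"},
    {"mrn": "MRN-0002", "name": "John Sample", "dob": date(1985, 11, 2),
     "diagnosis": "E11.9", "notes": "follow-up in 6 weeks"},
]
DIRECT_IDENTIFIERS = ("mrn", "name", "notes")  # must never reach a test system as-is

def pseudonym(value: str, secret: bytes) -> str:
    """Keyed hash: records stay linkable across tables, but the identifier cannot be
    recovered without the secret, which is kept out of the non-production environment."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]

def de_identify(record: dict, secret: bytes) -> dict:
    """Remove or transform every direct identifier; keep only what testing needs."""
    return {
        "subject": pseudonym(record["mrn"], secret),
        "birth_year": record["dob"].year,   # generalised to the year
        "diagnosis": record["diagnosis"],    # clinical code kept so test cases stay realistic
        # free-text notes are dropped entirely: that is where names and numbers hide
    }

def leaks_identifiers(test_records: list[dict], source: list[dict]) -> bool:
    """True if any direct identifier value from the source survives in the test data."""
    sensitive = {str(r[f]) for r in source for f in DIRECT_IDENTIFIERS}
    flattened = " ".join(str(v) for r in test_records for v in r.values())
    return any(s in flattened for s in sensitive)

@dataclass
class TestDataCopy:
    """One management-approved copy of operational data into a non-production system,
    with copy, use and erasure logged (Level 1 items ii-iii, Level 2 item iii)."""
    target_env: str
    approved_by: str = ""
    records: list[dict] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)

    def load(self, source: list[dict], secret: bytes) -> int:
        if not self.approved_by:
            raise PermissionError("copying operational data needs management authorization")
        self.records = [de_identify(r, secret) for r in source]
        if leaks_identifiers(self.records, source):
            self.records = []
            raise ValueError("de-identification left a direct identifier in the test data")
        self.audit.append(f"copy: {len(self.records)} records into {self.target_env}, "
                          f"approved by {self.approved_by}")
        return len(self.records)

    def use(self, purpose: str) -> list[dict]:
        self.audit.append(f"use: {purpose}")
        return self.records

    def erase(self) -> int:
        """Erase test data immediately after testing (Level 1 item iii)."""
        count, self.records = len(self.records), []
        self.audit.append(f"erase: {count} records removed from {self.target_env}")
        return count

def run_test_data_demo() -> dict:
    secret = b"constructed-secret-held-outside-test-env"
    unapproved = TestDataCopy(target_env="uat")
    try:
        unapproved.load(SAMPLE_RECORDS, secret)
        unapproved_blocked = False
    except PermissionError:
        unapproved_blocked = True
    copy = TestDataCopy(target_env="uat", approved_by="app-manager")
    loaded = copy.load(SAMPLE_RECORDS, secret)
    test_rows = copy.use("regression test of claims export")
    return {
        "unapproved_blocked": unapproved_blocked,
        "loaded": loaded,
        "leaks": leaks_identifiers(test_rows, SAMPLE_RECORDS),
        "fields": sorted(test_rows[0]),
        "erased": copy.erase(),
        "audit": [line.split(":")[0] for line in copy.audit],
    }
```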
Level 2 Control Standard Mapping:
• ISO/IEC 27002-2005 12.4.2

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 10.j Access Control to Program Source Code

Control Specification: Access to program source code shall be restricted.
Factor Type: System
Topics: Authorization
Policies and Procedures
Risk Management and Assessments
Services and Acquisitions
User Access

Level 1 Implementation Requirements

Level 1 Organizational Factors: None
Level 1 System Factors: Applicable to all systems
Level 1 Regulatory Factors: None
Level 1 Implementation: Access to program source code (code written by programmers, which is
compiled and linked to create executables) and associated items (such as
designs, specifications, verification plans and validation plans) shall be
strictly controlled, in order to prevent the introduction of unauthorized
functionality and to avoid unintentional changes. An organization will not
have access to source code for the majority of purchased software
applications, in which case this requirement does not apply.

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: Processing PHI: Yes - AND -, Accessible from the Internet: Yes, Number of
Users: > 500, Number of Transactions Per Day: > 6,750
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:
Program source code shall be stored in a central location, specifically in
program source libraries.

The following requirements shall be implemented (see 1.0) to control
access to such program source libraries in order to reduce the potential for
corruption of computer programs:
i. program source libraries shall not be held in operational systems;
ii. the program source code and the program source libraries shall be
managed according to established procedures;
iii. access to program source libraries shall be strictly limited to that which
is needed to perform a job function;
iv. the updating of program source libraries and associated items, and the
issuing of program sources to programmers shall only be performed
after appropriate authorization has been received;
v. program listings shall be held in a secure environment (see 9.r);
vi. an audit log shall be maintained of all accesses to program source
libraries; and
vii. maintenance and copying of program source libraries shall be subject to
strict change control procedures (see 10.k).
Level 2 Control Standard Mapping:
• CSA IS-33
• ISO/IEC 27002-2005 12.4.3
• ISO 27799-2008 7.9.4.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Objective Name: 10.05 Security in Development and Support Processes

Control Objective: To ensure the security of application system software and information
through the development process, project and support environments shall
be strictly controlled.

Control Reference: 10.k Change Control Procedures

Control Specification: The implementation of changes, including patches, service packs, and
other updates and modifications, shall be controlled by the use of formal change
control procedures.
Factor Type: Organizational
Topics: Documentation and Records
IT Organization and Management Roles and Responsibilities
Requirements (Legal and Contractual)

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Project and support environments shall be strictly controlled. Managers
responsible for application systems shall also be responsible for the
security of the project or support environment. They shall ensure that all
proposed system changes are reviewed to check that they do not
compromise the security of either the system or the operating environment.

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and
Development Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance
Level 2 Implementation: Level 1 plus:

A formal, documented configuration management policy that addresses
purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance shall be
developed. Configuration management policy/procedures shall be
reviewed/updated annually.

The organization shall develop, document, and implement a configuration
management plan for the information system that:
i. addresses roles, responsibilities, and configuration management
processes and procedures;
ii. defines the configuration items for the information system and when in
the system development life cycle the configuration items are placed
under configuration management; and
iii. establishes a process for identifying configuration items throughout the
system development life cycle and for managing the configuration of the
configuration items.

Formal change control procedures shall be documented and enforced in
order to minimize the corruption of information systems. Introduction of
new systems and major changes to existing systems shall follow a formal
process of documentation, specification, testing, quality control, and
managed implementation.

This process shall include a risk assessment, analysis of the security and
privacy impacts of changes, and specification of security controls needed.
This process shall also ensure that existing security and control procedures
are not compromised, that support programmers are given access only to
those parts of the system necessary for their work, and that formal
agreement and approval for any change is obtained.

Installation checklists shall be used to validate the configuration of servers,
devices and appliances. In addition, vulnerability port scanning shall occur
on servers and desktops to ensure the configuration meets minimum security
standards.

The change procedures shall minimally include:
i. ensuring changes are submitted by authorized users;
ii. maintaining a record of agreed authorization levels;
iii. reviewing controls and integrity procedures to ensure that they will not
be compromised by the changes;
iv. identifying all software, information, database entities, and hardware
that require amendment;
v. obtaining formal approval for detailed proposals requesting changes
before work commences;
vi. documenting unit, system, and user acceptance testing procedures in an
environment segregated from development and production;
vii. ensuring all system components are tested and approved (operating
system, utility, applications) prior to promotion to production;
viii. documenting rollback procedures for failed changes;
ix. ensuring authorized users accept changes prior to implementation, based
on the results of the testing completed for each change;
x. ensuring that the system documentation set is updated and that old
documentation is archived or disposed of;
xi. maintaining a version control for all software updates;
xii. maintaining an audit trail of all change requests and approvals; and
xiii. ensuring that operating documentation (see 9.a) and user procedures
are changed as necessary to remain appropriate.

If development is outsourced, change control procedures to address
security are included in the contract(s). Automated updates shall not be
used on critical systems, as some updates may cause critical applications to
fail.

If application development is done in-house, formal security considerations
shall be incorporated in the application development lifecycle (SDLC) to
ensure integration of security at every step of the SDLC process.
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 CM-1 (HIGH)
- CMSRs 2012v1.5 CM-3 (HIGH)
- CMSRs 2012v1.5 CM-3(1) (HIGH)
- CMSRs 2012v1.5 CM-3(2) (HIGH)
- CMSRs 2012v1.5 CM-4 (HIGH)
- CMSRs 2012v1.5 CM-4(1) (HIGH)
- CMSRs 2012v1.5 CM-4(2) (HIGH)
- CMSRs 2012v1.5 CM-5 (HIGH)
- CMSRs 2012v1.5 CM-5(1) (HIGH)
- CMSRs 2012v1.5 CM-5(3) (HIGH)
- CMSRs 2012v1.5 CM-9 (HIGH)
- CMSRs 2012v1.5 SA-10 (HIGH)
- CSA RM-02
- ISO/IEC 27002-2005 12.5.1
- ISO/IEC 27002-2005 12.5.2
- ISO/IEC 27002-2005 12.5.3
- ISO 27799-2008 7.9.5
- NIST SP800-53 R4 CM-1
- NIST SP800-53 R4 CM-3
- NIST SP800-53 R4 CM-3(2)
- NIST SP800-53 R4 CM-4
- NIST SP800-53 R4 CM-5
- NIST SP800-53 R4 CM-9
- NIST SP800-53 R4 SA-10
- NRS 603A.215.1
- PCI DSS v2 6.4

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on
Research and Development Per Year, Pharmaceutical Companies: > 70,000,000
Prescriptions Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS
Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
The organization shall develop, document, and maintain under
configuration control, a current baseline configuration of the information
system.

The organization shall review and update the baseline configuration of the
information system:
i. at least once every six (6) months;
ii. when required due to critical security patches, upgrades and emergency
changes (e.g., unscheduled changes, system crashes, replacement of
critical hardware components), major system changes/upgrades;
a. as an integral part of information system component installations,
b. upgrades, and
c. supporting baseline configuration documentation reflects ongoing
implementation of operational configuration baseline updates,
either directly or by policy.

The organization shall:

i. establish and document mandatory configuration settings for
information technology products employed within the information
system using the latest security configuration baselines established by
the HHS, U.S. Government Configuration Baselines (USGCB), and the
National Checklist Program (NCP) defined by NIST SP 800-70 Rev. 2
that reflect the most restrictive mode consistent with operational
requirements;
ii. identify, document, and approve exceptions from the mandatory
established configuration settings for individual components within the
information system based on explicit operational requirements; and
iii. monitor and control changes to the configuration settings in accordance
with organizational policies and procedures.

The organization shall employ automated mechanisms to centrally manage,
apply, and verify configuration settings. The organization shall employ
automated mechanisms to respond to unauthorized changes to network
and system security-related configuration settings.

The organization employs automated mechanisms to enforce access
restrictions and support auditing of the enforcement actions. The
organization conducts audits of information system changes at intervals
specified by the organization but no less than quarterly and when
indications so warrant to determine whether unauthorized changes have
occurred.
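As an added illustration of the verify-and-respond step described above (this is example code, not part of the CSF text or any HITRUST tooling), the following Python script compares a component's current settings with a mandatory baseline, treats documented and approved exceptions as compliant until they expire, and reports everything else as an unauthorized change for the audit trail. The baseline keys, the host name "web-01", the change record references and the dates are constructed sample data.

```python
"""Baseline configuration verification with documented exceptions.

Added example (not part of the HITRUST CSF text).  It checks one component's
current settings against a mandatory baseline, treats documented and approved
exceptions as compliant until they expire, and reports every other deviation
as an unauthorized change for the audit trail.  The baseline keys, host name,
change record references and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed mandatory baseline: the most restrictive mode consistent with
# operational requirements (values are illustrative, not a published checklist).
MANDATORY_BASELINE: Dict[str, object] = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": True,
    "password.min_length": 14,
    "telnet.enabled": False,
}


@dataclass
class ApprovedException:
    """A documented, approved deviation for one component and one setting."""
    component: str
    setting: str
    approved_value: object
    change_record: str   # reference to the approval record (constructed)
    expires: date        # exceptions are re-approved, never permanent


@dataclass
class Finding:
    component: str
    setting: str
    expected: object
    actual: Optional[object]
    status: str  # "deviation" | "approved_exception" | "expired_exception" | "missing"


def verify_component(component: str, current: Dict[str, object],
                     baseline: Dict[str, object],
                     exceptions: List[ApprovedException],
                     today: date) -> List[Finding]:
    """Return one Finding per baseline setting that the component does not meet.

    Settings that match the baseline produce no finding.  An unexpired,
    approved exception whose approved value matches the actual value is still
    reported (status 'approved_exception') so the audit trail shows it.
    """
    approved = {(e.component, e.setting): e for e in exceptions}
    findings: List[Finding] = []
    for setting, expected in baseline.items():
        if setting not in current:
            findings.append(Finding(component, setting, expected, None, "missing"))
            continue
        actual = current[setting]
        if actual == expected:
            continue
        exc = approved.get((component, setting))
        if exc is None or exc.approved_value != actual:
            status = "deviation"           # no approval covers this value
        elif exc.expires < today:
            status = "expired_exception"   # approval lapsed; treat as unauthorized
        else:
            status = "approved_exception"
        findings.append(Finding(component, setting, expected, actual, status))
    return findings


def requires_response(findings: List[Finding]) -> List[Finding]:
    """Findings an automated mechanism should act on (alert, re-apply, ticket)."""
    return [f for f in findings if f.status != "approved_exception"]


# Constructed snapshot of host "web-01" as collected by a configuration agent.
SAMPLE_CURRENT: Dict[str, object] = {
    "ssh.PermitRootLogin": "yes",         # unauthorized change
    "ssh.PasswordAuthentication": "yes",  # covered by a valid exception
    "audit.enabled": True,                # compliant
    "password.min_length": 12,            # exception has expired
    # "telnet.enabled" is absent: the agent could not read it
}

SAMPLE_EXCEPTIONS = [
    ApprovedException("web-01", "ssh.PasswordAuthentication", "yes",
                      "CHG-0001 (constructed)", date(2030, 1, 1)),
    ApprovedException("web-01", "password.min_length", 12,
                      "CHG-0002 (constructed)", date(2013, 12, 31)),
]


def demo(today: date = date(2014, 6, 1)) -> List[Finding]:
    return verify_component("web-01", SAMPLE_CURRENT, MANDATORY_BASELINE,
                            SAMPLE_EXCEPTIONS, today)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.component} {f.setting}: expected={f.expected!r} "
              f"actual={f.actual!r} -> {f.status}")
```

A setting the agent cannot read is reported as "missing" rather than silently skipped, and an expired exception is treated as unauthorized, which is what keeps the exception register from becoming a permanent waiver.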
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 CM-2 (HIGH)
- CMSRs 2012v1.5 CM-2(1) (HIGH)
- CMSRs 2012v1.5 CM-2(2) (HIGH)
- CMSRs 2012v1.5 CM-2(3) (HIGH)
- CMSRs 2012v1.5 CM-2(4) (HIGH)
- CMSRs 2012v1.5 CM-2(5) (HIGH)
- CMSRs 2012v1.5 CM-2(6) (HIGH)
- CMSRs 2012v1.5 CM-6 (HIGH)
- CMSRs 2012v1.5 CM-6(1) (HIGH)
- CMSRs 2012v1.5 CM-6(2) (HIGH)
- CMSRs 2012v1.5 CM-6(3) (HIGH)
- CMSRs 2012v1.5 CM-6(4) (HIGH)
- NIST SP800-53 R4 CM-2
- NIST SP800-53 R4 CM-2(1)
- NIST SP800-53 R4 CM-2(3)
- NIST SP800-53 R4 CM-6

CMS Contractor Requirements

CMS Contractors: The CMS hierarchy for implementing all security configuration
guidelines is as follows:
i. CMS
ii. DHHS
iii. OMB
iv. NIST
v. DISA

The organization shall require that information system
developers/integrators, in consultation with associated security personnel
(including security engineers), create and implement a security test and
evaluation plan in accordance with, but not limited to, the current CMS
procedures.

The organization shall:

i. develop and maintain a list of software programs authorized (white
list) or not authorized (black list) to execute on the system; and
ii. employ a deny-all, permit-by-exception or allow-all, deny-by-exception
authorization policy to identify software allowed to execute on the
information system.

The organization shall maintain a baseline configuration for development
and test environments that is managed separately from the operational
baseline configuration.

The organization shall employ automated mechanisms to enforce access
restrictions and support auditing of the enforcement actions. The
organization conducts audits of information system changes at intervals
specified by the organization but no less than weekly and when indications
so warrant to determine whether unauthorized changes have occurred.

The information system shall prevent the installation of network and
operating system software programs that are not signed with a certificate
that is recognized and approved by the organization.

The organization shall employ automated mechanisms to:

i. document proposed changes to the information system;
ii. notify designated approval authorities;
iii. highlight approvals that have not been received in a timely manner;
iv. inhibit change until designated approvals are received; and
v. document completed changes to the information system.

The organization shall analyze new software in a separate test environment
before installation in an operational environment, looking for security
impacts due to flaws, weaknesses, incompatibility, or intentional malice.

The organization shall employ automated mechanisms to maintain an up-to-
date, complete, accurate, and readily available baseline configuration of the
information system.


Control Reference: 10.l Outsourced Software Development

Control Specification: Outsourced software development shall be supervised and
monitored by the organization.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Documentation and Records
Media and Assets
Requirements (Legal and Contractual)
Services and Acquisitions

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance
Level 1 Implementation: Where software development is outsourced, the following
points shall be addressed contractually (either in a contract or Security Service
Level Agreement):
i. licensing arrangements, code ownership, and intellectual property
rights (see 6.b);
ii. certification of the quality and accuracy of the work carried out;
iii. escrow arrangements in the event of failure of the third party;
iv. rights of access for audit of the quality and accuracy of work done;
v. contractual requirements for quality and security functionality of code;
and
vi. testing before installation to detect malicious code.
Level 1 Control Standard Mapping:
- CMSRs 2012v1.5 SA-11 (HIGH)
- CMSRs 2012v1.5 SA-12 (HIGH)
- CMSRs 2012v1.5 SA-13 (HIGH)
- ISO/IEC 27002-2005 12.5.5
- ISO 27799-2008 7.9.5
- NIST SP800-53 R4 SA-11
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Pharmaceutical Companies: > 10,000,000
Prescriptions Per Year, Third Party Processor: > 10,000,000 Records Processed
Per Year, Physician Practice: > 60,000 Visits Per Year, Medical Facilities /
Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000
Covered Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information Exchange:
> 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

The development of all outsourced software shall be supervised and
monitored by the organization and must include security requirements,
independent security review of the outsourced environment by a certified
individual, certified security training for outsourced software developers,
and code reviews.

Certification for the purposes of this control shall be defined as a legally
recognized license or certification in the legislative jurisdiction the
organization outsourcing the development has chosen as its domicile.
Level 2 Control Standard Mapping:
- CSA RM-04
- NIST SP800-53 R4 SA-12

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall protect against supply chain threats by
employing best practices and methodologies, wherever possible, selecting
components that have been previously reviewed by other government entities
(e.g., National Information Assurance Partnership [NIAP]) as part of a
comprehensive, defense-in-breadth information security strategy.

The organization shall require that all information systems meet a level of
security functionality and security assurance that is sufficient to preserve
the confidentiality, integrity, and availability of the information being
processed, stored, or transmitted by the system by establishing system
trustworthiness objectives as part of the security authorization by following
the CMS eXpedited Life Cycle (XLC).

Objective Name: 10.06 Technical Vulnerability Management

Control Objective: To reduce the risks resulting from exploitation of published
technical vulnerabilities, technical vulnerability management shall be
implemented in an effective, systematic, and repeatable way with measurements
taken to confirm its effectiveness.

Control Reference: 10.m Control of Technical Vulnerabilities

Control Specification: Timely information about technical vulnerabilities of
information systems being used shall be obtained; the organization's exposure
to such vulnerabilities evaluated; and appropriate measures taken to address
the associated risk.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Incident Response
IT Organization and Management Roles and Responsibilities
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: Specific information needed to support technical
vulnerability management includes the software vendor, version numbers,
current state of deployment (e.g., what software is installed on what systems)
and the person(s) within the organization responsible for the software.

Appropriate, timely action shall be taken in response to the identification of
potential technical vulnerabilities. Once a potential technical vulnerability
has been identified, the organization shall identify the associated risks and
the actions to be taken. Such action shall involve patching of vulnerable
systems and/or applying other controls.
Level 1 Control Standard Mapping:
- (State of Mass.) 201 CMR 17.04(6)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000 Records
Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical
Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM:
> 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: Level 1 plus:

The organization shall define and establish the roles and responsibilities
associated with technical vulnerability management, including vulnerability
monitoring, vulnerability risk assessment, patching, asset tracking, and any
coordination responsibilities required.

Information resources (including tools and vulnerability mailing lists/other
information sources) that will be used to identify relevant technical
vulnerabilities and to maintain awareness about them shall be identified for
software and other technology (based on the asset inventory list, see 7.a).
These information resources shall be updated based on changes in the
inventory, or when other new or useful resources are found.

Internal and external vulnerability assessments of covered information
systems and networked environments shall be performed on a quarterly
basis, and after any significant change in the network, by a qualified
individual. These tests shall include both network- and application-layer
tests.

The action taken shall be carried out according to the controls related to
change management (see 10.k) or by following information security
incident response procedures (see 11.c).

If a patch is available, change control procedures for the implementation of
security patches and software modifications shall be followed (see
09.b). This shall include assessing the risks associated with installing the
patch (the risks posed by the vulnerability should be compared with the risk
of installing the patch). Patches shall be tested and evaluated before they
are installed to ensure they are effective and do not result in side effects
that cannot be tolerated.

If no patch is available, other controls shall be applied including:

i. documentation of impact;
ii. documented change approval by authorized parties;
iii. functionality testing to verify that the change does not adversely impact
the security of the system;
iv. back-out procedures;
v. turning off services or capabilities related to the vulnerability;
vi. adapting or adding access controls (e.g., firewalls) at network borders
(see 9.m);
vii. increased monitoring to detect or prevent actual attacks; and
viii. raising awareness of the vulnerability.

An audit log shall be kept for all procedures undertaken.

Establish a process to identify and assign a risk ranking to newly discovered
security vulnerabilities. The risk ranking shall consider the CVSS score,
classification of the vendor supplied patch, and/or the classification and
criticality of the affected system. The technical vulnerability management
process shall be evaluated on a quarterly basis in order to ensure its
effectiveness and efficiency. Systems at high risk shall be addressed first.

A configuration standard shall be developed for all system components
(workstations, databases, servers, applications). The standards shall be
hardened to address, to the extent practical, all known security
vulnerabilities.

The organization's configuration standards shall be consistent with
industry-accepted system hardening standards, including:
i. Center for Internet Security (CIS)
ii. International Organization for Standardization (ISO)
iii. SysAdmin, Audit, Network, Security (SANS) Institute
iv. National Institute of Standards and Technology (NIST)

Enable only necessary and secure services, protocols, daemons, etc., as
required for the function of the system. Implement security features for any
required services, protocols or daemons that are considered to be insecure
(e.g., use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to
protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.).
Level 2 Control Standard Mapping:
- CMSRs 2012v1.5 CM-7 (HIGH)
- ISO/IEC 27002-2005 12.6.1
- ISO 27799-2008 7.9.5
- NIST SP800-53 R4 CM-7
- NIST SP800-53 R4 RA-5
- NIST SP800-53 R4 RA-5(1)
- NIST SP800-53 R4 SI-2
- PCI DSS v2 2.2
- PCI DSS v2 6.2
- PCI DSS v2 6.4.5
- PCI DSS v2 6.4.5.1
- PCI DSS v2 6.4.5.2
- PCI DSS v2 6.4.5.3
- PCI DSS v2 6.4.5.4
- PCI DSS v2 11.2
- PCI DSS v2 11.2.1
- PCI DSS v2 11.2.2
- PCI DSS v2 11.2.3

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA
Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:

External and internal network penetration testing and an enterprise security
posture review shall be performed annually and after any significant
infrastructure or application upgrade. The penetration test should also
include application-layer penetration tests.

The organization shall employ automated mechanisms monthly to
determine the state of information system components with regard to flaw
remediation.

The organization scans for vulnerabilities in the information system and
hosted applications within every thirty (30) days and when new
vulnerabilities potentially affecting the systems and networked
environments are identified and reported.

The organization updates the list of information system vulnerabilities
scanned within every thirty (30) days or when new vulnerabilities are
identified and reported.

The organization includes privileged access authorization to operating
system, telecommunications, and configuration components for selected
vulnerability scanning activities to facilitate more thorough scanning.
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 RA-5 (HIGH)
- CMSRs 2012v1.5 RA-5(1) (HIGH)
- CMSRs 2012v1.5 RA-5(2) (HIGH)
- CMSRs 2012v1.5 RA-5(3) (HIGH)
- CMSRs 2012v1.5 RA-5(4) (HIGH)
- CMSRs 2012v1.5 RA-5(5) (HIGH)
- CMSRs 2012v1.5 RA-5(7) (HIGH)
- CMSRs 2012v1.5 RA-5(9) (HIGH)
- CMSRs 2012v1.5 SI-2 (HIGH)
- CMSRs 2012v1.5 SI-2(1) (HIGH)
- CMSRs 2012v1.5 SI-2(2) (HIGH)
- CSA IS-20
- NIST SP800-53 R4 SI-2(2)
- NRS 603A.215.1
- PCI DSS v2 6.1
- PCI DSS v2 11.3
- PCI DSS v2 11.3.1
- PCI DSS v2 11.3.2

CMS Contractor Requirements

CMS Contractors: The organization shall correct identified information system
flaws on production equipment within ten (10) business days and all others
within thirty (30) calendar days.

A risk-based decision is documented through the configuration
management process in the form of written authorization from the CMS CIO
or his/her designated representative (e.g., the system data owner or CMS
CISO) if a security patch is not applied to a security-based system or
network.

For critical infrastructure and systems (e.g., public-facing, internet
accessible), critical security patches shall be applied within one month of
release. For less-critical infrastructure and systems (e.g., only accessible
internally) or for non-critical security patches, patches shall be applied
within three months of release.
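The risk-ranking process required under 10.m (CVSS score, vendor patch classification, and criticality of the affected system) and the remediation timeframes stated for CMS contractors above (ten business days for production equipment, thirty calendar days for all other systems) can be combined into one prioritisation routine. The Python below is an added example, not HITRUST or CMS code: it ranks constructed sample findings, assigns each a due date from the discovery date, and orders the work so the highest-risk, earliest-due items come first. The rule for combining the three factors, the vendor classification names and the sample vulnerability identifiers are assumptions made for the example.

```python
"""Vulnerability risk ranking and remediation due dates.

Added example, not HITRUST or CMS text.  It ranks newly discovered
vulnerabilities from the CVSS base score, the vendor's patch classification
and the criticality of the affected system, then assigns a remediation due
date using the CMS contractor timeframes in the surrounding text: ten
business days for production equipment, thirty calendar days otherwise.
The way the three factors are combined, the vendor classification names and
the sample vulnerabilities are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

LEVELS = ["low", "medium", "high"]


def cvss_band(score: float) -> str:
    """Qualitative band for a CVSS v2 base score (NVD: Low <4, Medium <7, High >=7)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must lie between 0.0 and 10.0")
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


# Constructed mapping of typical vendor patch classifications onto the bands.
VENDOR_CLASS = {"critical": "high", "important": "high",
                "moderate": "medium", "low": "low"}


@dataclass
class Vulnerability:
    vuln_id: str
    cvss_base: float
    vendor_classification: str
    system_criticality: str  # "low" | "medium" | "high" | "critical"
    production: bool         # production equipment gets the shorter deadline


def risk_rank(v: Vulnerability) -> str:
    """Take the worse of CVSS band and vendor class, then raise one level on a
    critical system and lower one level on a low-criticality system."""
    idx = max(LEVELS.index(cvss_band(v.cvss_base)),
              LEVELS.index(VENDOR_CLASS[v.vendor_classification]))
    if v.system_criticality == "critical":
        idx = min(idx + 1, len(LEVELS) - 1)
    elif v.system_criticality == "low":
        idx = max(idx - 1, 0)
    return LEVELS[idx]


def add_business_days(start: date, days: int) -> date:
    """Advance by Monday-to-Friday working days; public holidays are not modelled."""
    current = start
    added = 0
    while added < days:
        current += timedelta(days=1)
        if current.weekday() < 5:
            added += 1
    return current


def due_date(v: Vulnerability, discovered: date) -> date:
    """Ten business days for production equipment, thirty calendar days otherwise."""
    if v.production:
        return add_business_days(discovered, 10)
    return discovered + timedelta(days=30)


def prioritize(vulns: List[Vulnerability],
               discovered: date) -> List[Tuple[str, str, date]]:
    """Return (id, rank, due) sorted so the highest risk and earliest due come first."""
    ranked = [(v.vuln_id, risk_rank(v), due_date(v, discovered)) for v in vulns]
    ranked.sort(key=lambda r: (-LEVELS.index(r[1]), r[2]))
    return ranked


# Constructed findings from a single scan cycle (identifiers are placeholders).
SAMPLE_VULNS = [
    Vulnerability("VULN-A", 9.3, "critical", "high", production=True),
    Vulnerability("VULN-B", 5.0, "moderate", "critical", production=False),
    Vulnerability("VULN-C", 3.5, "low", "medium", production=True),
    Vulnerability("VULN-D", 7.5, "important", "low", production=False),
]


def demo(discovered: date = date(2014, 6, 2)) -> List[Tuple[str, str, date]]:
    return prioritize(SAMPLE_VULNS, discovered)


if __name__ == "__main__":
    for vuln_id, rank, due in demo():
        print(f"{vuln_id}: {rank:6s} remediate by {due.isoformat()}")
```

Note that VULN-B, a medium CVSS finding on a critical system, is ranked above VULN-D, a high CVSS finding on a low-criticality system: the system factor is what turns a raw score into a remediation order.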

Vulnerability scanning procedures shall be implemented that can
demonstrate the breadth and depth of coverage (i.e., information system
components scanned and vulnerabilities checked).

The organization shall attempt to discern what information about the
information system environment is discernible by malicious, external
parties.

The organization shall include privileged access authorization to operating
system, telecommunications, and configuration components for selected
vulnerability scanning activities to facilitate more thorough scanning.

The organization shall employ automated mechanisms every thirty (30)
days to detect the presence of unauthorized hardware, software and
firmware on organizational information systems and notify designated
organizational officials.

The organization shall centrally manage the flaw remediation process and
shall install software updates automatically where possible.


Control Category: 11.0 - Information Security Incident Management

Objective Name: 11.01 Reporting Information Security Incidents and Weaknesses

Control Objective: To ensure information security events and weaknesses
associated with information systems are handled in a manner allowing timely
corrective action to be taken.

Control Reference: 11.a Reporting Information Security Events

Control Specification: Information security events shall be reported through
appropriate communications channels as quickly as possible. All employees,
contractors and third party users shall be made aware of their responsibility
to report any information security events as quickly as possible.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Awareness and Training
Incident Response
IT Organization and Management Roles and Responsibilities
Personnel
Policies and Procedures
Risk Management and Assessments
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to State of Massachusetts Data Protection Act
Level 1 Implementation: Formal information security event reporting procedures
to support the corporate direction (policy) shall be established, together with
an incident response and escalation procedure, setting out the action to be
taken on receipt of a report of an information security event, treating the
breach as discovered, and the timeliness of reporting and response. Given the
importance of information security incident handling, a policy shall be
established to set the direction of management.

A point of contact shall be established for the reporting of information
security events. It shall be ensured that this point of contact is known
throughout the organization, is always available and is able to provide
adequate and timely response.

Employees and other workforce members, including third parties, are able
to freely report security weaknesses (real and perceived) without fear of
repercussion.

The organization shall implement an insider threat program that includes a
cross-discipline insider threat incident handling team.

Organizations shall ensure workforce members do not interfere with
federal or state investigations or disciplinary proceedings by willful
misrepresentation or omission of facts or by the use of threats or
harassment against any person. Organizations shall ensure violations of
these requirements are incorporated into disciplinary procedures (see
02.f).
Level 1 Control Standard Mapping:
- (State of Mass.) 201 CMR 17.03(2)(j)
- CSA IS-23
- HIPAA §164.308(a)(1)(ii)(D)
- HIPAA §164.308(a)(5)(ii)(A)
- HIPAA §164.308(a)(5)(ii)(B)
- HIPAA §164.308(a)(6)(i)
- HIPAA §164.308(a)(6)(ii)
- HIPAA §164.314(a)(2)(i)
- HITECH Act, Subpart D 164.404(a)(2)
- HITECH Act, Subpart D 164.410(a)(1)
- HITECH Act, Subpart D 164.410(a)(2)
- NIST SP800-53 R4 IR-1
- NIST SP800-53 R4 PM-12
- PCI DSS v2 12.9
- PCI DSS v2 12.9.3
- Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0
Subsection 3.3
- Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
- 1 TAC § 390.2(a)(1)
- (State of Texas) HB 300 521.053(b)
- (State of Texas) HB 300 521.053(b-1)
- 1 TAC § 390.2(a)(4)(A)(ix)
- 1 TAC § 390.2(a)(4)(B)(xvi)
- 1 TAC § 390.2(a)(4)(B)(xviii)(III)
- 1 TAC § 390.2(a)(4)(B)(xviii)(IV)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000 Records
Processed Per Year, Physician Practice: > 60,000 Visits Per Year, Medical
Facilities / Hospital: > 1,000 Licensed Beds, Health Plan / Insurance / PBM:
> 1,000,000 Covered Lives, IT Service Providers (Vendors): > 500 Employees,
Pharmacy Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to HITECH Breach
Notification Requirements, Subject to the State of Nevada Security of Personal
Information Requirements
Level 2 Implementation: Level 1 plus:
The policy shall refer to the specific procedures and programs to address
incidents and also refer to a forensic program. The organization shall
institute a mechanism to anonymously report security issues. Procedures
shall be developed to provide for definition of the information security
incidents, roles and responsibilities, incident handling, reporting and
communication processes. They shall also state the requirements for an
incident handling team to address regulatory requirements, third party
relationships, and the handling of third party security breaches. Reports
and communications shall be made without unreasonable delay and no
later than 60 days after the discovery of the incident, unless otherwise
stated by law enforcement in writing or orally. If the statement is made in
writing, the notification shall be delayed for the time specified by the
official. If the statement is made orally, the organization shall document the
statement, including the identity of the official making the statement, and
delay the notification temporarily and no longer than 30 days from the date
of the oral statement, unless a written statement from a law enforcement
official is submitted during that time.

All employees, contractors and third party users shall receive mandatory
incident response training to ensure they are aware of their responsibilities
to report any information security events as quickly as possible, the
procedure for reporting information security events and the point(s) of
contact.

The reporting procedures shall include:
i. feedback processes to ensure that those reporting information security
events are notified of results after the issue has been dealt with and
closed;
ii. information security event reporting forms to support the reporting
action, and to help the person reporting to remember all necessary
actions in case of an information security event including:
1. the correct behavior to be undertaken in case of an information
security event, i.e. noting all important details (e.g. type of
non-compliance or breach, occurring malfunction, messages on the
screen, strange behavior) immediately; and
2. not carrying out any own action, but immediately reporting to
the point of contact;
iii. reference to an established formal disciplinary process for dealing with
employees, contractors or third party users who commit security
breaches;
iv. communication with each individual affected by, or who is reasonably
believed to have been affected by, the incident;
v. communication with business associate(s) identifying each individual
affected by, or who is reasonably believed to have been affected by, the
incident;
vi. communicating incidents to local and federal law enforcement agencies;
and
vii. automated work flow processes for incident management, reporting
and resolution.

Reports to external organizations, individuals or federal or state agencies
shall include:
i. a brief description of what happened;
ii. the date of the breach;
iii. the date of the discovery of the breach;
iv. a description of the types of information that were involved in the
breach (e.g. full name, Social Security number, date of birth, home
address, account number, disability code);
v. the recommended steps external entities should take to protect
themselves from potential harm resulting from the breach;
vi. a brief description of the steps the organization is taking to:
1. investigate the breach,
2. mitigate damages, and
3. protect against any further breaches
vii. contact procedures to ask questions or learn additional information,
which shall include:
1. a toll-free telephone number,
2. an e-mail address,
3. Web site, or
4. postal address.

Reports to the individuals affected by the incident shall be provided with
notification by first-class mail to the individual (or the next of kin of the
individual if the individual is deceased) at the last known address of the
individual or the next of kin, respectively, or by electronic mail if specified
as a preference by the individual. Organizations may provide notifications
by telephone in cases deemed urgent by the organization. In the case that
there are 10 or more individuals for whom there is insufficient or out-of-
date contact information (including a phone number, email address, or any
other form of appropriate communication), a conspicuous posting shall be
placed on the home page of the Web site of the organization involved for a
period of 90 days. A toll-free phone number shall also be posted that
remains active for at least 90 days where an individual can learn whether
the individual’s information may be included in the breach. The
organization shall also notify, without unreasonable delay, any consumer
reporting agency of the time the notification is distributed and the content
of the notification.

If more than 500 residents of such State or jurisdiction were, or are
reasonably believed to have been, affected by the breach, notice shall be
immediately provided to the federal government (to publicly disclose) and
prominent media outlets.

The notification to individuals shall be written in plain language (e.g., at an
appropriate reading level, using clear language and syntax, and not include
any extraneous material that might diminish the message it is trying to
convey).

Alerts from the organization's intrusion-detection and intrusion-prevention
systems shall be utilized for reporting information security events.
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 IR-1 (HIGH)
 CMSRs 2012v1.5 IR-6 (HIGH)
 CMSRs 2012v1.5 IR-6(1) (HIGH)
 COBIT 4.1 DS5.6
 COBIT 5 DSS02.01
 HITECH Act, Subpart D 164.404(a)(1)
 HITECH Act, Subpart D 164.404(b)
 HITECH Act, Subpart D 164.404(c)(1)
 HITECH Act, Subpart D 164.404(c)(2)
 HITECH Act, Subpart D 164.404(d)(1)
 HITECH Act, Subpart D 164.404(d)(2)
 HITECH Act, Subpart D 164.404(d)(3)
 HITECH Act, Subpart D 164.406(a)
 HITECH Act, Subpart D 164.406(b)
 HITECH Act, Subpart D 164.406(c)
 HITECH Act, Subpart D 164.408(a)
 HITECH Act, Subpart D 164.408(b)
 HITECH Act, Subpart D 164.408(c)
 HITECH Act, Subpart D 164.410(b)
 HITECH Act, Subpart D 164.410(c)(1)
 HITECH Act, Subpart D 164.410(c)(2)
 HITECH Act, Subpart D 164.412
 HITECH Act, Subpart D 164.414(b)
 ISO 27799-2008 7.10.1
 NIST SP800-53 R4 IR-6
 NIST SP800-53 R4 IR-6(1)
 NRS 603A.215.1
 NRS 603A.220.1
 NRS 603A.220.2
 NRS 603A.220.3
 PCI DSS v2 12.5.2
 PCI DSS v2 12.5.3
 PCI DSS v2 12.9.1
 PCI DSS v2 12.9.4
 PCI DSS v2 12.9.5
 1 TAC § 390.2(a)(3)
 1 TAC § 390.2(a)(4)(B)(xiii)

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security
Requirements (High)
Level 3 Implementation: Level 2 plus:
A duress alarm shall be provided whereby a person under duress can
indicate such problems. The procedures for responding to duress alarms
shall reflect the high risk situation such alarms are indicating.

An information security assessment shall be made either on all incidents or
on a sample, to further validate the effectiveness or otherwise of
established controls and of the risk assessment that led to them.

Examples include:
i. a break-in leading to theft of IT hardware, resulting in a confidentiality
breach; or
ii. a fire set to disguise misuse of IT equipment.
Level 3 Control Standard Mapping:
 CMSRs 2012v1.5 SI-4 (HIGH)
 ISO/IEC 27002-2005 13.1.1
 NIST SP800-53 R4 SI-4

CMS Contractor Requirements

CMS Contractors: The organization shall require personnel to report suspected security
incidents to the organizational incident response capability within the
timeframe established in the current CMS Incident Handling and Breach
Notification Standard.

Texas Covered Entities

Texas Covered Entities: Organizations or persons that conduct business in Texas and own or license
computerized data that includes sensitive personal information shall
disclose any breach of system security, after discovering or receiving
notification of the breach, to any individual whose sensitive personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure shall be made as quickly as possible,
except at the request of a law enforcement agency that determines
notification will impede a criminal investigation, or as necessary to
determine the scope of the breach and restore the reasonable integrity of
the data system.

If the individual is a resident of a state that requires a person or entity to
provide notice of a breach of system security, notice of the breach of system
security may be provided in accordance with that state's law.

A person or entity may give notice by providing:
i. Written notice at the last known address;
ii. Electronic notice, if the notice is provided in accordance with 15 U.S.C.
Section 7001; or
iii. If the person or entity required to give notice demonstrates that the
cost of providing notice would exceed $250,000, the number of
affected persons exceeds 500,000, or the person or entity does not
have sufficient contact information, the notice may be given by:
1. Electronic mail, if the person or entity has electronic mail addresses
for the affected persons;
2. Conspicuous posting of the notice on the person’s or entity's
Website;
3. Notice published in or broadcast on major statewide media; or
4. Notwithstanding the methods described above, a person or entity
who maintains their own notification procedures as part of an
information security policy for the treatment of sensitive personal
information that complies with the timing requirements for notice
under this section complies with this section if the person or entity
notifies affected persons in accordance with that policy.

If a person or entity is required by this section to notify at one time more
than 10,000 persons of a breach of system security, the person or entity
shall also notify each consumer reporting agency, as defined by 15 U.S.C.
Section 1681a, that maintains files on consumers on a nationwide basis, of
the timing, distribution, and content of the notices. The person or entity
shall provide the notice required by this subsection without unreasonable
delay.

Organizations shall incorporate procedures in their security and privacy
incident response programs to assist with investigations conducted by TX
state and local registrars or their representatives, when it is believed a
person or persons intentionally or knowingly supplied false information, or
intentionally or knowingly created a false record, or directed another person
to supply information or create a false record, for use in the preparation of a
certificate, record or report, or amendment covered under THSC Title 3, as
provided by THSC §§ 195.002 through 195.005.

Private psychiatric (mental) hospitals, crisis stabilization units and other
mental health facilities shall incorporate procedures in their security and
privacy incident response programs to assist with state investigations,
including the release of otherwise confidential information related to the
investigation, as required under THSC § 577.
Control Standard Mapping:
 1 TAC § 390.2(a)(3)
 1 TAC § 390.2(a)(4)(A)(ix)
 1 TAC § 390.2(a)(4)(B)(xvi)

Control Category: 11.0 - Information Security Incident Management

Control Reference: 11.b Reporting Security Weaknesses

Control Specification: All employees, contractors, and third party users of information systems
and services shall be required to note and report any observed or suspected
security weaknesses in systems or services.
Factor Type: Organizational
Topics: Awareness and Training
Incident Response
Personnel
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: All employees, contractors and third party users shall report incident and
event information, including violations of workforce rules of behavior and
acceptable use agreement, to their management and/or directly to their
service provider as quickly as possible in order to prevent information
security incidents.

The reporting mechanism shall be easy to use, widely accessible, and
available to all employees.

Employees, contractors and third party users shall be informed via the
policies and procedures and incident response training that they shall not,
in any circumstances, attempt to prove a suspected weakness.
Level 1 Control Standard Mapping:
 CMSRs 2012v1.5 PL-4 (HIGH)
 CMSRs 2012v1.5 SI-2 (HIGH)
 HIPAA §164.308(a)(1)(ii)(D)
 HIPAA §164.308(a)(5)(ii)(B)
 ISO/IEC 27002-2005 13.1.2
 ISO 27799-2008 7.10.1
 NIST SP800-53 R4 PL-4
 NIST SP800-53 R4 SI-2
 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FTC Red Flags Rule Compliance
Level 2 Implementation: Level 1 plus:
All employees, contractors and third party users shall report potential
weaknesses that may lead to organization or system breaches, or lead to
identity theft for the following categories:
i. alerts, notifications, or other warnings received from third parties, state
or federal agencies or service providers, such as fraud detection
services;
ii. the presentation of suspicious documents associated with an
individual's account;
iii. the presentation of suspicious covered information (e.g., an address
change that is inconsistent with existing information);
iv. the unusual use of, or other suspicious activity related to, an individual's
account; and
v. notice from customers, law enforcement authorities, or other persons
regarding possible weaknesses in connection with accounts held by the
organization.
Level 2 Control Standard Mapping:
 16 CFR Part §681 Appendix A II(c)
 1 TAC § 390.2(a)(3)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None

Level 3 Implementation: No additional requirements

Objective Name: 11.02 Management of Information Security Incidents and Improvements

Control Objective: To ensure a consistent and effective approach to the management of
information security incidents.

Control Reference: 11.c Responsibilities and Procedures

Control Specification: Management responsibilities and procedures shall be established to ensure
a quick, effective, and orderly response to information security incidents.

*Required for HITRUST Certification 2014

Factor Type: Organizational
Topics: Awareness and Training
Contingency Planning
Documentation and Records
Incident Response
IT Organization and Management Roles and Responsibilities
Policies and Procedures
Third Parties and Contractors

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FTC Red Flags Rule Compliance, Subject to State of Massachusetts
Data Protection Act
Level 1 Implementation: The organization shall develop and document incident response policies
and procedures.

Procedures shall be established to handle different types of information
security incidents including:
i. information system failures and loss of service;
ii. malicious code;
iii. denial of service;
iv. errors resulting from incomplete or inaccurate business data;
v. breaches of confidentiality and integrity;
vi. disclosures of unprotected health information;
vii. misuse of information systems;
viii. identity theft.
In addition to normal contingency plans, the procedures shall also cover:
i. analysis and identification of the cause of the incident;
ii. containment;
iii. increased monitoring of system use;
iv. planning and implementation of corrective action to prevent recurrence
including
1. changing of password or security codes;
2. changing of devices that permit access to the organization's
systems or network;
3. modifying or terminating an account of individuals involved
directly or indirectly in the incident (e.g., employees, third
party, contractors, customers);
v. assigning a single point of contact for the organization responsible for
sharing information and coordinating responses.
Level 1 Control Standard Mapping:
 16 CFR Part §681 Appendix A IV(a)
 16 CFR Part §681 Appendix A IV(b)
 16 CFR Part §681 Appendix A IV(c)
 16 CFR Part §681 Appendix A IV(d)
 16 CFR Part §681 Appendix A IV(e)
 16 CFR Part §681 Appendix A IV(f)
 16 CFR Part §681 Appendix A IV(g)
 16 CFR Part §681 Appendix A IV(h)
 16 CFR Part §681 Appendix A IV(i)
 COBIT 4.1 DS5.6
 COBIT 5 DSS02.01
 CSA IS-22
 HIPAA §164.308(a)(6)(i)
 HIPAA §164.308(a)(6)(ii)
 HITECH Act, Subpart D 164.404(a)(1)
 PCI DSS v2 12.9
 Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
 Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
 (State of Mass.) 201 CMR 17.03(2)(j)
 1 TAC § 390.2(a)(1)
 1 TAC § 390.2(a)(3)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: > 1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to HITECH
Breach Notification Requirements, Subject to the State of Nevada Security of
Personal Information Requirements
Level 2 Implementation: Level 1 plus:
Audit trails and similar evidence shall be collected and secured, as
appropriate, for:
i. internal problem analysis;
ii. use as forensic evidence in relation to a potential breach of contract or
regulatory requirement or in the event of civil or criminal proceedings
(e.g. under computer misuse or data protection legislation); and
iii. negotiating for compensation from software and service suppliers;

A log shall be maintained of any incident occurring, and such a log shall be
submitted annually to the federal government.

Action to recover from security breaches and correct system failures shall
be carefully and formally controlled. The procedures shall ensure that:
i. only clearly identified and authorized personnel are allowed access to
live systems and data;
ii. all emergency actions taken are documented in detail;
iii. emergency action is reported to management and reviewed in an
orderly manner; and
iv. the integrity of business systems and controls is confirmed with
minimal delay.

The organization shall disseminate incident response policy and procedures
to appropriate elements within the organization. Responsible parties within
the organization on a pre-defined frequency shall review incident response
policy and procedures. The organization shall update incident response
policy and procedures when organizational review indicates updates are
required.

The organization shall coordinate incident response testing with
organization elements responsible for related plans.

Incident Response Testing and Exercises procedures shall include:
i. defining incident response tests/exercises, including automated
mechanisms;
ii. defining the frequency of incident response tests/exercises;
iii. testing the incident response capability for the information system
using organization-defined tests/exercises in accordance with
organization-defined frequency; and
iv. documenting the results of incident response tests/exercises.

In addition to reporting of information security events and weaknesses, the
monitoring of systems, alerts, and vulnerabilities shall be used to detect
information security incidents.

The organization shall test and/or exercise the incident response capability
for the information system within every three hundred sixty-five (365) days
using reviews, analyses, and simulations to determine the incident response
effectiveness and document the results. A formal test need not be
conducted if the organization actively exercises its response capability
using real incidents.

The incident response policy and procedures shall be reviewed/updated
annually.

The organization shall:
i. train personnel in their incident response roles and responsibilities
with respect to the information system; and
ii. provide refresher training annually.
Level 2 Control Standard Mapping:
 CMSRs 2012v1.5 IR-1 (HIGH)
 CMSRs 2012v1.5 IR-3 (HIGH)
 CMSRs 2012v1.5 IR-3(1) (HIGH)
 ISO/IEC 27002-2005 13.2.1
 ISO 27799-2008 7.10.2.1
 NIST SP800-53 R4 IR-1
 NIST SP800-53 R4 IR-3
 NIST SP800-53 R4 IR-3(2)
 NRS 603A.215.1
 NRS 603A.220.4.a
 NRS 603A.220.4.b
 NRS 603A.220.4.c.1
 NRS 603A.220.4.c.2
 NRS 603A.220.4.c.3
 NRS 603A.220.6
 PCI DSS v2 12.9.1
 PCI DSS v2 12.9.2
 PCI DSS v2 12.9.4
Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend on Research and
Development Per Year, Pharmaceutical Companies: > 70,000,000
Prescriptions Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: > 6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
The organization shall:
i. develop an incident response plan that:
1. provides the organization with a roadmap for implementing its
incident response capability;
2. describes the structure and organization of the incident
response capability;
3. provides a high-level approach for how the incident response
capability fits into the overall organization;
4. meets the unique requirements of the organization, which relate
to mission, size, structure, and functions;
5. defines reportable incidents;
6. provides metrics for measuring the incident response capability
within the organization;
7. defines the resources and management support needed to
effectively maintain and mature an incident response capability;
and
8. is reviewed and approved by designated officials within the
organization;
ii. distribute copies of the incident response plan to incident response
personnel and organizational elements;
iii. review the incident response plan within every three hundred sixty-five
(365) days;
iv. revise the incident response plan to address system/organizational
changes or problems encountered during plan implementation,
execution, or testing; and

v. communicate incident response plan changes to incident response
personnel and organizational elements.

The organization shall provide an incident response support resource that
offers advice and assistance to users of the information system for the
handling and reporting of security incidents. The incident response support
resource shall be an integral part of the organization's incident response
capability.

The organization shall track and document information system security
incidents on an ongoing basis. The organization shall promptly report
incident information to appropriate authorities. The types of incident
information reported, the content and timeliness of the reports, and the list
of designated reporting authorities shall be consistent with applicable laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
Weaknesses and vulnerabilities in the information system shall be reported
to appropriate organizational officials in a timely manner to prevent
security incidents.

The organization shall communicate with outside parties regarding the
incident. This includes reporting incidents to organizations such as the
Federal Computer Incident Response Center (FedCIRC) and the CERT
Coordination Center (CERT/CC), contacting law enforcement, and fielding
inquiries from the media.

The objectives for information security incident management shall be
agreed to with management, and it shall be ensured that those responsible
for information security incident management understand the
organization's priorities for handling information security incidents.

The organization shall employ automated mechanisms to increase the
availability of incident response-related information and support.
Level 3 Control Standard Mapping:
 CMSRs 2012v1.5 IR-5 (HIGH)
 CMSRs 2012v1.5 IR-7 (HIGH)
 CMSRs 2012v1.5 IR-7(1) (HIGH)
 CMSRs 2012v1.5 IR-8 (HIGH)
 NIST SP800-53 R4 IR-5
 NIST SP800-53 R4 IR-7
 NIST SP800-53 R4 IR-7(1)
 NIST SP800-53 R4 IR-8

CMS Contractor Requirements

CMS Contractors: The organization shall employ automated mechanisms to more thoroughly
and effectively test/exercise the incident response capability.



The organization shall employ automated mechanisms to assist in the
tracking of security incidents.

The organization shall distribute copies of the incident response plan to:
i. CMS Chief Information Security Officer;
ii. CMS Chief Information Officer;
iii. Information System Security Officer;
iv. CMS Office of the Inspector General/Computer Crimes Unit;
v. All personnel within the organization Incident Response Team;
vi. All personnel within the PII Breach Response Team; and
vii. All personnel within the organization Operations Centers.

The organization shall communicate incident response plan changes to the
organizational elements listed above for distribution.

Control Reference: 11.d Learning from Information Security Incidents

Control Specification: There shall be mechanisms in place to enable the types, volumes, and costs
of information security incidents to be quantified and monitored.
Factor Type: Organizational
Topics: Awareness and Training
Incident Response
IT Organization and Management Roles and Responsibilities

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The information gained from the evaluation of information security
incidents shall be used to identify recurring or high impact incidents.
Level 1 Control Standard Mapping:
• CSA IS-25
• HIPAA §164.308(a)(1)(ii)(D)
• HIPAA §164.308(a)(6)(ii)
• ISO/IEC 27002-2005 13.2.2
• ISO 27799-2008 7.10.2.2
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to State of
Massachusetts Data Protection Act, Subject to the CMS Minimum Security
Requirements (High)
Level 2 Implementation: Level 1 plus:
The organization shall:
1. implement an incident handling capability for security incidents that
includes detection and analysis, containment, eradication, and recovery;
2. coordinate incident handling activities with contingency planning
activities; and
3. incorporate lessons learned from ongoing incident handling
activities and industry developments into incident response
procedures, training and testing exercises, and implement the resulting
changes accordingly.

Components shall include:
i. policy (setting corporate direction) and procedures defining roles and
responsibilities;
ii. incident handling procedures (business and technical);
iii. communication;
iv. reporting and retention; and
v. references to the vulnerability management program, which includes network
tools for IPS, IDS, forensics, vulnerability assessments and validation.

Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 IR-4 (HIGH)
• CMSRs 2012v1.5 IR-4(1) (HIGH)
• CMSRs 2012v1.5 IR-5 (HIGH)
• CMSRs 2012v1.5 IR-5(1) (HIGH)
• NIST SP800-53 R4 IR-4
• NIST SP800-53 R4 IR-4(1)
• NIST SP800-53 R4 IR-5
• NRS 603A.215.1
• PCI DSS v2 12.9.6
• (State of Mass.) 201 CMR 17.03(2)(j)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

CMS Contractor Requirements

CMS Contractors: The organization shall implement an incident handling capability using the
current CMS Incident Handling and Breach Notification Standard and
Procedures. Relevant information related to a security incident shall be
documented according to the current CMS Incident Handling and Breach
Notification Standard and Procedures.

The organization shall employ automated mechanisms to assist in the
collection and analysis of incident information.

Control Reference: 11.e Collection of Evidence

Control Specification: Where a follow-up action against a person or organization after an
information security incident involves legal action (either civil or criminal),
evidence shall be collected, retained, and presented in support of potential
legal action in accordance with the rules for evidence in the relevant
jurisdiction(s).
Factor Type: Organizational



Topics: Documentation and Records
Incident Response
Requirements (Legal and Contractual)
Services and Acquisitions

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to HITECH Breach Notification Requirements
Level 1 Implementation: The organization shall collect, retain, and present evidence to support legal
action (either civil or criminal). Evidence shall be collected, retained, and
presented in accordance with the laws of the relevant jurisdiction(s).
Level 1 Control Standard Mapping:
• HIPAA §164.308(a)(6)(ii)
• HITECH Act, Subpart D 164.408(c)
• HITECH Act, Subpart D 164.414(b)
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to PCI Compliance, Subject to the CMS Minimum Security
Requirements (High); Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:
Internal procedures shall be developed, documented and followed when
collecting and presenting evidence for the purposes of disciplinary action
handled within an organization.

To achieve admissibility of the evidence, the organization shall ensure that
its information systems comply with any published standard or code of
practice for the production of admissible evidence. The weight of evidence
provided shall comply with any applicable requirements.

To achieve weight of evidence, the quality and completeness of the controls
used to correctly and consistently protect the evidence (i.e. process control
evidence) throughout the period that the evidence to be recovered was
stored and processed shall be demonstrated by a strong evidence trail
established with the following conditions:
i. for paper documents: the original is kept securely with a record of the
individual who found the document, where the document was found,
when the document was found and who witnessed the discovery; any
investigation shall ensure that originals are not tampered with.
ii. for information on computer media: mirror images or copies
(depending on applicable requirements) of any removable media,
information on hard disks or in memory shall be taken to ensure
availability; the log of all actions during the copying process shall be
kept and the process shall be witnessed; the original media and the log
(if this is not possible, at least one mirror image or copy) shall be kept
securely and untouched.

Any forensics work shall only be performed on copies of the evidential
material. The integrity of all evidential material shall be protected. Copying
of evidential material shall be supervised by trustworthy personnel and
information on when and where the copying process was executed, who
performed the copying activities and which tools and programs have been
utilized shall be logged.

Organizations shall incorporate appropriate forensic handling procedures.
Forensics can be outsourced or handled in-house. Any type of forensics
shall require training, staff and processes for maintaining a proper chain of
evidence.
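The conditions above for computer media (a witnessed and logged copy, forensic work only on the copy, integrity of the evidential material protected) can be backed by a small acquisition routine like the following. This is an added example, not HITRUST CSF text or tooling; the file names, operator and witness identifiers and the tool name are constructed placeholders, and SHA-256 stands in for whatever hashing the organization's forensic procedures prescribe.

```python
"""Evidence copy with integrity verification and a chain-of-custody log.

Added example, not part of the HITRUST CSF. It takes a copy of a piece of
evidential media, hashes original and copy, refuses a copy whose hash does
not match, locks the original read-only, and appends one JSON line per
action to a custody log recording when, where, by whom, witnessed by whom,
and with which tool the copy was made. All sample values are constructed.
"""
import hashlib
import json
import os
import platform
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Dict

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images are not read into memory


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_copy(original: str, working_copy: str, operator: str,
                 witness: str, tool: str, custody_log: str) -> Dict[str, str]:
    """Copy the evidential media, verify the copy, and append a custody record.

    Raises RuntimeError (and removes the bad copy) if the hashes differ, so a
    corrupt copy never silently becomes the basis for forensic work.
    """
    original_hash = sha256_file(original)
    shutil.copyfile(original, working_copy)
    copy_hash = sha256_file(working_copy)
    if copy_hash != original_hash:
        os.remove(working_copy)
        raise RuntimeError("copy does not match original; acquisition failed")
    # The original is kept read-only from here on; analysis runs on the copy.
    os.chmod(original, 0o444)
    record = {
        "event": "acquire_copy",
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "host": platform.node(),
        "operator": operator,
        "witness": witness,
        "tool": tool,
        "original": original,
        "copy": working_copy,
        "sha256": original_hash,
    }
    with open(custody_log, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_untouched(path: str, custody_log: str) -> bool:
    """Recompute the hash of `path` and compare it with the custody record.

    Returns True only when a record for the path exists and the current hash
    still equals the hash recorded at acquisition time.
    """
    expected = None
    with open(custody_log) as log:
        for line in log:
            rec = json.loads(line)
            if path in (rec["original"], rec["copy"]):
                expected = rec["sha256"]
    return expected is not None and sha256_file(path) == expected


def demo() -> Dict[str, bool]:
    """Run the whole flow on a constructed file and return the check results."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "disk0.img")          # constructed sample media
    copy = os.path.join(work, "disk0.working.img")      # constructed working copy
    log = os.path.join(work, "custody.jsonl")
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence " * 4096)
    acquire_copy(original, copy, operator="analyst.a", witness="analyst.b",
                 tool="example-copier 0.1 (hypothetical)", custody_log=log)
    results = {"copy_ok": verify_untouched(copy, log)}
    # Simulate an unlogged modification of the working copy: the recorded
    # hash now exposes it, while the untouched original still verifies.
    with open(copy, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    results["tamper_detected"] = not verify_untouched(copy, log)
    results["original_ok"] = verify_untouched(original, log)
    return results


if __name__ == "__main__":
    print(demo())
```

Every analysis step performed on the working copy would append its own record to the same custody log, so the log and the original together form the evidence trail the text describes.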
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 IR-4 (HIGH)
• CSA IS-24
• ISO/IEC 27002-2005 13.2.3
• ISO 27799-2008 7.10.2.3
• NIST SP800-53 R4 IR-4
• NRS 603A.215.1
• PCI DSS v2 A.1.4

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements



Control Category: 12.0 - Business Continuity Management

Objective Name: 12.01 Information Security Aspects of Business Continuity Management

Control Objective: To ensure that strategies and plans are in place to counteract interruptions
to business activities and to protect critical business processes from the
effects of major failures of information systems or disasters and to ensure
their timely resumption.

Control Reference: 12.a Including Information Security in the Business Continuity
Management Process

Control Specification: A managed program and process shall be developed and maintained for
business continuity throughout the organization that addresses the
information security requirements needed for the organization's business
continuity.
Factor Type: Organizational
Topics: Contingency Planning
Documentation and Records
IT Organization and Management Roles and Responsibilities
Media and Assets
Personnel
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The program and process shall bring together the following key elements of
business continuity management:
i. identifying all the assets involved in critical business processes;
ii. considering the purchase of suitable insurance which may form part of
the overall business continuity process, as well as being part of
operational risk management;
iii. ensuring the safety of personnel and the protection of information
assets and organizational property;
iv. formulating and documenting business continuity plans addressing
information security requirements in line with the agreed business
continuity strategy (see 12.c).
Level 1 Control Standard Mapping:
• CSA RS-01
• HIPAA §164.308(a)(7)(ii)(B)
• HIPAA §164.308(a)(7)(ii)(C)
• HIPAA §164.308(a)(7)(ii)(D)
• HIPAA §164.308(a)(7)(ii)(E)
• HIPAA §164.310(a)(2)(i)
• HIPAA §164.312(a)(2)(ii)
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance; Subject to the CMS Minimum Security
Requirements (HIGH)
Level 2 Implementation: Level 1 plus:
The program and process shall bring together the following key elements of
business continuity management:
i. identifying critical information system assets supporting organizational
missions and functions;
ii. understanding the risks the organization is facing in terms of likelihood
and impact in time, including an identification and prioritization of
critical business processes;
iii. understanding the impact which interruptions caused by information
security incidents are likely to have on the business (it is important that
solutions are found that will handle incidents causing smaller impact, as
well as serious incidents that could threaten the viability of the
organization), and establishing the business objectives of information
assets;
iv. implementing additional preventive and detective controls for the critical
assets identified to mitigate risks to the greatest extent possible;
v. identifying financial, organizational, technical, and environmental
resources to address the identified information security requirements;
vi. testing and updating, at a minimum, a section of the plans and processes
put in place at least annually;
vii. ensuring that the management of business continuity is incorporated in
the organization's processes and structure; and
viii. assigning responsibility for the business continuity management
process at an appropriate level within the organization.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 CP-2 (HIGH)
• ISO/IEC 27002-2005 14.1.1
• ISO 27799-2008 7.11
• NIST SP800-53 R4 CP-2
• NIST SP800-53 R4 CP-2(8)

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 12.b Business Continuity and Risk Assessment

Control Specification: Events that can cause interruptions to business processes shall be
identified, along with the probability and impact of such interruptions and
their consequences for information security.
Factor Type: Organizational



Topics: Contingency Planning
IT Organization and Management Roles and Responsibilities
Risk Management and Assessments

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: This process shall identify the critical business processes.
Information security aspects of business continuity shall be based on
identifying events (or sequences of events) that can cause interruptions to
the organization's critical business processes (e.g. equipment failure, human
errors, theft, fire, natural disasters and acts of terrorism). This shall be
followed by a risk assessment to determine the probability and impact of
such interruptions, in terms of time, damage scale and recovery period.
Based on the results of the risk assessment, a business continuity strategy
shall be developed to identify the overall approach to business continuity.
Once this strategy has been created, endorsement shall be provided by
management, and a plan created and endorsed to implement this strategy.
Level 1 Control Standard Mapping:
• CSA RS-02
• NIST SP800-53 R4 PM-8
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)
• HIPAA § 164.308(a)(1)(ii)(A)
• HIPAA § 164.308(a)(7)(ii)(B)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to Joint Commission Accreditation
Level 2 Implementation: Level 1 plus:
This process shall identify the critical business processes and integrate the
information security management requirements of business continuity with
other continuity requirements relating to such aspects as operations,
staffing, materials, transport and facilities. The consequences of disasters,
security failures, loss of service, and service availability shall be subject to a
business impact analysis.

Business continuity risk assessments shall be carried out annually with full
involvement from owners of business resources and processes. This
assessment shall consider all business processes and shall not be limited to
the information assets, but shall include the results specific to information
security. It is important to link the different risk aspects together, to obtain
a complete picture of the business continuity requirements of the
organization. The assessment shall identify, quantify, and prioritize risks
against key business objectives and criteria relevant to the organization,
including critical resources, impacts of disruptions, allowable outage times,
and recovery priorities.
Level 2 Control Standard Mapping:
• ISO/IEC 27002-2005 14.1.2
• ISO 27799-2008 7.11
• JCAHO IM.01.01.03, EP 6

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements



Control Reference: 12.c Developing and Implementing Continuity Plans Including
Information Security

Control Specification: Plans shall be developed and implemented to maintain or restore
operations and ensure availability of information at the required level and
in the required time scales following interruption to, or failure of, critical
business processes.

*Required for HITRUST Certification 2014


Factor Type: Organizational
Topics: Awareness and Training
Contingency Planning
Documentation and Records
Physical and Facility Security
Policies and Procedures

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to PCI Compliance
Level 1 Implementation: A formal, documented contingency planning policy (addressing purpose,
scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance); and formal, documented
procedures (to facilitate the implementation of the contingency planning
policy and associated contingency planning controls) shall be developed,
disseminated, and reviewed annually.

The business continuity planning process shall include the following:
i. implementation of the procedures to allow recovery and restoration of
business operations and availability of information in required time-scales;
ii. particular attention shall be given to the assessment of internal and
external business dependencies and the contracts in place;
iii. documentation of agreed procedures and processes; and
iv. testing and updating of at least a section of the plans.



The planning process shall focus on the required business objectives (e.g.
restoring of specific communication services to customers in an acceptable
amount of time). The procedures for obtaining necessary electronic covered
information during an emergency shall be defined. The services and
resources facilitating this shall be identified, including staffing, non-
information processing resources, as well as fallback arrangements for
information processing facilities.
Such fallback arrangements may include arrangements with third parties in
the form of reciprocal agreements, or commercial subscription services.
The organization shall coordinate contingency planning activities with
incident handling activities.

Developed business continuity plans shall:
i. identify essential missions and business functions and associated
contingency requirements;
ii. provide recovery objectives, restoration priorities, and metrics;
iii. address contingency roles, responsibilities, and assigned individuals with
contact information;
iv. address maintaining essential missions and business functions despite an
information system disruption, compromise, or failure;
v. address eventual, full information system restoration without
deterioration of the security measures originally planned and
implemented; and
vi. be reviewed and approved by designated officials within the
organization.

Continuity and recovery plans shall be developed and documented to deal
with system interruptions and failures caused by malicious code. Business
continuity plans shall include recovering from malicious code attacks,
including all necessary data and software back-up and recovery
arrangements.

Copies of the business continuity plans shall be distributed to the
Information System Security Officer, System Owner, Contingency Plan
Coordinator, System Administrator, and Database Administrator (or the
organization's functional equivalents).

If alternative temporary locations are used, the level of implemented
security controls at these locations shall have logical and physical access
controls that are equivalent to the primary site, consistent with the
HITRUST CSF.

The information system shall implement transaction recovery for systems that
are transaction-based.



The organization shall provide compensating security controls for
circumstances that inhibit recovery and reconstitution to a known state.
Level 1 Control Standard Mapping:
• CMSRs 2012v1.5 CP-1 (HIGH)
• CMSRs 2012v1.5 CP-2 (HIGH)
• CMSRs 2012v1.5 CP-2(1) (HIGH)
• CMSRs 2012v1.5 CP-2(2) (HIGH)
• CMSRs 2012v1.5 CP-2(3) (HIGH)
• CMSRs 2012v1.5 CP-10 (HIGH)
• CMSRs 2012v1.5 CP-10 (2) (HIGH)
• CMSRs 2012v1.5 CP-10 (3) (HIGH)
• CMSRs 2012v1.5 CP-10 (4) (HIGH)
• CSA RS-02
• HIPAA §164.308(a)(7)(i)
• HIPAA §164.308(a)(7)(ii)(A)
• HIPAA §164.308(a)(7)(ii)(B)
• HIPAA §164.308(a)(7)(ii)(C)
• HIPAA §164.308(a)(7)(ii)(D)
• HIPAA §164.308(a)(7)(ii)(E)
• HIPAA §164.310(a)(2)(i)
• HIPAA §164.310(d)(2)(iv)
• HIPAA §164.312(c)(1)
• HIPAA §164.312(a)(2)(ii)
• JCAHO IM.01.01.03, EP 2
• JCAHO IM.01.01.03, EP 4
• NIST SP800-53 R4 CP-1
• NIST SP800-53 R4 CP-2
• NIST SP800-53 R4 CP-2(1)
• NIST SP800-53 R4 CP-2(3)
• NIST SP800-53 R4 CP-10
• NIST SP800-53 R4 CP-10 (2)
• NIST SP800-53 R4 CP-10 (3)
• NRS 603A.215.1
• PCI DSS v2 12.9.1
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy v1.1.0 Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on Research and Development
Per Year, Third Party Processor: > 10,000,000 Records Processed Per Year,
Physician Practice: > 60,000 Visits Per Year, Medical Facilities / Hospital: >
1,000 Licensed Beds, Health Plan / Insurance / PBM: > 1,000,000 Covered
Lives, IT Service Providers (Vendors): > 500 Employees, Pharmacy
Companies: > 10,000,000 Prescriptions Per Year, Health Information
Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to Joint Commission Accreditation
Level 2 Implementation: Level 1 plus:
The business continuity planning process shall include the following:
i. identification and agreement of all responsibilities and business
continuity procedures;
ii. identification of the acceptable loss of information and services;
iii. operational procedures to follow pending completion of response,
recovery and restoration including:
1. alternative storage and processing site possibilities; and
2. emergency power and back-up telecommunications to the
primary site.
iv. appropriate education of staff in the agreed procedures and processes,
including crisis management.

Business continuity plans shall address organizational vulnerabilities and
therefore may contain covered information that needs to be appropriately
protected. Copies of business continuity plans shall be stored in a remote
location, at a sufficient distance to escape any damage from a disaster at the
main site. Management shall ensure copies of the business continuity plans
are up-to-date and protected with the same level of physical and logical
security as applied at the main site. Other material necessary to execute the
continuity plans shall also be stored at the remote location.

The organization shall identify alternative temporary locations for
processing, and the necessary third party service agreements shall
be established to allow for the transfer and resumption of information
systems operations of critical business functions within a time-period (e.g.
priority of service provisions) as defined by a risk assessment (see 12.b).
The organization shall identify potential accessibility problems to the
alternate storage site in the event of an area-wide disruption or disaster
and outline explicit mitigation actions. The alternate location shall be at a
sufficient distance to escape any damage from a disaster at the main site.

The type of configuration for the alternate site shall be defined by the risk
assessment (see 12.b). Acceptable solutions include:
i. cold sites - a facility with adequate space and infrastructure to support
the system;
ii. warm sites - partially equipped office spaces that contain some or all of
the system hardware, software, telecommunications and power
sources;
iii. hot sites - office spaces configured with all of the necessary system
hardware, supporting infrastructure and personnel; and/or
iv. mobile sites - self-contained, transportable shells custom-fitted with IT
and telecommunications equipment necessary to meet the system
requirements.
The organization shall identify potential accessibility problems to the
alternate processing site in the event of an area-wide disruption or disaster
and outline explicit mitigation actions. The organization shall develop
alternate processing site agreements that contain priority-of-service
provisions in accordance with the organization's availability requirements.
The alternate processing site shall be configured so that it is ready to be
used as the operational site supporting essential missions and business
functions of the organization. The organization shall ensure that the
alternate processing site provides information security measures equivalent
to those of the primary site.
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 CP-4 (4) (HIGH)
• CMSRs 2012v1.5 CP-6 (HIGH)
• CMSRs 2012v1.5 CP-6 (1) (HIGH)
• CMSRs 2012v1.5 CP-6 (2) (HIGH)
• CMSRs 2012v1.5 CP-6 (3) (HIGH)
• CMSRs 2012v1.5 CP-7 (HIGH)
• CMSRs 2012v1.5 CP-7(1) (HIGH)
• CMSRs 2012v1.5 CP-7(2) (HIGH)
• CMSRs 2012v1.5 CP-7(3) (HIGH)
• CMSRs 2012v1.5 CP-7(4) (HIGH)
• CMSRs 2012v1.5 CP-7(5) (HIGH)
• CMSRs 2012v1.5 CP-9 (HIGH)
• CMSRs 2012v1.5 CP-9(2) (HIGH)
• ISO/IEC 27002-2005 14.1.3
• ISO 27799-2008 7.11
• JCAHO IM.01.01.03, EP 3
• NIST SP800-53 R4 CP-6
• NIST SP800-53 R4 CP-6(1)
• NIST SP800-53 R4 CP-6(3)
• NIST SP800-53 R4 CP-7
• NIST SP800-53 R4 CP-7(1)
• NIST SP800-53 R4 CP-7(2)
• NIST SP800-53 R4 CP-7(3)
• NIST SP800-53 R4 CP-9

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend
on Research and Development Per Year, Third Party Processor: > 60,000,000
Records Processed Per Year, Physician Practice: > 180,000 Visits Per Year,
Medical Facilities / Hospital: > 10,000 Licensed Beds, Health Plan /
Insurance / PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors):
> 2,500 Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS
Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
The organization establishes alternate telecommunications services
including necessary agreements to permit the resumption of information
system operations for essential missions and business functions within a
business-defined time period when the primary telecommunications
capabilities are unavailable at either the primary or alternate processing or
storage sites.

The organization shall develop primary and alternate telecommunications
service agreements that contain priority-of-service provisions in
accordance with the organization's availability requirements.

The organization shall provide for the recovery and reconstitution of the
information system to a known state after a disruption, compromise, or
failure. Recovery of the information system after a failure or other
contingency shall be done in a trusted, secure, and verifiable manner.

Secure information system recovery and reconstitution shall include, but is
not limited to:
i. reset all system parameters (either default or organization-established),
ii. reinstall patches,
iii. reestablish configuration settings,
iv. reinstall application and system software, and
v. fully test the system.
Level 3 Control Standard Mapping:
• CMSRs 2012v1.5 CP-8 (HIGH)
• CMSRs 2012v1.5 CP-8(1) (HIGH)
• CMSRs 2012v1.5 CP-8(2) (HIGH)
• CMSRs 2012v1.5 CP-8(3) (HIGH)
• CMSRs 2012v1.5 CP-8(4) (HIGH)
• CMSRs 2012v1.5 CP-10 (HIGH)
• NIST SP800-53 R4 CP-8
• NIST SP800-53 R4 CP-8 (1)
• NIST SP800-53 R4 CP-8 (2)
• NIST SP800-53 R4 CP-10

CMS Contractor Requirements

CMS Contractors: The business continuity plan shall:
i. identify essential CMS missions and business functions and
associated contingency requirements;
ii. address maintaining essential CMS missions and business functions
despite an information system disruption, compromise, or failure;

The organization shall plan for the resumption of systems included on the
CMS Critical Infrastructure Protection (CIP) list within twelve (12) hours
and for the resumption of other essential missions and business functions
within one (1) week of contingency plan activation.

The organization shall ensure all equipment and supplies required for
resuming system operations at the alternate processing site are available,
or contracts are in place to support delivery to the site, to permit
resumption of systems included on the CMS Critical Infrastructure
Protection (CIP) list within twelve (12) hours and resumption of other
essential missions and business functions within one (1) week of
contingency plan activation.

The organization shall ensure alternate telecommunications service
agreements are in place to permit resumption of systems included on the
CMS Critical Infrastructure Protection (CIP) list within twelve (12) hours
and resumption of other essential missions and business functions within
one (1) week of contingency plan activation when primary
telecommunications capabilities are unavailable.

The organization shall provide the capability to reimage information system
components and support target recovery times from configuration-
controlled and integrity-protected disk images representing a secure,
operational state for the components.

The organization shall conduct capacity planning so that necessary capacity
for information processing, telecommunications, and environmental
support exists during contingency operations.

The business continuity planning process shall include testing and updating
of the entirety of the plans annually, including the full recovery and
reconstitution of the information system(s) to a known state.

The organization shall configure the alternate storage site to facilitate
recovery operations in accordance with recovery time and recovery point
objectives.
The organization shall use a sample of backup information in the
restoration of selected information system functions as part of contingency
plan testing (see 12.e, Level 2).

The information system shall implement transaction recovery for systems
that are transaction-based.

The organization shall provide compensating security controls for
circumstances that inhibit recovery and reconstitution to a known state.

Alternate telecommunications service providers that are sufficiently
separated from the organization’s primary service provider shall be
identified and agreements established to ensure they are not susceptible to
the same disasters.

The contingency plans of all telecommunications service providers shall be
reviewed to ensure adequacy in the event of a disaster.

Control Reference: 12.d Business Continuity Planning Framework

Control Specification: A single framework of business continuity plans shall
be maintained to ensure all plans are consistent, to consistently address
information security
requirements, and to identify priorities for testing and maintenance.
Factor Type: Organizational
Topics: Contingency Planning
IT Organization and Management Roles and Responsibilities
Maintenance
Policies and Procedures
Services and Acquisitions

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to FISMA Compliance, Subject to Joint
Commission Accreditation
Level 1 Implementation: The organization shall create at a minimum one
business continuity plan. The business continuity plan shall describe the
approach for continuity,
ensuring at a minimum the approach to maintain information or
information asset availability and security. The plan shall also specify the
escalation plan and the conditions for its activation, as well as the
individuals responsible for executing each component of the plan. When
new requirements are identified, any existing emergency procedures (e.g.
evacuation plans or fallback arrangements) shall be amended as
appropriate.

The plan shall have a specific owner. Emergency procedures, manual
"fallback" procedures, and resumption plans shall be within the
responsibility of the owner of the business resources or processes involved.
Fallback arrangements for alternative technical services, such as
information processing and communications facilities, shall usually be the
responsibility of the service providers.

The business continuity planning framework shall address the identified
information security requirements, including the following:
i. the conditions for activating the plans which describe the process to be
followed (e.g. how to assess the situation, who is to be involved) before
each plan is activated;
ii. emergency procedures which describe the actions to be taken following
an incident that jeopardizes business operations;
iii. fallback procedures which describe the actions to be taken to move
essential business activities or support services to alternative
temporary locations, and to bring business processes back into
operation in the required time-scales;
iv. resumption procedures which describe the actions to be taken to return
to normal business operations;
v. a maintenance schedule which specifies how and when the plan will be
tested, and the process for maintaining the plan;
vi. awareness, education, and training activities which are designed to
create understanding of the business continuity processes and ensure
that the processes continue to be effective; and
vii. the critical assets and resources needed to be able to perform the
emergency, fallback and resumption procedures.
Level 1 Control Standard Mapping:
• CSA RS-03
• HIPAA §164.308(a)(7)(ii)(B)
• HIPAA §164.308(a)(7)(ii)(C)
• HIPAA §164.308(a)(7)(ii)(E)
• HIPAA §164.310(a)(2)(i)
• HIPAA §164.312(a)(2)(ii)
• JCAHO IM.01.01.03, EP 1
• NIST SP800-53 R4 CP-2
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy c1.1.0
Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000
Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year,
Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan /
Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors):
> 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year,
Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to the CMS Minimum Security Requirements
(High)
Level 2 Implementation: Level 1 plus:
Each business unit shall create at a minimum one business continuity plan.
Each business continuity plan shall describe the approach for continuity,
ensuring at a minimum the approach to maintain information or
information system availability and security. Each plan shall also specify the
escalation plan and the conditions for its activation, as well as the
individuals responsible for executing each component of the plan. When
new requirements are identified, any existing emergency procedures (e.g.
evacuation plans or fallback arrangements) shall be amended as
appropriate.

Procedures shall be included within the organization's change management
program to ensure that business continuity matters are always addressed in
a timely manner as part of the change management process.

Each plan shall have a specific owner. Emergency procedures, manual
"fallback" procedures, and resumption plans shall be within the
responsibility of the owners of the appropriate business resources or
processes involved. Fallback arrangements for alternative technical
services, such as information processing and communications facilities,
shall include defined responsibilities of the service providers.

A business continuity planning framework shall address the identified
information security requirements and the following:
i. temporary operational procedures to follow pending completion of
recovery and restoration; and
ii. the responsibilities of the individuals, describing who is responsible for
executing which component of the plan. Alternatives should be
nominated as required;
Level 2 Control Standard Mapping:
• CMSRs 2012v1.5 CP-2 (HIGH)
• ISO/IEC 27002-2005 14.1.4
• ISO 27799-2008 7.11

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 12.e Testing, Maintaining and Re-Assessing Business
Continuity Plans

Control Specification: Business continuity plans shall be tested and updated
regularly, at a minimum annually, to ensure that they are up to date and
effective.
Factor Type: Organizational
Topics: Awareness and Training
Contingency Planning
IT Organization and Management Roles and Responsibilities
Personnel

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: Subject to Joint Commission Accreditation
Level 1 Implementation: Business continuity plan tests shall ensure that all
members of the recovery team and other relevant staff are aware of the plans
and their responsibility
for business continuity and information security and know their role when
a plan is invoked.

The test schedule for business continuity plan(s) shall indicate how and
when each element of the plan is tested. These techniques shall be applied
on a 'programmatic' basis with the tests in that program building upon one
another, and in a way that is relevant to the specific response and recovery
plan. The results of tests shall be recorded and actions taken to improve the
plans, where necessary.

Responsibility shall be assigned for regular reviews of at least a part of the
business continuity plan at a minimum, annually. The identification of
changes in business arrangements not yet reflected in the business
continuity plan shall be followed by an update of the plan.

Business continuity plans shall be updated upon the acquisition of new
equipment, the upgrading of systems, and changes in:
i. personnel;
ii. location, facilities, and resources;
iii. legislation;
iv. processes, or new or withdrawn ones;
v. risk (operational and financial).
Level 1 Control Standard Mapping:
• CSA RS-04
• HIPAA §164.308 (a)(7)(ii)(B)
• HIPAA §164.308 (a)(7)(ii)(C)
• HIPAA §164.308 (a)(7)(ii)(D)
• HIPAA §164.308 (a)(7)(ii)(E)
• HIPAA §164.310(a)(2)(i)
• HIPAA §164.312(a)(2)(ii)
• JCAHO IM.01.01.03, EP 5
• NIST SP800-53 R4 CP-2
• Phase 1 CORE 102: Eligibility and Benefits Certification Policy c1.1.0
Subsection 3.3
• Phase 2 CORE 202: Certification Policy v2.1.0 Subsection 3.3
• 1 TAC § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: BioTech Organizations: > $100,000 Spend on
Research and Development Per Year, Third Party Processor: > 10,000,000
Records Processed Per Year, Physician Practice: > 60,000 Visits Per Year,
Medical Facilities / Hospital: > 1,000 Licensed Beds, Health Plan /
Insurance / PBM: > 1,000,000 Covered Lives, IT Service Providers (Vendors):
> 500 Employees, Pharmacy Companies: > 10,000,000 Prescriptions Per Year,
Health Information Exchange: >1,000,000 Transactions Per Year
Level 2 System Factors: None
Level 2 Regulatory Factors: Subject to FISMA Compliance
Level 2 Implementation: Level 1 plus:
Each element of the plan(s) shall be tested at least annually.

A variety of techniques shall be used in order to provide assurance that the
plan(s) will operate in real life including:
i. table-top testing of various scenarios (discussing the business recovery
arrangements using example interruptions);
ii. simulations (particularly for training people in their post-
incident/crisis management roles);
iii. technical recovery testing (ensuring information systems can be
restored effectively) including:
1. system parameters are set to secure values;
2. security critical patches are reinstalled;
3. security configuration settings are reset;
4. system documentation and operating procedures are readily
available;
5. application system software is reinstalled and configured with
secure settings; and
6. information from the most recent secure back-up(s) is loaded;
iv. testing recovery at an alternate site (running business processes in
parallel with recovery operations away from the main site);
v. tests of supplier facilities and services (ensuring externally provided
services and products will meet the contracted commitment);
vi. complete rehearsals (testing that the organization, personnel,
equipment, facilities, and processes can cope with interruptions).

The organization shall review test results and initiate corrective actions to
ensure the continued effectiveness of the plan.

Responsibility shall be assigned for regular reviews of each business
continuity plan. The identification of changes in business arrangements not
yet reflected in the business continuity plans shall be followed by an update
of the plan. This formal change control process shall ensure that the
updated plans are distributed and reinforced by yearly reviews of the
complete plan.

The organization shall coordinate business continuity plan testing and/or
exercises with organizational elements responsible for related plans.
Level 2 Control Standard Mapping:
• CMSRs 2010v1.0 CP-2 (HIGH)
• CMSRs 2010v1.0 CP-4 (HIGH)
• CMSRs 2010v1.0 CP-4(1) (HIGH)
• CMSRs 2010v1.0 CP-4(2) (HIGH)
• ISO/IEC 27002-2005 14.1.5
• ISO 27799-2008 7.11
• NIST SP800-53 R4 CP-4
• NIST SP800-53 R4 CP-4 (1)

Level 3 Implementation Requirements

Level 3 Organizational Factors: BioTech Organizations: > $200,000,000 Spend
on Research and Development Per Year, Pharmaceutical Companies: > 70,000,000
Prescriptions Per Year, Third Party Processor: > 60,000,000 Records
Processed Per Year, Physician Practice: > 180,000 Visits Per Year, Medical
Facilities / Hospital: > 10,000 Licensed Beds, Health Plan / Insurance /
PBM: > 7,500,000 Covered Lives, IT Service Providers (Vendors): > 2,500
Employees, Pharmacy Companies: > 70,000,000 Prescriptions Per Year,
Health Information Exchange: >6,000,000 Transactions Per Year
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to the CMS Minimum Security Requirements
(High)
Level 3 Implementation: No additional Requirements
Level 3 Control Standard Mapping:
• CMSRs 2010v1.0 CP-4 (4) (HIGH)

CMS Contractor Requirements

CMS Contractors: The organization shall test/exercise the contingency plan at
the alternate processing site to familiarize contingency personnel with the
facility and available resources and to evaluate the site’s capabilities to
support contingency operations.

The organization shall include a full recovery and reconstitution of the
information system to a known state as part of contingency plan testing.

Control Category: 13.0 – Privacy Practices

Objective Name: 13.01 – Openness and Transparency

Control Objective: To ensure openness and transparency about policies,
procedures, and technologies that directly affect individuals and/or their
individually identifiable health information.

Control Reference: 13.a Notice of Privacy Practices

Control Specification: Individuals shall have a right to adequate notice of
the uses and disclosures of protected health information that may be made
by the covered entity, and of the individual's rights and the entity's legal
duties with respect to protected health information.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The covered entity uses and discloses PHI in a
manner consistent with its privacy notice.

The covered entity provides individuals with an appropriate, plain-
language notice of the potential uses and disclosures of their PHI that
contains all required elements (e.g., header, descriptions of uses with at
least one example, requirements for authorization).

If the covered entity provides a health plan, the covered entity provides
notice or notices relevant to the individual (other than an inmate) no later
than the compliance date or upon enrollment thereafter, within 60 days of a
material revision, and no less than every three years.

If the covered entity has a direct treatment relationship with an individual,
the covered entity provides notice or notices relevant to the individual no
later than the date of first service delivery, as soon as practicable after an
emergency treatment situation, upon revision or upon request, and
prominently displays such notice at the physical service delivery site.

If the covered entity maintains a relevant Website or provides electronic
service delivery, the covered entity posts and provides notice through the
Website and provides electronic notice upon service delivery or paper
notice should electronic delivery fail or a paper copy is requested by the
individual.

The covered entity ensures revisions to its privacy practices stated in the
notice are compliant with relevant standards, regulatory requirements and
best practices and that its practices are modified to reflect the changes in
the notice. If the right to change a privacy practice is not stated in its notice,
the covered entity only applies such changes to PHI created or received
after the effective date of the revised notice.
Level 1 Control Standard Mapping:
• 1 TAC 390 § 390.2(a)(1)
• HIPAA § 164.502(i)
• HIPAA § 164.520(a)
• HIPAA § 164.520(b)
• HIPAA § 164.520(c)
• HIPAA § 164.520(d)
• HIPAA § 164.530(i)(4)
• HIPAA §164.530(j)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No Additional Requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No Additional Requirements

Group Health Plans

Group Health Plans: The health insurance issuer or HMO provides an
individual—other than an inmate—enrolled in a group health plan a notice of
privacy practices for that portion of the group health plan through which
the individual receives benefits.

Control Reference: 13.b Rights to Protection and Confidentiality

Control Specification: Individuals shall have the right to request
restriction of uses and disclosures of their protected health information.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Hospitals, ambulatory surgical centers, nursing and
other facilities in which the patient is resident, outpatient facilities
such as those for end stage renal disease, special care facilities such as
those for AIDS patients, psychiatric (mental) facilities, and intermediate
care facilities such as those for the elderly or persons with an
intellectual disability or related conditions, shall ensure their statement
of patient rights addresses the right of the patient,

within the limits of federal and state law, to personal privacy and
confidentiality of personal information and clinical records.

The covered entity ensures that personal representatives of an adult, an emancipated minor, or an unemancipated minor (including a parent, guardian or other person acting in loco parentis) have an appropriate level of authority on behalf of the individual in making decisions related to health care.

The covered entity treats an executor, administrator, or other person with authority to act on behalf of a deceased individual or of the individual's estate under applicable law as a personal representative with respect to PHI relevant to such personal representation, except when the covered entity has a reasonable belief that the individual may be or have been subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal representative could endanger the individual, and the covered entity, in the exercise of its professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.

The covered entity agrees to and complies with requests by individuals for restrictions on disclosure of PHI to a health plan for a health care item or service for which someone other than the health plan pays in full.

The covered entity terminates agreements to restrictions if the individual agrees to or requests the termination in writing, an oral agreement is documented, or the covered entity informs the individual and termination is effective only for PHI created or received thereafter.

The covered entity provides for individual complaints concerning the covered entity's privacy policies and procedures or its compliance with such policies and procedures.

The covered entity ensures that individuals who exercise any of their lawful
rights, including the filing of a complaint, are not subject to intimidation,
threats, discrimination, or any other retaliatory action.
Level 1 Control Standard Mapping:
- 1 TAC § 390.2(a)(4)(B)(i)
- 1 TAC § 390.2(a)(4)(B)(ii)
- 1 TAC § 390.2(a)(4)(B)(iii)
- 1 TAC § 390.2(a)(4)(B)(v)
- 1 TAC § 390.2(a)(4)(B)(xiv)
- 1 TAC § 390.2(a)(4)(B)(xv)
- 1 TAC § 390.2(a)(4)(B)(xvi)
- 1 TAC § 390.2(a)(4)(C)(ii)
- 1 TAC 390 § 390.2(a)(1)
- HIPAA § 164.502(g)
- HIPAA § 164.522(a)
- HIPAA § 164.522(a)(3)
- HIPAA § 164.530(j)
- HIPAA § 164.530(d)
- HIPAA § 164.530(g)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Texas Covered Entities

Texas Covered Entities: Organizations shall ensure that a minor child as defined in Texas Civil Practice Code § 129.001 or non-parent of a minor child may consent to medical, dental, psychological, counseling and surgical treatment for the child by a licensed physician or dentist for those circumstances specified in Texas Family Code §§ 32.003 and 32.004. Organizations shall also ensure a parent, foster parent, guardian, or managing conservator of a minor child
with special healthcare needs or an adult client with special needs retains
the rights and duties specified in Texas Administrative Code § 38.5.

Organizations shall ensure that a parent of a minor child retains the rights
and duties specified in Texas Family Code §§ 151.001, 153.073, 153.074
and 153.132 pursuant to the exceptions provided by §§ 32.003 and 32.004.
Control Standard Mapping:
- 1 TAC § 390.2(a)(4)(C)(i)
- 1 TAC § 390.2(a)(4)(C)(ii)

Control Reference: 13.c Authorization Required

Control Specification: Valid authorizations for the use or disclosure of protected health information shall be obtained, and such use or disclosure shall be consistent with such authorization.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Organizations that handle Medicaid-related information shall ensure that information about Medicaid clients is not disclosed without effective consent by the client or on behalf of the client, except for purposes directly connected with the administration of the Medicaid program, as described in 42 USC, §1396a(a)(7) and 42 CFR §§431.301 through 431.306, including organizations that provide outreach, informational, and transportation services without client consent.

The covered entity does not use or disclose PHI without a valid authorization, when such authorization is required, including the use or disclosure of psychotherapy notes or for the purposes of marketing.

When authorization is required, the covered entity ensures the authorizations are valid, and the covered entity shall allow an individual to revoke such authorization in writing at any time.

The covered entity does not create compound authorizations except when
combining authorizations for the same research study, combining
authorizations specifically for the use or disclosure of psychotherapy notes,
or combining other allowed authorizations, none of which conditions the
provision of treatment, payment, enrollment (in a health plan), or eligibility
for benefits (but in no case for psychotherapy notes).

The covered entity ensures there is no condition on the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on the provision of an authorization except as allowed for research, underwriting and risk determinations, or disclosure of PHI to a third party, but in no case for the use of psychotherapy notes.
Level 1 Control Standard Mapping:
- 1 TAC § 390.2(a)(4)(C)(iii)
- 1 TAC 390 § 390.2(a)(1)
- HIPAA § 164.508(a)
- 1 TAC § 390.2(a)(4)(A)(viii)
- 1 TAC § 390.2(a)(4)(B)(i)
- 1 TAC § 390.2(a)(4)(B)(xviii)(III)
- 1 TAC § 390.2(a)(4)(C)(i)
- HIPAA § 164.508(b)
- HIPAA § 164.508(c)
- HIPAA § 164.530(j)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No Additional Requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: Subject to FISMA Compliance, Subject to the CMS Minimum Security Requirements (High)
Level 3 Implementation: Level 2 plus:
The organization establishes alternate telecommunications services, including the necessary agreements, to permit the resumption of information system operations for essential missions and business functions within the business-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

The organization shall develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.

The organization shall provide for the recovery and reconstitution of the
information system to a known state after a disruption, compromise, or
failure. Recovery of the information system after a failure or other
contingency shall be done in a trusted, secure, and verifiable manner.

Secure information system recovery and reconstitution shall include, but is not limited to:
vi. reset all system parameters (either default or organization-established),
vii. reinstall patches,
viii. reestablish configuration settings,
ix. reinstall application and system software, and
x. fully test the system.
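The recovery requirement above says reconstitution must be done in a trusted, secure and verifiable manner, but it does not show what the verification step looks like. The following is an added example and is not text or code from the CSF, the CMSRs or NIST SP 800-53: it pins a known-good baseline by digest so a tampered baseline cannot approve a bad rebuild, then checks a rebuilt host's snapshot for the reset parameters, reinstalled patches and reinstalled files that steps vi to ix call for. All patch identifiers, configuration keys, file paths and snapshots are constructed placeholders.

```python
import hashlib
import json

# Constructed known-good baseline for a rebuilt host (hypothetical values;
# patch IDs, keys and paths are placeholders, not from any real system).
BASELINE = {
    "patches": ["PATCH-0001", "PATCH-0002", "PATCH-0003"],
    "config": {"ssh.PasswordAuthentication": "no", "audit.enabled": "yes"},
    "files": {"/etc/app/app.conf": hashlib.sha256(b"listen=443\n").hexdigest()},
}


def canonical_digest(baseline: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the baseline.

    The digest is recorded when the baseline is approved and re-checked before
    every verification, so an altered baseline cannot bless a bad rebuild.
    """
    encoded = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


# Pinned at approval time; in practice stored signed and off-host.
BASELINE_DIGEST = canonical_digest(BASELINE)


def verify_reconstitution(baseline: dict, expected_digest: str, snapshot: dict) -> list[str]:
    """Compare a recovered host's snapshot with the approved baseline.

    Returns a list of findings; an empty list means the rebuilt host matches
    the known state (patches, configuration parameters, file contents).
    """
    if canonical_digest(baseline) != expected_digest:
        return ["baseline integrity check failed: refusing to verify against an untrusted baseline"]

    findings: list[str] = []

    # Step vii: every baseline patch must be present on the rebuilt host.
    for patch in sorted(set(baseline["patches"]) - set(snapshot.get("patches", []))):
        findings.append(f"missing patch {patch}")

    # Steps vi and viii: parameters and settings must equal the approved values.
    for key, want in baseline["config"].items():
        got = snapshot.get("config", {}).get(key)
        if got != want:
            findings.append(f"config {key}: expected {want!r}, found {got!r}")

    # Step ix: reinstalled software and config files must hash to approved content.
    for path, want in baseline["files"].items():
        content = snapshot.get("files", {}).get(path)
        if content is None:
            findings.append(f"file {path}: missing")
        elif hashlib.sha256(content).hexdigest() != want:
            findings.append(f"file {path}: content does not match baseline")

    return findings


# Constructed snapshots of a rebuilt host: one clean, one that drifted
# (a patch was skipped and a setting was left at its insecure default).
CLEAN_SNAPSHOT = {
    "patches": ["PATCH-0001", "PATCH-0002", "PATCH-0003"],
    "config": {"ssh.PasswordAuthentication": "no", "audit.enabled": "yes"},
    "files": {"/etc/app/app.conf": b"listen=443\n"},
}
DRIFTED_SNAPSHOT = {
    "patches": ["PATCH-0001", "PATCH-0003"],
    "config": {"ssh.PasswordAuthentication": "yes", "audit.enabled": "yes"},
    "files": {"/etc/app/app.conf": b"listen=443\n"},
}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN_SNAPSHOT), ("drifted", DRIFTED_SNAPSHOT)):
        result = verify_reconstitution(BASELINE, BASELINE_DIGEST, snap)
        print(f"{name}: {'verified' if not result else result}")
```

The baseline digest check runs first on purpose: a reconstitution that is verified against whatever baseline happens to be on the recovered host is not "trusted", because the same incident that forced the rebuild may have altered it. Step x (fully test the system) is the functional testing that follows a clean report from this check, not something the check replaces.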
Level 3 Control Standard Mapping:
- CMSRs 2012v1.5 CP-8 (HIGH)
- CMSRs 2012v1.5 CP-8(1) (HIGH)
- CMSRs 2012v1.5 CP-8(2) (HIGH)
- CMSRs 2012v1.5 CP-8(3) (HIGH)
- CMSRs 2012v1.5 CP-8(4) (HIGH)
- CMSRs 2012v1.5 CP-10 (HIGH)
- NIST SP800-53 R4 CP-8
- NIST SP800-53 R4 CP-8 (1)
- NIST SP800-53 R4 CP-8 (2)
- NIST SP800-53 R4 CP-10

Texas Covered Entities

Texas Covered Entities: Persons or organizations required to report immunization information to the state for registry purposes or authorized to receive information from the registry shall not disclose the individually identifiable information of an individual to any other person without the written or electronic consent of the individual or the individual's legally authorized representative, except as provided by Texas Occupations Code § 159 or TX Insurance Code § 602.053, and subject to the penalties outlined in THSC § 161.009.

Persons and organizations shall not request information from the immunization registry without providing the written consent of the individual or, if a child, the parent, managing conservator or legal guardian, except as provided by the TX Occupations Code § 159 or the TX Insurance Code § 28B.04. Persons and organizations shall ensure registry information is not inadvertently released due to a request for discovery, subpoena, or other means of legal compulsion for release to any person or entity, except as provided by THSC § 161, Subchapter A.

Persons and organizations (providers) shall identify and treat government benefits / federal assistance information (records), such as those relating to 7 CFR § 272 (SNAP), 45 CFR § 205.50 (TANF) and 42 CFR § 431.300 (Medicaid), as confidential and not public records, and such information (records) shall be disclosed only upon written authorization of the recipients, except as noted in the respective program's parent regulation(s) or as otherwise required or authorized by other federal or state law.

Except as authorized by THSC § 241.153, a hospital or an agent or employee of a hospital may not disclose health care information about a patient to any person other than the patient or the patient's legally authorized representative without the written authorization of the patient or the patient's legally authorized representative.

Except as provided in 40 TAC §19.407(3), a resident patient may approve or refuse the release of personal and clinical records to any individual outside of the facility.

Organizations shall ensure that consent for the release of confidential information related to a minor child must be in writing and signed by the patient, the parent or legal guardian of the patient, an attorney ad litem appointed for the patient, or a personal representative of the patient if the patient is deceased per Texas Occupations Code § 159.005.
Control Standard Mapping:
- 1 TAC § 390.2(a)(4)(A)(viii)
- 1 TAC § 390.2(a)(4)(A)(xv)
- 1 TAC § 390.2(a)(4)(B)(i)
- 1 TAC § 390.2(a)(4)(B)(ii)
- 1 TAC § 390.2(a)(4)(C)(i)

Control Reference: 13.d Opportunity Required

Control Specification: Individuals shall be informed in advance of the use or disclosure of protected health information and shall have the opportunity to agree to or prohibit or restrict the use or disclosure when required.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The covered entity informs individuals in advance of an allowed use or disclosure and provides an opportunity to agree to or prohibit or restrict the use or disclosure, either orally or in writing.

If an individual does not object, the covered entity limits the PHI contained
in a directory of individuals at its facility to the individual's name, location,
general condition, and religious affiliation and only uses or discloses such
information for directory purposes to members of the clergy or, except for
religious affiliation, to other persons who ask for the individual by name.

The covered entity informs individuals of the PHI it may include in a directory, and to whom it may disclose such information, and provides the individual an opportunity to restrict or prohibit some or all of the disclosures.

The covered entity provides directory information for allowed uses only in
cases where the individual has not objected to such use or when the
opportunity to object cannot be practicably provided because of incapacity
or an emergency treatment circumstance.

If the covered entity discloses PHI to a family member, or other relative, or a close personal friend of the individual, or any other person identified by the individual, or to assist and locate such a person, the disclosure is limited to that PHI directly relevant to the person's involvement with the individual's care or payment related to such care or otherwise limited to the
requirements for limited uses and disclosures when the individual is not present, for disaster relief purposes, or for a deceased individual.

If an individual is present or has the capacity, the covered entity obtains the
individual's agreement, provides the individual an opportunity to object, or
reasonably infers from the circumstances that the individual does not object
to disclosure of PHI.

The covered entity ensures that, when an individual is not present or the
opportunity to agree or object to the use or disclosure cannot practicably be
provided, it only allows uses or provides disclosures of PHI to a person that
is directly relevant to that person's involvement with the individual's health
care.

The covered entity limits disclosure of PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts to that which is required for the disaster or emergency response.

If the individual is deceased, a covered entity only discloses to a family member, or other persons identified in this control (13.d) who were involved in the individual's care or payment for health care prior to the individual's death, PHI of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any known prior expressed preferences.
Level 1 Control Standard Mapping:
- 1 TAC 390 § 390.2(a)(1)
- HIPAA § 164.510(a)
- HIPAA § 164.510(b)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 13.e Authorization or Opportunity Not Required

Control Specification: Protected health information may be used or disclosed without written authorization of the individual or the opportunity for the individual to agree or object only when such use or disclosure is authorized by applicable laws or regulations.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The covered entity limits the use or disclosure of PHI to the extent that such use or disclosure is required by law.

The covered entity complies with the regulatory criteria for permitted uses
and disclosures of PHI for public health activities prior to the use or
disclosure for said activities.

The covered entity discloses PHI about an individual whom the entity
reasonably believes to be a victim of abuse, neglect, or domestic violence to
government authorities authorized by law to receive such reports only to
the extent necessary and required by law, and notifies the individual when
required by law.

The covered entity discloses PHI to a health oversight agency only for those
oversight activities authorized by law.

The covered entity ensures that satisfactory assurances are obtained before providing the appropriate disclosures of PHI pursuant to court orders, subpoenas, or discovery requests for judicial and administrative proceedings.

The covered entity only discloses PHI to law enforcement for valid law
enforcement purposes when specifically defined criteria are met.

The covered entity discloses PHI to law enforcement for identification and
location purposes subject to specifically defined criteria, including whether
or not notice or consent is provided.

The covered entity discloses PHI related to victims of a crime to law enforcement subject to specifically defined criteria.

The covered entity discloses PHI related to an individual who has died to
law enforcement subject to specifically defined criteria.

The covered entity discloses PHI related to a crime on premises or in an emergency to law enforcement subject to specifically defined criteria.

The covered entity limits disclosure of PHI to a coroner or medical examiner (or a covered entity acting in the capacity of a coroner or medical examiner) to that required to identify a deceased person, determine a cause of death, or other duties as authorized by law.

The covered entity limits disclosure of PHI to funeral directors, consistent with applicable law, to the minimum necessary to carry out their duties with respect to the decedent.

The covered entity limits uses or disclosures of PHI to legitimate organ procurement organizations for the purpose of facilitating organ, eye or tissue donation and transplantation.

The covered entity uses or discloses PHI for research only if approved by a valid IRB or privacy board and receives appropriate representations from the researcher regarding the appropriate uses and disclosures necessary for research purposes.

Documentation for a use or disclosure permitted for research based on approval of an alteration or waiver shall contain a signed, dated statement from the IRB or privacy board that confirms the necessary conditions for use or disclosure.
A covered entity may, consistent with applicable law and standards of
ethical conduct, use or disclose PHI to the extent allowed if the covered
entity, in good faith, believes the use or disclosure is reasonable or
necessary for safety or law enforcement.

The covered entity uses or discloses the PHI of Armed Forces personnel for
activities deemed necessary by appropriate military command authorities
only if the authority has published notice in the Federal Register with
specific, required information.

The covered entity discloses PHI to authorized federal officials for the
conduct of lawful intelligence, counter-intelligence, and other national
security activities.

The covered entity discloses PHI to authorized Federal officials for the
provision of protective services to authorized officials or for the conduct of
authorized investigations.

A covered entity that is a component of the Department of State uses PHI only to make determinations regarding the medical suitability of an individual to officials in the Department of State who need access to such information for specific, defined purposes.

The covered entity uses or discloses PHI of an inmate to a law enforcement official having lawful custody of the inmate if the correctional institution or such law enforcement official represents such PHI is necessary for specific, defined requirements.

A health plan that is a government program providing public benefits may disclose PHI relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if the sharing is required or expressly authorized by statute or regulation.

A covered entity that is a government agency administering a government program providing public benefits may disclose PHI relating to the program to another covered entity that is a government agency administering a government program providing public benefits if they serve similar populations and the disclosure is necessary to coordinate the functions of such programs.

The covered entity only discloses PHI as authorized and to the extent
necessary to comply with laws relating to workers' compensation or
similar programs.

Level 1 Control Standard Mapping:
- 1 TAC § 390.2(a)(4)(A)(i)
- 1 TAC 390 § 390.2(a)(1)
- HIPAA § 164.512(a)
- HIPAA § 164.512(b)
- HIPAA § 164.512(c)
- HIPAA § 164.512(d)
- HIPAA § 164.512(e)
- HIPAA § 164.512(f)
- HIPAA § 164.512(g)
- HIPAA § 164.512(h)
- HIPAA § 164.512(i)
- HIPAA § 164.512(j)
- HIPAA § 164.512(k)
- HIPAA § 164.512(l)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Texas Covered Entities

Texas Covered Entities: Cancer data may be provided to the Texas Cancer Registry without patient authorization or consent in accordance with 25 TAC § 91.3(e).

Objective Name: 13.02 – Individual Choice and Participation

Control Objective: To ensure individuals are provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information.

Control Reference: 13.f Access to Individual Information

Control Specification: Individuals shall have a right of access to inspect and obtain a copy of protected health information about themselves for as long as the information is maintained.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: With limited exceptions, the covered entity provides individuals the right of access to review and obtain a copy of their PHI in a designated record set for as long as the record set is maintained, and provides such access in a timely manner (30 days with no more than one 30 day extension), for no more than a reasonable, cost-based fee, or, if the covered entity does not maintain the PHI but knows where it's located, the covered entity informs the individual where to direct the request.

The covered entity provides the individual access to the PHI in the
designated record set in a written or electronic form and format requested
by the individual or otherwise agreed to by the covered entity and the
individual. Summaries of the PHI requested are only provided in lieu of the
designated record set if the individual agrees in advance to the summary
and any fees imposed for providing such summary.

The covered entity only provides access to another person designated by the individual if the individual requests such access in writing, signed by the individual, and the request clearly identifies the designated person and where the copy of the PHI should be sent.

The covered entity denies an individual access to their PHI without providing an opportunity to review for psychotherapy notes, information compiled in anticipation of legal proceedings or subject to or exempt from the Clinical Laboratory Improvements Amendments of 1988; the covered entity is a correctional facility; the individual is involved in research in progress; the information is contained in records subject to the Privacy Act; or the information was obtained from an entity other than a health care provider on the promise of confidentiality.

The covered entity only denies an individual access provided the individual
is given the right to have such denials reviewed when a licensed health care
professional determines access would endanger the life or physical safety
of, or otherwise cause substantial harm to, the individual or another person.

The covered entity provides timely (30 days plus no more than a 30 day
extension), written denial to an individual's request for access in plain
language that addresses the basis for denial, a statement of the individual's
rights for review of the denial, and a description of procedures for
complaints to the entity and the Secretary of Health and Human Services. If
the covered entity does not maintain the PHI that is the subject of the
individual's request for access, and the covered entity knows where the
requested information is maintained, the covered entity informs the
individual where to direct the request for access.
Level 1 Control Standard Mapping:
- 1 TAC 390 § 390.2(a)(1)
- HIPAA § 164.524(a)
- HIPAA § 164.524(b)
- HIPAA § 164.524(c)
- HIPAA § 164.524(d)
- HIPAA § 164.530(j)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 13.g Accounting of Disclosures

Control Specification: Individuals shall have a right to receive an accounting of
disclosures of their protected health information.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The covered entity provides individuals the right to receive an
accounting of disclosures of PHI made by the covered entity in the six years prior to the
date on which the accounting is requested, except for specific disclosures
addressed in CSF controls 13.c (authorizations provided), 13.d (facility
directory and relevant persons), 13.e (correctional institutions and national
security or intelligence purposes), 13.i (required disclosures), 13.j
(permitted disclosures), and 13.l (limited data sets).

The covered entity's accounting of disclosures includes, for the six years
prior to the request, the date, the name and address of the entity that was
provided the PHI, a description of the PHI disclosed, and why the information
was disclosed; and, if for research, the name of the research activity, the
period of time the PHI was disclosed, the contact information of the research
sponsor (name, address and phone number), and a statement that the PHI
may or may not have been disclosed for a particular research activity.
When requested by the individual, the covered entity provides assistance to
the individual in contacting the research sponsor and researcher for an
accounting.

The covered entity acts upon an individual's request for an accounting no
later than 60 days after receipt of the request, free of charge for the first
request within any 12-month period and, if informed in advance, for a
reasonable cost-based fee for subsequent requests within the period.
Level 1 Control Standard Mapping:
 1 TAC 390 § 390.2(a)(1)
 HIPAA § 164.528(a)
 HIPAA § 164.528(b)
 HIPAA § 164.528(c)
 HIPAA § 164.530(j)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 13.h Correction of Records

Control Specification: Individuals shall have a right to have protected health
information amended for as long as the information is maintained.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The covered entity ensures individuals have the right to amend PHI
or a record about the individual in a designated record set for as long as the
protected health information is maintained in the designated record set.

The covered entity denies an individual's request for amendment only if it
determines the PHI or record was not created by the covered entity (unless
the originator no longer exists), is not part of the designated record set, is
not available for inspection per CSF control 13.f, or is otherwise accurate
and complete.

The covered entity acts on an individual's request for amendment within 60
days of the request, with no more than one 30-day extension.

If the covered entity requires a written request with a rationale for the
amendment, the covered entity makes these requirements known in
advance.

If the requested amendment is accepted in whole or in part, the covered
entity makes the amendment, informs the individual the amendment was
made in a timely manner, and makes reasonable efforts to notify relevant
persons with whom the amendment must be shared in a reasonable
timeframe.

If a requested amendment is denied in whole or in part, the covered entity
must provide the individual with a written denial; permit the individual to
submit a statement of disagreement; prepare a written rebuttal if the
individual submits a statement of disagreement; maintain denials,
disagreements and rebuttals as organizational records; and provide
relevant information regarding any disagreements in future disclosures of
the individual's PHI.

The covered entity corrects an individual's PHI if informed by another
covered entity of an amendment.
Level 1 Control Standard Mapping:
 1 TAC 390 § 390.2(a)(1)
 HIPAA § 164.526(a)
 HIPAA § 164.526(b)
 HIPAA § 164.526(c)
 HIPAA § 164.526(d)
 HIPAA § 164.526(e)
 HIPAA § 164.526(f)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Group Health Plans

Group Health Plans: The group health plan limits exceptions to the general requirements
for amendments to PHI to health benefits provided other than solely through
an insurance contract with a health insurance issuer or HMO and PHI that it
does not create or receive, except for summary health information or
information on whether the individual is participating in the group health
plan, or is enrolled in or has disenrolled from a health insurance issuer or
HMO offered by the plan. Amended plan documents are subject to the
organization's retention policy.

Control Reference: 13.i Required Uses and Disclosures

Control Specification: Protected health information shall be used or disclosed when
required by applicable laws and regulations.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Healthcare entities receiving medical records from the Social Security
Administration shall ensure that no part of the medical record is withheld
from the individual or, in the case where the medical record pertains to a
minor child, from the parent or guardian pursuant to 42 U.S.C. §1306, 20
CFR Part 401.55(c)(2), as referenced by 20 CFR Part 401.100(d).

Laboratories shall ensure the confidentiality of patient information during
all stages of the testing process that are under the laboratory's control and
release test results only to authorized persons and, if applicable, the
individual responsible for using the test results and the laboratory that
initially requested the test. Laboratories shall have an adequate manual or
electronic system(s) in place to ensure test results and other
patient-specific information are accurately and reliably transmitted from the
point of data entry (whether interfaced or entered manually) to the final
report's destination, in a timely manner.

The covered entity shall disclose PHI to an individual when requested or
required under federal or state law, or when required by the Secretary of
Health and Human Services to investigate or determine the covered entity's
compliance with the HIPAA Privacy Rule.

The business associate shall disclose PHI when required by the Secretary of
Health and Human Services to investigate or determine the business
associate's compliance with the HIPAA Privacy Rule and to the covered
entity, individual, or individual's designee, as necessary to satisfy a covered
entity's obligations as described in CSF control 13.f with respect to an
individual's request for an electronic copy of PHI.
Level 1 Control Standard Mapping:
 1 TAC § 390.2(a)(4)(A)(iii)
 1 TAC § 390.2(a)(4)(A)(xii)
 1 TAC § 390.2(a)(4)(A)(xiv)
 1 TAC § 390.2(a)(4)(B)(x)
 1 TAC 390 § 390.2(a)(1)
 HIPAA § 164.502(a)(2)
 HIPAA § 164.502(a)(4)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Texas Covered Entities

Texas Covered Entities: The entity that performed the genetic test shall disclose the
test results to the individual or a physician designated by the individual upon
written request.

Persons and organizations (providers) shall treat family planning
information as defined by 25 TAC § 56.11 as confidential and not public
records, which shall be disclosed only upon written authorization of the
clients (patients), except for reports of child abuse as required by Texas
Family Code § 261 or as required or authorized by other federal or state
law.

Control Reference: 13.j Permitted Uses and Disclosures

Control Specification: Protected health information may be used or disclosed when
permitted by applicable laws and regulations.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Organizations shall ensure patient information with special handling
requirements, e.g., HIV, mental health and substance abuse-related records
(see 07.e), is not disclosed except to individuals, organizations or agencies
expressly allowed by applicable federal and state law.

The covered entity limits permitted uses or disclosures of PHI to the
individual; for treatment, payment or healthcare operations; incident to a
use or disclosure otherwise permitted or required; or otherwise pursuant
to a valid authorization or agreement.

A business associate uses or discloses PHI only as permitted or
required by its business associate contract or other arrangement and does
not use or disclose PHI in a manner that would violate requirements for the
protection of such information, if done by the covered entity, except for the
purposes specified in CSF control 13.h if such uses or disclosures are
permitted by its contract or other arrangement.

The covered entity complies with restrictions on use and disclosure of PHI
to which it has agreed.

A covered entity or business associate may disclose PHI to a business
associate and may allow a business associate to create, receive, maintain, or
transmit PHI on its behalf, if the covered entity or business associate
obtains satisfactory, written assurance (e.g., a written contract, agreement
or arrangement that satisfies the requirements of this control) that the
business associate will appropriately safeguard the information.

The covered entity expressly permits disclosures of PHI by whistleblowers
and specifies the appropriate conditions under which whistleblowers may
disclose PHI.

The covered entity permits certain disclosures of PHI by workforce
members who are victims of a crime to law enforcement and specifies the
conditions under which they may disclose PHI.

The covered entity or business associate understands when it has not
obtained satisfactory assurances or met the standards for business
associate contracts and takes appropriate action if it knew of a pattern of
activity or practice of the business associate that constituted a material
breach or violation of its obligations.

The covered entity uses and discloses PHI for treatment, payment or health
care operations appropriately and not in a manner inconsistent with uses
or disclosures that require authorization or are otherwise prohibited.

If consent is obtained from an individual to carry out treatment, payment or
health care operations, the covered entity does not use or disclose PHI in
other circumstances that require authorization or when another condition
must be met for such use or disclosure.

The covered entity only discloses PHI for specific, allowed treatment,
payment or health care operations, including quality assessments,
competency or qualification reviews, health care fraud and abuse detection
or compliance, and patient safety activities.

The covered entity only uses or discloses specific, limited types of PHI
under specific, defined conditions to a business associate or an
institutionally-related foundation for the purpose of raising funds for its
own benefit.

The covered entity restricts uses and/or disclosures of PHI used for
underwriting purposes for any other purpose except as may be required by
law.

The covered entity formally verifies (e.g., with appropriate documentation)
the identity and authority of persons (e.g., public officials) requesting PHI.
Level 1 Control Standard Mapping:
 1 TAC § 390.2(a)(4)(A)(i)
 1 TAC § 390.2(a)(4)(A)(ii)
 1 TAC § 390.2(a)(4)(A)(iii)
 1 TAC § 390.2(a)(4)(A)(ix)
 1 TAC § 390.2(a)(4)(A)(v)
 1 TAC § 390.2(a)(4)(A)(x)
 1 TAC § 390.2(a)(4)(A)(xi)
 1 TAC § 390.2(a)(4)(A)(xiii)
 1 TAC § 390.2(a)(4)(B)(iii)
 1 TAC § 390.2(a)(4)(B)(xvii)
 1 TAC § 390.2(a)(4)(C)(iii)
 1 TAC 390 § 390.2(a)(1)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Texas Covered Entities

Texas Covered Entities: Organizations shall ensure reports, records, and other documents
containing sensitive personal information lawfully obtained by state
agencies are not subject to subpoena and may not otherwise be released or
made public except as authorized by law.

Genetic information is considered sensitive personal information (also
protected health information as defined by HIPAA) and is confidential and
privileged regardless of the source of the information. Persons and
organizations, including licensing authorities, shall ensure that genetic
information about an individual may not be disclosed, or compelled to be
disclosed by subpoena or otherwise, unless the disclosure is to the
individual, or otherwise authorized by the individual as provided by TX
Insurance Code § 546.104, a physician or other individual designated or
authorized by the individual as provided by TX Labor Code § 21.403 or
other applicable federal or state law.

Persons and organizations shall ensure that records of the identity,
personal history or background information of a survivor of sexual assault,
or information concerning the victimization of a survivor, created by or
provided to an advocate or maintained by a sexual assault program is
confidential and may not be disclosed except as provided by Tex. Gov. Code
§ 420 Subchapter D.

Persons and organizations shall ensure that the section of a birth certificate
entitled "For Medical and Health Use Only" is not considered part of the
legal birth certificate and is not released or made public on subpoena or
otherwise, except that release may be made for statistical purposes only so
that no person, patient, or facility is identified, or to medical personnel of a
health care entity, as that term is defined in Subtitle B, Title 3, TX
Occupations Code, or appropriate state or federal agencies for statistical
research, except as provided in § 192.002.

Persons and organizations shall ensure that reports, records, and
information relating to cases or suspected cases of diseases or health
conditions, regardless of the source, are confidential, are not made
public, and are not released or made public on subpoena or otherwise
except as provided by THSC § 81.046 and other applicable federal or state
law.

Persons and organizations shall ensure that individual morbidity reports
are confidential, are not made public, and are not released or made public
except as allowed under federal or state law.

Persons and organizations shall ensure the confidentiality of reports of
abuse, neglect, or exploitation of minor, elderly and disabled persons, or
information used or developed in an investigation or in providing services
as a result of an investigation, and that disclosures of such information are
limited to those defined in TX Human Resources Code §§ 48.101 and 48.154
and TX Family Code §§ 261.201 through 261.203, and THSC § 252.126.

Persons and organizations shall treat occupational health case reports as
defined by 25 TAC § 99.1 as confidential and not public records, which shall
be accessed only by authorized persons, except when such information is
de-identified for statistical and epidemiological studies, which may be made
public.

Persons and organizations shall treat records associated with a state
investigation of alleged abuse or neglect of a chemical dependency
counselor or treatment center as confidential per THSC § 464.010(e) and
not public records, which shall only be disclosed as authorized by THSC §§
464.010(e) and 464.011.

Organizations shall ensure the disclosures of client Medicaid information
comply with TX Human Resources Code §§ 12.003 and 21.012 and TX
Government Code § 552.10 in addition to the federal requirements outlined
in 42 USC, §1396a(a)(7) and 42 CFR §§431.301 thru 431.306.

FTI Custodians

FTI Custodians: Tax return and return-related information received by a person or
organization under U.S.C. Title 26 § 6103 shall be treated as confidential
and not disclosed in any manner connected with the person or
organization's service under the provisions of the section, except as
authorized under the title.

Objective Name: 13.03 - Correction

Control Objective: To ensure individuals are provided with a timely means to dispute the
accuracy of their individually identifiable health information, and to have
erroneous information corrected or to have a dispute documented if their
requests are denied.

Control Reference: 13.k Prohibited or Restricted Uses and Disclosures

Control Specification: Protected health information shall not be used or disclosed when
prohibited or otherwise restricted by applicable laws and regulations.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Unless an issuer of long-term care policies, the health plan does not
use or disclose PHI that is genetic information for underwriting purposes.

The covered entity or business associate shall not sell PHI, which is
defined as a disclosure of PHI by a covered entity or business associate,
if applicable, where the covered entity or business associate directly or
indirectly receives remuneration from or on behalf of the recipient of
the PHI in exchange for the PHI.
Level 1 Control Standard Mapping:
 1 TAC § 390.2(a)(4)(B)(iii)
 1 TAC § 390.2(a)(4)(B)(xiv)
 1 TAC 390 § 390.2(a)(1)
 HIPAA § 164.502(a)(5)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Texas Covered Entities

Texas Covered Entities: Records relating to the deaths of residents with an intellectual
disability or related condition are also confidential and not subject to release
or disclosure under the provisions of TX Government Code § 552.

End stage renal facilities shall ensure information concerning quality of care
provided to or compiled by the Department of State Health Services or
medical review board and a recommendation of the medical review board
are confidential. The information or recommendation may not be made
available for public inspection, is not subject to disclosure under TX
Government Code, Chapter 552, and is not subject to discovery, subpoena,
or other compulsory legal process.
Control Standard Mapping:
 1 TAC § 390.2(a)(4)(B)(iii)
 1 TAC § 390.2(a)(4)(B)(xiv)

Control Reference: 13.l Minimum Necessary Use

Control Specification: The use or disclosure of protected health information shall be
limited to the minimum necessary to accomplish the intended purpose of the use,
disclosure, or request.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The covered entity or business associate makes reasonable efforts to
limit requests for PHI from another covered entity or business associate to the
minimum necessary to accomplish the intended purpose of the use,
disclosure or request. Exceptions include treatment, requests by the
individual, or uses or disclosures pursuant to a valid authorization, required
by law, or required for compliance with other requirements, such as
disclosures made to the Secretary of Health and Human Services.

The covered entity only creates and uses information that is not
individually identifiable (i.e., de-identified) when a code or other means of
record identification designed to enable coded or otherwise de-identified
information to be re-identified is not disclosed. If the de-identified
information is subsequently re-identified, the covered entity only uses or
discloses such re-identified information as permitted or required for PHI.

The covered entity understands that health information is not identifiable
(i.e., de-identified) only when there is no reasonable basis to believe that
the information can be used to identify an individual and meets federal
requirements for de-identified data.

When de-identifying PHI, the covered entity removes all eighteen (18) data
elements required by the HIPAA Administrative Simplification's Privacy
Rule and has no knowledge the resulting data set could be re-identified, or
an appropriate person applies generally accepted scientific principles and
methods for rendering information not individually identifiable and
determines the risk of re-identification is appropriately small.

The covered entity ensures codes or other means used to re-identify
de-identified information are not derived from or related to information
about the individual(s) or are otherwise capable of being translated to
identify the individual(s), nor does the covered entity use or disclose the
code, means or mechanism for any other purpose.

The covered entity identifies the persons or classes of persons in its
workforce who need access to specific, limited categories of PHI to carry out
their duties.

The covered entity limits the PHI disclosed to the minimum amount
reasonably necessary to achieve the purpose of the disclosure.

The covered entity must implement policies and procedures (or standard
protocols) that limit PHI for recurring requests to the minimum necessary.

A covered entity must develop criteria designed to limit all other requests
to the minimum necessary to accomplish the purpose for which it was made
and review all requests for disclosure on an individual basis in accordance
with such criteria.

The covered entity enters into a data use agreement with a recipient before
allowing the use or disclosure of a limited data set and ensures the data
provided meets the requirements for a limited data set.

The covered entity terminates data use agreements and takes reasonable
steps to secure limited data sets when it becomes aware of a pattern of
activity or practice of the recipient that constitutes a material breach or
violation of the data use agreement.

Level 1 Control Standard Mapping:
 1 TAC 390 § 390.2(a)(1)
 HIPAA § 164.502(b)
 HIPAA § 164.502(d)
 HIPAA § 164.514(a)
 HIPAA § 164.514(b)
 HIPAA § 164.514(c)
 HIPAA § 164.514(d)
 HIPAA § 164.514(e)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Control Reference: 13.m Confidential Communications

Control Specification: Individuals shall be afforded the right to request, and the
covered entity must accommodate, reasonable requests to receive communications of
protected health information by alternative means or at alternative locations.



Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: Persons and organizations shall ensure that communications
between a patient and a professional for the diagnosis, evaluation, or treatment of
any mental or emotional condition or disorder, including alcoholism or drug
addiction, and records of the identity, diagnosis, evaluation, or treatment of a
patient that are created or maintained by a professional, are only disclosed in
select instances as provided by THSC §§ 611.004 or 611.0045, or 42 CFR Part 2.

Communication between a physician, chiropractor, podiatrist or dentist and
a patient, and records of the identity, evaluation, or treatment of a patient,
that are made or created in the course of providing healthcare services to
the patient is confidential and privileged and may not be disclosed except as
provided by federal or state law. A patient’s pharmacy records are similarly
confidential, and a pharmacist may only release a confidential record to the
patient or other individual or entity permitted by federal or state law.

Communication between certified emergency medical services personnel or
a physician providing medical supervision and a patient, and records of the
identity, evaluation, or treatment of a patient, that are made or created in
the course of providing emergency medical services to the patient is
confidential and privileged and may not be disclosed except as provided by
federal or state law.

The covered entity complies with confidential communications requirements
(e.g., with respect to alternate means or locations).

The covered entity conditions requests for confidential communications only,
when appropriate, on information as to how payment, if any, will be handled
and on specification of an alternative address or other method of contact;
in no case may the organization require an explanation as to the basis of
the request.



Level 1 Control Standard Mapping:
 1 TAC § 390.2(a)(4)(A)(vi)
 1 TAC § 390.2(a)(4)(A)(vii)
 1 TAC § 390.2(a)(4)(B)(ix)
 1 TAC § 390.2(a)(4)(B)(vi)
 1 TAC § 390.2(a)(4)(B)(vii)
 1 TAC § 390.2(a)(4)(B)(viii)
 1 TAC § 390.2(a)(4)(B)(xi)
 1 TAC § 390.2(a)(4)(B)(xii)
 1 TAC 390 § 390.2(a)(1)
 HIPAA § 164.502(h)
 HIPAA § 164.522(b)

Level 2 Implementation Requirements

Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Texas Covered Entities



Texas Covered Entities: Persons and organizations shall ensure that communications
between a patient and a professional for the diagnosis, evaluation, or treatment of
any mental or emotional condition or disorder, including alcoholism or drug
addiction, and records of the identity, diagnosis, evaluation, or treatment of a
patient that are created or maintained by a professional, are only disclosed in
select instances as provided by THSC §§ 611.004 or 611.0045.

Control Reference: 13.n Organizational Requirements

Control Specification: An individual’s privacy and security shall be assured through
appropriate contracts, monitoring and other means and methods to report and
mitigate non-adherence and breaches.
Factor Type: Organizational

Level 1 Implementation Requirements

Level 1 Organizational Factors: Applicable to all organizations
Level 1 System Factors: None
Level 1 Regulatory Factors: None
Level 1 Implementation: The covered entity ensures each of its business associates
has a valid agreement that addresses the proper management/oversight of the
business associate and specifies applicable requirements (e.g., around use,
further disclosure, and the implementation of reasonable and appropriate
safeguards).

If the covered entity has multiple functions, it ensures the use and
disclosure of PHI is only for the purpose related to the appropriate function
being performed.

Level 1 Control Standard Mapping:
 1 TAC 390 § 390.2(a)(1)
 HIPAA § 164.504(e)
 HIPAA § 164.504(g)

Level 2 Implementation Requirements



Level 2 Organizational Factors: None
Level 2 System Factors: None
Level 2 Regulatory Factors: None
Level 2 Implementation: No additional requirements

Level 3 Implementation Requirements

Level 3 Organizational Factors: None
Level 3 System Factors: None
Level 3 Regulatory Factors: None
Level 3 Implementation: No additional requirements

Texas Covered Entities

Texas Covered Entities: The group health plan documents appropriately restrict the
use and disclosure of PHI by the plan sponsor.

The group health plan, or a health insurance issuer or HMO with respect to
the group plan, limits disclosures to the plan sponsor to information on
whether an individual is participating in the plan, or is enrolled in or
disenrolled from a health insurance issuer or HMO offered by the plan.

The group health plan documents are amended as required to incorporate
provisions to establish permitted and required uses and disclosures, and PHI
is disclosed to the plan sponsor only upon receipt of certification that the
documents have been amended for specific, limited reasons, e.g., that no use
or further disclosure other than that permitted or required will be made.

Plan documents ensure adequate separation between the group health plan
and the plan sponsor by describing employees or classes of employees to


whom PHI may be disclosed, restricting access and use by such persons or
classes of persons to administrative functions the plan sponsor performs,
and providing an effective mechanism for resolving issues of
noncompliance with the plan document provisions.

Control Standard Mapping:
 HIPAA § 164.504(f)
