After months of preparation, your organization successfully navigated a HITRUST-validated assessment and achieved HITRUST certification – but what comes next?
This article will focus on some general practices and techniques that will allow your organization to continually improve the information security posture of the organization in an effort to maintain a state of readiness to successfully navigate the inevitable: your next validated assessment.
The guidance contained within this article will be somewhat specific to HITRUST assessments, but will be equally relevant to any organization that maintains any form of GRC program, including those maintaining compliance with SOC 1, SOC 2, FedRAMP, HIPAA, NIST 800-171, or others.
What Are Common Post-Assessment Mistakes?
There is a common theme with organizations that struggle to maintain their compliance programs following a major accomplishment such as HITRUST certification. Here are a few of the leading challenges organizations face, and over the years, we have found these to be some of the most negatively impactful scenarios based on our observations.
Failing to Maintain Momentum
Leading up to a compliance audit or HITRUST-validated assessment, there tends to be a lot of energy within the organization. Management has been heavily involved and is very interested in seeing the endeavor succeed. This energy flows down to operational groups who in turn apply significant effort to navigate the assessment process. However, once the assessment is over and certification is achieved, there is a tendency to take a deep breath and relax, get back to a normal workflow, and slow down a bit. When this happens, routines are lost, controls may not be executed as designed, and when the next assessment comes around, evidence may be lacking.
Personnel Turnover
Turnover of key personnel can also have a significant impact on the ability of an organization to maintain a compliance program. There are many recurring tasks that need to be performed on various schedules, and when turnover of significant roles occurs, the likelihood of critical tasks being neglected increases significantly.
Significant Organizational Changes
When a major change occurs within an organization (merger, acquisition, new product rollout, enterprise reorganization, etc.) it typically has a significant impact on security and compliance programs. Mergers and acquisitions are particularly challenging because they often involve the combination of two different entities utilizing different platforms, systems, security programs, and organizational cultures. This scenario can create a significant amount of confusion/misalignment between the organizations if transitions are not carefully managed to ensure roles and responsibilities are clearly defined and communicated within the environment.
How to Maintain HITRUST Certification
When considering the scenarios above, it is important to remember that it is not the fact that there is a loss of momentum, the occurrence of personnel turnover, or the execution of a merger that creates challenges – it’s the fact these events can distract personnel from the activities that are so vital to the maintenance of the information security program.
It is fair to acknowledge that information security and compliance programs vary broadly between organizations. Some are very structured and some are less structured. Some are driven largely by one individual, and some are directed by a team or group of subject matter experts from across the organization. There is no right or wrong way to design an information security or compliance program since the nature of the program will tie to the culture of the organization.
Strategies for Successful HITRUST Program Management
In the following sections, we will talk about some strategies to assist organizations in maintaining information security and compliance programs in a manner supporting efforts to continually demonstrate compliance with any chosen framework.
Develop & Maintain Information Security Program Schedules
Within any information security and compliance program, there is a given set of objectives the organization wishes to implement. Some of these are executed as-needed (i.e. onboarding tasks, change management functions), while others are executed against some cadence (i.e. quarterly access reviews, annual risk assessments, monthly vulnerability scanning), and others are more continuous in nature (i.e. SIEM solutions, DLP configurations). It is important to turn the various requirements within applicable frameworks into a schedule or “compliance calendar” and then automate, to the extent possible, the tasks associated with these actions.
Most successful organizations do not rely on individuals individually tracking the completion of tasks associated with compliance. Instead, they rely on automations built into task tracking tools such as Asana, Smartsheet, ClickUp, or more formal compliance automation and GRC tools which are broadly marketed within the industry. If the organization has the in-house expertise to configure task-tracking tools, then that is often the less costly method. If the organization lacks the expertise to manage task-tracking tools, then a more formal GRC tool often provides a higher level of assurance since they often create the cadences and accountability as a core component of the platform.
In addition, GRC and compliance tools will often facilitate the execution of activities including access reviews, vendor reviews, etc. That said, these tools can be costly and in more mature organizations, the expense is sometimes not worth the investment when balanced with internal capabilities.
Implement a Team-Based Approach to Compliance
Organizations struggling with turnover are often the same organizations that are over-reliant on a small number of individuals (often only one) as part of the assessment process. As stated above – when a central individual is pivotal to the information security program, any turnover involving that role is likely to have a negative impact on the compliance program. The first way to address this is to implement the tracking and automation mentioned previously.
The second way to address this issue is to reduce dependence on any one individual by creating a team-based approach to compliance and effectively delegating tasks to other personnel within the organization. That is not to say that one individual cannot act as the central resource for the compliance program, but it is more about engaging others within the organization to create cross-organizational accountability, creating an environment where the central resource or “project manager” is primarily responsible for monitoring the completion of activities by other personnel using the tools addressed above.
Leverage the Risk Assessment Process to Manage Change
A risk assessment should not be looked upon as an archival document to be picked up and dusted off only once a year as a precursor to an audit. Organizations should continually leverage the risk assessment process as a mechanism to ingest, analyze and address a variety of factors that will likely occur over the course of time.
Excellent examples of this include mergers, organizational restructuring, and incidents, as well as relevant findings from audits, vulnerability assessments, and pen tests. When these events or other significant changes occur within the organization, management can collaboratively engage with the compliance team to consider risks associated with these items and document probability, impact, and planned risk treatments, as well as follow-up actions and responsible parties.
When properly managed, the risk assessment and risk register become a living document that helps guide organizational priorities and activities.
The Bottom Line: HITRUST Compliance Program Maintenance
Just as any organization must maintain the information security program in terms of policy and procedure reviews, tool configurations, and other activities, it must maintain the overall compliance program to ensure that:
- Controls intended to address specific requirements continue to be appropriate for the organization based on an assessment of risk.
- Controls are effectively implemented and executed as required based on the necessary cadence.
This is especially important for any activities which must be performed at a specific point of time, or on a given cadence, because it is not possible to go back in time and perform some function that was not performed at the proper time.
Organizations should commit to developing and maintaining information security program schedules, implementing a team-based approach to compliance, and leveraging the risk assessment process to aid the organization in managing change. If properly executed, the organization will be able to maintain an effective information security program that continually improves the security posture of the organization, as well as maintains a strong level of compliance as a byproduct of security.
What Are Your Next Steps?
Remember, achieving and maintaining HITRUST certification is an ongoing commitment, but the benefits are an investment in the future of your organization. Take charge of your cybersecurity posture and demonstrate your dedication to safeguarding information.
Linford & Company is here to support your organization’s journey to continuous compliance and certification. Reach out for expert guidance and tools that will make your HITRUST compliance journey smoother than ever.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.