The HITRUST Common Security Framework (CSF) outlines requirements for control specifications (security requirements) to meet compliance objectives such as ISO, HIPAA, and GDPR. These implementation requirements are categorized into three levels (L1, L2, L3) based on the customer's risk and user profile. Any organization whose business functions focus on health care systems, patient information, medical records and the like must at least follow the implementation requirements specified under L1.

L1 contains the baseline implementation requirements for each security requirement. For example, L1 specifies basic access control policies that limit access to systems for all users and system components. L1 is suitable for organizations with low to moderate risk profiles.

L2 adds further implementation requirements to the security requirements from L1. These additions provide more granular steps for strengthening each security requirement. The implementation procedures specified under L2 include the L1 requirements plus the use of role-based access control (RBAC) mechanisms. L2 is suitable for organizations with high-risk profiles.

L3 adds extensive implementation steps to the security requirements from L1 and L2, and is recommended for customers with higher risk profiles. The implementation procedures specified under L3 include the requirements from L1 and L2 plus monitoring of privileged roles for anomalous behavior. L3 is suitable for larger organizations with higher risk profiles and threat exposures.
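To make the three tiers concrete, the following is an added Python example; it is not Oak9 code and not a mechanism HITRUST prescribes. A per-user allow list stands in for the L1 baseline access control, a role-to-permission table implements the L2 RBAC step, and a check over privileged-role events implements the L3 monitoring step by flagging out-of-role actions, off-hours activity and unfamiliar source addresses. All users, roles, systems, addresses and events are constructed assumptions.

```python
"""Three HITRUST CSF implementation tiers expressed as access-control code.

Added example (not Oak9 code). Every identifier below is constructed:
- L1: a baseline allow list of which users may reach which systems.
- L2: RBAC, permissions granted through roles rather than per user.
- L3: monitoring privileged-role activity for anomalous behaviour.
"""
from dataclasses import dataclass

# --- L1: baseline access control (constructed per-user allow list) ---
L1_ALLOW = {
    "alice": {"ehr-db"},
    "bob": {"ehr-db", "billing"},
}


def l1_allowed(user, system):
    """Baseline check: may this user reach this system at all?"""
    return system in L1_ALLOW.get(user, set())


# --- L2: role-based access control (constructed roles and permissions) ---
ROLE_PERMS = {
    "clinician": {("ehr-db", "read")},
    "billing-clerk": {("billing", "read"), ("billing", "write")},
    "db-admin": {("ehr-db", "read"), ("ehr-db", "write"), ("ehr-db", "admin")},
}
PRIVILEGED_ROLES = {"db-admin"}
USER_ROLES = {"alice": {"clinician"}, "bob": {"billing-clerk"}, "carol": {"db-admin"}}


def l2_allowed(user, system, action):
    """RBAC check: is (system, action) granted by any role the user holds?"""
    return any((system, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def is_privileged(user):
    return bool(USER_ROLES.get(user, set()) & PRIVILEGED_ROLES)


# --- L3: monitoring privileged roles for anomalous behaviour ---
@dataclass
class Event:
    user: str
    system: str
    action: str
    hour: int   # hour of day, 0-23
    src: str    # source address of the session


def l3_anomalies(events, baseline_src, business_hours=range(8, 18)):
    """Return (event index, reason) pairs for anomalous privileged-role activity.

    baseline_src maps each privileged user to the source addresses they
    normally connect from (constructed here; in practice learned from history).
    """
    findings = []
    for i, ev in enumerate(events):
        if not is_privileged(ev.user):
            continue  # L3 focuses on privileged roles only
        if not l2_allowed(ev.user, ev.system, ev.action):
            findings.append((i, "privileged user attempted action outside assigned role"))
        if ev.hour not in business_hours:
            findings.append((i, "privileged action outside business hours"))
        if ev.src not in baseline_src.get(ev.user, set()):
            findings.append((i, "privileged action from source not in baseline"))
    return findings


# Constructed sample activity, one normal privileged event and three anomalies.
BASELINE_SRC = {"carol": {"10.0.0.5"}}
EVENTS = [
    Event("carol", "ehr-db", "admin", 10, "10.0.0.5"),     # normal
    Event("carol", "ehr-db", "admin", 2, "10.0.0.5"),      # off-hours
    Event("carol", "ehr-db", "admin", 11, "203.0.113.9"),  # unfamiliar source
    Event("alice", "ehr-db", "read", 9, "10.0.0.7"),       # not privileged, ignored
    Event("carol", "billing", "write", 12, "10.0.0.5"),    # outside her role
]

if __name__ == "__main__":
    for idx, reason in l3_anomalies(EVENTS, BASELINE_SRC):
        print(f"event {idx}: {reason}")
```

The point of the layering is that each tier reuses the one below it: the L3 monitor calls the L2 RBAC check to decide what "outside the assigned role" means, and L2 narrows the L1 allow list from "which systems" to "which actions on which systems".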

Oak9 enables organizations to quickly monitor and maintain HITRUST CSF trust through continuous analysis of an organization's infrastructure.
