Knowledge

6/14/2022

Mandatory Manual Reviews and Audits – HITRUST Requirements.

Digital Edge's Compliance team has noticed that organizations and IT/compliance groups lack understanding of mandates for scheduled reviews and audits.

Each cybersecurity standard or framework has its own unique requirements. This article provides information on minimal required reviews and audits by HITRUST standard.

List of reviews HITRUST

 

Description of review

Frequency/Occurrence

Evidence

1

Review of information protection program covering:

- documentation of the program

- organization of the program

- objectives of the program

- roles and responsibilities of employees of a company

- allocated resources (employees, technical solutions)

- testing

- training

- monitoring activities

- status and update, if required, of security contact persons for each major organizational area or business unit

- disciplinary process for complying with the program

- review of feedback from employees regarding the program

- information classification and handling

- security requirements analysis and specification.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

2

Review of policies and procedures covering:

- applicable industry standards applicable to a company’s operations

- change management processes, policies and procedures

- processes, policies and policies for user registration, identification, authentication, removal of users rights

- session time-out

- clear desk and clear screen policies

- review of information exchange policies and procedures

- review of policy on use of cryptographic controls

- review of electronic messaging policies and procedures

- review of information access restriction

- review of prevention of misuse of information assets

- review of segregation of duties

- privileged users management

- acceptable use of assets

- disciplinary process for employees and contractors

- roles and responsibilities with the organization

- disposal of media processes, policies and procedures

- disposal and reuse of equipment

- data protection and privacy of covered information related processes, policies and procedures

- protection of organizational records

- updating of existent policies and procedures to reflect required changes.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

3

Internal Audit covering:

- information protection program

- regular reviews of monitoring activities.

every 12 months

Results of the review in the form of detailed report

4

Management Review covering:

- review of existent information protection program

- scope and applicability of information protection program

- risks assessment and mitigation

- Internal Audit results

- remediation plan

- improvement plan

- review of feedback from employees regarding the program.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

5

Review of anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution.

every 3 months

Results of the review in the form of memo or report (can be short or detailed report)

6

Review of protection against mobile code covering:

- automated controls to authorize or restrict the use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, postscript, Shockwave movies, and Flash animations)

- usage and updating of mobile code protection, including anti-virus and anti-spyware.

every 3 months

Results of the review in the form of memo or report (can be short or detailed report)

7

Review of the management of renewable media covering:

- registration of removable media

- control of removable media

- restricted use and safeguards of removable media.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

8

Review of mobile computing and communication covering whether:

- mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, or equivalent functionality, secure configurations, and physical protections

- the organization monitors for unauthorized connections of mobile devices

- specially configured mobile devices are issued for personnel travelling to high risk locations and are checked for malware and physical tampering upon return

- if it is determined that encryption is not reasonable and appropriate, the organization documents its rationale and acceptance of risk

- a documented list of approved application stores has been defined as acceptable for mobile devices accessing or storing entity (client) or cloud service provider-managed client data, and the use of unapproved application stores is prohibited for company-owned and BYOD mobile devices. Non-approved applications or approved applications not obtained through approved application stores are prohibited

- the organization prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)

- personnel using mobile computing devices are trained on the risks, the controls implemented, and their responsibilities (e.g., shoulder surfing, physical protections).

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

9

Review of teleworking checking whether:

- teleworking activities are only authorized if security arrangements and controls that comply with relevant security policies and organizational requirements are in place

- suitable protections of the teleworking site are in place to protect against the theft of equipment and information, the unauthorized disclosure of information, and unauthorized remote access to the organization's internal systems or misuse of facilities

- personnel who telework are trained on the risks, the controls implemented, and their responsibilities.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

10

Access Review checking whether:

- vendor defaults for wireless access points are changed prior to authorizing the implementation of the access point

- Wireless access points are configured with strong encryption (AES WPA2 at a minimum)

- wireless access points are placed in secure locations

- the ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications

- requirements for network routing control are based on the access control policy, including positive source and destination checking mechanisms, such as firewall validation of source/destination addresses, and the hiding of internal directory services and IP addresses. The organization designed and implemented network perimeters so that all outgoing network traffic to the Internet passes through at least one application layer filtering proxy server. The proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. The organization forces outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter

- the organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains

- access of privileged users.

every 3 months

Results of the review in the form of memo or report (can be short or detailed report)

11

Review and update, if required, of Network Diagram

every 6 months

Results of the review in the form of memo or report (can be short or detailed report)

12

Suppliers Review checking whether:

- agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely

- formal agreements with external information system providers include specific obligations for security and privacy

- the organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services

- the contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared

- the organization identifies and mandates information security controls to specifically address supplier access to the organization's information and information assets

- the organization maintains written agreements (contracts) that include: (i) an acknowledgement that the third-party (e.g., a service provider) is responsible for the security of the data and requirements to address the associated information security risks; and, (ii) requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain

- the agreement ensures that there is no misunderstanding between the organization and the third-party and satisfies the organization as to the indemnity of the third-party

- the organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers that are coordinated and aligned with internal security roles and responsibilities

- the organization ensures a screening process is carried out for contractors and third-party users, and, where contractors are provided through an organization, the contract with the organization clearly specifies (i) the organization's responsibilities for screening and the notification procedures they need to follow if screening has not been completed, or if the results give cause for doubt or concern; and, (ii) all responsibilities and notification procedures for screening.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

13

Review of network access and controls checking whether:

- routing controls are implemented through security gateways (e.g., firewalls) used between internal and external (e.g., the Internet and third-party networks)

- the organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative

- the organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access

- the organization formally manages equipment on the network, including equipment in user areas

- the organization reviews and updates the interconnection security agreements on an ongoing basis, verifying enforcement of security requirements

- the organization employs and documents in a formal agreement or other document either i) allow-all, deny-by-exception, or ii) deny-all, permit-by-exception (preferred)policy for allowing specific information systems to connect to external information systems

- the organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization.

every 3 months

Results of the review in the form of memo or report (can be short or detailed report)

14

Review of controls of operational software checking whether:

- only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release

- applications and operating systems are tested for usability, security, and impact prior to production

- the organization uses its configuration control program to maintain control of all implemented software and its system documentation, and archives prior versions of implemented software and associated system documentation

- operational systems only hold approved programs or executable code

- the organization maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier and uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application.

If systems or system components in production are no longer supported by the developer, vendor, or manufacturer, the organization is able to provide evidence of a formal migration plan approved by management to replace the system or system components

- a rollback strategy is in place before changes are implemented, and an audit log is maintained of all updates to operational program libraries

- physical or logical access is only given to suppliers for support purposes when necessary, with management approval, and such access is monitored

- the operating system has in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline

- the organization prevents program execution in accordance with the list of unauthorized (blacklisted) software programs and rules authorizing the terms and conditions of software program usage

- the organization identifies unauthorized (blacklisted) software on the information system, including servers, workstations and laptops, employs an allow-all, deny-by-exception policy to prohibit the execution of known unauthorized (blacklisted) software on the information system, and reviews and updates the list of unauthorized (blacklisted) software periodically but no less than annually

- no malicious code is used.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

15

Technical Review covering:

- technical security configuration of systems, either manually by an individual with experience with the systems and/or with the assistance of automated software tools

- technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner

- taking of appropriate action if non-compliance is found

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

16

Inventory Review covering:

- review of maintenance of list of assets and services

- review of information lifecycle manages the secure use, transfer, exchange, and disposal of IT-related assets

- whether organization's asset inventory does not duplicate other inventories unnecessarily and ensures their respective content is aligned

- whether organization maintains an inventory of authorized wireless access points (WAPs), including a documented business justification to support unauthorized WAP identification and response

- if the organization assigns assets to contractors, it ensures that the procedures for assigning and monitoring the use of the property are included in the contract; and, if assigned to volunteer workers, there is a written agreement specifying how and when the property will be inventoried and how it will be returned upon completion of the volunteer assignment

- whether organization creates and documents the process/procedure the organization intends to use for deleting data from hard-drives prior to property transfer, exchange, or disposal/surplus.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

17

Input Data Validation Review covering:

- whether applications developed by the organization are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing

- whether applications that store, process, or transmit covered information undergo automated application vulnerability testing by a qualified party on an annual basis

- whether system and information integrity requirements are developed, documented, disseminated, reviewed, and updated annually

- whether the information system checks the validity of organization-defined information inputs for accuracy, completeness, validity, and authenticity as close to the point of origin as possible

- for in-house developed software, the organization ensures that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats

- whether procedures, guidelines, and standards for the development of applications are periodically reviewed, assessed, and updated as necessary by the appointed senior-level information security official of the organization

- for any public-facing web applications, application-level firewalls have been implemented to control traffic. For any public-facing applications that are not web-based, the organization has implemented a network-based firewall specific to the application type. If the traffic to the public-facing application is encrypted, the device either sits behind the encryption or is capable of decrypting the traffic prior to analysis.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

18

Sensitive System Isolation review covering whether:

- the sensitivity of applications/systems is explicitly identified and documented by the application/system owner.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

19

Review of Electronic Commerce Services and On-line Transactions checking whether:

- organization takes specific steps to ensure the confidentiality and integrity of electronic commerce is maintained

- data involved in electronic commerce and online transactions is checked to determine if it contains covered information

- security is maintained through all aspects of the transaction

- protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL).

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

20

Users Passwords Review checking whether:

- passwords are not displayed when entered

- the organization maintains a list of commonly-used, expected, or compromised passwords, and updates the list (i) at least every 180 days and (ii) when organizational passwords are suspected to have been compromised (either directly or indirectly); allows users to select long passwords and passphrases, including spaces and all printable characters; employs automated tools to assist the user in selecting strong passwords and authenticators; and verifies, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords

- the organization avoids the use of third-parties or unprotected (clear text) electronic mail messages for the dissemination of passwords

- electronic signatures that are not based upon biometrics employ at least two distinct identification components that are administered and executed

- the organization changes passwords for default system accounts, whenever there is any indication of password compromise, at first logon following the issuance of a temporary password, and requires immediate selection of a new password upon account recovery.

every 2 months

Results of the review in the form of memo or report (can be short or detailed report)

21

Review of Information Security Incident plan covering whether:

- information security events are reported

- procedure and documenting of reporting of an information security event

- the organization responds to physical security incidents and coordinates results of reviews and investigations with the organization's incident response capability

- incident response is formally managed and include specific elements

- the information gained from the evaluation of information security incidents is used to identify recurring or high-impact incidents, and update the incident response and recovery strategy

- the organization has implemented an incident handling capability for security incidents that addresses: (i) policy (setting corporate direction) and procedures defining roles and responsibilities; (ii) incident handling procedures (business and technical); (iii) communication; (iv) reporting and retention; and, (v) references to a vulnerability management program

- the organization coordinates incident handling activities with contingency planning activities

- the organization incorporates lessons learned from ongoing incident handling activities and industry developments into incident response procedures, training and testing exercises, and implements the resulting changes accordingly.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

22

Review of Information Security Awareness, Education, and Training checking whether:

- employees and contractors receive documented initial (as part of their onboarding within 60 days of hire), annual, and ongoing training on their roles related to security and privacy

- dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat

- employees sign acceptance/acknowledgement of their security and privacy responsibilities

- personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organizations systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter

- the organization maintains a documented list of each individual who completes the on-boarding process and maintains all training records for at least five years

- the organization provides incident response and contingency training to information system users consistent with assigned roles and responsibilities within 90 days of assuming an incident response role or responsibility; when required by information system changes; and within every 365 days thereafter

- the organization provides specialized security and privacy education and training appropriate to the employee's roles/responsibilities, including organizational business unit security POCs and system/software developers

- the organization provides training on BYOD usage, which includes providing an approved list of applications, application stores, and application extensions and plugins

- the organization trains its workforce to ensure covered information is stored in organization-specified locations

- the organization trains workforce members on how to properly respond to perimeter security alarms

- the organization ensures that the senior executives have been trained in their specific roles and responsibilities

- the organizations security awareness and training program (i) identifies how workforce members are provided security awareness and training, and the workforce members who will receive security awareness and training; (ii) describes the types of security awareness and training that is reasonable and appropriate for its workforce members; (iii) how workforce members are provided security and awareness training when there is a change in the organizations information systems; and, (iv) how frequently security awareness and training is provided to all workforce members.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

23

Risk Review covering:

- identification of risks related to third parties

- risk assessment and acceptance criteria

- risk identification and periodical review of such risks

- risk treatment/mitigation options and actual treatment of each risk

- review of controls to mitigate or minimize risks

- risk treatment plan

- risk owners and risk approvers

- risk treatment plan with allocated risk owners, resources and timeline.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

24

Customers Data Security Review checking whether:

- the organization ensures that customers are aware of their obligations and rights, and accept the responsibilities and liabilities involved in accessing, processing, communicating, or managing the organization's information and information assets

- the organization permits an individual to request restriction of the disclosure of the individual's covered information to a business associate for purposes of carrying out payment or health care operations, and is not for purposes of carrying out treatment, and responds to any requests from an individual on the disclosure of the individual's covered information

- the public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

25

Business Continuity Plan review checking whether:

- the organization can recover and restore business operations and establish an availability of information in the time frame required by the business objectives and without a deterioration of the security measures

- the contingency program addresses required capacity, identifies critical missions and business functions, defines recovery objectives and priorities, and identifies roles and responsibilities

- copies of the business continuity plans are distributed to key contingency personnel.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

26

Back-up Review checking whether:

- backup copies of information and software are made, and tests of the media and restoration procedures are regularly performed at appropriate intervals

- a formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements

- the backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location

- inventory records for the backup copies, including content and current location, are maintained

- when the backup service is delivered by the third-party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information

- workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

27

Physical Environment and Entry review checking whether:

- accessibility and usage of protection from environmental threats (fire extinguishers, etc.)

- visitor and third-party support access is recorded and supervised unless previously approved

- areas where sensitive information (e.g., covered information, payment card data) is stored or processed are controlled and restricted to authorized individuals only

- repairs or modifications to the physical components of a facility which are related to security (e.g., hardware, walls, doors and locks) are documented and retained in accordance with the organization's retention policy

- the organization develops, approves and maintains a list of individuals with authorized access to the facility where the information system resides; issues authorization credentials for facility access; reviews the access list and authorization credentials periodically but no less than quarterly; and removes individuals from the facility access list when access is no longer required

- for facilities where the information system resides, the organization enforces physical access authorizations at defined entry/exit points to the facility where the information system resides, maintains physical access audit logs, and provides security safeguards that the organization determines necessary for areas officially designated as publicly accessible.

every 12 months

Results of the review in the form of memo or report (can be short or detailed report)

28

Equipment Maintenance Review covering whether:

- the organization maintains a list of authorized maintenance organizations or personnel, ensures that non-escorted personnel performing maintenance on the information system have required access authorizations, and designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations

- the organization obtains maintenance support and/or spare parts for defined key information system components (defined in the applicable security plan) within the applicable Recovery Time Objective (RTO) specified in the contingency plan

- maintenance and service are controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies and the organizations maintenance program, taking into account whether this maintenance is performed by personnel on site or external to the organization.

every 3 months

Results of the review in the form of memo or report (can be short or detailed report)

 

 

Michael Petrov
Founder, Chief Executive Officer

Michael brings 30 years of experience as an information architect, optimization specialist and operations’ advisor. His experience includes extensive high-profile project expertise, such as mainframe and client server integration for Mellon Bank, extranet systems for Sumitomo Bank, architecture and processing workflow for alternative investment division of US Bank. Michael possesses advanced knowledge of security standards such as ISO 27001, NIST, SOC and PCI that brings into any solutions delivered by Digital Edge. Security solutions and standards are expended into public cloud such as AWS and Azure.

Was this article helpful?