| Your Challenge: | Implement security services that enable you to assess, execute, monitor, and audit your information security program using an existing, proven security framework. |
Some standards lack specific technical detail and guidance, but provide an overall program structure and the security management guidance that’s necessary to implement and maintain an effective security program. Most notably, the standards that help define this overall framework include ISO, COBIT, COSO, and HITRUST CSF.
| The Solution: | ActiveGuard managed services, SaaS self-service assessment, and security consulting services built to satisfy both common security frameworks and specific compliance requirements. |
ISO/IEC 27002:2005
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provide best practice recommendations on information security management and program elements. ISO defines the broadest structure of an effective overall program, supporting “information security” as a systems issue that includes technology, practice, and people, and describes the need for a formal “security program”.
COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices for IT management. COBIT focuses on defining program and management control functions. It is designed to help ensure IT programs are implemented and managed effectively so that the organization gets the most from its technology investment. While not specifically a security standard, strong COBIT compliance typically indicates a higher quality of control over internal practices, which helps manage an effective security infrastructure and reflects sound business practice.
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defined the control objectives in its Internal Control – Integrated Framework, the widely accepted control framework for enterprise governance and risk management and for similar compliant frameworks. COSO defines a set of business, management, and security-relevant controls that can be used to demonstrate good business practice controls and to show compliance with Sarbanes-Oxley requirements.
HITRUST CSF
Developed in collaboration with healthcare and information security professionals, the Common Security Framework (CSF) is the first IT security framework developed specifically for healthcare information.
The HITRUST CSF:
- Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT
- Scales according to type, size and complexity of an implementing organization
- Provides prescriptive requirements to ensure clarity
- Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
- Allows for the adoption of alternate controls when necessary
- Evolves according to user input and changing conditions in the healthcare industry and regulatory environment
Solutionary is a HITRUST Common Security Framework (CSF) Assessor.
This means we are able to deliver healthcare certification work, including readiness assessments and remediation associated with the CSF. In addition to the organizational certification, Solutionary has a team of security professionals certified as CSF Practitioners for effective and efficient implementation of the CSF.
| Compliance Activity | Solutionary Services and Capabilities | Regulatory Mapping |
| --- | --- | --- |
| Assess; Measure Gaps | SecurCompass SaaS Self-Assessment | ISO/IEC 27001/2:2005 |
| Remediation; Enhancement | Security Consulting Services; Certified HITRUST CSF Practitioners | ISO/IEC 27001/2:2005 |
| Execute and Monitor Security Program | ActiveGuard Log Management | 152 of 191 ISO security controls |
| Demonstrate Compliance | ActiveGuard Evidence & Log Vault; ActiveGuard Security & Compliance Reporting | 33 ISO security controls with auditing and reporting requirements; 23 COBIT controls with auditing and reporting requirements; 23 COSO controls with auditing and reporting requirements; 42 CSF security specifications with auditing and reporting requirements |