The HITRUST Shared Responsibility Matrix – the Assessor’s Point of View

HITRUST® announced the availability of the new Shared Responsibility Program and MatrixTM Version 1.0 to help communicate and assign security and privacy responsibilities between cloud service providers (CSPs) and their customers. Coalfire is proud that we helped develop the Matrix as part of the Shared Responsibilities Working Group and we appreciate the opportunity to offer some thoughts from the assessor’s perspective.

Matrix Definition and Usage
The Shared Responsibility Matrix is a common model that provides clarity, education, and guidance to help organizations understand the appropriate terms to use when discussing shared responsibility issues. It can also be used as a high-level planning document to understand which aspects of cloud architecture and operations require adjustments in terms of ownership and responsibility that may translate into changes to operations or budget planning.

We encourage organizations to first review the publicly available documents to understand the new terminology and standards, and then begin preparations for inheriting cloud-provider controls in a timely and accurate manner for upcoming HITRUST assessments. 

For those future assessments, it’s important to note that guidelines addressing parties’ previous responsibilities for control requirement ownership may need to be changed based on the clarity and guidance set forth in the new Shared Responsibility Matrix. At a minimum, a review of the new Matrix’s control ownership and inheritance standards should be completed in case operational or budget concerns are identified and need to be addressed. The review should be conducted in advance of your next scheduled HITRUST assessment to allow for remediation or improvements.

The full version of the Shared Responsibility Matrix that’s available to subscribers of HITRUST’s MyCSF® tool provides comprehensive guidance by both unique control identifier and cloud-provider type. Each unique control contains the information identifying whether the control is Fully, Partially, or Not Inheritable and further delineated by SaaS, PaaS, IaaS and Colocation categories. We recommend that organizations review the detailed “by-control” matrix to ensure there are no changes to an existing understanding or configuration of a shared control, as it will take time to apply changes prior to the next scheduled assessment.

The control-level guidance clarifies which controls, or portions of a control, are inheritable from the CSP and identifies which controls/portions that are their customers responsibility. In most cases, the CSP will provide configuration guidance for shared controls – especially those that are required as a result of cloud configuration requirements, or that contain sensitive information such as protected health information (PHI), personally identifiable information (PII), credit card data, etc. Some CSPs are providing configuration guidance that improves their customers’ understanding of what parts of the process are their responsibility.

Benefits of Using the Matrix
What are the next steps now that the Matrix has arrived? CSPs will move forward with creating customized Matrices that further define Service, Application, or Configuration responsibilities between the provider and the customer. Each customized Matrix will further enhance control responsibility understanding, provide for smoother assessments, and help improve security posture for organizations using the cloud.

For us at Coalfire, the Matrix provides substantial benefits in assessment costs, accuracy of control ownership, and overall security posture improvements for our customers. Assessment costs will be lower due to the reduction in the number of controls to be assessed based on the model. When assessments are initially scoped, having the Matrix available as part of the scoping process will help us identify which controls will not have to be assessed (because they will be inherited from the CSP Object), thus reducing the overall control count.

When we assess organizations with cloud-based operations, we often discover misunderstandings about who owns the responsibility for a control, or even which portion of a control. This confusion can result in a non-passing score for that control based on an incorrect assumption that the CSP was responsible for ensuring that all control elements have been addressed. With the Matrix now available, we highly recommend that prior to their HITRUST assessment, organizations first conduct a gap analysis of their cloud environment controls to resolve control ownership questions.

A huge benefit to organizations will be the opportunity for improved security posture based on an accurate understanding of control ownership. If you clearly understand your control responsibilities and enable operations or configurations to support that control, an upgraded security posture is within reach. As cloud architectures have become commonplace and cost-effective, the learning curve for how to secure data, applications, and processes in the cloud hasn’t caught up with adoption rates and complexities often found with the cloud. We only need to watch the news to see that many breaches have occurred due to misconfigured cloud storage or access control processes. The new Matrix provides clarity and guidance at the individual control level for a reduced learning curve.

Other Notable Matrix Features
Along with the new Matrix comes the ability (in the MyCSF tool) to inherit controls previously assessed by the CSP. After the early-adopter phase concludes later this year, organizations will be able to inherit or import CSP controls and scores directly into their own MyCSF Object. No phone calls to the cloud provider, no meetings with the assessor, no wondering who should score what control – it will all be condensed into MyCSF for automatic import. A quick review of the Matrix shows which controls to select for inheritance.

The new Matrix also adds value to vendor assessment, risk, and compliance programs. Many third-party partners and supply chain vendors have access to an organization’s on-prem or cloud-based applications or operations, and the Matrix helps define responsibilities. Whether or not the organization or its vendors plan to conduct HITRUST assessments, the Matrix is an extremely useful model of control responsibility for any environment with multiple tenants, multiple-organization access, or data connections to diverse environments.

Again, Coalfire is proud to have played a role in the development of the new HITRUST Matrix, and we’re excited about the benefits that it brings to our clients and our assessor teams. As members of the Working Group, we are happy to discuss the Matrix in detail and to share our knowledge to help you plan your future assessments.

How can we help?