Earlier this month, we discussed how achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) gives you plenty of overlap compliance with the EU’s General Data Protection Regulation (GDPR). Now you can apply the standards you meet by achieving System and Organization Controls 2 (SOC 2) compliance with the Health Information Trust Alliance (HITRUST) framework for additional streamlining of your regulatory obligations.
HITRUST has partnered with the American Institute of CPAs (AICPA) to develop and publish guidance to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting.
As you know, an SOC 2 report is intended to meet the needs of a range of users who need to understand internal control at a service organization as it relates to one or more of the AICPA’s Trust Services criteria of security, availability, processing, integrity, confidentiality, or privacy.
An SOC 2 exam is similar in structure to SOC 1 reporting, but also allows the flexibility to incorporate additional suitable criteria. For example, criteria that adhere to public, industry-specific frameworks like HITRUST CSF are applicable.
HITRUST also has developed a standard report that provides a consistent representation of risk exposure, compliance posture, and corrective actions that allow for benchmarking of results against security practices at similar organizations in the industry. However, requests come in for other reporting attributes, such as response to security questionnaires, requests for proposals, description of processes and controls implemented to satisfy the HITRUST CSF, and assurance that controls have operated as designed, for a fixed and continuous period. This means the HITRUST reporting model is complementary since both are facilitated through the efficient assessment and implementation of controls to satisfy the CSF.
Since SOC 2 is a reporting format and not a security framework, your best bet is to issue an SOC 2 report on the HITRUST CSF control requirements, using these requirements as the basis of your organization’s cybersecurity and information protection program. To support this approach, the AICPA’s Trust Services Criteria has been aligned to the HITRUST CSF, which provides standard and comparable requirements for use in SOC 2 reporting.
Did you follow that alphabet soup of regulatory compliance? Depending on your industry, you may need to comply with HITRUST and SOC 2, as well as any number of additional regulations or CSFs. You don’t have to navigate these waters on your own. Partner with 2W Tech and take advantage of our comprehensive Cybersecurity Compliance Program. Contact us today.