HITRUST CSF 03.0 Risk Management

The HITRUST Common Security Framework (CSF) reports provide available documentation and compliance artifacts that help you demonstrate compliance with HITRUST CSF control categories, as outlined in the HITRUST Risk Management Framework.

The HITRUST CSF 03.0 Risk Management report describes how to use and access vulnerability, threat risk index, and threat response reporting features in the Alert Logic console that help demonstrate compliance with Control Category 03.0.

To access the HITRUST CSF 03.0 report:

  1. In the Alert Logic console, click the menu icon, and then click Validate.
  2. Click Reports, and then click Compliance.
  3. Under HITRUST CSF, click VIEW.
  4. Click HITRUST CSF 03.0 Risk Management.

To refine your findings, you can filter your report by date range and customer account.

By default, Alert Logic includes (All) filter values in the report.

To add or remove filter values:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

The report summary page displays two columns. Control References lists each procedure that is required to meet the selected control objective. Available Documentation and Artifacts describes, and contains links to, the documentation and compliance artifacts that can demonstrate compliance with the control objective.

Available Documentation and Artifacts

This report provides documentation and artifacts that help you demonstrate that you have developed and implemented a Risk Management Program sufficient to comply with Control Reference 03.b Perform Risk Assessments in Control Category 03.0.

This report includes links for quick access to pages in the Alert Logic console, where you can access vulnerability assessment findings, threat risk index findings, and threat responses.

Control Reference 03.b (Level 1 Implementation Requirements)

Control Reference 03.b Perform Risk Assessments requires that you perform risk assessments consistently and identify security risks to the organization. You must account for risks from sources including prior incidents experienced, changes in the environment (for example, new methods of attack, new sources of attack, and new vulnerabilities), and any supervisory guidance, such as advice from third-party consultants.

Risk assessments may be quantitative, semi-quantitative, quasi-quantitative, or qualitative but must be consistent and comparable, so the resources to manage risk can be prioritized. You must perform risk assessments at planned intervals, or when major changes occur in the environment, and review the results annually.

This report section provides you with the following links for quick access to appropriate pages in the Alert Logic console that illustrate compliance with procedures in Control Reference 03.b:

  • Vulnerability assessment findings in the Vulnerabilities group of the Reports page to review summary, distribution, and trending data for vulnerabilities identified in your environment.
  • Threat risk index findings in the Risk group of the Reports page to review summary and trending data for the threat risk index scores for the deployments and networks in your environment.
  • Threat responses in the Incidents page to review security incidents detected in your environment and the actions taken in response.