HITRUST CSF 06.0 Compliance

The HITRUST Common Security Framework (CSF) reports provide available documentation and compliance artifacts that help you demonstrate compliance with HITRUST CSF control categories, as outlined in the HITRUST Risk Management Framework.

The HITRUST CSF 06.0 Compliance report provides guidance on how to access configuration features in the Alert Logic console that help you demonstrate compliance with Control Category 6.0.

To access the HITRUST CSF 06.0 report:

  1. In the Alert Logic console, click the menu icon (), and then click Validate.
  2. Click Reports, and then click Compliance.
  3. Under HITRUST CSF, click VIEW.
  4. Click HITRUST CSF 06.0 Compliance.

To refine your findings, you can filter your report by date range and customer account.

By default, Alert Logic includes (All) filter values in the report.

To add or remove filter values:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

The report summary page displays two columns. Control References lists each procedure that is required to meet the selected control objective. Available Documentation and Artifacts describes, and contains links to, the documentation and compliance artifacts that this report can demonstrate compliance with each control objective.

Available Documentation and Artifacts

This report provides access to features in the Alert Logic console that help you demonstrate compliance with the following control objectives in Control Category 06.0:

  • 06.01 Compliance with Legal Requirements
  • 06.03 Information System Audit Considerations

Control Objectives 06.01 Compliance with Legal Requirements

This section consists of implementation requirements that help you demonstrate compliance with Control Objective 06.01 Compliance with Legal Requirements. This control objective requires you to demonstrate that the design, operation, use, and management of information systems adheres to applicable laws, statutory, regulatory or contractual obligations, and any security requirements.

Control Reference 06.d (Level 1 Implementation Requirements)

Alert Logic offers guidance for Control Reference 06.d Data Protection and Privacy of Covered Information in Control Objective 06.01 Compliance with Legal Requirements. This control reference specifies that all relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.

Organizational data protection and privacy policy

A portion of the Level 1 implementation for Control Reference 06.d requires proof that an organizational data protection and privacy policy is developed and implemented. This implementation also requires that the policy to be communicated to all persons involved in the processing of covered information, and supported by management structure and control.

Alert Logic does not provide data for this portion of the Level 1 implementation for Control Reference 06.d. You must provide the policy and procedure documents for this audit.

Technical security controls

Another portion of the Level 1 implementation for Control Reference 06.d requires that technical security controlsincluding access controls, special authentication requirements, and monitoringand organizational measures to protect covered information are implemented. This section provides you with the following links for quick access to appropriate pages in the Alert Logic console:

Development and implementation of privacy policies and procedures

Another portion of the Level 1 implementation for Control Reference 06.d requires proof of responsibilities that include the development and implementation of privacy policies and procedures. The privacy policy and procedure must serve as the point of contact for all privacy-related issues, including the receipt of privacy-related complaints, and providing privacy-related guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that are listed in the HITRUST Risk Management Framework.

Alert Logic does not provide data for this portion of the Level 1 implementation for Control Reference 06.d. You must provide the policy and procedure documents for this audit.

Control Objectives 06.03 Information System Audit Considerations

This section consists of specifications to meet the requirements for Control Objective 06.03 Information System Audit Considerations. This control objective requires you to ensure the integrity and effectiveness of the information systems audit process.

Control Reference 06.j (Level 1 Implementation Requirements)

Compliance with Control Reference 06.j Protection of Information Systems Audit Tools requires you demonstrate that access to information systems audit tools is protected to prevent any possible misuse or compromise.

This section provides you with a link for quick access to a list of users in the Alert Logic console that have access to information systems audit tools.