HITRUST CSF 06.0 Compliance

The HITRUST Common Security Framework (CSF) reports provide available documentation and compliance artifacts that help you demonstrate compliance with HITRUST CSF control categories, as outlined in the HITRUST Risk Management Framework.

The HITRUST CSF 06.0 Compliance report provides guidance on how to access configuration features in the Alert Logic console that help you demonstrate compliance with Control Category 6.0.

To access the HITRUST CSF 06.0 report:

  1. In the Alert Logic console, click the menu icon, and then click Validate.
  2. Click Reports, and then click Compliance.
  3. Under HITRUST CSF, click VIEW.
  4. Click HITRUST CSF 06.0 Compliance.

The report summary page displays two columns. Control References lists each procedure that is required to meet the selected control objective. Available Documentation and Artifacts describes, and links to, the documentation and compliance artifacts that this report provides to help you demonstrate compliance with each control objective.

Filter the report

To refine your findings, you can filter your report by date range and customer account.

Filter the report using drop-down menus

By default, Alert Logic includes (All) values for most filters in the report.

To add or remove filter values:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

Schedule the report

After you finish setting up the report, you can use CREATE REPORT to run it periodically and subscribe users or an integration (such as a webhook) to receive a notification when the report is generated. To learn how to schedule the report and subscribe notification recipients, see Scheduled Reports and Notifications.

Available Documentation and Artifacts

This report provides access to features in the Alert Logic console that help you demonstrate compliance with the following control objectives in Control Category 06.0:

  • 06.01 Compliance with Legal Requirements
  • 06.03 Information System Audit Considerations

Control Objectives 06.01 Compliance with Legal Requirements

This section consists of implementation requirements that help you demonstrate compliance with Control Objective 06.01 Compliance with Legal Requirements. This control objective requires you to demonstrate that the design, operation, use, and management of information systems adhere to applicable laws and to statutory, regulatory, or contractual obligations, as well as to any security requirements.

Control Reference 06.d (Level 1 Implementation Requirements)

Alert Logic offers guidance for Control Reference 06.d Data Protection and Privacy of Covered Information in Control Objective 06.01 Compliance with Legal Requirements. This control reference specifies that all relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.

Organizational data protection and privacy policy

A portion of the Level 1 implementation for Control Reference 06.d requires proof that an organizational data protection and privacy policy is developed and implemented. This implementation also requires that the policy be communicated to all persons involved in the processing of covered information, and that it be supported by a management structure and controls.

Alert Logic does not provide data for this portion of the Level 1 implementation for Control Reference 06.d. You must provide the policy and procedure documents for this audit.

Technical security controls

Another portion of the Level 1 implementation for Control Reference 06.d requires that technical security controls (including access controls, special authentication requirements, and monitoring) and organizational measures to protect covered information are implemented. This section provides you with the following links for quick access to the appropriate pages in the Alert Logic console:

Development and implementation of privacy policies and procedures

Another portion of the Level 1 implementation for Control Reference 06.d requires proof that responsibilities are assigned for the development and implementation of privacy policies and procedures. These responsibilities include serving as the point of contact for all privacy-related issues, receiving privacy-related complaints, and providing privacy-related guidance to managers, users, and service providers on their individual responsibilities and on the specific procedures listed in the HITRUST Risk Management Framework.

Alert Logic does not provide data for this portion of the Level 1 implementation for Control Reference 06.d. You must provide the policy and procedure documents for this audit.

Control Objectives 06.03 Information System Audit Considerations

This section consists of specifications to meet the requirements for Control Objective 06.03 Information System Audit Considerations. This control objective requires you to ensure the integrity and effectiveness of the information systems audit process.

Control Reference 06.j (Level 1 Implementation Requirements)

Compliance with Control Reference 06.j Protection of Information Systems Audit Tools requires you to demonstrate that access to information systems audit tools is protected to prevent any possible misuse or compromise.

This section provides you with a link for quick access to the list of users in the Alert Logic console who have access to information systems audit tools.