The HITRUST Shared Responsibility Program, and Why It Matters

In everyday life, knowing who is responsible for what plays a vital role in keeping us safe and secure. Being aware of the rules of the road, knowing which side to drive on, and indicating if you’re going to turn, are all aimed at preventing accidents and injury. A path that clearly defines responsibility and builds in safety precautions is one that will keep everything working smoothly. HITRUST removes the misunderstanding about the functions of the cloud service provider and the customer.

In business, there are a lot of similarities. Over the last few years, knowing who is responsible for security in the cloud has become a hot topic. If you assume that your cloud service provider is certified to comply with all the major regulations around protecting your data, you’d be partially correct.

Though it is possible to leverage your cloud service provider’s security controls, there are ones of your own that you’ll need to apply, as well as some you’ll share with your cloud service provider.

By applying your controls — in addition to the ones shared with your provider — you can be confident that your cloud data is fully protected from cyber attacks and is in compliance with regulations and standards for your industry.

The challenge you face is analyzing the security controls used by your cloud service provider and comparing them to your controls. The key is to identify the line between what is their responsibility and what is yours.

Updating the HITRUST PRISMA Maturity Model 

Launched in 2018, the HITRUST Shared Responsibility program looks at the challenges businesses face when dealing with their cloud service providers. The HITRUST Shared Responsibility Model (SRM) is the industry’s first commonly accepted model for sharing responsibility in the cloud.

Organizations can benefit from this model by ensuring that cloud service providers can communicate appropriate security and privacy assurances, get better guidance on the delineation of control ownership, and simplify customer assurance processes.

Shared Responsibility eliminates the confusion when trying to understand the roles and responsibilities of the cloud service provider and you, the customer. This is where HITRUST’s Shared Responsibility program comes in. It capitalizes on HITRUST’s expertise in managing risk and protecting sensitive information, whether in the cloud or not, with efficiency and clarity.

“HITRUST launched this Program with the goal of providing greater clarity regarding the ownership and operation of security controls between organizations and their cloud service providers,” said Becky Swain, Director of Standards and Shared Responsibility Program Lead, HITRUST. “The introduction of the Shared Responsibility Matrix is another HITRUST resource that underscores our ongoing commitment to simplifying and enhancing offerings to address our customers’ most pressing risk management challenges.”

The shared responsibility matrix is designed to allow customers to discuss cloud-supply-chain risk. It has an out-of-the-box template, pre-populated with shared responsibility for the cloud, and includes over 2000 detailed security and privacy control requirements.

As a result, leading cloud service providers, including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, have partnered with HITRUST to publish Shared Responsibility matrices jointly.

HITRUST Shared Responsibility Matrix 

The Shared Responsibility Matrix is a common model that guides organizations in the appropriate terms to use when discussing shared responsibility. It’s used to understand which aspects of cloud architecture and operations need adjustments when looking at ownership and responsibility.

The matrix’s 2000 controls range from access control to privilege management and segregation in networks. Each is assigned full, partial, or no responsibility to cloud service providers and their customers, depending on the mode of delivery: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) or Colocation (Colo).

The most significant benefit of the HITRUST Shared Responsibility Matrix is that it removes the guesswork from interpreting compliance, making it easier to manage and providing more robust security and greater efficiency.

The full version of the Shared Responsibility Matrix is available as part of the HITRUST MyCSF platform, which now includes the ability to inherit controls from AWS and Microsoft Azure. This saves organizations time, money, and resources. MyCSF serves as the foundation for the matrix and integrates with more than 40 authoritative sources.

If your business is dependent on high-quality cybersecurity measures, as is increasingly common in today’s digital age, HITRUST’s Shared Responsibility program helps ease the complexity and regulatory burden associated with data security and compliance. HITRUST keeps your business on the road by minimizing potential hazards, helping you to see clearly what comes next.

As a HITRUST CSF certified organization, ISI Language Solutions is an ideal language access and localization specialist to take your brand global, and to support your firm’s journey to open up new markets around the world.

Contact us on (818) 753-9181 to find out more.
