FRISCO, Texas--(BUSINESS WIRE)--HITRUST, a leading security and privacy standards development and certification organization, is releasing its Threat Catalogue to provide organizations with greater visibility into the threats and risks targeting their information, assets and operations.
In addition to helping organizations understand the threats targeting their organization and their associated risks, the Threat Catalogue also identifies the specific technical, physical and administrative controls needed to address these risks. This improves an organization’s visibility into how it manages threats and better enables management to prioritize security programs and align budgets and resources.
Identifying threats is a major component of a comprehensive risk analysis process for any organization seeking to protect its sensitive data. Following an asset inventory, information classification, and system categorization, the threat identification process helps determine what adverse events are relevant to the organization and must be controlled. For example, the increased frequency of ransomware intrusions required organizations – of all types and sizes – to re-examine their controls around data backup and restoration and ensure they could successfully recover their data if such an attack occurred.
“Unfortunately, a comprehensive threat list that could support risk analysis and help organizations better understand and mitigate threats to sensitive information was essentially unavailable,” says Dr. Bryan Cline, vice president of standards and analytics at HITRUST. “Given its significance to the risk management process, we invested years identifying a complete set of threats at a level consistent with the controls used to address them.”
The HITRUST Threat Catalogue will be available free of charge and becomes an integral part of HITRUST’s risk management and compliance suite. It will help organizations ease the burden of analyzing and managing security and privacy risk by mapping these threats directly to the controls in the HITRUST CSF® framework. Organizations that can identify threats to their sensitive information, assets and operations can prioritize and focus on the specific controls that are relevant to them and, in turn, reduce risk.
The Threat Catalogue will also be used to help ensure the HITRUST CSF remains current and relevant to the changing environment by linking requirements to active threat intelligence. A thorough understanding of how well the CSF controls address existing and emerging threats will help HITRUST identify new control requirements or enhancements to requirements that may be needed to further mitigate associated risk.
In addition to mapping specific threats to the controls used to limit an organization’s exposure to risk, the catalogue also provides mappings to less comprehensive threat lists from other respected frameworks, such as the National Institute of Standards and Technology (NIST) Special Publication 800-30 and the European Network and Information Security Agency (ENISA) Threat Taxonomy.
HITRUST will update the Threat Catalogue regularly alongside the market-leading HITRUST CSF. This early release of the HITRUST Threat Catalogue allows public and private sector organizations to provide feedback prior to the document’s general release. Interested parties are encouraged to download and review the catalogue after its release on Thursday, November 1st and submit comments by Monday, December 31st, 2018.
Registration is open for the HITRUST webinar on Thursday, November 29th discussing the benefits of the Threat Catalogue.
HITRUST Risk Management and Compliance Suite
The HITRUST Suite is designed to leverage and integrate the best-in-class components for a comprehensive information risk management and compliance program: a robust privacy and security framework, a scalable and transparent assurance program, a catalogue of threats, shared security control responsibility assignment and assurance, an assessment and corrective action plan management platform, a third-party risk management process, and an assessment exchange. The HITRUST Suite offers organizations an integrated, updated and supported approach to information risk management and compliance, which includes the following HITRUST programs and services: HITRUST CSF®, HITRUST CSF Assurance, HITRUST Assessor Program, HITRUST Threat Catalogue®, HITRUST Shared Responsibility Program, HITRUST MyCSF®, HITRUST Third Party Assurance Program and the HITRUST Assessment XChange.
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis and resilience.
HITRUST actively participates in many efforts in government advocacy, community building, and cybersecurity education. For more information, visit www.hitrustalliance.net.