Management’s Responsibilities During a HITRUST CSF Assessment

by Sarah Harvey / August 16th, 2018

What is an Executive Charter?

When your organization begins preparing to undergo a HITRUST CSF assessment, management needs to review what their own responsibilities are, regardless of how small some of them might seem. For example, does your organization have an executive charter in place that delegates the responsibilities of the CISO? What level of involvement do your C-level executives have in your information security program? In this webinar, Shannon Lane dives into one of the most commonly missed components of a HITRUST CSF assessment, the executive charter, and provides guidance on how your organization should go about ensuring that one is in place.

An executive charter is a policy that drives your entire organization’s security posture. It demonstrates whether or not your senior-level executives are involved in your information security program; grants rights, responsibilities, and power to departments; defines the responsibilities of individuals; establishes baseline accountability and a reporting structure; and should be built into your organization’s foundational documentation.

Because the executive charter sets out who does what at each level, it serves as a type of check-and-balance system for an organization. Specifically, the executive charter for an information security management policy does this by outlining the following:

  • Addressing the CISO role and IS department
  • Defining the powers and responsibilities of the CISO/ISO
  • Defining the reporting structure of the CISO/ISO
  • Establishing the independence of the IS department
  • Allowing the IS department to set appropriate policies to the limits allowable by the CEO
  • Empowering the IS team within the whole of the corporate structure
  • Defining the limits of the IS team operation

Is My Executive Charter Compliant?

When you’re engaging in a HITRUST CSF assessment, KirkpatrickPrice Information Security Specialists will be looking to validate that your executive charter adheres to HITRUST CSF protocols. In order to ensure that your executive charter meets the expectations of the HITRUST CSF, you’ll need to ensure that your senior management officials have assigned an individual or group to do the following:

  • Ensure the effectiveness of the information protection program through program oversight
  • Establish and communicate the organization’s priorities for organizational missions, objectives, and activities
  • Review and update the organization’s security plan
  • Ensure compliance with the security plan by the workforce
  • Evaluate and accept security risks on behalf of the organization

You’ll also need to ensure that your executive charter meets the following HITRUST CSF requirement statements:

  • A senior-level information security official is appointed and is responsible for ensuring that security processes are in place, are communicated to all stakeholders, and consider and address organizational requirements.
  • The owner of the security policies has management’s approval and is assigned the responsibility to develop, review, update, and approve the security policies, and such reviews, updates, and approvals occur no less than annually.
  • An individual or dedicated team is assigned to manage the information security of the organization’s users.

The executive charter lays the foundation for a strong security posture. To learn more about how to establish and implement an executive charter to prepare for your HITRUST CSF engagement, watch the full webinar. To get started on your HITRUST CSF journey, contact us today to speak to an expert.