An authorization or certification under a security compliance standard verifies that an organization has met the specific industry standard for data privacy and security. Critical infrastructure sectors such as government, healthcare, finance and nuclear are required to follow various cloud information technology (IT) compliance guidelines because of the sensitive data managed in these industries. Software vendors, data centers and cloud service providers (CSPs) seeking to work with such industries are required to demonstrate the industry-specific compliance. For example, federal agencies require that software vendors and CSPs be FedRAMP compliant in order to handle or manage an agency’s data.
CSPs carry the burden of meeting compliance standards at the platform-as-a-service and software-as-a-service levels for customers in varying industries. Not only do they have to verify compliance, but under many of the more demanding compliance standards responsibility is shared among the infrastructure provider, the platform provider and the end user leveraging the CSP. This requires a unified understanding of all roles and responsibilities by all parties. For example, a FedRAMP authorized CSP is able to manage 86% of the necessary security controls on top of the 9% that a FedRAMP compliant hosting infrastructure such as AWS, Azure or Google provides. In order for the customer’s environment to reach 100% compliance within the CSP’s cloud, the customer must manage approximately 5% of the remaining security controls. These controls include access control and password requirements.
As the HITRUST Alliance and its HITRUST CSF have grown in popularity with industries requiring a higher security standard, it has become clear that both CSPs and the end users seeking a HITRUST certified environment require clarity on which security controls fall within each organization’s responsibility. This need for clarity led to the development of the HITRUST Shared Responsibility Program, the HITRUST Shared Responsibility Working Group for Cloud Service Providers and eventually the HITRUST Shared Responsibility Matrix.
HITRUST launched the Shared Responsibility Program in 2018 as a strategic business priority to address growing misunderstandings, risks, complexities and assurance inefficiencies when leveraging cloud service providers. The primary objectives of the program were to help clarify roles and responsibilities regarding ownership and operation of security and privacy controls shared with CSPs and to support automation and streamlining of the assurance process when inheriting controls.
Overview of the Program
The HITRUST Shared Responsibility Program is an important initiative that addresses the top three challenges organizations face when engaging with their cloud service providers:
- To ensure cloud service providers can communicate appropriate security and privacy assurances relating to the controls associated with the services a customer has contracted
- To supply better guidance on the delineation of control ownership, including clarifying the more nuanced, partially shared controls that organizations rely upon
- To simplify a cloud customer’s own assurance processes by enabling and streamlining control inheritance while promoting full awareness and managed risk
The same effort to understand all security and compliance roles and responsibilities should be a top priority for your IT vendor management team. Taking the time to ensure that all risks are effectively allocated will prevent misunderstandings such as who is responsible for participating in the breach response process to triage, investigate and resolve the breach as quickly as possible. Being proactive in identifying all roles and responsibilities will keep an already uncomfortable situation from escalating and further increasing an organization’s overall risk.