Highmark Health has found an answer by integrating FAIR with the HITRUST CSF, the cybersecurity controls framework in use at hundreds of thousands of organizations, to get the most out of both.
At the recent 2020 FAIR Conference, the FAIR Institute and HITRUST® released a white paper outlining Highmark’s experience as well as a plan to formally integrate the use of HITRUST CSF and FAIR, and the concept was presented at a conference session by the authors:
Learn more:
Watch the video on the FAIR Institute LINK members site: Case Study - Building a Program with HITRUST & FAIR. -- Become a FAIR Institute member now - it’s free to qualified professionals.
Download the white paper: Integrating HITRUST and FAIR
Join the white paper authors for an informational webinar on Wed, Nov 18, 2020, from 2:00 to 3:00 PM EST, to get your questions answered on HITRUST/FAIR integration. Register for the webinar now.
As Greg Rothauser told the story, Highmark realized the limitation of a qualitative approach that’s not connected to risk outcomes and set themselves on a new track with a new mission statement:
“Cost effectively achieve business objectives while maintaining an acceptable level of risk from probable threats to our confidential data and critical systems.”
But to fulfill that mission “requires an understanding of the threats to the organization, the controls for those threats and the resulting risk exposure.”
FAIR, with its rigorous foundation in risk scenarios identifying a threat, asset and controls, “gets us pretty far down the road. But one key challenge is how we connect that control activity, efficiencies and improvements back to the risk scenarios for an ultimate exposure of the facts.”
Greg showed this sample report from Highmark’s risk management team, illustrating how FAIR and the HITRUST CSF each contribute to an actionable view of risk.
Integration of FAIR and HITRUST CSF is an ongoing project. The white paper says that the full integration is likely to include sample use cases and solutions, including defined processes for:
Risk consultant Tyler Britton said, “We often receive the question ‘Is FAIR compatible with our existing qualitative program?’ Having a white paper to say ‘Yes, and this is what this could look like as an example’ is really exciting.”
More on combining FAIR with frameworks at the 2020 FAIR Conference: watch the video of the session Prioritizing NIST CSF Activities with FAIR, with Cimpress Manager of Security Operations Richard Barretto.
Register for the webinar on HITRUST + FAIR on Nov. 18