Determining the scope of an assessment against the HITRUST Common Security Framework (CSF) is one of the first and most important tasks of the entire HITRUST assessment process. The assessment scope is a major factor in the level of effort required to complete an assessment, and is important to relying entities in determining if the services they use are assessed against the HITRUST CSF. However, for organizations with large or complex IT environments, the task of determining the scope of their HITRUST assessment(s) may seem daunting.

What is the SOC 2? At a high level a SOC 2 examination is a report on internal controls of a service organization related to the Trust Service Principles and Criteria (TSPs), which include: security, availability, processing integrity, confidentiality and/or privacy. Reporting on these TSPs can provide assurance around the adequacy of your services’ security control environment.

Employees are one of the weakest links in any business’ security defenses, especially if there is a lack of awareness about criminal attacks that are designed to obtain sensitive information from organizations.

Many of the requests that we receive are limited in scope to Internet facing assets. A true understanding of the threats facing your networks requires a complete evaluation of all possible threat vectors. So what kinds of vulnerabilities does an internal test find that an external would miss? Schellman was recently engaged to perform an external and internal penetration test for a software development firm. The external test revealed very little about the company. Strong firewall rules opened only the most necessary of ports (80 and 443) to the Internet. All external facing servers were well patched, running modern operating systems and lacked any exploitable vulnerability. However, the internal assessment told a completely different story. We began the test with no credentials on a “rouge device” that was placed on the internal network. A database server running an automation tool exposed a scripting console that allowed unauthenticated commands to be run on the underlying OS. A VBS script that downloaded an executable was run followed by another VBS script that executed the shell program. With this foothold, we impersonated the token of a database administrator who also happened to be a Domain Administrator. A few commands later, we’d taken over the domain. If our client had only engaged us for an external test, none of this would’ve been found.

HITRUST Basics The HITRUST set of security controls and safeguards (referred to as the ‘CSF’ or ‘Common Security Framework’) was developed using a risk-based approach to address the multitude of security, privacy, and regulatory challenges facing healthcare organizations. It includes control points derived from the HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT frameworks, as well as federal and state privacy laws.

One of the most effective ways of approaching professional development is by using collaborative approaches. Or, as Eleanor Roosevelt once said, do one thing every day that scares you. I imagine that might be just as effective when it comes to professionally developing oneself and, as a result, personal skills with it. Here are three areas to consider dedicating attention to on the job if you desire to take personal development to new heights.

NOTE: Schellman has since updated and expanded this information in an article found here.

“We shall defend our island…we shall fight on the beaches, we shall fight on the landing grounds, we shall fight in the fields and in the streets, we shall fight in the hills; we shall never surrender.”