HITRUST®, a data protection standards development and certification organisation, announces the release of publicly available resources that clearly define security and privacy responsibilities between cloud service providers and their customers, thereby streamlining processes for risk management programs.

Developed with Amazon Web Services (AWS) and Microsoft Azure, each new HITRUST Shared Responsibility Matrix aligns with the cloud service provider’s unique solution offering. Cloud service providers have long supported shared responsibility models, whereby the provider assumes some security responsibility for hosting applications and systems, while the organisation deploying its solutions in the cloud assumes partial or shared responsibility for others.

Risk management objectives

The challenge, however, is that many shared responsibility models are loosely defined and vary based on the solution. For businesses deploying solutions in the cloud, this ambiguity creates an added layer of complexity related to achieving broader risk management objectives.

“Scaling cost-effectively to meet customer demand requires us to leverage the cloud, which introduces additional and unique challenges as it relates to data privacy and security,” said Lee Penn, Chief Financial Officer, and Chief Compliance Officer, PDHI. “Specifically understanding who is responsible or partially responsible for securing cloud services is a challenge that is addressed by the HITRUST Shared Responsibility Matrix.”

Controls between organisations

In 2019, HITRUST engaged AWS and Microsoft Azure to begin developing joint Shared Responsibility Matrices. The initiative was added to the larger HITRUST Shared Responsibility and Inheritance Program, which was introduced in 2018 to address the many misunderstandings, risks, and complexities involved when organisations leverage cloud service providers.

“HITRUST launched this Program with the goal of providing greater clarity regarding the ownership and operation of security controls between organisations and their cloud service providers,” said Becky Swain, Director of Standards and Shared Responsibility Program Lead, HITRUST. “The introduction of the Shared Responsibility Matrix is another HITRUST resource that underscores our ongoing commitment to simplifying and enhancing offerings to address our customers’ most pressing risk management challenges.”

Cloud service providers

The HITRUST CSF®, a certifiable framework that integrates and harmonises more than 40 authoritative sources, serves as the foundation for the HITRUST Shared Responsibility Matrix. With more than 2,000 controls available in the HITRUST CSF (with ‘control’ generally defined as an activity to mitigate risk), the HITRUST Shared Responsibility Matrix documents which HITRUST CSF controls are full, partial, or shared responsibility between cloud service providers and their customers.

“With Microsoft’s extensive worldwide presence and partner ecosystem, it is essential to streamline security collaboration. Providing comprehensive coverage for applicable controls across industries and use cases helps ensure that high levels of privacy, security, and compliance are achieved, and nothing falls through the cracks,” said David Houlding, Director of Healthcare Experiences, Microsoft Azure. “This was not an easy feat for the teams at HITRUST and Microsoft, but we know our partners and customers will benefit, which makes it worth it.”

Pursue risk management

The HITRUST MyCSF® SaaS platform used for managing assessments now includes the ability to inherit controls from AWS and Microsoft Azure. The ability to automatically inherit controls saves time, money, and resources as organisations pursue their risk management and compliance objectives.

The HITRUST Shared Responsibility Matrix for AWS and the HITRUST Shared Responsibility Matrix for Microsoft Azure are now available online. AWS and Microsoft Azure also participate in HITRUST’s Third-Party Risk Management Council, which is comprised of companies, third-party vendors, and advisory service firms that are dedicated to improving processes for identifying, assessing, and mitigating supply chain risks.
