User:Mwashington2020/sandbox

Implementing HITRUST CSF using a self-assessment process is much more achievable with internal staff, and therefore more cost-effective for the organization. This decision must be made based on our level of assurance and risk tolerance. My recommendation would be to implement HITRUST CSF using a self-assessment process and bring in a third party for a validated assessment if required by our parent or partner organizations.

A challenge with any cybersecurity framework, including HITRUST CSF, is how to appropriately capture the necessary documentation of all the procedures and policies needed to implement and maintain the desired risk profile in order to receive a validated assessment from a third-party organization. This could be overcome by adopting regimented document management procedures to capture the appropriate information regarding control existence and evidence in the event of a breach. Adopting a document management system within the organization as part of the custom software implementation is another way to ensure that HITRUST CSF processes and procedures are captured effectively.