APAC Regional Webinar: Adopting HITRUST for Global Risk Management and Compliance

© 2020 HITRUST Alliance | 855.HITRUST (855.448.7878) | www.HITRUSTAlliance.net

APAC Regional Webinar
Adopting HITRUST for Global Risk Management and Compliance: Getting Started and What to Know
Thursday, December 10, 2020, 10:00am-11:00am SST


TRANSCRIPT


Presented by:

Michael Parisi, VP of Assurance Strategy & Community Development, HITRUST

Shyam Mishra, VP of Risk, Compliance & Audit, QUANTUM SECURITY; Co-chair, Asia Advisory Council of HITRUST


ABOUT QUANTUM

Ownership Structure

Quantum sits within the ST Telemedia (STT) family which is wholly owned by Temasek (Singapore sovereign wealth fund with assets over $300 billion). ST Telemedia invests and owns leading businesses across the communications / media, data centres and infrastructure technology space.

STT Group Companies

We are actively combining a group of companies under STT ownership to remove the blurry lines between MSP, MSSP, DevOps and cybersecurity technology needs. This approach will deliver coordinated and automated secure cloud outcomes. Experience the power of our strategic integrations between these companies:

[Figure: STT group capabilities – Asia MSP, Global MSP, Cyber Technology, Managed SecOps, DevOps]

We look forward to our own journey as we combine these capabilities to globally deliver the world’s most secure and performant cloud experience.

Conventional cybersecurity approaches are failing and escape from their crippling constraints is long overdue. Quantum liberates you with its cybersecurity platform and services that are non-proprietary, comprehensive, scalable, and the best of all – affordable.

WWW.QUANTUM.SECURITY


Agenda

• Introduction and Business Challenges
• About HITRUST
• Leveraging HITRUST for APAC Needs
• Additional Resources
• Q&A


Section 1 Introduction and Business Challenges


Unique Business Challenges of the APAC Region

Dominant information protection and compliance use cases faced by organizations operating in Asia-Pacific:

• Local organizations need to provide assurances to other organizations located:
  • In Asia-Pacific
  • In other parts of the world (e.g., EU, USA)
• Cloud Providers and Service Providers seeking to demonstrate assurances to their customers
• All organizations seeking to manage their third-party risk
• Organizations who seek efficiency, coverage, and currency for their own internal program needs
• Providing transparency into privacy and security programs
• Organizations now have a need to provide assurances with respect to Work From Home (WFH) / Work From Anywhere (WFA) strategies
• Growing need to demonstrate a combined posture for privacy and cybersecurity
• Organizations operating in the region need to meet a multitude of regulatory requirements for information security and data privacy


HITRUST and the Asia Pacific Region

HITRUST, a leading data protection standards development and certification organization, continues to expand and enhance services and support in the Asia Pacific region as part of a global information protection approach to streamline information risk management and compliance for organizations of any type, size, or geography delivering services locally, nationally, or internationally.

To accomplish this important global objective, HITRUST has undertaken several activities:

• Establish the HITRUST Asia Advisory Council
• Further update the HITRUST CSF framework with additional Asia-specific authoritative sources
• Enable organizations to execute targeted assessments against relevant ISO standards (ISO 27001-27002)
• Work to support data localization within HITRUST MyCSF
• Designated as an Accountability Agent under the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules System (CBPR) and Privacy Recognition for Processors System (PRP)
• Design a globally relevant TPRM methodology and program

This strategy builds on the HITRUST Approach vision of One Framework, One Assessment, Globally, further allowing organizations to Assess once, Report many.


HITRUST Asia Advisory Council

Purpose

• The Asia Advisory Council helps to ensure the HITRUST Approach remains current and relevant to the needs of the HITRUST community in Asia-Pacific countries.
• The Council supports HITRUST in facilitating continuous improvement of information security and individual privacy as HITRUST expands within Asia by providing thought leadership on the emerging laws, policies, and trends impacting regional risk management and compliance.

A few council members from leading international organizations include:


Asia Advisory Council Members

COUNCIL MEMBER     ORGANIZATION                                          LOCATION
Abbas Kudrati      Microsoft                                             Australia
Anshum Sinha       Shearwater Health                                     Philippines
Kai Seng Leong     Integrated Health Information Systems (IHIS) Pte Ltd  Singapore
Kieran Donovan     Latham & Watkins, LLP                                 Hong Kong
Leon Jackson       Amazon Web Services                                   Singapore
Martin Leo         State Street                                          Singapore
Min Chee Liew      Integrated Health Information Systems (IHIS) Pte Ltd  Singapore
Saladin Effendi    PT Bank Mandiri                                       Indonesia
Shyam Mishra       Quantum Security                                      Singapore
Sundar Ramaswamy   KPMG                                                  India
Sushanth Nair      IBM (no longer with IBM)                              Singapore
Yousof Elmalty     Amazon Web Services                                   Singapore


About HITRUST

HITRUST addresses the globally growing need for a common framework, tailorable to all sizes and types of organizations, to improve trust and mitigate data breaches.

HITRUST champions programs and solutions that protect sensitive information and manage information risk & compliance, from start to finish, for organizations across all industries.

• One of the most widely adopted frameworks – covers over 40 authoritative sources
• Hundreds of thousands of privacy and security risk assessments performed
• All the programs and tools you need in one spot – the HITRUST Approach


Section 2 APAC Data Protection and Compliance: Leveraging HITRUST to Solve Your Business Needs


Primary Drivers for APAC Organizations to Provide Assurances

• Need to demonstrate trust to customers and trading partners
• Regulatory
• Data Privacy (acknowledging the dependency of privacy on security)
• Desire to avoid data breaches and/or the need to be able to effectively respond thereto
• Need to expand WFH/WFA into programs, demonstrating that remote working is safe (especially for Service Providers)
• Third Party Privacy and Security Assessment (both directions)
• Insider Risk
• Headquarter direction/needs in Global Organizations
• Need to manage competing requirements and multiple frameworks
• Resource Challenges – Acutely felt


HITRUST Can Help with Assurance Coverage

All the programs in the HITRUST Approach can help organizations in the Asia-Pacific region obtain assurances for these top 3 distinct areas:

• Privacy
• Cloud
• WFH/WFA (i.e., COVID-19 response)


Information Protection and Compliance Can Be Challenging

• Multiple regulations
• Increasing customer expectations
• Market variations
• Dynamic business models
• Organizational culture
• Third Party Risk
• Technical Evolution
• New Threats

Question – How can organizations best address this challenge?

Answer – By leveraging HITRUST programs


The HITRUST Approach

• HITRUST CSF®—a robust privacy and security controls framework
• HITRUST Threat Catalogue™—a list of reasonably anticipated threats mapped to specific HITRUST CSF controls
• HITRUST CSF Assurance Program—a scalable and transparent means to provide reliable assurances to internal and external stakeholders
• HITRUST Shared Responsibility Program—a matrix of HITRUST CSF requirements identifying service provider and customer responsibilities
• HITRUST Assessment XChange™—an automated means of sharing assurances between organizations
• HITRUST MyCSF®—an assessment and corrective action plan management platform
• HITRUST® Third-Party Assurance Program—a third-party risk management process and a managed third-party risk management service
• HITRUST Academy®—a comprehensive training program designed to educate about information protection and the implementation of the HITRUST CSF
• HITRUST RightStart Program™—assists and guides start-up organizations in building a solid foundation for risk management, compliance and privacy

The HITRUST Approach eliminates the need for multiple assessments and reports, scales and customizes to adapt to your organization’s growing needs and is based on the most up-to-date framework that incorporates international, federal, and state regulations concerning privacy and security.

HITRUST has data protection, information risk, and compliance programs — all in one approach, the HITRUST Approach.


* Since HITRUST, ISO, NIST and PCI are all RMFs, the document specifying their associated controls is used in the table to uniquely identify them.
† The NIST Cybersecurity Framework is a high-level framework that relies on the specification or design of additional controls to support the framework’s recommended outcomes.
‡ HIPAA specifies information security requirements (generally at a high level) but is a U.S. federal regulation and not a risk management framework.

The gold standard in risk management frameworks. The HITRUST Approach is the most comprehensive globally applicable risk management approach.


No matter your location or industry, HITRUST has you covered.

Current Authoritative Sources included in the HITRUST CSF:

• 1 TAC 15 390.2
• 16 CFR 681
• 201 CMR 17.00
• 21 CFR 11
• 23 NYCRR 500
• 45 CFR HIPAA.BN
• 45 CFR HIPAA.PR
• 45 CFR HIPAA.SR
• AICPA TSP 100
• APEC Privacy Framework
• CAQH Core Phase 1
• CAQH Core Phase 2
• CCPA 1798
• CIS Controls v7.1
• CMS ARS v3.1
• COBIT 5
• CSA CCM v3.0.1
• DHS CISA CRR v1.1
• CMMC v1.0
• EHNAC
• EU GDPR
• FedRAMP
• FFIEC IS
• HITRUST De-ID Framework v1
• IRS Pub 1075 (2016)
• ISO 27799:2016
• ISO/IEC 27001:2013
• ISO/IEC 27002:2013
• ISO/IEC 29100:2011
• ISO/IEC 29151:2017
• MARS-E v2
• NIST Cybersecurity Framework v1.1
• NIST SP 800-171 r2
• NIST SP 800-53 r4
• NRS 603A
• OCR Audit Protocol (2016)
• OCR Guidance for Unsecured PHI
• OECD Privacy Framework
• PCI DSS v3.2.1
• Singapore PDPA
• PMI DSP Framework
• SCIDSA 4655
• TJC

HITRUST leads the market as the only solution that integrates 40+ authoritative sources into one certifiable framework.

Is your organization already considering another framework or standard in particular? It’s likely already included in the HITRUST CSF.


To support organizations operating in APAC, HITRUST has added the following regulations to our list of Authoritative Sources for inclusion in upcoming and future versions of the CSF Library:

• Hong Kong Personal Data Privacy Ordinance (PDPO) – v10
• Malaysia Personal Data Protection Act 2010
• Philippines Data Privacy Act of 2012
• Australian Signals Directorate Information Security Registered Assessors Program (IRAP)
• Thailand Personal Data Protection Act, B.E. 2562 (2019) (PDPA)
• Dubai Information Security Regulation (ISR) version 2

Relevancy: Ongoing Compliance with Authoritative Sources and Regulations

The Personal Data Privacy Ordinance in Hong Kong is slated to be added in HITRUST's v10 release. All other authoritative sources and regulations will be included in future releases, undetermined at this time.


Benefits of a HITRUST CSF Certification

1. Provides significant assurances that can be relied upon by all applicable parties such as clients, vendors, shareholders, and internal stakeholders.
2. Differentiates your organization relative to security and privacy posture.
3. Reduces unnecessary effort spent responding to third-party proprietary questionnaires.
4. Increases awareness of your organization’s relative risk exposure, inherent risk, current security posture, and the maturity of your information risk management program.
5. Demonstrates that your organization is committed to managing risk, improving its security posture, and meeting compliance requirements.
6. Potentially helps save on cybersecurity insurance premiums.
7. Starts conversations and potential new business partnerships with organizations who may require in-depth, third-party verified assurances.


Starting your journey to HITRUST CSF Certification*

1. Download the HITRUST CSF Framework
   • Identify your privacy and security controls
2. Conduct a Readiness Assessment using our software, MyCSF
   • Allows you to self-assess using the standard methodology, requirements, and tools provided under the HITRUST CSF Assurance Program
3. Prepare for a Validated Assessment
   • Select your authorized HITRUST External Assessor to help with the process
   • Utilize MyCSF to streamline preparedness
4. Undergo a Validated Assessment process using MyCSF
   • Select your Authorized HITRUST External Assessor to help with the process
   • Our Assurance team audits your validated assessment and will issue your certification (assuming a passing score)
5. Receive your HITRUST Letter of Certification
   • Maintain certification every 2 years

*Recommended best practices. Every organization is unique in their needs.

Quantum liberates you from the constraints of conventional cybersecurity strategy and execution.

YOUR VALUE STATEMENTS

FOUR FOCUSED INVESTMENTS

[Figure: four investment areas – XDR + SOC | VAPT | DATA PROTECTION | RISK MANAGEMENT; two of the areas are marked "Integrated with XDR"]

Focusing On The Four Most Important Strategies To Better Protect Your Organisation

I detect alerts through AI/ML, create relevant incidents, and trust my 24/7 cybersecurity team to quickly respond to and remediate threats. Included are my users, applications, IT and cloud landscape.

I keep my valuable logging data, tuning, playbooks and automation – forever.

I am focused on the tactics, techniques and procedures (TTPs) of threat actors leveraging the MITRE ATT&CK framework.

I know my environment and threats are constantly evolving, so I require continuous vulnerability assessments / penetration testing to protect my data and organisation.

Data is the most important asset in my organisation to protect from cyber attacks. My data-centric strategy focuses efforts on our most sensitive data.

I always know where our sensitive data is through continuous discovery. I have applied smart classification methods and can remediate / protect data that breaks policy.

I empower my organisation to take a strategic and comprehensive view into cybersecurity risk.

Aligning to the HITRUST framework allows me to support many compliance standards, manage third-party risks, measure effectiveness of our cybersecurity implementation, share control responsibilities with leading cloud providers, and easily report to my management and third parties.

A CONTINUOUS AND ENDURING STRATEGY

RISK MANAGEMENT SERVICE DESCRIPTION

Today, you are required to assess & report your organization’s risk posture against multiple regulatory frameworks and standards across global geos. There is a pressing need to comply with an ever-growing set of data privacy regulations. Continually managing your risk & security maturity assurance, designing and delivering information privacy, and managing vendor risk has never been more important.

WHY?

One Framework, One Assessment - Globally
Quantum helps you get assessed on HITRUST CSF, a framework that is mapped to a large and growing list of authoritative sources globally including ISO 27001, NIST, PCI-DSS, HIPAA, GDPR, PDPA. Services include HITRUST CSF Adoption and Certification.

A Comprehensive & Continuous View of Risk Posture
Build and adopt a sustainable security and risk governance programme using a universally portable and globally acceptable framework. Get a full view of your risk posture - for both Cybersecurity and Privacy throughout your assessment lifecycle.

Track and Monitor Remediation
Quantum helps you to have a full view of gaps in your environment and implement corrective action plans to remediate them so that you can measure, demonstrate and celebrate your ever-improving posture with your internal teams and partners.

Efficiency of Reporting
Assess once against up to 44 authoritative sources and obtain a single report with an ability to provide assurances to multiple requesting parties.

Localized Engagement Models
Choose between different engagement models based on your organizational maturity, size, and goals to have control on your adoption process. Enjoy subscription models to benefit from continuous advisory services from Quantum.

Quantum’s Risk & Compliance assessment and Advisory as-a-Service delivers the most prescriptive approach to protecting customer data using the globally recognized risk framework, HITRUST. Quantum helps you to build a sustainable security and IT risk governance program and thereby improve your security & risk maturity. Using the HITRUST CSF, Quantum helps you to “assess once and report many”, allowing you to meet a vast variety of internal and external requirements.

HOW?

WWW.QUANTUM.SECURITY


Section 4 Additional Resources & Tips on Getting Started


Potential Future Discussion Topics

• Successful adoption by managing cultural aspects
• Inheritance and the Shared Responsibility Model
• Enabling the startup community (HITRUST RightStart Program)
• Effective and efficient third-party risk management


Additional Resources & Tips on Getting Started


• Asia Advisory Council
• Visit our Website: HITRUSTAlliance.net
• Consult with an Authorized HITRUST External Assessor
• Additional Resources:
  • Value of a HITRUST CSF Certification
  • How Do I Know If An Assurance Report is Rely-Able™?
  • HITRUST C-Level Executive Overview
  • Third-Party Risk Management Methodologies, Programs, and Services


Built especially for you, HITRUST Central members can learn about HITRUST programs and services, engage in discussions on current security and privacy trends, learn from peers’ experiences, and take part in relevant industry discussions. As a member, you'll get to:

• Access exclusive early product announcements
• Participate in discussions with peers and industry-leading experts
• Chat directly with our HITRUST subject matter experts
• Download and access curated content
• ...and much more!

Join today!

HITRUST Central


Contact Information

Michael Parisi, [email protected]

Shyam Mishra, QUANTUM [email protected]


Q&A Session


Thank you for joining the webinar.

Additional Resources can be found at: https://HITRUSTAlliance.net

© 2020 HITRUST. All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than being shared as is in full, in any form or by any means, electronic or mechanical, without HITRUST’s prior written permission.