HITRUST Common Security Framework

Program governance, risk management, and information protection policies.

Malware protection, mobile device security, and removable media controls.

Encryption, tracking, and disposal of portable storage and devices.

User registration, privilege management, password policies, and session controls.

Event logging, monitoring, clock synchronization, and log protection.

Network segmentation, firewall management, and intrusion detection.

Encryption of data in transit, secure messaging, and remote access.

Vulnerability scanning, patch management, and penetration testing.

Baseline configurations, change control, and system hardening.

BCP/DR planning, backup and recovery, and crisis communication.

Notice, consent, data minimization, retention, and individual rights.

Vendor risk assessment, contracts, and ongoing monitoring.