Catalogue Provides Enhanced Visibility into Cybersecurity Threats

Frisco, TX, November 1, 2018 – HITRUST, a leading security and privacy standards development and certification organization, is releasing its Threat Catalogue to provide organizations with greater visibility into the threats and risks targeting their information, assets and operations.

In addition to helping organizations understand the threats targeting their organization and their associated risks, the Threat Catalogue also identifies the specific technical, physical and administrative controls needed to address these risks. This improves an organization’s visibility into how it manages threats and better enables management to prioritize security programs and align budgets and resources.

Join our webinar on November 29, 2018 to learn more about the HITRUST Threat Catalogue.

Identifying threats is a major component of a comprehensive risk analysis process for any organization seeking to protect their sensitive data. Following an asset inventory, information classification, and system categorization, the threat identification process helps determine what adverse events are relevant to the organization and must be controlled. For example, the increased frequency of ransomware intrusions required organizations – of all types and sizes – to re-examine their controls around data backup and restoration and ensure they could successfully recover their data if such an attack occurred.

“Unfortunately, a comprehensive threat list that could support risk analysis and help organizations better understand and mitigate threats to sensitive information was essentially unavailable,” says Dr. Bryan Cline, vice president of standards and analytics at HITRUST. “Given its significance to the risk management process, we invested years identifying a complete set of threats at a level consistent with the controls used to address them.”

The HITRUST Threat Catalogue will be available free of charge and becomes an integral part of HITRUST’s risk management and compliance suite. It will help organizations ease the burden of analyzing and managing security and privacy risk by mapping these threats directly to the controls in the HITRUST CSF® framework. By ensuring organizations can identify threats to their sensitive information, assets and operations, they can prioritize and focus on specific controls that are relevant to them, and in turn, reduce risk.

The Threat Catalogue will also be used to help ensure the HITRUST CSF remains current and relevant to the changing environment by linking requirements to active threat intelligence. A thorough understanding of how well the CSF controls address existing and emerging threats will help HITRUST identify new control requirements or enhancements to requirements that may be needed to further mitigate associated risk.

In addition to mapping specific threats to the controls used to limit organizations’ exposure to risk, the catalogue also provides mappings to less comprehensive threat lists from other respected frameworks, such as the National Institute of Standards and Technology (NIST) Special Publication 800-30 and the European Network and Information Security Agency (ENISA) Threat Taxonomy.

HITRUST will update the Threat Catalogue regularly alongside the market-leading HITRUST CSF. This early release of the HITRUST Threat Catalogue allows public and private sector organizations to provide feedback prior to the document’s general release.

Interested parties are encouraged to download and review the catalogue after its release on Thursday, November 1st and submit comments by Monday, December 31st, 2018.

The HITRUST webinar on Thursday, November 29th will discuss the benefits of the Threat Catalogue.

HITRUST Risk Management and Compliance Suite

The HITRUST Suite is designed to leverage and integrate best-in-class components for a comprehensive information risk management and compliance program, including a robust privacy and security framework, a scalable and transparent assurance program, a catalogue of threats, shared security control responsibility assignment and assurance, an assessment and corrective action plan management platform, a third-party risk management process, and an assessment exchange. The HITRUST Suite offers organizations an integrated, updated and supported approach to information risk management and compliance, which includes the following HITRUST programs and services: HITRUST CSF®, HITRUST CSF Assurance, HITRUST Assessor Program, HITRUST Threat Catalogue®, HITRUST Shared Responsibility Program, HITRUST MyCSF®, HITRUST Third Party Assurance Program and the HITRUST Assessment XChange.


  • The Office of Personnel Management is changing regulations on direct hire authority. A proposed rule would give agency heads the task of issuing direct hire authorities to address recruiting challenges rather than OPM. The president’s executive order on chief information officers required OPM to propose new regulations on direct-hire authority. (Federal Register)
  • Postal employees received thanks for working to help find a suspect charged with allegedly sending 14 explosive devices through the mail. Gary Barksdale, deputy chief inspector of the Postal Inspection Service, thanked postal employees for serving as the law enforcement agency’s “eyes and ears” last week. FBI Director Chris Wray said his agency identified the suspect through a fingerprint on an envelope addressed to Rep. Maxine Waters (D-Calif.). The FBI also found DNA evidence on two additional packages containing explosives. (Federal News Network)
  • The Pentagon is creating one budget request for fiscal 2020 at $700 billion and another one at $733 billion. Deputy Secretary of Defense Pat Shanahan said the Defense Department had been working on the larger budget proposal for much of the past year, but made the smaller one after President Donald Trump asked all agencies to cut their requests by 5 percent. Shanahan said that to get to the smaller number, the Pentagon will have to make some tough decisions about which investments in the research and development and acquisition areas are most important.
  • IBM became the latest government contractor to jump head first into a mega acquisition. Big Blue announced Sunday it is buying Red Hat for $34 billion in an all-cash deal. Red Hat provides open source enterprise software. IBM and Red Hat have partnered over the past 20 years, including more recently on open source cloud software. IBM said it will remain committed to Red Hat’s open governance, open source contributions and participation in the open source community and development model. (IBM)
  • A former Veterans Affairs employee pleaded guilty to taking bribes from three for-profit schools in exchange for encouraging disabled veterans to enroll in those schools. The Department of Justice said James King admitted to demanding and taking cash to steer veterans to the schools. At the time, King was working as a program counselor for VA’s Vocational Rehabilitation and Employment program. DOJ said King facilitated almost $2.5 million in VA payments to the schools. Three people from the schools themselves also pleaded guilty to bribing King. (Department of Justice)
  • The Office of Management and Budget set new cyber deadlines for agencies to reduce their risk profiles. Agencies have less than two years to move to a shared service for their security operations centers. In the 2019 Federal Information Security Management Act guidance released last week, OMB said agencies must develop and submit one enterprise-level cybersecurity operations maturation plan to OMB and DHS by April 2019. Then, by Sept. 30, 2020, they must migrate to a matured, consolidated and/or shared security operations center-as-a-service offering. Also in the FISMA guidance, OMB said agencies must implement a threat intelligence capability to identify deficiencies in their security defenses. (White House)
  • It’s going to take the Agriculture Department a little longer to transition to the Enterprise Infrastructure Solutions telecommunications contract. USDA’s Director of Enterprise Network Services said it will miss the May 2020 deadline as there isn’t enough time to reduce 14 unique infrastructures down to one. Meanwhile, the Department of Housing and Urban Development said its timetable is too close to call. But both departments are pushing forward, and intend to release requests for proposals next month. (Federal News Network)
  • State Department embassy construction is way behind schedule. Auditors found the agency won’t meet even half of its goal of 180 new, more secure embassies by the end of 2018. It’s only got 77 so far. The effort started during the Clinton administration, when a series of bombings prompted a long-term effort to replace buildings throughout the world. But the Government Accountability Office found staff shortages have slowed the effort, as well as poor collaboration with contractors. (Government Accountability Office)
  • OPM and the Equal Employment Opportunity Commission want to remind agencies of the resources they have to help employees self-identify disabilities and other conditions. Updates to the Rehabilitation Act require agencies to target a 12 percent participation rate for employees with disabilities. OPM acting Director Margaret Weichert and EEOC Commissioner Victoria Lipnic said agencies have several resources to help them meet those goals. (Chief Human Capital Officers Council)