In today’s digital world, consumers and businesses alike are constantly creating and utilizing a myriad of personal data — from fitness trackers and telehealth to online finance and education. To protect this data, governments across the globe are instituting regulatory requirements that, while critical to protecting data privacy, can create costly and time-consuming challenges as businesses scramble to keep up with the latest digital trends.
That’s why we’re pleased to announce that Salesforce is now part of the HITRUST Shared Responsibility and Inheritance program.
Shared Responsibility
We follow the Shared Responsibility Model and believe security is a shared responsibility between Salesforce and its customers.
HITRUST and the Shared Responsibility of protecting customer data
At Salesforce, building and maintaining trusted relationships with our customers and everyone in the Salesforce ecosystem is important. We earn that trust through transparency, security, privacy, and compliance. We’re committed to supporting our customers on their own compliance journeys.
The HITRUST organization created the HITRUST Common Security Framework (CSF) as a way to consolidate multiple control and compliance frameworks, such as HIPAA, ISO 27001, SOC 2, and the NIST Cybersecurity Framework, into a single framework. HITRUST assessors review customers’ systems and environments and assess their maturity levels. Originally focused on the healthcare industry, HITRUST CSF has expanded to companies in the life sciences, financial, insurance, technology, and hospitality sectors.
The HITRUST Shared Responsibility and Inheritance Program enables Salesforce customers completing their own HITRUST assessment to rely on shared information protection controls that are available from internal shared IT services and third-party or downstream organizations.
In simpler terms, this program enables customers to take the internal controls that Salesforce uses and pull them into their own audits and assessments, with no need to review the Salesforce audit reports individually. The customer’s assessor can rely on Salesforce’s validation of those controls, on the understanding that Salesforce has met the testing requirements for each control and that Salesforce’s own HITRUST assessor has reviewed it.
Customers can utilize inheritance when they’re building applications on the Salesforce platform or when they’re utilizing Salesforce as part of their business processes. Inheritance will help Salesforce customers reduce the time and cost associated with an external HITRUST assessment. Auditors can use Salesforce’s already validated controls and pull them into their assessment through the MyCSF portal.
How does HITRUST Inheritance work?
- You create the inheritance request in the HITRUST MyCSF tool.
- You submit the request to Salesforce.
- Salesforce will either approve or reject the inheritance request based on the Salesforce HITRUST Shared Responsibility Matrix.
- Finally, you can import all approved inheritance requests to your assessment for your assessors to review.
Without inheritance, customers would need to rely on Salesforce’s publicly available compliance reports, for example by adding SOC 2 Type 2 controls to their audit report. Whether that is accepted depends on the assessor working on the engagement, who might not approve those controls if the assessor hasn’t specifically tested them.
Ultimately, the HITRUST Shared Responsibility and Inheritance Program can provide time, effort, and cost savings, all while helping customers better manage their cyber risk and preserve data privacy. Explore the HITRUST program resources or contact your Salesforce Account Executive for more information.