Jason Edwards

Framework: HITRUST

The HITRUST Audio Course is a complete, audio-first guide to mastering the HITRUST i1 and r2 frameworks—two of the most widely recognized models for integrated risk and compliance management. Designed for both newcomers and seasoned professionals, this course translates complex assurance requirements into clear, plain-language lessons you can absorb on the go. Each episode walks through the structure and intent of the HITRUST frameworks, explaining how controls, maturity levels, and evidence requirements come together to create a unified, auditable security program. Listeners gain practical in...

Author

Jason Edwards

Category

Education

Podcast website

baremetalcyber.com

Latest episode

Oct 18, 2025

Where to listen?

Podcasts in the app Replaio Radio Coming soon

Podcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts

Get it on Google Play Install for free Android 5M+ downloads · 4.8 rating iOS soon

Episodes

Episode 76 — Privacy Controls Interplay at r2 17.10.2025

Privacy controls under r2 reinforce the principle that data protection extends beyond security—it encompasses lawful processing, consent, and transparency. Candidates must understand that HITRUST integrates privacy and security controls to ensure alignment between technical safeguards and regulatory expectations such as HIPAA, GDPR, and CCPA. The r2 level requires organizations to prove that priva...

Episode 75 — Incident Management Metrics and Root Cause Analysis 17.10.2025

Incident management under r2 requires a measurable, evidence-backed approach to identifying and resolving security events. Candidates must understand that HITRUST expects organizations to not only track incidents but analyze trends and underlying causes. Root Cause Analysis (RCA) ensures lessons learned translate into systemic improvements. Evidence includes incident logs, RCA documentation, and C...

Episode 74 — Business Continuity and Disaster Recovery at r2 17.10.2025

At the r2 level, Business Continuity and Disaster Recovery (BC/DR) processes evolve into fully managed programs that demonstrate organizational resilience. Candidates must understand that HITRUST requires formal governance, defined recovery objectives, and evidence of routine testing across business units and technology tiers. Plans must cover scenarios such as data center outages, ransomware atta...

Episode 73 — Network Segmentation and Zero Trust Patterns 17.10.2025

Network segmentation and Zero Trust principles form the architectural backbone of modern assurance under r2. Candidates must understand that segmentation limits the spread of compromise by dividing networks based on sensitivity and function, while Zero Trust eliminates implicit trust between zones. HITRUST assessors expect documented network diagrams, firewall configurations, and access control po...

Episode 72 — DevSecOps Pipelines as Evidence at r2 17.10.2025

DevSecOps represents the convergence of development, security, and operations—a hallmark of modern compliance at the r2 level. Candidates must understand that HITRUST accepts automated DevSecOps pipelines as valid evidence when they demonstrate integrated security testing, code review, and deployment control. Automation within CI/CD processes allows organizations to prove repeatable, consistent ap...

Episode 71 — Threat Modeling and Secure Design Concepts 17.10.2025

Threat modeling at the r2 level ensures that security is built into systems proactively, not retrofitted after deployment. Candidates must understand that HITRUST expects organizations to identify, evaluate, and mitigate potential threats during system design and architecture stages. Effective threat modeling frameworks—such as STRIDE or MITRE ATT&CK—help identify attack vectors, assess likeli...

Episode 70 — Logging and SIEM Architecture that Passes 17.10.2025

At the r2 level, HITRUST expects organizations to maintain centralized, resilient logging and Security Information and Event Management (SIEM) architectures. Candidates must understand that this control focuses on both technology and process—ensuring logs are collected from critical assets, normalized, correlated, and analyzed in near real time. Evidence includes system diagrams, retention policie...

Episode 69 — Data Lifecycle with PHI at r2 17.10.2025

Managing the data lifecycle for Protected Health Information (PHI) under r2 requires comprehensive oversight from creation to secure disposal. Candidates must understand that HITRUST evaluates how organizations classify, retain, archive, and destroy sensitive data according to regulatory and business needs. This includes defining retention schedules, controlling replication across systems, and ver...

Episode 68 — Cryptography Program Governance at r2 17.10.2025

At the r2 level, cryptography expands from technical implementation to strategic program governance. Candidates must understand that HITRUST requires organizations to document cryptographic responsibilities, key management lifecycle, and compliance with recognized standards such as FIPS 140-3. Governance involves formal key rotation schedules, encryption algorithm reviews, and periodic risk assess...

Episode 67 — Vendor Risk Management at r2 17.10.2025

Vendor risk management under r2 moves from procedural oversight to measurable, lifecycle-based assurance. Candidates must understand that HITRUST requires organizations to continuously assess and monitor vendors based on criticality and data access. This includes maintaining risk registers, collecting third-party assurance reports, and validating that vendor controls align with the organization’s...

Episode 66 — Configuration Management at r2 17.10.2025

Configuration management under r2 ensures that systems remain secure, consistent, and aligned with approved baselines throughout their lifecycle. Candidates must understand that HITRUST expects detailed configuration standards for all system components, enforced through automated tools and verified by continuous monitoring. These baselines must address operating systems, applications, and network...

Episode 65 — Vulnerability Management at r2 17.10.2025

Vulnerability management under r2 demands mature, measurable processes that proactively identify, assess, and remediate weaknesses across systems and applications. Candidates must understand that HITRUST expects integration between scanning tools, patch management, and risk analysis frameworks. The objective is to maintain continuous visibility into vulnerabilities and demonstrate prioritization b...

Episode 64 — Evidence Sufficiency by Control Type 17.10.2025

Evidence sufficiency defines whether documentation, observation, or testing adequately supports the control’s maturity rating. Candidates must understand that at r2, assessors apply differentiated testing approaches depending on control type—technical, administrative, or procedural. HITRUST’s QA requires that evidence explicitly demonstrates control execution over time, aligning with PRISMA criter...

Episode 63 — Sampling Design for r2 17.10.2025

Sampling under r2 involves structured statistical or judgment-based methods to validate control operation across representative populations. Candidates must understand that HITRUST expects sampling to be risk-based, with rationale documented for how items are selected and how results generalize to the full environment. The process ensures testing efficiency without sacrificing assurance quality. A...

Episode 62 — Inheritance and Shared Responsibility at r2 17.10.2025

Inheritance and shared responsibility take on greater complexity under r2, especially for organizations leveraging multiple cloud or managed service providers. Candidates must understand that HITRUST allows inheritance when a third party provides a validated control aligned with the same assurance level. However, the inheriting organization remains accountable for verifying applicability, reviewin...

Episode 61 — PRISMA Scoring Strategy at r2 17.10.2025

PRISMA scoring at the r2 level requires organizations to demonstrate control maturity across all five dimensions—Policy, Procedure, Implemented, Measured, and Managed. Candidates must understand that each level builds cumulative assurance, with the Managed stage reflecting continuous monitoring and improvement. HITRUST assessors evaluate not only evidence of operation but also metrics that prove c...

Episode 60 — Control Selection Logic at r2 17.10.2025

Control selection logic under r2 determines how HITRUST chooses which requirements apply to an organization’s specific environment. Candidates must understand that this logic integrates organizational and system factors with authoritative sources such as NIST, ISO, HIPAA, and PCI DSS. The result is a customized control set that ensures comprehensive coverage without redundancy. HITRUST’s algorithm...

Episode 59 — Organizational and System Factors 17.10.2025

Organizational and system factors are key inputs that define how HITRUST customizes assessments under the r2 framework. Candidates must understand that these factors include the organization’s industry, size, regulatory exposure, data types, and technology stack. HITRUST uses them to automatically determine control applicability and depth of testing. System factors describe the technical scope—suc...

Episode 58 — Tailoring and Scoping for r2 17.10.2025

Tailoring and scoping define the foundation of an r2 assessment, determining which controls apply based on system, organization, and regulatory context. Candidates must understand that HITRUST uses predefined factors—such as organizational type, data volume, and geographic footprint—to automatically tailor control applicability. However, assessors and organizations refine this further by reviewing...

Episode 57 — HITRUST QA Expectations and Rework Loops 17.10.2025

Quality Assurance (QA) is the final gate before HITRUST issues certification, and understanding its requirements is critical for r2 success. Candidates must know that QA reviewers independently verify the completeness, accuracy, and traceability of submitted evidence. The QA process checks for consistent scoring, proper application of PRISMA levels, and adequate sampling justification. If deficien...

Episode 56 — Why r2 and What It Requires 17.10.2025

The r2 assessment is the highest level of assurance within the HITRUST framework, designed for organizations seeking comprehensive validation of security and compliance maturity. Candidates must understand that r2 builds on the principles of e1 and i1 but extends testing depth, evidence rigor, and control coverage. It evaluates the full PRISMA maturity model—from Policy through Managed—and include...

Episode 55 — i1 Recap & Quick Reference 17.10.2025

The i1 program represents a significant step up in operational assurance from e1, validating that security controls are actively implemented, monitored, and improved. This recap highlights key i1 principles: PRISMA maturity at the Implemented level, evidence-based testing, and assessor validation. Candidates should see how i1 acts as a bridge between foundational compliance and comprehensive risk...

Episode 54 — CAPs and Maintaining Momentum for i1 17.10.2025

Corrective Action Plans (CAPs) are formal mechanisms for addressing deficiencies identified during an i1 assessment. Candidates must understand that HITRUST requires CAPs to be structured, time-bound, and traceable to specific controls. Each plan must outline the issue, remediation steps, responsible parties, and target completion dates. CAPs ensure continuous improvement and accountability, preve...

Episode 53 — Packaging and Submitting an i1 Assessment 17.10.2025

Packaging and submission represent the final stages of the i1 journey, where all documentation, evidence, and assessor testing results are consolidated for HITRUST QA review. Candidates should understand that successful packaging requires consistency, accuracy, and completeness. Each control must contain its narratives, cross-references, and supporting evidence in MyCSF with proper labeling and ve...

Episode 52 — Writing Narratives and Cross-References for i1 17.10.2025

Writing clear narratives and cross-references is a crucial part of demonstrating control effectiveness within MyCSF. Candidates must understand that narratives explain how a control functions, while cross-references connect policies, procedures, and proofs. HITRUST requires these elements to be concise, factual, and aligned with PRISMA maturity definitions. A well-written narrative allows assessor...

Listen to the Framework: HITRUST podcast in Replaio

Radio and podcasts in one app - free, with no sign-up. Install today and do not miss the launch

Get it on Google Play

Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.