Category 3 - Risk Management

Category 3 in the HITRUST Common Security Framework v11 defines the organization's risk-management program, requiring the identification, assessment, treatment and continuous monitoring of information-security risks. It calls for documented policies, regular risk analyses, mitigation plans aligned with business objectives, and oversight by senior leadership to ensure risks are appropriately prioritized and addressed.