The HITRUST CSF is built upon the following model: [0134]

The HITRUST CSF is structured around a hierarchical model:

Control Categories → 14 high-level groupings (e.g., Access Control, Incident Management).

Control Objectives → Define goals under each category.

Control References → Specific implementation requirements aligned to objectives.

This structure ensures traceability from high-level objectives down to actionable control requirements.

Option B describes NIST Cybersecurity Framework (CSF), not HITRUST.

Option A/C include COBIT, which is integrated but not the structural foundation.

Extract Reference (HITRUST CSF Overview, CCSFP Guide [0134]):

The CSF is organized into Control Categories, Control Objectives, and Control References.