315 results found
-
Rep Letter Upload Requirement
Remove edit check that requires client to upload a rep letter in order to submit a domain to the assessor. This is too early in the process to provide a rep letter - currently, clients must upload a fake / placeholder document as a workaround.
4 votes -
7 votes
-
Documents Repository and Linkage
One of the most time consuming tasks in performing assessments is the linkage of documentation. I think it would be helpful if our documentation repository creates a slot for each document. The slot is then mapped in a one to many relationship model to control requirements. The documents are then uploaded to the virtual slot. The big advantage is that documents in the slots can be automatically mapped to any assessment object and if the most recently reviewed version of a policy is uploaded to the slot to replace the old version, the new one automatically mapped as well. This…
6 votes -
Validated Targeted Assessment (PCI, AODG, CMMC, etc)
Scoped to any authoritative source or combination or multiple sources
Would require updates to the Assurance process and program
Can be based on any tailored combination controls1 vote -
assessor agree
for N/A requirements, change to a single "agree with N/A"
8 votes -
Authoritative sources should be hyperlinks back to the authoritative source text where possible
When possible, authoritative sources should always appear as hyperlinks to the source itself. For example, anytime we show "NIST 800-53 R4 Control A-20" as a source, it should be presented at a link to https://nvd.nist.gov/800-53/Rev4/control/AC-20. These links should appear when authoritative sources are presented in the "References" section in the tool as well as within the sources presented in the "More Info > Authoritative Sources" window specific to the individual requirement statements.
10 votes -
Average Domain by Maturity Rating Report
Enhance the Average Domain by Maturity Rating Report to also report on the Assessor's suggested maturity scores. The current Average Domain by Maturity Rating Report only reports the maturity scores entered by the subscriber. During an assessment project, there is not a method for the customer to generate a report that reflects the proposed maturity scores from the assessor. In order to prioritize their efforts, subscribers often need to understand whether a domain has obtained a passing score or not. Currently, they need to accept all the scores from the assessors or create a manual report outside of the MyCSF…
3 votes -
inheritance
Integrate the Shared Responsibility Matrix (SRM) into the inheritance selection process. Currently, it is feasible for a subscriber to select inheritance for a requirement that is categorized as not inheritable in the SRM. Recently, a customer submitted inheritance, which was ultimately rejected. Upon further research, HITRUST support indicated that the requirement was not inheritable, as described in the SRM. A subscriber should not be able to select inheritance for those requirements defined as not inheritable.
7 votes -
Comment fields for each control maturity level
When populating an assessment, MyCSF should offer comment fields for each control maturity level instead of just having one big comment field for the whole requirement. See attached pic.
3 votes -
Display scoring weights in use on the assessment page
MyCSF should display the scoring weights that are in use for the assessment object on the assessment page to avoid confusion around which weights are being utilized.
7 votes -
Add reporting of user activity
Add reporting of user activity. Specifically provide reporting of returned requirements (user activity reporting) for an assessment. Providing the ability to specific a date range and see the user specific activities on each requirement (history).
3 votes -
Add 'Maturity Domains Deficient' column to CAP Report for subscribers and assessors
The CAP Report that Subscribers and Assessors can download should include a column to indicate which maturity domains (policy, process, or implemented) are deficient. This will help subscribers and assessors review CAPs to ensure that the corrective actions are addressing all deficient levels.
3 votes -
Option to NOT include attachments from previous certification in the next assessment object
When creating a new assessment object AFTER already having been certified (i.e., in a re-certification scenario), MyCSF should have an option to include or NOT include the documentation linkages present in the previous assessment object.
26 votes -
Real-Time CAP Report
Create a Report that can identify any mandatory Corrective Actions using the existing scores of the Statements in an Assessment
3 votes -
Field for HITRUST to explain why a submission was reverted
When HITRUST reverts an submitted assessment back to either an assessor or to the subscriber, MyCSF should have a field available for HITRUST to state why the assessment was reverted. This field should be required, and this field's contents should be made visible to the subscriber and assessor.
3 votes -
Offline Assessment for Interims & Bridges
MyCSF should allow a user to download and use the Offline Assessment for Interim and Bridge Assessment
5 votes -
Add a submission check for failing scores (requires override)
There are a variety of quality checks imposed, some that require overrides from the assessor team to continue with submission. One of those should be 'scores are already too low to certify'.
Please add a little flag or warning note at the time of submission to simply say, "You're submitting an assessment for certification, but the scores are too low to certify. Proceed Y/N?"
Our particular case was due to errors in the inheritance process, but it could happen in other scenarios. Best to alert the assessor and confirm that they are not seeking certification.
7 votes -
Introduce the notion of CHQP (Assessor firm internal QA) start and end times
There are times when the addition of assessor team quality review pushes past the 90-day window. We get backlogged the same way you do. We always adhere to the 90-day window for accepting and reviewing evidence, and we can demonstrate that reasonably. But it would be helpful if there was some flexibility around the submission date. If we plug in the real dates of assessment, and then submit 91 days after we started testing, the system errors due to >90.
Introducing the notion of the defined assessment window of 90 days, and the CHQP review period (stated dates) might help…
3 votes -
Allow offline work and upload to MyCSF for CAPs
Allow offline work and upload to MyCSF for CAPs
16 votes -
Unlock Doc Repository when any Task are created during QA
Unlock Doc Repository when any Task are created during QA
2 votes
- Don't see your idea?