306 results found
-
15 votes
-
Assigning External Assessor access
Now that Engagement Executive is being formally defined in the object, can we give that user the ability to grant assessor access to those defined in the assessor list? Today, we must reach out to the client each time to get additional access.
15 votes -
Evaluative Elements Report
Create a report that shows a list of the Evaluative Elements for each requirement statement similar to the Illustrative Procedures report - this will help both assessors and assessed entities with ensuring that they are meeting the EEs when working in offline testing workbooks without clicking into each requirement statement within MyCSF.
14 votes -
Removing the lower level nested Requirement Statements from an assessment
When you have a level 3 Requirement statement, can the level 1 and level 2 requirement statement for that same control be removed from the assessment? This would remove redundancy, by not having to ask the business for evidence at each level because it would be inclusive in the level 3. This would also lower the number of overall baselines while still covering the control.
13 votes -
More Specific CAP Permissions (Create, Read, Update, Delete)
Currently, the "Can Manage CAPs?" checkbox allows a user to both Add and Delete CAPs. Allow for an Admin to specify if the user should be able to Create, Read, Update, and/or Delete CAPs.
13 votes -
SSO through OIDC or SAML
SSO through OIDC or SAML. For a framework that places a heavy emphasis on role-based access controls and centralized identity management it seems only fitting that HITRUST implemented either OIDC or SAML.
12 votes -
[BL] Assessor Warning when assigned subscriber role
When a user belonging to an Assessment's Assessor is assigned a subscriber role, a warning message should be thrown to the user setting the permission that this user will not be allowed to do any validation work if this role is assigned.
12 votes -
open support incident via standalone button
Add a button/option to the top menu bar (or in the "need help" pop-out to start a support incident. Currently customers need to either chat, email, or call in a support incident and there is no way to directly start a support incident.
11 votes -
Help popup window color is not enough to read
Dear Team,
Background is in grey and letters in RED color, Really not able to read it, request you to change letters into white color or some visible color combination on all the HELP pop windows.
Thanks
11 votes -
Option to disable test environment notifications.
Allow notifications from test environments to be turned off.
11 votes -
[BL] Control Reference labeled on Statements
Can we add an enhancement to add the control reference to the requirement statements layout. Like the below. People have a hard time of telling what the requirements are related to without the name. Example is the constant confusion on 09.x and 09.y controls. They are all e-commerce and online transaction but some of them do not have either of those terms within the statement so people think it is just a standalone control.
09.x Electronic Commerce Services
!1579275197061-0.png!11 votes -
Move Illustrative Procedures Link to Main Control Page for Easier Access
Move the linked illustrative procedures button/link to the main expanded view of the individual control, as oppose to having to click "More Info".
10 votes -
Authoritative sources should be hyperlinks back to the authoritative source text where possible
When possible, authoritative sources should always appear as hyperlinks to the source itself. For example, anytime we show "NIST 800-53 R4 Control A-20" as a source, it should be presented at a link to https://nvd.nist.gov/800-53/Rev4/control/AC-20. These links should appear when authoritative sources are presented in the "References" section in the tool as well as within the sources presented in the "More Info > Authoritative Sources" window specific to the individual requirement statements.
10 votes -
Requesting Inheritance for a Control - Make it easier submit the request.
After deciding that a control was inheritable, we saw the link in the bottom left menu, but when the page displayed there was no active buttons and nothing to indicate that the request had not been submitted to the cloud service provider.
After our inheritance requests sat in pending status for 3 days, we checked with HITRUST support to discover that we must select the Created link at the top, first, and then select the Submit to Vendor button that appears only after the create step in order to properly send the request.
There is an opportunity to eliminate some…
10 votes -
Submit Individual Questions that are reverted to External Assessor
Capability that allows a user to submit a reverted Question to their External Assessor without waiting for the Domain and/or Assessment to be completed.
10 votes -
Flag for zero-occurrence / 0-pop requirements
HITRUST's guidance allows zero-population requirements to be scored at fully compliant on the implemented level IF a well-defined policy and procedure exists for the assessed entity to observe should the related activity occur. However, MyCSF doesn't currently do a good job of allowing assessed entities and assessors to efficiently communicate this scenario. Because MyCSF requires that evidence be linked to a scored implemented PRISMA level, assessors are often forced to tag the policy or procedure documents to the implemented PRISMA level in this scenario. To remedy, MyCSF should offer a flag (e.g., a checkbox) which can be used to communicate…
10 votes -
GAP Report
When generating a GAP report those controls that are associated with a CAP should be identified in the report as CAP required not just as a GAP.
9 votes -
Allow submission of assessments prior to renewal date without changing annual renewal date
Currently, if we want to maintain our annual reassessment date, we need to submit our assessment on that specific date (i.e., we cannot submit an assessment earlier if it is ready). We should be able to submit at any point and mark the date of the submission, or simply keep the annual assessment date unless a different date is requested.
9 votes -
Automated Sample Test Plan
The process by which we as assessors take to determine what controls need sample testing is time-consuming and tedious. Since all the information is in MyCSF - why not make it much easier for us and develop the test plan automatically based on scope and factors? At least give us a list of which controls need testing and we can place that in the excel spreadsheet format.
9 votes -
Show QA queue status or wait time
Similar to waiting for DMV or to see a doctor, continually show assessment status. For example, state there are 30 assessments ahead of our submission, and update as our submission moves up the queue. Or show submitted assessment has an estimated 8 weeks to be viewed by QA assessor and adjust as the assessment gets closer to being viewed. It would be helpful to know this.
9 votes
- Don't see your idea?