Flag for zero-occurrence / 0-pop requirements
HITRUST's guidance allows zero-population requirements to be scored at fully compliant on the implemented level IF a well-defined policy and procedure exists for the assessed entity to observe should the related activity occur. However, MyCSF doesn't currently do a good job of allowing assessed entities and assessors to efficiently communicate this scenario. Because MyCSF requires that evidence be linked to a scored implemented PRISMA level, assessors are often forced to tag the policy or procedure documents to the implemented PRISMA level in this scenario. To remedy, MyCSF should offer a flag (e.g., a checkbox) which can be used to communicate a 0-population requirement. When this flag is checked, MyCSF should only allow an implemented prisma score of 100% to be entered IF both the policy and procedure PRISMA levels are scored greater than NC / 0%.
Bimal Sheth commented
would modify this such that in v10 for any RS where sample based testing is flagged it requires input of the population and sample size. edit check #1 would make sure that the sample size is appropriate based upon the population. edit check #2 would be as you described for the zero populations.