35 results found
-
Add "Implemented: Sampling" flag to controls in MyCSF where they are missing
Upon review of sample testing required for a v9.5 assessment, I noticed that quite a few controls have illustrative procedures that state "select a sample of . . .", however when you look in MyCSF the control requirement, they don't have the "Implemented: Sampling" flag. Is there a plan to ensure the flag is evident for all control requirements in MyCSF that require sample testing per IP?
2 votes -
Allow submission of assessments prior to renewal date without changing annual renewal date
Currently, if we want to maintain our annual reassessment date, we need to submit our assessment on that specific date (i.e., we cannot submit an assessment earlier if it is ready). We should be able to submit at any point and mark the date of the submission, or simply keep the annual assessment date unless a different date is requested.
8 votes -
Post Submission QA Tasks
It would be helpful to partially unlock the specific items/areas that QA has assigned tasks to post submission. Currently, we have to request help from the support team and it prolongs the process of QA unnecessarily.
1 vote -
5 votes
-
Electronic Signature for Auditors
For timesheets and QA Sheets - it would be best to have this done electronically. Especially since we are remote - it's easier to have Executive and QA use the same document and electronically sign/initial.
4 votes -
assessor agree
for N/A requirements, change to a single "agree with N/A"
8 votes -
Rep Letter Upload Requirement
Remove edit check that requires client to upload a rep letter in order to submit a domain to the assessor. This is too early in the process to provide a rep letter - currently, clients must upload a fake / placeholder document as a workaround.
4 votes -
Sort requirements by Unique ID
It would be great if there was an option to sort/filter requirements based on the Unique ID, not just the level or control.
31 votes -
Review sign off
Add a checkbox or field for external reviewers to sign off on requirement statement after they have reviewed them.
1 vote -
All fields that appear in the final report should be indicated as such with an icon on the page
Within an Assessment, the tool should clearly indicate/label inputs that are included in the HITRUST issued Report.
15 votes -
Introduce the notion of CHQP (Assessor firm internal QA) start and end times
There are times when the addition of assessor team quality review pushes past the 90-day window. We get backlogged the same way you do. We always adhere to the 90-day window for accepting and reviewing evidence, and we can demonstrate that reasonably. But it would be helpful if there was some flexibility around the submission date. If we plug in the real dates of assessment, and then submit 91 days after we started testing, the system errors due to >90.
Introducing the notion of the defined assessment window of 90 days, and the CHQP review period (stated dates) might help…
3 votes -
Submit Individual Questions that are reverted to External Assessor
Capability that allows a user to submit a reverted Question to their External Assessor without waiting for the Domain and/or Assessment to be completed.
10 votes -
Flag for zero-occurrence / 0-pop requirements
HITRUST's guidance allows zero-population requirements to be scored at fully compliant on the implemented level IF a well-defined policy and procedure exists for the assessed entity to observe should the related activity occur. However, MyCSF doesn't currently do a good job of allowing assessed entities and assessors to efficiently communicate this scenario. Because MyCSF requires that evidence be linked to a scored implemented PRISMA level, assessors are often forced to tag the policy or procedure documents to the implemented PRISMA level in this scenario. To remedy, MyCSF should offer a flag (e.g., a checkbox) which can be used to communicate…
9 votes -
[BL] Control Reference labeled on Statements
Can we add an enhancement to add the control reference to the requirement statements layout. Like the below. People have a hard time of telling what the requirements are related to without the name. Example is the constant confusion on 09.x and 09.y controls. They are all e-commerce and online transaction but some of them do not have either of those terms within the statement so people think it is just a standalone control.
09.x Electronic Commerce Services
!1579275197061-0.png!11 votes -
Date of Submission should be when HT approves Assessment
Date of Submission should be when HT approves Assessment
9 votes -
Draft report automatic removal
MyCSF will automatically delete the draft report files 7 days after the final reports are posted.
5 votes -
Provide assessors the ability to revert entire domains back to clients
Provide assessors the ability to revert entire domains back to clients- even if the feature was only available when the status of the domain is "assessor review pending". This would avoid needing to request HITRUST to revert domains if clients accidentally hit submit too early.
8 votes -
[BL] Edit/Delete Diary Entries
Feature allowing a user to edit or remove a diary entry
9 votes -
Custom Tagging for Requirement Statements
The ability for customers to create their own tags on the Requirement Statements and sort/filter based upon their custom tags.
8 votes -
Add Multi-Select of Requirements for Delegating Responsibilities
There needs to be a half-way point between the requirement statement and domain level for delegating responsibilities. It would be nice to have the ability to select multiple requirement statements within a domain and then delegate those statements rather than completing each one individually.
2 votes
- Don't see your idea?