An easy way to determine exact number of CSF elements in the policy illustrative procedure
Assessors and assessed entities could benefit from something communicating the exact number of CSF implementation specifications present in the policy illustrative procedures. This could be through something like a number that precedes the policy illustrative procedure or even consistent use of roman numerals in the policy illustrative procedure. This would help everyone involved in preparing for, performing, and reviewing assessments ensure they are working with a generally understood denominator for scoring calculations.
For example:
Instead of saying "Inspect written policies to determine that they contain X, Y, and Z.", the policy illustrative procedure could display as,
"Inspect written policies to determine that they contain (i) X, (ii) Y, and (iii) Z"
or even
"{3} Inspect written policies to determine that they contain X, Y, and Z."
-
@Zach we're doing exactly that. The "asks" will be pulled out of the IP and into the requirement statement's text, and will be numbered.
-
Zach Shales commented
I'd advocate to take this idea further and dissolve the mandate for assessing at the Illustrative Procedure level. It would make assessor and client lives much easier if we solely assessed at the requirement level and had the number of elements defined within the requirement level. This would also allow for the Illustrative Procedures to truly be illustrative and provide context or additional details on what the intent of the requirement is.
-
Zach Tracy commented
Maybe include a statement somewhere in the illustrative procedure that notes, "There are # policy elements." This will make scoring faster for assessors, and more accurate and repeatable. As of now, we are manually counting based on our judgment in some cases.
-
Keith Marceau commented
I think the numerals beside each element make more sense because it is difficult to pick out what the elements are, especially in Illustrative Procedures like the one below. Putting a number out front still requires us to determine which {3} or which {6} HITRUST considers to be elements.
Examine policies and/or standards related to user roles and responsibilities and determine if the organization has developed, disseminated, and annually reviewed/updated a formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Further, document procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. Validate the existence of a written policy or standard.