5 results found
- Propose to refine guidance around what constitutes permissible remediation activities
(3.3. Independence Requirements, 3.3.6, Page 7)
6 votes
- Propose to refine guidance around what constitutes remediation activities for policy and/or procedure consulting assessments
(3.3. Independence Requirements, 3.3.6, Page 7)
6 votes
- Propose to add guidance around the permissibility of providing consulting services to support an AE's HITRUST compliance program
(3.3. Independence Requirements, 3.3.6, Page 7)
6 votes
- Define "separate organization" in Independence Requirements
Opportunity to better define what is truly considered a "separate organization" within this statement - "The External Assessor used for a validated assessment must be a separate organization from the Assessed Entity." (e.g., alternative language: "separate legal entity").
For example, if a PE firm holds a stake in an assessor firm and an assessed entity, under the org structure could the assessor perform the assessment given they are a separate and distinct entity, but are owned by the same investment complex?
(3.3. Independence Requirements, 3.3.1, Page 7)
6 votes
- Are we screening for background requirements before individuals sign up for CCSFP class?
3.2 - Certified CSF Practitioner (CCSFP) is a designation reserved for individuals who have completed the CCSFP training course, passed the certification exam, and have met the required background and experience requirements necessary to effectively use the HITRUST CSF. Such individuals typically work for a HITRUST External Assessor organization, a HITRUST Assessed Entity, or a HITRUST licensed firm/practice that provides HITRUST consulting services. Do we screen for "required background and experience requirements" before allowing people to sign up for CCSFP class? If so, what background requirements are we screening for?
1 vote