Internal Inheritance
12.2.1: Internal Inheritance, “Only full cross-version control inheritance is supported when using internal inheritance.” Comment: Why not allow partial internal inheritance? (Example: For a large entity with many business units, the scope of the assessment may be broken up into Year 1 and Year 2 looking at different sets of applications; however, they still leverage the same SFTP/site server. We should be able to test once in Year 1 and then partially inherit in Year 2. Control example: Transmission encryption. The separate part is the in-scope applications; the same part is the SFTP site.)
1 vote -
Homogeneous applications for one population
11.4 - For homogeneous applications that are NOT in scope for HITRUST but fall in the population (e.g., a change ticketing system, where an application change that is not in scope for HITRUST is selected due to random sampling), is this allowed as a sample, since the process is the same for all applications that are in scope for HITRUST?
1 vote -
11.4.10
11.4.11 contradicts 11.4.10 - maybe add a note 'with exception to 11.4.10'?
1 vote -
RE-Validated Populations
11.4.10 - Can you elaborate on ‘re-validated’ for accuracy of populations? Does the assessor have to re-request the population? Or can we inquire or corroborate with the client that no major changes have occurred with the population?
1 vote -
Building a Test Plan
11.2.6 - ‘Building a test plan’. Building a test plan may involve discussion with a client to understand the scope of that process. Can inquiry with the client be allowed when building a test plan?
1 vote -
Test Workbook
11.2.1 - Can you define test workbook or add it to the glossary? For example, is it interchangeable with a test plan?
1 vote -
Third-Parties
7.3.1 - “For i1 and e1 assessments, third-parties relevant to the in-scope environment may be excluded from testing (i.e., carved-out). In order to exclude the third-party:” - why is exclusion allowed and documentation of N/A allowed as there is still third-party risk? Why not utilize inheritance or a SOC 2 report, or other compensating controls or testing?
1 vote -
Spelling Error
A12 inheritance FAQs and examples - “Is it possible to inherit from a Risk-based, 2-year (r2) type of HITRUST Assessment into an Implemented, 1-year (i1) or Essentials, 1-year (e1) HITRUST Assessment (and vice versa)?” spelling error - However, when inheriting from an “inheritable” i1 ore1 into an “inheriting” r2, only...
1 vote -
Laptop Scoping
7.2.11 - Could you include an example of a situation when laptops would not be scoped in?
1 vote -
Telework vs Employee home
7.2.7 “Additional facility(s) not hosting the in-scope platform(s) / system(s) may also be included as a primary scope component. However, the in-scope facility(s) of an assessment may not include physical locations not controlled by the organization and/or not managed by a service provider of the Assessed Entity (e.g. employee homes, “WeWork” offices).” Does this statement, excluding employee homes, contradict certain controls that are required to be tested regarding teleworking activities, such as control 0407.01y2Organizational.1 that falls under the Mobile domain?
1 vote -
Bastion Host
7.2.6 - “Facility(s) hosting any component of technology stack for the in-scope platform(s) / system(s) must be included as a primary scope component.” Bastion hosts and jump servers are used in the sections below to clarify scope. Could they also be used under this section 7.2.6 to help with scoping facilities? For example, this excludes facilities that utilize bastion host/jump servers...
1 vote -
Glossary of Terms
Appendix A (adding under last section since Appendix isn't available as category) – Will the HITRUST glossary of terms and acronyms be contained within the Appendix? For example: is 90-day ‘fieldwork period’, 90-day implementation period defined?
1 vote -
Introduction Clarification of Assessor
Introduction – within the first paragraph, it states, “This assessment handbook is intended to provide guidance and expectations to Assessed Entities and HITRUST Assessors on the HITRUST assessment and certification processes...” when referencing HITRUST assessors, clarify if this also includes Authorized Readiness HITRUST Assessors.
1 vote -
6.1.12 - "R2 Assessments Only?"
"The Assessed Entity must select whether they will be including all CSF security controls within the assessment or only those required for certification, along with whether Privacy controls should be included in the Assessment." – Does this need to read “for r2 assessments only”?
1 vote -
Are we still offering "Customized Assessments?"
If not, we need to remove it from the Academy class.
1 vote -
Are we screening for background requirements before individuals sign up for CCSFP class?
3.2 - "Certified CSF Practitioner (CCSFP) is a designation reserved for individuals who have completed the CCSFP training course, passed the certification exam, and have met the required background and experience requirements necessary to effectively use the HITRUST CSF. Such individuals typically work for a HITRUST External Assessor organization, a HITRUST Assessed Entity, or a HITRUST licensed firm/practice that provides HITRUST consulting services." Do we screen for "required background and experience requirements" before allowing people to sign up for the CCSFP class? If so, what background requirements are we screening for?
1 vote -
11.2.8 - Adding more context on the 90-day incubation period
More context and/or examples for assessed entities to clearly understand what is meant by "newly implemented or remediated controls". This includes a control that was not in place, a deficiency being addressed, a significant change such as a migration, etc.
1 vote -
Inheritance section 12.2.5 lists the Targeted Assessment as a qualified inheriting assessment type.
The Targeted assessment type should not be listed in section 12.2.5 because it can't produce a validated assessment.
1 vote -