42 results found
-
Propose to update guidance and visual related to calculating CAPs and Gaps based on guidance provided within the v11 Webinar hosted in 1/23
(CAPs and Gaps,13.9.2, Page 79)
6 votes -
Propose to refine guidance around what constitutes as permissible remediation activities
(3.3. Independence Requirements, 3.3.6, Page 7)
6 votes -
Propose to refine guidance around what constitutes as remediation activities for policy and/or procedure consulting assessments
(3.3. Independence Requirements, 3.3.6, Page 7)
6 votes -
Propose to add guidance around the permissibility of providing consulting services to support an AE's HITRUST compliance program
(3.3. Independence Requirements, 3.3.6, Page 7)
6 votes -
Define "separate organization" in Independence Requirements
Opportunity to better define what is truly considered a "separate organization" within this statement - "The External Assessor used for a validated assessment must be a separate organization from the Assessed Entity." (e.g., alternative language: "separate legal entity").
Example, if a PE firm holds a stake in an assessor firm and an assessed entity, under the org structure could the assessor perform the assessment given they are a separate and distinct entity, but are owned by the same investment complex?
(3.3. Independence Requirements, 3.3.1, Page 7)6 votes -
Additions to section 15
- Pg. 81, Second paragraph, update formatting for "a62": "...domain to score at least a62 to achieve certification.
-Pg. 83, 15.3.9, update formatting for "e1validated": "...domain to score at least a62 to achieve certification..."
1 vote -
Additions to section 14
- Pg. 69, "A Sample of Measured and Managed Scores": In the past, HITRUST reviewed ALL measured and managed scores. If this is a change consider mentioning more about this
1 vote -
Additions to section 11
- Pg. 44, 11.1.6: This appears to be a permanent change in approach to testing and so might warrant noting that this is different than onsite tested required pre-COVID
1 vote -
Additions to section 10
- Pg 41., Control Maturity Scoring Rubric: It might be helpful to delineate how system components are the same as scope elements for system related requirements.
1 vote -
Additions to section 8
- P. 35, 8.1 Requirement Statement Background, paragraph 3: "Each Requirement Statement in aa r2, i1 or e1 assessment contains" has an extra "a" before r2
1 vote -
Additions to section 7
Pg.30 7.1.1 "NOTE: The 90-day implementation period may overlap with the 90-day fieldwork period if testing on the implemented system is performed after the 90-day implementation period has been achieved.": It may be helpful to elaborate on this or give an example on how this could be accomplished.
Pg 31. 7.2 Required Scope Components: HITRUST also uses the term elements when discussing scope (e.g. in CCSFP training deck pg 69). The term component as using for both scope and evaluative elements could be confusing
Pg 32 7.2.4: Add an example
-Pg 33 7.2.13 "without using a bastion host, jump server,…
2 votes -
Additions to section 6 pt2
Addition to Organization/Company Background section Pg.28: We recommend that clients avoid using we, us, our, etc. If agreed this can be added to 6.1.15 and 6.1.17
Addition to Primary Mailing Address section Pg.29: In reference to the first bullet point "Platforms/Systems: The Platforms/Systems table should contain all platforms/systems contained within the scope of the assessment. " It would be nice to have an appendix added for each of these webforms would be helpful for the clients to get an idea of how much detail to share.
1 vote -
Additions to section 6
- Pre-Assessment, pg.27 - there is an extra word, "of": "The following section outlines the six webforms of that comprise the pre-assessment.."
- Pg.27 6.1.10 - the link is missing: "The Assessed Entity must select the CSF version to be used during the assessment. For additional information on the various versions of the CSF, see <insert link>."
1 vote -
The External Assessor
4.2 Validated Assessments, pg.13: "The External Assessor will validate the CAPs and then submit the assessment to HITRUST" - what does it mean to validate CAPs?
1 vote -
Additions to section 4
- There is an extra "e" 4.1 Readiness Assessments: "For e r2, i1, or e1 assessments, organizations may choose to perform a Readiness Assessment..."
1 vote -
Additions to section 1
Live links don't work on pg. 5 for the additional resources
1 vote -
Snip of check-in task
pg.18 - Add in a snip of a check-in task where when we receive it what that will look like.
1 vote -
Guidelines on subscriber comments
If we could add some guidelines about how to write subscriber comments clients would benefit from this information.
1 vote -
Suggestion for MyCSF tool
Creating a download report for the list of inheritance. It will be very helpful during QA testing
4 votes -
Scoping
Section 7.1.1 - How would a system be tested without storing or processing data? Provide more context on this scenario.
1 vote