42 results found
-
Propose to update guidance and visual related to calculating CAPs and Gaps based on guidance provided within the v11 Webinar hosted in 1/23
(CAPs and Gaps,13.9.2, Page 79)
6 votes -
Propose to refine guidance around what constitutes as permissible remediation activities
(3.3. Independence Requirements, 3.3.6, Page 7)
6 votes -
Propose to refine guidance around what constitutes as remediation activities for policy and/or procedure consulting assessments
(3.3. Independence Requirements, 3.3.6, Page 7)
6 votes -
Propose to add guidance around the permissibility of providing consulting services to support an AE's HITRUST compliance program
(3.3. Independence Requirements, 3.3.6, Page 7)
6 votes -
Define "separate organization" in Independence Requirements
Opportunity to better define what is truly considered a "separate organization" within this statement - "The External Assessor used for a validated assessment must be a separate organization from the Assessed Entity." (e.g., alternative language: "separate legal entity").
Example, if a PE firm holds a stake in an assessor firm and an assessed entity, under the org structure could the assessor perform the assessment given they are a separate and distinct entity, but are owned by the same investment complex?
(3.3. Independence Requirements, 3.3.1, Page 7)6 votes -
Suggestion for MyCSF tool
Creating a download report for the list of inheritance. It will be very helpful during QA testing
4 votes -
Additions to section 7
Pg.30 7.1.1 "NOTE: The 90-day implementation period may overlap with the 90-day fieldwork period if testing on the implemented system is performed after the 90-day implementation period has been achieved.": It may be helpful to elaborate on this or give an example on how this could be accomplished.
Pg 31. 7.2 Required Scope Components: HITRUST also uses the term elements when discussing scope (e.g. in CCSFP training deck pg 69). The term component as using for both scope and evaluative elements could be confusing
Pg 32 7.2.4: Add an example
-Pg 33 7.2.13 "without using a bastion host, jump server,…
2 votes -
Internal Inheritance
12.2.1: Internal Inheritance, “Only full cross-version control inheritance is supported when using internal inheritance.” Comment: Why not allow partial internal inheritance? (Example: For a large entity with many business units, the scope of the assessment may be broken up into Year 1 and Year 2 looking at different sets of applications, however they still leverage the same SFTP/site server. We should be able to test once in Year 1 and then Partially inherit in Year 2 (control example: Transmission encryption. The separate part is in-scope applications, the same part is the SFTP site).
1 vote -
Homogenous applications for one population
11.4 - for homogenous applications that are NOT in scope for HITRUST but fall in the population: e.g., change ticketing system and application change that is not in scope for hitrust is selected due to random sampling, is this allowed as a sample since process is same for all applications (that are in scope for hitrust)?
1 vote -
11.4.10
11.4.11 contradicts 11.4.10 - maybe add note 'with exception to 11.4.10'?
1 vote -
RE-Validated Populations
11.4.10 - can you elaborate - ‘re-validated’ for accuracy of populations? Does the assessor have to re-request the pop? Or can we inquire or corroborate with client that no major changes have occurred with the pop?
1 vote -
Building a Test Plan
11.2.6 - ‘building a test plan’. Building a test plan may involve discussion with a client to understand scope of that process. Can inquiry with client be allowed when building a test plan?
1 vote -
Test Workbook
11.2.1 - Can you define test workbook or add to glossary? For example, is it interchangeably with a test plan.
1 vote -
Third-Parties
7.3.1 - “For i1 and e1 assessments, third-parties relevant to the in-scope environment may be excluded from testing (i.e., carved-out). In order to exclude the third-party:” - why is exclusion allowed and documentation of N/A allowed as there is still third-party risk? Why not utilize inheritance or a SOC 2 report, or other compensating controls or testing?
1 vote -
Spelling Error
A12 inheritance FAQs and examples - “Is it possible to inherit from a Risk-based, 2-year (r2) type of HITRUST Assessment into an Implemented, 1-year (i1) or Essentials, 1-year (e1) HITRUST Assessment (and vice versa)?” spelling error - However, when inheriting from an “inheritable” i1 ore1 into an “inheriting” r2, only...
1 vote -
Laptop Scoping
7.2.11 - Could you include example of situation when laptops would not be scoped in?
1 vote -
Telework vs Employee home
7.2.7 “Additional facility(s) not hosting the in-scope platform(s) / system(s) may also be included as a primary scope component. However, the in-scope facility(s) of an assessment may not include physical locations not controlled by the organization and/or not managed by a service provider of the Assessed Entity (e.g. employee homes, “WeWork” offices).” does this statement, excluding employee homes, contradict certain controls that are required to be tested regarding teleworking activities such as control 0407.01y2Organizational.1 that falls under Mobile Domain?
1 vote -
Bastion Host
7.2.6 - “Facility(s) hosting any component of technology stack for the in-scope platform(s) / system(s) must be included as a primary scope component.” Bastion hosts and jump servers are used in below sections to clarify scope. Could they also be used under this section 7.2.6 to help scoping facilities? For example, this excludes facilities that utilize bastion host/jump servers...
1 vote -
Glossary of Terms
Appendix A (adding under last section since Appendix isn't available as category) – Will the HITRUST glossary of terms and acronyms be contained within the Appendix? For example: is 90-day ‘fieldwork period’, 90-day implementation period defined?
1 vote -
Introduction Clarification of Assessor
Introduction – within the first paragraph, it states, “This assessment handbook is intended to provide guidance and expectations to Assessed Entities and HITRUST Assessors on the HITRUST assessment and certification processes...” when referencing HITRUST assessors, clarify if this also includes Authorized Readiness HITRUST Assessors.
1 vote