
HITRUST Assessment Handbook - Exposure Draft

The Assessment Handbook defines the requirements for organizations assessing their information protection programs against the HITRUST CSF through a readiness or validated assessment. The Assessment Handbook is intended to provide the HITRUST community with guidance on, and expectations of, the assessment process.

HITRUST has published an exposure draft of the Assessment Handbook and invites all stakeholders to review and submit feedback by July 7, 2023.

The Assessment Handbook is not yet final and will not be enforced during the exposure draft review period. HITRUST will continue to enforce the existing guidance published within the HITRUST website (www.hitrustalliance.net).


42 results found

  1. 6 votes

  2. 6 votes

  3. 6 votes

  4. 6 votes

  5. Opportunity to better define what is truly considered a "separate organization" within this statement - "The External Assessor used for a validated assessment must be a separate organization from the Assessed Entity." (e.g., alternative language: "separate legal entity").
    For example, if a PE firm holds a stake in an assessor firm and an assessed entity, under the org structure could the assessor perform the assessment given they are a separate and distinct entity, but are owned by the same investment complex?
    (3.3. Independence Requirements, 3.3.1, Page 7)

    6 votes

  6. Creating a download report for the list of inheritance. It will be very helpful during QA testing

    4 votes

    • Pg.30 7.1.1 "NOTE: The 90-day implementation period may overlap with the 90-day fieldwork period if testing on the implemented system is performed after the 90-day implementation period has been achieved.": It may be helpful to elaborate on this or give an example on how this could be accomplished.

    • Pg 31. 7.2 Required Scope Components: HITRUST also uses the term elements when discussing scope (e.g. in CCSFP training deck pg 69). Using the term component for both scope and evaluative elements could be confusing.

    • Pg 32 7.2.4: Add an example

    • Pg 33 7.2.13 "without using a bastion host, jump server,…

    2 votes

  7. 12.2.1: Internal Inheritance, “Only full cross-version control inheritance is supported when using internal inheritance.” Comment: Why not allow partial internal inheritance? (Example: For a large entity with many business units, the scope of the assessment may be broken up into Year 1 and Year 2 looking at different sets of applications; however, they still leverage the same SFTP/site server. We should be able to test once in Year 1 and then partially inherit in Year 2 (control example: transmission encryption. The separate part is the in-scope applications; the same part is the SFTP site).)

    1 vote

  8. 11.4 - for homogeneous applications that are NOT in scope for HITRUST but fall in the population: e.g., change ticketing system and an application change that is not in scope for HITRUST is selected due to random sampling, is this allowed as a sample since the process is the same for all applications (that are in scope for HITRUST)?

    1 vote

  9. 11.4.11 contradicts 11.4.10 - maybe add note 'with exception to 11.4.10'?

    1 vote

  10. 11.4.10 - can you elaborate - ‘re-validated’ for accuracy of populations? Does the assessor have to re-request the pop? Or can we inquire or corroborate with client that no major changes have occurred with the pop?

    1 vote

  11. 11.2.6 - ‘building a test plan’. Building a test plan may involve discussion with a client to understand scope of that process. Can inquiry with client be allowed when building a test plan?

    1 vote

  12. 11.2.1 - Can you define test workbook or add it to the glossary? For example, is it interchangeable with a test plan?

    1 vote

  13. 7.3.1 - “For i1 and e1 assessments, third-parties relevant to the in-scope environment may be excluded from testing (i.e., carved-out). In order to exclude the third-party:” - why is exclusion allowed and documentation of N/A allowed as there is still third-party risk? Why not utilize inheritance or a SOC 2 report, or other compensating controls or testing?

    1 vote

  14. A12 inheritance FAQs and examples - “Is it possible to inherit from a Risk-based, 2-year (r2) type of HITRUST Assessment into an Implemented, 1-year (i1) or Essentials, 1-year (e1) HITRUST Assessment (and vice versa)?” spelling error - However, when inheriting from an “inheritable” i1 ore1 into an “inheriting” r2, only...

    1 vote

  15. 7.2.11 - Could you include example of situation when laptops would not be scoped in?

    1 vote

  16. 7.2.7 “Additional facility(s) not hosting the in-scope platform(s) / system(s) may also be included as a primary scope component. However, the in-scope facility(s) of an assessment may not include physical locations not controlled by the organization and/or not managed by a service provider of the Assessed Entity (e.g. employee homes, “WeWork” offices).” does this statement, excluding employee homes, contradict certain controls that are required to be tested regarding teleworking activities such as control 0407.01y2Organizational.1 that falls under Mobile Domain?

    1 vote

  17. 7.2.6 - “Facility(s) hosting any component of technology stack for the in-scope platform(s) / system(s) must be included as a primary scope component.” Bastion hosts and jump servers are used in below sections to clarify scope. Could they also be used under this section 7.2.6 to help scoping facilities? For example, this excludes facilities that utilize bastion host/jump servers...

    1 vote

  18. Appendix A (adding under last section since Appendix isn't available as category) – Will the HITRUST glossary of terms and acronyms be contained within the Appendix? For example: is 90-day ‘fieldwork period’, 90-day implementation period defined?

    1 vote

  19. Introduction – within the first paragraph, it states, “This assessment handbook is intended to provide guidance and expectations to Assessed Entities and HITRUST Assessors on the HITRUST assessment and certification processes...” when referencing HITRUST assessors, clarify if this also includes Authorized Readiness HITRUST Assessors.

    1 vote