Homogenous applications for one population
11.4 - For homogenous applications that are NOT in scope for HITRUST but fall in the population: e.g., change ticketing system and application change that is not in scope for HITRUST is selected due to random sampling. Is this allowed as a sample, since the process is the same for all applications (that are in scope for HITRUST)?
1 vote -
11.4.10
11.4.11 contradicts 11.4.10 - maybe add note 'with exception to 11.4.10'?
1 vote -
RE-Validated Populations
11.4.10 - can you elaborate - ‘re-validated’ for accuracy of populations? Does the assessor have to re-request the pop? Or can we inquire or corroborate with client that no major changes have occurred with the pop?
1 vote -
Building a Test Plan
11.2.6 - ‘building a test plan’. Building a test plan may involve discussion with a client to understand scope of that process. Can inquiry with client be allowed when building a test plan?
1 vote -
Test Workbook
11.2.1 - Can you define test workbook or add it to the glossary? For example, is it interchangeable with a test plan?
1 vote -
11.2.8 - Adding more context on the 90 day incubation period
More context and/or examples for assessed entities to clearly understand what is meant by "newly implemented or remediated controls". This includes a control that was not in place, a deficiency being addressed, a significant change such as a migration, etc.
1 vote -
Additions to section 11
- Pg. 44, 11.1.6: This appears to be a permanent change in approach to testing and so might warrant noting that this is different from the onsite testing required pre-COVID.
1 vote -
old evidence
For section 11.3 would it make sense to also mention that old evidence is not accepted, such as an assessed entity giving a screenshot from 9 months ago with timestamp of a configuration. It might have been provided to the assessor during the 90 day window but the evidence provided by the assessed entity is maybe an old screenshot they borrowed from their SOC 2, 9 months ago and as such that is not indicative of the current environment.
1 vote