Additions to section 7
Pg. 30 7.1.1 "NOTE: The 90-day implementation period may overlap with the 90-day fieldwork period if testing on the implemented system is performed after the 90-day implementation period has been achieved.": It may be helpful to elaborate on this or give an example of how this could be accomplished.
Pg. 31 7.2 Required Scope Components: HITRUST also uses the term "elements" when discussing scope (e.g. in the CCSFP training deck, pg. 69). Using the term "component" for both scope and evaluative elements could be confusing.
Pg. 32 7.2.4: Add an example.
Pg. 33 7.2.13 "without using a bastion host, jump server, or virtual desktop (VDI)": These terms should be defined, including the minimum requirements of each.
Pg. 33 7.2.14 "Portable Media": One question that comes up is whether the embedded hard drives in laptops are considered portable media, since laptops are portable. It would be helpful to speak to that here.
Pg. 33 7.2.19 "Other Supporting Tools": This is another area where there can be inconsistency in how these types of tools are treated. For example, if a client is using JIRA (a SaaS-based solution), does that mean that the entire JIRA platform is in scope and treated like a primary system, or do you just address the relevant requirements that support the primary system? Clarity surrounding this would be helpful.