
HITRUST Assessment Handbook - Exposure Draft

The Assessment Handbook defines the requirements for organizations assessing their information protection programs against the HITRUST CSF through a readiness or validated assessment. The Assessment Handbook is intended to set out, for the HITRUST community, the guidance and expectations that apply to the assessment process.

HITRUST has published an exposure draft of the Assessment Handbook and invites all stakeholders to review and submit feedback by July 7, 2023.

The Assessment Handbook is not yet final and will not be enforced during the exposure draft review period. HITRUST will continue to enforce the existing guidance published within the HITRUST website (www.hitrustalliance.net).


    • Pg.30 7.1.1 "NOTE: The 90-day implementation period may overlap with the 90-day fieldwork period if testing on the implemented system is performed after the 90-day implementation period has been achieved.": It may be helpful to elaborate on this or give an example on how this could be accomplished.

    • Pg 31. 7.2 Required Scope Components: HITRUST also uses the term "elements" when discussing scope (e.g. in the CCSFP training deck, pg 69). Using the term "component" for both scope components and evaluative elements could be confusing.

    • Pg 32 7.2.4: Add an example

    • Pg 33 7.2.13 "without using a bastion host, jump server,…

    2 votes


  1. 7.3.1 - “For i1 and e1 assessments, third-parties relevant to the in-scope environment may be excluded from testing (i.e., carved-out). In order to exclude the third-party:” - why is exclusion allowed and documentation of N/A allowed as there is still third-party risk? Why not utilize inheritance or a SOC 2 report, or other compensating controls or testing?

    1 vote


  2. 7.2.11 - Could you include example of situation when laptops would not be scoped in?

    1 vote


  3. 7.2.7 “Additional facility(s) not hosting the in-scope platform(s) / system(s) may also be included as a primary scope component. However, the in-scope facility(s) of an assessment may not include physical locations not controlled by the organization and/or not managed by a service provider of the Assessed Entity (e.g. employee homes, “WeWork” offices).” does this statement, excluding employee homes, contradict certain controls that are required to be tested regarding teleworking activities such as control 0407.01y2Organizational.1 that falls under Mobile Domain?

    1 vote


  4. 7.2.6 - “Facility(s) hosting any component of technology stack for the in-scope platform(s) / system(s) must be included as a primary scope component.” Bastion hosts and jump servers are used in the sections below to clarify scope. Could they also be used under this section 7.2.6 to help with scoping facilities? For example, this excludes facilities that utilize bastion hosts/jump servers...

    1 vote


  5. Section 7.1.1 - How would a system be tested without storing or processing data? Provide more context on this scenario.

    1 vote
