6.1.12 - "R2 Assessments Only?"
The Assessed Entity must select whether they will be including all CSF security controls within the assessment or only those required for certification, along with whether Privacy controls should be included in the Assessment. – Does this need to read, “for r2 assessments only.”
1 vote -
Are we still offering "Customized Assessments?"
If not, we need to remove it from the Academy class.
1 vote -
Are we screening for background requirements before individuals sign up for CCSFP class?
3.2 - Certified CSF Practitioner (CCSFP) is a designation reserved for individuals who have completed the CCSFP training course, passed the certification exam, and have met the required background and experience requirements necessary to effectively use the HITRUST CSF. Such individuals typically work for a HITRUST External Assessor organization, a HITRUST Assessed Entity, or a HITRUST licensed firm/practice that provides HITRUST consulting services. Do we screen for "required background and experience requirements" before allowing people to sign up for the CCSFP class? If so, what background requirements are we screening for?
1 vote -
11.2.8 - Adding more context on the 90 day incubation period
More context and/or examples for assessed entities to clearly understand what is meant by "newly implemented or remediated controls". This includes a control that was not in place, a deficiency being addressed, a significant change such as a migration, etc.
1 vote -
Inheritance section 12.2.5 lists the Targeted Assessment as a qualified inheriting assessment type.
The Targeted assessment type should not be listed in section 12.2.5 because it can't produce a validated assessment.
1 vote -
Additions to section 15
- Pg. 81, second paragraph, update formatting for "a62": "...domain to score at least a62 to achieve certification."
- Pg. 83, 15.3.9, update formatting for "e1validated": "...domain to score at least a62 to achieve certification..."
1 vote -
Additions to section 14
- Pg. 69, "A Sample of Measured and Managed Scores": In the past, HITRUST reviewed ALL measured and managed scores. If this is a change, consider mentioning more about this.
1 vote -
Additions to section 11
- Pg. 44, 11.1.6: This appears to be a permanent change in approach to testing and so might warrant noting that this is different from the onsite testing required pre-COVID.
1 vote -
Additions to section 10
- Pg. 41, Control Maturity Scoring Rubric: It might be helpful to delineate how system components are the same as scope elements for system-related requirements.
1 vote -
Additions to section 8
- Pg. 35, 8.1 Requirement Statement Background, paragraph 3: "Each Requirement Statement in aa r2, i1 or e1 assessment contains" has an extra "a" before r2.
1 vote -
Additions to section 6 pt2
Addition to Organization/Company Background section, Pg. 28: We recommend that clients avoid using we, us, our, etc. If agreed, this can be added to 6.1.15 and 6.1.17.
Addition to Primary Mailing Address section, Pg. 29: In reference to the first bullet point "Platforms/Systems: The Platforms/Systems table should contain all platforms/systems contained within the scope of the assessment." It would be nice to have an appendix added for each of these webforms; it would be helpful for clients to get an idea of how much detail to share.
1 vote -
Additions to section 6
- Pre-Assessment, Pg. 27 - there is an extra word, "of": "The following section outlines the six webforms of that comprise the pre-assessment..."
- Pg. 27, 6.1.10 - the link is missing: "The Assessed Entity must select the CSF version to be used during the assessment. For additional information on the various versions of the CSF, see <insert link>."
1 vote -
The External Assessor
4.2 Validated Assessments, Pg. 13: "The External Assessor will validate the CAPs and then submit the assessment to HITRUST" - what does it mean to validate CAPs?
1 vote -
Additions to section 4
- There is an extra "e" in 4.1 Readiness Assessments: "For e r2, i1, or e1 assessments, organizations may choose to perform a Readiness Assessment..."
1 vote -
Additions to section 1
Live links don't work on Pg. 5 for the additional resources.
1 vote -
Snip of check-in task
Pg. 18 - Add a snip of a check-in task showing what it will look like when we receive it.
1 vote -
Guidelines on subscriber comments
If we could add some guidelines about how to write subscriber comments, clients would benefit from this information.
1 vote -
Scoping
Section 7.1.1 - How would a system be tested without storing or processing data? Provide more context on this scenario.
1 vote