HITRUST has developed the Control Maturity Scoring Rubric (“Rubric”) to assist Assessed Entities and Assessors with scoring control maturity for each requirement statement in an assessment in a consistent and repeatable way. The Rubric provides guidance on how to score a requirement statement based on an evaluation of strength and coverage for each maturity level. Strength and coverage are defined separately for each of the PRISMA maturity levels, but they generally refer to:

  • Strength: The rigor with which the Assessed Entity has implemented the requirement within its organization.
  • Coverage: Percentage of evaluative elements where the Assessed Entity is compliant.

The Rubric addresses each of the five maturity levels in separate tables, each similar to the following structure:

The rows in the table, Tiers 0 through 4, represent increasing strength in the maturity criteria. The columns, from very low to very high, represent the level of coverage with respect to the evaluative elements specified for each requirement statement. The Implemented, Measured and Managed maturity levels all contain five tiers for strength. NOTE: The “scope elements” referenced in the HITRUST control maturity scoring rubric are the same as “scope components” (as referenced in Chapter 7.2 Required Scope Components).

For the Policy and Procedure level rubrics, there are only three rows in the table representing strength since the organization will either have: no policy/procedure, an undocumented policy/procedure, or a fully documented policy/procedure. For additional discussion on what constitutes a documented policy/procedure, see Chapter 9 PRISMA Maturity Levels.

For all five maturity levels, the intersection of the level-specific strength and coverage results in one of five maturity ratings: Non-Compliant, Somewhat Compliant, Partially Compliant, Mostly Compliant or Fully Compliant (NC, SC, PC, MC, or FC) from which the requirement statement’s final maturity score is computed. The following table from the Rubric indicates the corresponding maturity scores for each rating.

Where scope varies across the components of a requirement statement, the score for each scope component may be calculated separately and the overall maturity level score for the requirement statement determined as the average of those scores. For example, suppose an organization has specified all the evaluative elements of a requirement statement in policy, but the policy applies to only three of the four business units within the scope of the assessment. At the Policy level the organization will score FC (100%) for those three business units but NC (0%) for the fourth, resulting in an overall score of 75% ((100+100+100+0)/4).

The scores for each scope component may also be weighted differently if there is a corresponding rationale for the varied weighting. For example, if two Data Centers are in scope of the assessment, 10 of the in-scope applications are hosted at one Data Center and two at the other, the scores may be weighted using that rationale (10/12 for the first Data Center and 2/12 for the second, rather than 1/2 each). Similarly, weights may be based on the number of transactions processed by each in-scope system or location.

10.1.1 If the Assessed Entity determines there should be a difference in weighting of the scope components for a corresponding HITRUST requirement statement, the Assessed Entity and/or External Assessor must apply a rationale to justify the corresponding weight percentages.

NOTE: There is no requirement to use varying weights for scope components. A rationale is not required if the Assessed Entity takes all scope components into account equally.

10.1.2 The Assessed Entity and/or External Assessor must document the rationale used for any varying weight percentages between scope components within the validated assessment.

10.1.3 If HITRUST determines the weight rationale is not justified, it may request additional support and/or request modifications in the requirement statement scores.
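The following is an added example (not HITRUST tooling) showing how the per-component scoring above, including the rule that varying weights are permitted only with a documented rationale (10.1.1 and 10.1.2), can be applied consistently. The rating-to-score table referenced earlier is not reproduced on this page, so components are entered with their numeric maturity score (the text gives FC = 100 and NC = 0) rather than a rating; the ScopeComponent class, the component names and the sample inputs are constructed for illustration.

```python
"""Weighted scope-component scoring for one requirement statement.

Added example; not HITRUST's own tooling. Components carry a numeric
maturity score (e.g. FC = 100, NC = 0) and an optional weight. The
ScopeComponent class and the component names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ScopeComponent:
    name: str
    score: float            # maturity score for this component, 0..100
    weight: float = 1.0     # relative weight; equal weights by default


def requirement_score(components: Sequence[ScopeComponent],
                      rationale: Optional[str] = None) -> float:
    """Return the overall maturity score for a requirement statement.

    Equal weights  -> simple average; no rationale needed (NOTE under 10.1).
    Varying weights -> weighted average, allowed only when a rationale is
    documented (10.1.1 / 10.1.2); otherwise a ValueError is raised.
    """
    if not components:
        raise ValueError("at least one scope component is required")
    for c in components:
        if not 0 <= c.score <= 100:
            raise ValueError(f"{c.name}: score {c.score} outside 0..100")
        if c.weight <= 0:
            raise ValueError(f"{c.name}: weight must be positive")
    distinct_weights = {c.weight for c in components}
    if len(distinct_weights) > 1 and not (rationale and rationale.strip()):
        raise ValueError("varying weights require a documented rationale")
    total_weight = sum(c.weight for c in components)
    weighted = sum(c.score * c.weight for c in components)
    return round(weighted / total_weight, 2)


# Constructed inputs mirroring the two examples in the text.
# Four business units, policy covers only three of them (Policy level).
BUSINESS_UNITS = [
    ScopeComponent("BU-1", 100), ScopeComponent("BU-2", 100),
    ScopeComponent("BU-3", 100), ScopeComponent("BU-4", 0),
]
# Two data centers weighted by the number of in-scope applications hosted.
DATA_CENTERS = [
    ScopeComponent("DC-A", 100, weight=10),
    ScopeComponent("DC-B", 50, weight=2),
]
DC_RATIONALE = "Weighted by count of in-scope applications hosted (10 vs 2)."

if __name__ == "__main__":
    print(requirement_score(BUSINESS_UNITS))                # 75.0
    print(requirement_score(DATA_CENTERS, DC_RATIONALE))    # 91.67
    try:
        requirement_score(DATA_CENTERS)  # varying weights, no rationale
    except ValueError as exc:
        print("rejected:", exc)
```

With equal weights the data center example would score 75; the documented 10:2 weighting moves it to 91.67, which is exactly the kind of difference a reviewer will ask to see justified, so the function refuses to compute a weighted result when no rationale is supplied.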

For additional details and examples of rubric scoring, see Appendix A-6: Rubric Scoring – Policy, Procedure, and Implemented and Appendix A-7: Rubric Scoring – Measured & Managed.