An Assessed Entity determining the scope of its assessment has several options for where it sets its scope boundary. The following examples describe scoping approaches an Assessed Entity may take. (NOTE: This list is intended to illustrate common scoping approaches and is not comprehensive guidance on all possible scoping scenarios.)

  • Enterprise: In this approach, the assessment scope includes all of the organization’s networks, IT platforms, and supporting infrastructure across the entity. This approach is appropriate when the entity expects that the entire organization has adopted the HITRUST CSF framework.
  • IT Service or Platform-focused: In this approach, the assessment is scoped to one or more specific IT services or IT platforms and their supporting infrastructure. There are several use cases for this approach, including:
    • Regulatory compliance: If an Assessed Entity is seeking a HITRUST certification to demonstrate compliance with a particular standard, the organization should identify the IT services or platforms that need to be in compliance with that standard. For example, if the organization intends to use the HITRUST HIPAA compliance pack or the NIST CSF scorecard to demonstrate compliance, then it should carefully ensure that the scope meets the regulatory expectations.
    • Building blocks: If the Assessed Entity is in the process of adopting the HITRUST CSF, it may elect to obtain HITRUST certification for certain IT services or platforms first and then move on to other IT services or platforms once those areas have adopted the HITRUST CSF.
    • Contract-focused: If the Assessed Entity has contractual obligations to maintain a HITRUST certification, it may elect to scope the assessment to the IT platforms and supporting infrastructure that support that contract.
  • Enclave-focused: This is similar to the “IT Service or Platform-focused” approach but may be broader since the assessment is scoped to the relevant IT platforms and supporting infrastructure used by one or more specific enclaves (e.g., business units, network segments, hosted environments). The use cases are similar to those in the “IT Service or Platform-focused” approach.
  • Shared IT services: In this approach, the assessment is scoped to some or all of the organization’s shared IT services. This approach may be useful when multiple separate assessments can inherit controls from the Assessed Entity’s centralized shared IT services.
  • Follow-the-data: In this approach, the assessment is scoped to all platforms and supporting infrastructure traversed by a specific type of sensitive information. If the organization’s key concern is protecting a specific set of sensitive data, it may elect to identify all IT systems, networks, facilities, and infrastructure where that data is stored, processed, or transmitted and perform its HITRUST assessment over that scope.