There are certain requirement statements that HITRUST has determined typically cannot be marked N/A. The following examples list requirement statements HITRUST expects to be scored, together with the rationale for why they cannot be marked N/A and a suggested testing approach:

HITRUST CSF Requirement Statement: 0505.09m2Organizational.3
Quarterly scans are performed to identify unauthorized wireless access points, and appropriate action is taken if any unauthorized access points are discovered.
Example (Incorrect) Assessment N/A Rationale: “The in-scope facility does not use wireless access.”
HITRUST Rationale for not allowing N/A: The requirement statement expects a detective control to identify unauthorized wireless access points connected to the in-scope network(s). (NOTE: A similar rationale applies to other monitoring requirement statements within a HITRUST assessment.)
Suggested Testing Approach: The requirement statement should be tested for all in-scope networks.

HITRUST CSF Requirement Statement: 0403.01x1Organizational.5
The organization (1) monitors for unauthorized connections of mobile devices.
Example (Incorrect) Assessment N/A Rationale: “Mobile devices are not allowed in the scoped environment.”
HITRUST Rationale for not allowing N/A: The requirement statement expects a detective control to identify unauthorized mobile device connections.
Suggested Testing Approach: The requirement statement should be tested.

HITRUST CSF Requirement Statement: 0828.09m2Organizational.8
Technical scanning tools and solutions (1) are implemented. Scans (2) are performed on a quarterly basis to identify unauthorized components/devices.
Example (Incorrect) Assessment N/A Rationale: “The company has outsourced its vulnerability scanning.”
HITRUST Rationale for not allowing N/A: Unless the third party was carved out (only allowed for i1 and e1), a third party performing the control does not make a requirement statement not applicable. The requirement statement expects scanning solutions to be implemented and scans to be performed on the in-scope environment, regardless of who performs them.
Suggested Testing Approach: For an r2, the third party’s performance of the requirement statement should be tested. For an i1 or e1, the third party can be carved out, which will allow an N/A.

HITRUST CSF Requirement Statement: 1119.01j2Organizational.3
Periodic monitoring (1) is implemented to ensure that installed equipment does not include unanticipated dial-up capabilities.
Example (Incorrect) Assessment N/A Rationale: “The company does not maintain equipment with dial-up capabilities.”
HITRUST Rationale for not allowing N/A: The requirement statement expects a detective control to identify a system with dial-up capabilities of which the company was not aware.
Suggested Testing Approach: The requirement statement should be tested.

HITRUST CSF Requirement Statement: 0858.09m2Organizational.12
The organization (1) monitors for all authorized and unauthorized wireless access to the information system and (2) prohibits installation of wireless access points (WAP) unless explicitly authorized, in writing, by the CIO or his/her designated representative.
Example (Incorrect) Assessment N/A Rationale: “The in-scope facility does not use wireless access points.”
HITRUST Rationale for not allowing N/A: For #1, the requirement statement expects a detective control to identify unauthorized wireless access. For #2, the requirement contemplates that the organization must have a requirement governing any future installation of a wireless access point. This can be more prohibitive than the HITRUST requirement, but there still must be a requirement.
Suggested Testing Approach: The requirement statement should be tested.

HITRUST CSF Requirement Statement: 19134.05j1Organizational.5
The public has access to information about the organization’s security and privacy activities and is able to communicate with its senior security official and senior privacy official.
Example (Incorrect) Assessment N/A Rationale: “The company does not deal with the public” OR “The scoped environment does not have public facing components, application, and/or systems”
HITRUST Rationale for not allowing N/A: The rationale assumes ‘general public’ only. The requirement is not solely dependent on interacting with the ‘general public.’ This requirement statement applies if the company has customers.
Suggested Testing Approach: The requirement should be tested by the Assessed Entity taking its customers and/or users into consideration.

HITRUST CSF Requirement Statement: Domain 18 Physical & Environmental Security
Example (Incorrect) Assessment N/A Rationale: “The company hosts all information in the cloud so there are no physical and environment security requirements.”
HITRUST Rationale for not allowing N/A: Even if the information is hosted in the cloud, the cloud service provider maintains a physical presence that should be addressed in the assessment (unless carved out in an i1 or e1 assessment).
Suggested Testing Approach: If the service provider is not carved out, Physical Security requirement statements must be scored either by direct testing or by relying on testing of the service provider (i.e., reliance or inheritance).