For background information on the Measured and Managed maturity levels, see Chapter 9 PRISMA Maturity Levels and the HITRUST CSF Control Maturity Scoring Rubric.

We have supporting documentation for a measure that includes all measure criteria except (iv) identify who is responsible for gathering the data. What is the Measured strength?
“Tier 0 – No measurement used”. ALL of the Measured criteria must be met to reach tiers 1 – 4.

The Managed coverage is calculated as a percentage of issues identified. How do I calculate Managed coverage if no issues have been identified in the past year?
When zero issues have been identified, the Managed coverage is “Very High”.

We used a third-party report (e.g., SOC report, PCI RoC) to support a 50% or higher score for the Managed maturity level. Why has this raised a QA concern?
To achieve a 50% score for the Managed maturity level, the Managed strength must be Tier 2 or higher. This requires a risk treatment process that meets at least one of the following risk treatment criteria:

(i) initial involvement of an appropriate level of management or a defined escalation or review process to be observed if / when the appropriate level of management is not initially involved,

(ii) a defined mechanism to track issues, risks, and risk treatment decisions, or

(iii) cost, level of risk, and mission impact are considered in risk treatment decisions.

A third-party report does not typically meet any of the above risk treatment criteria.

Can the Managed score ever be higher than the Measured score?
Yes. While the Managed score cannot exceed the Measured coverage, the Managed score may exceed the Measured score. The following example outlines a scenario where the Measured score is 25% and Managed score is 75%.

Measured: For a requirement statement with four evaluative elements, the External Assessor determines that the organization has an operational measure (“Tier 1” Strength) that addresses all four evaluative elements (“Very High” Coverage). This indicates a Measured score of 25%.

Managed: The operational measure identified one issue in the past year that was remediated (“Very High” Coverage) using the organization’s documented risk treatment process. The risk treatment process met two of the three formal risk treatment process criteria (“Tier 3” Strength). This indicates a Managed score of 75%.

In this scenario, it is acceptable for the Managed score of 75% to exceed the Measured score of 25% because the Managed score does not exceed the Measured coverage of 100% (“Very High”). If instead the Measured coverage were 50% (“Moderate”) and the Managed score were calculated at 75%, the Managed score would need to be lowered to the Measured coverage score of 50%, or Partially Compliant.

Example #1

Scenario
BUID: 1814.08d1Organizational.12 | CVID: 0732.0
Fire extinguishers and detectors are installed according to applicable laws and regulations.
Policy Illustrative Procedures:
Examine policies and/or standards related to the protection against environmental threats to determine if
1. appropriate fire extinguishers are located throughout the facility,
2. and are no more than fifty (50) feet away from critical electrical components;
and fire detectors (e.g., smoke or heat activated) are installed on and in the
3. ceilings
4. and floors.
The scope for this assessment includes a corporate office (“Office”), and two data centers (“DC1” and “DC2”).

Evaluation

Measured:

Internal Audit or “IA” (which is in no way tied to the operation of this requirement) tests that fire extinguishers at the DCs exist and are maintained on an annual basis. IA’s test documentation contains details of who gathered the data, what was tested, the frequency of testing, how the test was performed, and the result. IA also has a written procedure on communicating audit findings to executive management, which is always observed. However, IA doesn’t include any comparison of testing results across time periods and doesn’t identify any thresholds or performance targets.

Measured Strength: To determine the strength, first identify whether the measure or metric criteria are met (see Chapter 9.4 Measured Maturity Level).

To be classified as a measure for HITRUST assessment purposes, supporting documentation must:

(i) address the control’s operation / performance,
(ii) specify an appropriate frequency,
(iii) define what is measured,
(iv) identify who is responsible for gathering the data,
(v) describe how the data is recorded,
(vi) describe how the measurement is performed / calculated, and
(vii) specify how often the measure is reviewed and by whom.

In this example, all of the above criteria for a measure are met by IA’s test documentation. Next, look at the metric criteria to determine whether the tests performed by IA can be considered a metric (see Chapter 9.4 Measured Maturity Level).

To be classified as a metric for HITRUST assessment purposes, the measurement must meet ALL requirements for a measure (listed above) AND:

(i) be tracked over time, and
(ii) have explicitly stated (not implied), established thresholds (i.e., upper and/or lower bounds on a value) or targets (i.e., targeted goals, what the organization is trying to achieve).

In this example, IA doesn’t include any comparison of testing results across time periods and doesn’t identify any thresholds or performance targets. Therefore, the testing performed by IA is classified as a measure, not a metric. This means that the Measured strength is either “Tier 1 – Operational Measure” or “Tier 2 – Independent Measure” (see Chapter 9.4 Measured Maturity Level). Since the IA team is in no way tied to the operation of this requirement, their testing is independent. Thus, the Measured strength is “Tier 2 – Independent Measure”.

Measured Coverage: To determine Measured coverage, identify the percentage of the evaluative elements measured.

Example 1 Assessment Results for Coverage – Measured

Element of the Requirement     Office         DC1            DC2
Fire extinguishers throughout  Not Measured   Measured       Measured
Fire extinguishers < 50’       Not Measured   Measured       Measured
Fire detectors in ceilings     Not Measured   Not Measured   Not Measured
Fire detectors in floors       Not Measured   Not Measured   Not Measured
Coverage                       0%             50%            50%

A simple average of the three location coverages, (0% + 50% + 50%) / 3, indicates overall coverage of the elements is 33.3%, which is “Moderate” coverage.

Measured Score: Use the strength and coverage to determine the final Measured score according to the rubric. “Tier 2” strength and “Moderate” coverage indicate a score of Partially Compliant or 50%.

Managed:

The entity has a “Risk Treatment Procedure” that describes the process for tracking issues, risks, and risk treatment decisions across the organization. In the past year, no issues were identified in IA’s testing of whether fire extinguishers at the DCs exist and are maintained.

Managed Strength: Managed strength is determined by how many of the formal risk treatment criteria listed below are addressed (see Chapter 9.5 Managed Maturity Level).

To be classified as a risk treatment process for HITRUST assessment purposes, the process must include:

(i) initial involvement of an appropriate level of management or a defined escalation or review process to be observed if / when the appropriate level of management is not initially involved,
(ii) a defined mechanism to track issues, risks, and risk treatment decisions, and
(iii) cost, level of risk, and mission impact are considered in risk treatment decisions.

In this example, only criterion (ii) is addressed. Therefore, the strength is “Tier 2 – Documented with 1 formal risk treatment process criterion addressed”.

Managed Coverage: The coverage is calculated as the frequency of applying risk treatment as a percentage of issues identified (see Chapter 9.5 Managed Maturity Level). In this example, no issues have been identified in the past year, so coverage can be considered Very High.

Managed Score: Use the strength and coverage to determine the final Managed score according to the rubric. “Tier 2” strength and “Very High” coverage indicate a score of Partially Compliant or 50%.