During QA, HITRUST may identify testing and evidence that does not sufficiently support the scoring within the validated assessment. The following questions and scenarios are related to testing and evidence along with clarification on HITRUST’s expectations for each situation.

If the company’s policy and/or procedure did not specifically cover all evaluative elements, but in general the documentation meets the ‘spirit’ or ‘intent’ of the requirement statement, does that support a fully compliant score?
No. Per the HITRUST rubric, each requirement statement’s Policy and/or Procedure PRISMA level is scored using a maturity model that evaluates strength and evaluative element coverage. If the company’s policy and/or procedure does not specifically address all evaluative elements even at Tier 2 strength, a score of 100% is not supported.

For example, the company’s documented policy formally addressed three of five evaluative elements, while the remaining two evaluative elements are inferred. The maturity score will be calculated as follows:

  • Strength: Tier 2 because the policy was documented.
  • Coverage: Moderate coverage because three of five (60%) evaluative elements were explicitly addressed in the policy. The remaining two evaluative elements are not specifically addressed by the policy and/or procedure since they were inferred.

Based upon the strength and coverage, a score of Partially Compliant (50%) would be supported.

We tested a sample as noted in our Test Plan and linked the testing lead sheet to the requirement. Why am I required to provide the supporting evidence for each sample item contained in the lead sheet?
The HITRUST QA Analyst must be able to view all supporting documents in order to re-perform scoring. As a result, a lead sheet alone, or evidence for only a single example item, is insufficient to support the work performed by the External Assessor.

We are being asked for corroborating evidence to support a population of zero. How do we prove a negative?
HITRUST expects a reasonable level of relevant due diligence performed during fieldwork corroborating any inquiry. The External Assessor should evaluate the nature of the requirement statement, and inspect the relevant system(s) of record that might be available to view a history of the requirement statement’s operation. The following examples include potential evidence that can support a zero population:

HITRUST CSF Requirement Statement: 0120.05a1Organizational.4 “Capital planning and investment requests include the resources needed to implement the security program, employ a business case (or Exhibit 300 and/or 53 for federal government); and the organization ensures the resources are available for expenditure as planned.”
Assessed Entity Comments: The Assessed Entity reports there have been no security program expenditures in the past year.
Potential Validation of Zero Population: For validation, the External Assessor may inspect procurement / purchase records, change control records, and/or budget records.

HITRUST CSF Requirement Statement: 1117.01j1Organizational.23 “Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use.”
Assessed Entity Comments: The Assessed Entity reports there have been no instances where vendor partners and business partners remotely accessed the environment.
Potential Validation of Zero Population: For validation, the External Assessor may inspect change control records, break / fix incident tickets, and/or third-party contracts to determine if remote services have been provided.

HITRUST CSF Requirement Statement: 1539.11c2Organizational.7 “Incident response is formally managed and include specific elements.”
Assessed Entity Comments: The Assessed Entity reports there have been no incidents since the control was implemented 12 months ago.
Potential Validation of Zero Population: For validation, the External Assessor may inspect incident registers covering a 12-month period (even if empty), examine legal records pertaining to incident communication to external parties, or examine customer inquiry records pertaining to incident disclosures.

We used a vendor whitepaper to support a score of 100%. Why has this raised a QA concern?
While a whitepaper, admin guide, user guide, or sales sheet describes controls that can be implemented for a particular solution, it is not a policy or procedure owned by the Assessed Entity nor is it evidence of a control’s implementation. Therefore, this type of evidence is insufficient to support scoring independently. For additional information on acceptable evidence for a HITRUST assessment see Chapter 11.3 Working Papers & Evidence.

We used a third-party report (e.g., SOC report, PCI Compliance report, or ISO 27001 report) to support a 100% score for the Implemented maturity level. Why has this raised a QA concern?
This may be due to one or more of the following reasons:

  • The External Assessor used a SOC 1 report, which is not acceptable per requirement 12.3.5 in Chapter 12.3. SOC 1 reports contain a restricted use paragraph in the Auditor’s Opinion that limits distribution of the report to the service organization, the service organization’s customers, and their auditors. All other parties, including HITRUST, are not authorized to use the report.
  • The External Assessor used a SOC 2 Type I report, which is not acceptable per requirement 12.3.9 in Chapter 12.3. Only those audits and assessments featuring tests of control design / operation / implementation / effectiveness utilizing audit procedures such as inspection of evidentiary matter and sampling (utilizing statistically meaningful sample sizes as applicable) are suitable for reliance. For example, procedures executed by a service organization’s auditor during a SOC 2 Type I examination should not be relied upon given a SOC 2 Type I examination’s lack of substantive testing.
  • The External Assessor used a SOC 3 report, which is not acceptable per requirement 12.3.9 in Chapter 12.3. SOC 3 reports do not include detail of tests of control design / operation / implementation / effectiveness utilizing audit procedures such as inspection of evidentiary matter and sampling.
  • The External Assessor used a PCI Attestation of Compliance (AoC) Criteria, which is not acceptable per requirement 12.3.9 in Chapter 12.3. Only those audits and assessments featuring tests of control design / operation / implementation / effectiveness utilizing audit procedures such as inspection of evidentiary matter and sampling (utilizing statistically meaningful sample sizes as applicable) are suitable for reliance.
    The External Assessor may instead utilize a PCI Report on Compliance (RoC), which is issued by a Qualified Security Assessor (QSA) and details an organization’s security posture, environment, systems, and protection of cardholder data.
  • The External Assessor only provided the one-page ISO 27001 certification letter, which is not acceptable per requirement 12.3.9 in Chapter 12.3. Only those audits and assessments featuring tests of control design / operation / implementation / effectiveness utilizing audit procedures such as inspection of evidentiary matter and sampling (utilizing statistically meaningful sample sizes as applicable) are suitable for reliance. HITRUST expects the External Assessor to provide the full ISO 27001 certification report with a mapping to the corresponding HITRUST requirement statements.
  • The External Assessor did not provide a mapping of the SOC 2 Type II, PCI RoC, or ISO certification report’s testing to the evaluative elements found in the requirement statement. HITRUST must be able to identify at a granular level how the testing performed in the SOC 2 Type II addresses each evaluative element in the HITRUST requirement statement.
  • The External Assessor provided a mapping of the SOC 2 Type II, PCI RoC, or ISO certification report, but the report did not test all evaluative elements found in the requirement statement. The SOC 2 Type II report must provide sufficient detail to demonstrate that each evaluative element in the HITRUST requirement statement was tested.
  • The External Assessor used a SOC 2 Type II, PCI RoC, or ISO certification report, but the scope did not match the HITRUST assessment scope.

We included the necessary sample selection and evidence of testing the requirement statement. However, the HITRUST QA Analyst opened a task stating the evidence did not appear to support a score of 100% for the Implemented maturity level.
HITRUST requirements are written at a granular level to address the various risks and threats for each organization. External Assessors should ensure their testing is performed at that granular level and specifically addresses the wording in the requirement statement for each evaluative element. Additionally, the testing should be performed in alignment with the testing listed within the illustrative procedures for the Implemented maturity level. The following scenarios include situations where an External Assessor may receive a question from a HITRUST QA Analyst:

Scenario
BUID: 0104.02a1Organizational.12 | CVID: 0297.0
Policies and/or standards related to user roles and responsibilities include:
1. implementing and acting in accordance with the organization’s information security policies;
2. protecting assets from unauthorized access, disclosure, modification, destruction, or interference;
3. executing particular security processes or activities;
4. ensuring responsibility is assigned to the individual for actions taken;
5. reporting security events or potential events or other security risks to the organization; and
6. security roles and responsibilities are defined and clearly communicated to users and job-candidates during the pre-employment process.
Illustrative Procedure for the Implemented Maturity Level:
For example, examine the relevant security policies and confirm that roles and responsibilities have been formally defined in the policy. Further, select a sample of new hires and confirm that the policy was clearly communicated and acknowledged by the employee during the pre-employment process.
Assessor Testing
In this scenario, the External Assessor selected a sample of new hires. For each new hire, the External Assessor uploaded a signed acknowledgment and reviewed that the evaluative elements were addressed in the acknowledgments. Each acknowledgment was signed by the new employee on their 1st day of employment.

HITRUST Evaluation
During the review of the testing performed by the External Assessor, the HITRUST QA Analyst was able to confirm that most evaluative elements were addressed in the policy and signed acknowledgments. However, the acknowledgments were signed on each new employee’s first day of employment, not during the pre-employment process as required by evaluative element #6. Therefore, testing was not in alignment with the illustrative procedures for Implemented. When scoring the requirement statement, the External Assessor must reduce the corresponding score for the Implemented maturity level since only 5 of 6 evaluative elements were tested.

Scenario
BUID: 0709.10m1Organizational.1 | CVID: 1369.0
Once a potential technical vulnerability has been identified, the organization identifies the
1. associated risks and
2. the actions to be taken.
Further, the organization
3. performs the necessary actions to correct identified technical vulnerabilities in a timely manner.
BUID: 0787.10m2Organizational.14 | CVID: 1369.0
The organization
1. requires patches installed in the production environment to also be installed in the organization’s disaster recovery environment in a timely manner, as defined by the organization.
Assessor Testing
In this scenario, the External Assessor scored the Implemented maturity level for “0709” using the same documents linked to “0787”. The External Assessor’s rationale is that the installation of patches demonstrates the risks of vulnerabilities were addressed and actions were taken to address the vulnerabilities.

HITRUST Evaluation
The HITRUST CSF is a framework for managing information security and privacy risks, which comprises granular requirements derived from Authoritative Sources. While 0709.10m1Organizational.1 and 0787.10m2Organizational.14 are similar, they are not identical.

  • 0709.10m1Organizational.1: The illustrative procedure for the Implemented maturity level calls for selecting a sample of system vulnerabilities identified by the organization and examining evidence to confirm that a risk assessment was performed to identify associated risks. Further, confirming that action plans were identified and carried out.
  • 0787.10m2Organizational.14: The illustrative procedure for the Implemented maturity level calls for selecting a sample of patches installed in the production environment and confirming they are also installed in the organization’s disaster recovery environment, and that the installation was performed in a timely manner, as defined by the organization.

Please note the granular differences when comparing the two requirements. Applying patches is one example of carrying out an action plan, but it does not cover all possible system vulnerability action plans, which is what requirement “0709” tests. For instance, an action plan to address a system vulnerability might be to simply retire the system rather than patch it, as in the case of a system that is no longer supported by the manufacturer, where the risk of continuing to use the unsupported system exceeds the organization’s risk tolerance. Requirement “0787” is intended to address the risk of the Disaster Recovery environment not operating in the same manner as the production environment with the same level of security.

As a result, the testing performed for requirement “0787” does not support scoring for requirement “0709”.