The fifth maturity level, Managed, reviews the organization’s management of its control implementations based on its identified measurements. The organization should be able to demonstrate that it has a management process for the measurement/metric and when variations occur, it has performed a root cause analysis and taken corrective actions using its risk treatment process. Scoring is based on whether there is a documented risk treatment plan in place and the number of criteria addressed within that documented risk treatment process (“strength”) and the percent of issues included in the risk treatment process for the corresponding evaluative elements (“coverage”).

9.5.1 To be classified as a risk treatment process for HITRUST assessment purposes, one or more of the following criteria must be documented. The number of documented criteria determines the “strength” of the risk treatment process:

i. initial involvement of an appropriate level of management or a defined escalation or review process to be observed if / when the appropriate level of management is not initially involved,

ii. a defined mechanism to track issues, risks, and risk treatment decisions, and

iii. cost, level of risk, and mission impact considered in risk treatment decisions.

9.5.2 If none of the criteria in 9.5.1 were documented but a risk treatment process was observed to be in place, the risk treatment process may be considered “undocumented”.

9.5.3 In order to determine “coverage”, the total issues identified from the corresponding measure of the requirement statement’s evaluative elements should be identified. The percent of those issues that were included in the risk treatment plan will determine the “coverage” component of the maturity score. NOTE: If no issues were identified in the corresponding measure, “coverage” is considered to be Very High.

9.5.4 Since measures and/or metrics are required as input into the Managed scoring, the Managed score cannot exceed that of Measured “coverage.” However, the overall Managed score can be higher than the overall Measured score. If the final Managed score is higher than the Measured “coverage” score, the Managed score must be lowered to equal the Measured “coverage” score. For examples of Measured and Managed score calculations, see Appendix A-7: Rubric Scoring – Measured & Managed.