The fourth maturity level, Measured, reviews whether separate or ongoing monitoring activities are performed to measure the implementation and effectiveness of the control. Scoring of this level is based on whether there is a Measure or Metric in place (see criteria 9.4.1 and 9.4.2) and whether review of the Measure or Metric is performed by an Operational or Independent party (see criteria 9.4.3 and 9.4.4).

9.4.1 To be classified as a measure for HITRUST assessment purposes, supporting evidence must:

i. address the control’s operation / performance: the measure must include a description of the control that is being measured by the Assessed Entity and/or third-party;

ii. specify an appropriate frequency: the measure must document how often the control is performed by the Assessed Entity and/or third-party;

iii. define what is measured: the measure must document the data used to determine whether the control is being performed effectively;

iv. identify who is responsible for gathering the data: the measure must document the individual who obtained the supporting documentation on the performance of the control;

v. describe how the data is recorded: the measure must include the supporting data that was obtained, how it was obtained, and how it is recorded as evidence of the control's performance;

vi. describe how the measurement is performed / calculated: the measure must include how control effectiveness was determined; and

vii. specify how often the measure is reviewed and by whom: the measure must document the individual who reviewed the performance of the control and the frequency of that review.

9.4.2 To be classified as a metric for HITRUST assessment purposes, the measurement must meet ALL requirements for a measure (listed above) AND:

i. be tracked over time. This can include documenting the results collected for the measure in a spreadsheet and/or chart so that it can be determined whether control effectiveness is increasing or decreasing; and

ii. have explicitly stated (not implied), established thresholds (i.e., upper and/or lower bounds on a value) or targets (i.e., targeted goals, what the organization is trying to achieve). The threshold or target should be a data point that corresponds to the results being captured in the measure. It may be documented within the same spreadsheet or chart as those results to determine whether the threshold or target has been achieved.

9.4.3 Operational measures and metrics are prepared and/or reviewed by a person or group responsible for the control / requirement being measured (e.g., the control owner) or by a person or group influenced by the control owner (a subordinate, a peer reporting to the same department head, etc.).

9.4.4 Independent measures and metrics are prepared and reviewed by a person or group (e.g., auditors, analysts) that is not influenced by the person or group responsible for the operation of the requirement / control being measured (e.g., the control owner).

For additional information and examples of Measured scoring, see Appendix A-7: Rubric Scoring – Measured & Managed.