External Assessors are often required to perform sampling to validate management’s scoring. The first step in the sampling process is to identify the population. The population for the assessment scope may use common process aggregation to group those systems or auditable business units that are subject to the same controls into a single population. When possible, this may be a more efficient approach than separately testing those populations. This is often the case where IT general controls are being tested and common IT processes such as change management or password administration support multiple systems. For populations, the following requirements must be met:

11.4.1 Each sample-based test must be designed appropriately to detect potential errors. For example, the population should not be obtained from a source that only contains items that already adhere to the control being tested (e.g., a test around whether anti-virus is installed should not have a sample selected from the anti-virus console since that will never yield a deviation).

11.4.2 Assessors are expected to use a sample-based test when testing the Implemented PRISMA level for a requirement statement and the illustrative procedures for the Implemented PRISMA level indicate to ‘select a sample’. HITRUST has not contemplated within the illustrative procedures all situations where the External Assessor may need to perform sampling to address the requirement statement, so the External Assessor may need to perform a sample-based test, even when not specifically stated, to obtain sufficient evidence that the requirement statement score is supported.

11.4.3 For i1, e1, and r2 (CSF v11 and later) assessments, HITRUST has included sampling badges on the requirement statement within MyCSF where sampling is expected.

11.4.4 For all validated assessments, the External Assessor is expected to document its rationale when they decide it is not necessary to perform a sample-based test when the requirement statement in MyCSF indicates that a sample-based test is expected to be performed.

11.4.5 There may be situations where the External Assessor will perform a sample-based test at the Measured or Managed PRISMA level. In those situations, the External Assessor must follow the HITRUST Population and Sampling guidance outlined in this chapter.

11.4.6 The population used to select a sample must be homogeneous. This similarity may allow certain populations to be aggregated if they follow a common process subject to the same controls. When aggregating populations with different characteristics, each process must be reviewed to validate the homogeneity, and the rationale must be documented. For example, if testing change approvals for a sample of changes, the External Assessor may determine to combine the populations from two different change ticketing tools. The rationale for combining the populations may be determined by performing walkthroughs of each tool and identifying that the approvals for both tools follow the same process under the same control owner.

11.4.7 For time-based populations (e.g., daily backups, population of change tickets over a period of time, list of new hires/terminations), the period used for sampling must be at least 90 days and may not begin more than one year from the start of the fieldwork period. The total population period also may not be greater than one year.

11.4.8 All time-based populations should include dates within the fieldwork period. When the population used for sampling does not include a date within the fieldwork period, an additional item must be sampled within the fieldwork period to validate the control is operating as expected.

11.4.9 Item-based populations generated at a point-in-time (e.g., population of assets, list of current employees) may be generated prior to the fieldwork period as part of the planning procedures (no greater than 30 days prior).
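The population window rules in 11.4.7 through 11.4.9 are easy to get wrong when planning fieldwork, so the following is an added Python check that applies them to a proposed population. It is example code written for this page, not HITRUST's tooling and not part of the handbook. It assumes "one year" means 365 days, that the period length is counted inclusively of both end dates, and that "may not begin more than one year from the start of the fieldwork period" means the population may not start earlier than 365 days before the fieldwork start date; the sample dates are constructed.

```python
from __future__ import annotations
from datetime import date, timedelta

# Thresholds from 11.4.7 and 11.4.9 of this chapter.
MIN_PERIOD_DAYS = 90
MAX_PERIOD_DAYS = 365        # assumption: "one year" treated as 365 days
MAX_LOOKBACK_DAYS = 365      # assumption: population may not start earlier than this before fieldwork
MAX_ITEM_POP_AGE_DAYS = 30


def check_time_based_population(pop_start: date, pop_end: date,
                                fieldwork_start: date, fieldwork_end: date) -> list[str]:
    """Return the issues found for a time-based population (daily backups, change
    tickets, new hires/terminations). An empty list means 11.4.7 and 11.4.8 are met."""
    issues: list[str] = []
    if pop_end < pop_start:
        return ["population end date precedes its start date"]

    # Period length counted inclusively (assumption): 1 Jan..31 Mar 2023 is 90 days.
    period_days = (pop_end - pop_start).days + 1
    if period_days < MIN_PERIOD_DAYS:
        issues.append(f"11.4.7: period is {period_days} days, minimum is {MIN_PERIOD_DAYS}")
    if period_days > MAX_PERIOD_DAYS:
        issues.append(f"11.4.7: period is {period_days} days, maximum is {MAX_PERIOD_DAYS}")

    # The population may not begin more than one year before fieldwork starts.
    earliest_start = fieldwork_start - timedelta(days=MAX_LOOKBACK_DAYS)
    if pop_start < earliest_start:
        issues.append(f"11.4.7: population begins before {earliest_start.isoformat()}, "
                      "more than one year before fieldwork start")

    # 11.4.8: the population must contain at least one date inside the fieldwork period;
    # if it does not, an additional item from the fieldwork period must be sampled.
    overlaps = pop_start <= fieldwork_end and pop_end >= fieldwork_start
    if not overlaps:
        issues.append("11.4.8: no dates within fieldwork period; sample an additional item "
                      "dated within the fieldwork period")
    return issues


def check_item_based_population(generated_on: date, fieldwork_start: date) -> list[str]:
    """11.4.9: a point-in-time population (asset list, current employees) may be generated
    before fieldwork as part of planning, but no more than 30 days prior."""
    days_prior = (fieldwork_start - generated_on).days
    if days_prior > MAX_ITEM_POP_AGE_DAYS:
        return [f"11.4.9: population generated {days_prior} days before fieldwork start, "
                f"limit is {MAX_ITEM_POP_AGE_DAYS}"]
    return []


if __name__ == "__main__":
    # Constructed dates for illustration only.
    fw_start, fw_end = date(2024, 3, 15), date(2024, 4, 15)
    # 1 Jan..30 Mar 2024 is exactly 90 days and overlaps fieldwork: acceptable.
    print(check_time_based_population(date(2024, 1, 1), date(2024, 3, 30), fw_start, fw_end))
    # Too short and ends before fieldwork starts: two issues.
    print(check_time_based_population(date(2024, 1, 1), date(2024, 2, 29), fw_start, fw_end))
    # Asset list pulled 43 days before fieldwork: too old for 11.4.9.
    print(check_item_based_population(date(2024, 2, 1), fw_start))
```

Each issue string carries the section number it was derived from, so the output can be pasted into the sampling rationale an External Assessor documents for the population; a population that passes all checks can still require re-selection under 11.4.11 if sampled items become untestable during fieldwork.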

11.4.10 Samples selected from item-based populations may not be provided to the Assessed Entity until the fieldwork start date.

11.4.11 Sampled items that are no longer able to be tested within the fieldwork period (e.g., decommissioned assets) must be re-selected.

11.4.12 When a control has not been performed by the Assessed Entity within one year prior to the start of fieldwork, there is no population that can be tested. The External Assessor must confirm the non-occurrence of the control using a review of evidence greater than inquiry (e.g., if there were no system changes during the period, the External Assessor should review the change management log to validate that statement OR if there were no new hires, the External Assessor should review the validity of that statement in the Human Resources employment system). After corroborating the inquiry, the full Implemented score may be used for that requirement.

11.4.13 After the population has been identified, the External Assessor must determine the appropriate sample size. HITRUST has documented the following minimum requirements for sampling within the HITRUST scoring rubric:

11.4.14 Where an External Assessor organization has its own internal guidance on sample sizes, it must meet the minimum amounts specified by the HITRUST sampling guidance but may perform more sampling as necessary according to its methodology.

11.4.15 The sampling method utilized may be any type of probability sampling chosen by the External Assessor (e.g., random, systematic, haphazard, etc.); however, the rationale for the method used must be documented.

11.4.16 Evidence must be uploaded to MyCSF for each sample selection within the sample-based test.

11.4.17 Electronic markups should be included on at least one piece of evidence (or clearly documented elsewhere) demonstrating where each of the tested attributes is located, to allow reviewers to understand how the testing was performed. When the evidence is homogeneous, markups on additional pieces of evidence are not necessary. However, if additional evidence artifacts vary from the initial evidence that included markup, additional markups must be included.

11.4.18 An automated control is a control performed by systems—not people—based on configurations, rulesets, or programming. An example of an automated control is a forced password expiration by the system after the number of days specified in the associated configuration.

11.4.19 For automated controls, testing must include evidence of both the configuration of the tool/system and a sample of one showing the tool/system is operating as expected. For example, to test that passwords expire after a certain number of days, the testing approach must address:

  • Configuration in the system showing the number of days until user password expiration.
  • Test of one user demonstrating that the user's password expired when that number of days was reached.

For an automated control testing example, see Appendix A-11: Automated Control Testing Example.

11.4.20 If a control contains both manual and automated elements, the manual element(s) must be tested using the population and sampling requirements for a manual control, while the automated element may be tested using the automated control guidance. For example, a user access review may:

  • Perform an automated comparison between the HR system list of terminated employees and the system users to identify accounts to be removed. This part of the control may be tested using the automated control guidance.
  • Require a manual review to determine whether the access level for each user account is appropriate. This part of the control is tested using the HITRUST manual population and sampling guidance.