In advance of a validated assessment, an Assessed Entity may perform assessment procedures against the HITRUST CSF internally, either using an organizational function (e.g., Internal Audit) or using an outside party (e.g., an authorized CSF Assessor organization, a professional services firm possessing a HITRUST readiness license). The individuals performing this testing are referred to as “Internal Assessors” and their function / team is referred to as the “Internal Assessor Function.” The results of recently completed testing performed by Internal Assessors can—at the External Assessor’s discretion—be relied upon by the External Assessor to reduce the extent of the External Assessor’s direct testing.

Please note that only External Assessors are eligible to validate scores on a validated assessment. However, if the Assessed Entity chooses to perform testing that can be leveraged by its External Assessor, HITRUST has established guidance which:

  • Establishes a framework for the External Assessor—at its discretion—to rely on that testing.
  • Defines the requirements that must be met both by the Assessed Entity and by the External Assessor for reliance to occur.
  • Sets forth requirements which prevent over-reliance and undue reliance on an Internal Assessor’s testing.

12.4.1 Regardless of the amount of reliance placed upon the work of an Internal Assessor function, the External Assessor must lead and/or participate in walkthroughs of the Assessed Entity’s control environment.

In addition, the following requirements must be met in order for an External Assessor to place reliance on an Internal Assessor’s testing:

12.4.2 Testing performed on behalf of management by an outside party lacking a license to use the HITRUST CSF in a commercial context should not be relied upon by the External Assessor. If an outside party performed or was engaged to act as an Internal Assessor (i.e., using a “facilitated self-assessment”), that outside party must be either:

i. A professional services firm designated as an Authorized External Assessor Organization,

ii. In possession of a HITRUST readiness license specific to the engagement, or

iii. An agent of management (e.g., a loan staff, staff augmentation, or contractor arrangement).

12.4.3 The Internal Assessor function must be approved by HITRUST via an application process. See Internal Assessors for more information. Testing performed by an organizational function not previously authorized by HITRUST should not be relied upon by the External Assessor.

12.4.4 The Internal Assessor’s testing conclusions (i.e., per requirement statement, per-PRISMA level scoring) must be entered into MyCSF. Also, accompanying work papers must be attached to or referenced in MyCSF.

12.4.5 The Internal Assessor function must be objective with respect to the controls and processes being tested. “Objectivity” refers to a lack of bias, judgment, or prejudice. Example situations where objectivity is not considered to exist include:

  • When the Internal Assessor function and the function being assessed (e.g., IT) roll up to the same executive.
  • When the Internal Assessors are involved in the design, implementation, or operation of the controls being tested.

12.4.6 The Internal Assessor must be competent with respect to the HITRUST CSF, the HITRUST Assurance Program, and the overall HITRUST validated assessment process. “Competence” is the set of demonstrable characteristics and skills that enable, and improve the efficiency of, performance of a job. Testing performed by individuals lacking the necessary competence should not be relied upon by the External Assessor.

12.4.7 All Internal Assessors must hold an active CCSFP credential for testing to be relied upon by the External Assessor (i.e., 100% of hours incurred by the Internal Assessor function must be incurred by a CCSFP). If this 100%-hour threshold is not met, the External Assessor should not rely on the Internal Assessor function’s testing.

12.4.8 The Internal Assessor’s testing cannot be based on evidence more than 90 days old. Internal Assessor testing using evidence greater than 90 days old should not be relied upon by the External Assessor. This 90-day age threshold is determined by comparing the External Assessor’s validated assessment fieldwork start date to:

i. The date the associated evidence was produced / generated / captured (for point-in-time evidence such as screenshots of configurations),

ii. The end date of the population date range (for period-of-time populations such as the listing of newly hired employees), or

iii. The date of the observation (for observation-based tests).

12.4.9 The scope of the Internal Assessor’s testing (in terms of systems, facilities, and business units) must mirror that of the HITRUST validated assessment. An Internal Assessor’s testing of out-of-scope systems, facilities and organizational elements should not be relied upon by the External Assessor.

12.4.10 The depth / rigor of testing performed by the Internal Assessor must adhere to HITRUST’s testing expectations placed upon External Assessors. Specifically, the Internal Assessor’s testing must be performed in accordance with the requirements set forth in this document. Internal Assessor testing which fails to adhere to HITRUST’s assessment requirements should not be relied upon by the External Assessor.

12.4.11 The testing documentation and supporting work papers produced by the Internal Assessor must adhere to HITRUST’s assessment documentation requirements placed upon External Assessors. Specifically, the Internal Assessor’s testing must be documented in accordance with requirements set forth in Chapter 11 Testing & Evidence Requirements. Poorly documented testing performed by Internal Assessors should not be relied upon by the External Assessor.

12.4.12 To gain comfort that the Internal Assessor’s tests were adequately executed, the External Assessor:

i. must document its review of the Internal Assessor’s work papers (including its reperformance approach and methodology), and

ii. must reperform (by inspection of those work papers) a portion of the Internal Assessor’s testing. NOTE: “Reperforming” an Internal Assessor’s testing involves inspecting, in detail, the evidence examined by the Internal Assessor and reconciling the information therein to (a) the conclusions reached by the Internal Assessor and (b) the information gleaned via the External Assessor’s walkthroughs of the control environment.

12.4.13 When reperforming an Internal Assessor’s testing, the External Assessor must gain reasonable comfort that the Internal Assessor collected the same evidence, tested the same attributes, and reached the same conclusions.

12.4.14 When placing reliance on an Internal Assessor’s sample-based test, the External Assessor must reperform at least 20% of the Internal Assessor’s sample testing (rounding up to the nearest whole number as necessary).

12.4.15 If reperformance of the Internal Assessor’s testing yields results that call into question the adequacy of the Internal Assessor’s testing or accompanying documentation, the External Assessor should either not place reliance on that testing, supplement the Internal Assessor’s testing to address the identified testing gap(s), or allow the Internal Assessor the opportunity to remediate the testing gap.

12.4.16 When reliance is placed on an Internal Assessor’s testing to reduce the extent of the External Assessor’s direct testing, the External Assessor’s documentation, as captured in MyCSF, must clearly include:

i. An identification of the requirement statements where reliance on the Internal Assessor’s testing was placed.

ii. Confirmation that the External Assessor reperformed the Internal Assessor’s testing and addressed identified testing flaws by either:

a. not placing reliance on the flawed testing,
b. supplementing the testing to address the identified testing flaws, or
c. allowing the Internal Assessor the opportunity to remediate the flawed testing.

iii. For sample-based tests being relied upon, an identification of which and how many sample(s) were reperformed by the External Assessor, along with the conclusions reached by the External Assessor for each reperformed item.

12.4.17 When reliance is placed on an Internal Assessor’s testing to reduce the extent of the External Assessor’s direct testing, the Internal Assessor’s documentation, as captured in MyCSF, must clearly reflect / include:

i. The scoring levels reached by the Internal Assessor on a per requirement statement, per-PRISMA level basis.

ii. A populated Internal Assessor timesheet reflective of the hours incurred by the Internal Assessor function.

iii. The Internal Assessor’s work papers / supporting evidence (either attached to or referenced).