During assessment planning, Assessed Entities and/or External Assessors will identify the components in scope following the scoping criteria below. The scope of an assessment includes two distinct categories:

  1. Primary scope components: The main platform(s) being assessed. These include the components defined by the Assessed Entity to be in-scope of the assessment. Primary scope typically consists of the following component types*:
    • Application(s)
    • Operating System(s)
    • Database(s)
    • Network(s)
    • Facility(s)

*NOTE: The above list includes typical components that comprise a platform. There may be other information technology asset types (e.g., hardware, software, or firmware) that an Assessed Entity can include in the primary scope of its assessment.

  2. Secondary scope components: Components included within an assessment based on the defined primary scope (e.g., supporting infrastructure, systems, and/or tools). Secondary scope components consist of the following component types:
    • Wireless Networks & Network Infrastructure
    • Endpoints
    • Portable Media
    • Mobile Devices
    • Authentication, Authorization, Accounting (AAA) Platforms
    • Data Transmissions
    • Reporting Services
    • Data Storage Tools
    • Hypervisors
    • Other Supporting Tools

The key characteristics differentiating primary scope components and secondary scope components include**:

7.2.1 Primary scope components are defined and driven by the Assessed Entity. The Assessed Entity may include in scope of its assessment any component that is considered one of the primary scope component types.

7.2.2 Secondary scope components are determined by the primary scope components. The Assessed Entity must only include secondary scope components that meet the HITRUST criteria.

For example: For any requirement statements that include the assessment of wireless networks, the Assessed Entity must include all wireless networks that connect to the primary scope network(s) when testing wireless networks in the assessment. In addition, the Assessed Entity may not assess a wireless network not connected to a primary in-scope network (without adding that entire network as a primary scope component).

7.2.3 All primary scope components must be considered for each HITRUST requirement statement in an assessment. A primary scope component may only be excluded from testing if the requirement statement is not relevant for the component type or the requirement statement specifically restricts the scope (e.g., only in-scope facilities can be tested for physical security/environmental requirements). If a component is managed by a service provider, see Other Scoping Topics below for additional information.

7.2.4 Secondary scope components must be considered for testing when the HITRUST requirement statement specifically refers or applies to the secondary scope component.

For example: If a requirement statement states, “The organization’s security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; …”, then all security gateways identified as a secondary scope component must be included when testing the requirement statement.

**NOTE: It is possible for a scope component to be both a primary and secondary scope component. For example, an Assessed Entity might include its “Active Directory” server as a primary in-scope system. In this instance, it will be part of the primary scope testing, but also included as a secondary scope component when validating requirement statements related to authentication, authorization, and accounting for the other primary scope component(s).

Primary scope components: Scoping considerations

The following must be considered when determining the primary scope component(s) during an assessment:

7.2.5 Any implemented in-scope component that is part of the technology stack for the in-scope platform(s) / system(s) must be included as a primary scope component (i.e., corresponding applications, operating systems, and databases).

7.2.6 Facility(s) hosting any component of the technology stack for the in-scope platform(s) / system(s) must be included as a primary scope component.

7.2.7 Additional facility(s) not hosting the in-scope platform(s) / system(s) also may be included as a primary scope component if the facility(s) includes risks to the in-scope platform(s) / system(s) (e.g., employees directly accessing the in-scope platform from the location).

7.2.8 The in-scope facility(s) of an assessment may not include physical locations not controlled by the organization and/or not managed by a service provider of the Assessed Entity (e.g., employee homes, “WeWork” offices). NOTE: An Assessed Entity is not required to include its corporate office(s) in scope of a validated assessment if none of the primary scope components reside at that facility.

7.2.9 Private network(s) connected to the technology stack for the in-scope platform(s) / system(s) must be included as a primary scope component. Private network(s) with infrastructure that allows a direct connection and/or trust relationship with a primary in-scope network also must be included as a primary scope component.

NOTE: The HITRUST glossary defines “Private Network” as: A telecommunications network designed and operated to convey traffic between systems and users who share a common purpose (e.g., branches of a company or individual school campuses).

7.2.10 For a network to be considered segmented from another network, it must apply isolation techniques as described by NIST [2]: Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both.

7.2.11 Additional network(s) not connecting to the in-scope platform(s) / system(s) may be included as a primary scope component.

7.2.12 The scope of an assessment may include user workstations as primary scope components. However, if workstations are included in-scope, the Operating System for the workstations also must be included as a primary scope component. If those workstations reside permanently at a facility owned by the Assessed Entity (e.g., desktop computers) with a dedicated connection to the network(s) at that facility, the corresponding facility and network(s) also must be included as primary scope components.

Secondary scope components: Scoping considerations

The following must be considered when determining the secondary scope component(s) for an assessment:

7.2.13 Requirement statement language takes precedence when determining the components that require testing within an assessment.

For example: The requirement statement “The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote wipe” may include a broader population of mobile devices for testing than criterion 7.2.16. In this instance, the population requested by the requirement statement takes precedence.

7.2.14 Wireless Networks & Network Infrastructure: HITRUST assessments include specific domains for Wireless Security and Network Protection. Wireless networks and network infrastructure (e.g., security gateways, routers, firewalls, etc.) used on the primary in-scope network(s) must be tested for corresponding requirement statements referencing the wireless network and/or network infrastructure. No additional wireless networks or network infrastructure may be included when testing those requirement statements without including that network segment as a primary scope component.

7.2.15 Endpoints: HITRUST assessments include a specific domain for Endpoint Protection. The scope of endpoint testing must include both server endpoints (physical or virtual) and user endpoints (e.g., phones, tablets, desktops, laptops, or virtual desktops). The scope must include any server or user endpoint that is used or can be used to directly access or connect to a primary scope component, without using a bastion host, jump server, or virtual desktop infrastructure (VDI). All primary scope components also must be in the scope of endpoint testing. If the environment utilizes a bastion host, jump server, or VDI:

  • The bastion host, jump server, or VDI must be included in the scope of the endpoint testing.
  • Those endpoints that are using a bastion host, jump server, or VDI may be included as a secondary scope component.

When web applications that can be accessed from any endpoint are a primary scope component, the public endpoints are not considered as secondary scope components.

NOTE: HITRUST uses the following definitions for bastion host, jump server, and VDI:

  • Bastion host: A special purpose computer on a network specifically designed and configured to withstand attacks [3]. The computer is used by endpoints to access other servers or devices on an organization’s private network.
  • Jump server: A hardened system across two or more networks used to manage access between the networks.
  • VDI: A centralized server that provides virtual desktops to endpoints upon request. The computing occurs on the VDI environment rather than the endpoint.

7.2.16 Portable Media: HITRUST assessments include a specific domain for Portable Media Security. Portable media includes mobile storage such as memory cards, portable hard drives, USB drives, CDs, DVDs, and/or backup tapes. The in-scope portable media must include any portable media (organization owned or personally owned) that can be used within the in-scope environment. The in-scope environment used to identify all corresponding portable media includes all endpoints identified as primary or secondary scope component(s). For example, if the primary or secondary in-scope server or user endpoints have functioning USB ports or CD/DVD burners, the corresponding storage technology must be considered as in-scope portable media.

NOTE: For purposes of a HITRUST assessment, laptops are not classified as portable media.

7.2.17 Mobile Devices: HITRUST assessments include a specific domain for Mobile Device Security. Mobile devices include devices such as notebook/laptop computers, personal digital assistants, smart phones, tablets, digital cameras, and any other portable device which can be used to directly access a primary scope component, without using a bastion host, jump server, or virtual desktop infrastructure (VDI). Those mobile devices that are using a bastion host, jump server, or VDI may optionally be included as a secondary scope component.

7.2.18 Authentication, Authorization, Accounting (AAA) Platforms: HITRUST assessments include specific domains for Password Management, Access Control, and Audit Logging & Monitoring. AAA platforms typically operate to support requirement statements in those domains. The AAA platforms include system(s) or service(s) utilized by an end user to authenticate with and/or access a primary scope component. These must be included as a secondary scope component(s) when testing corresponding requirement statements related to authentication, authorization, and accounting for the primary scope component(s).

7.2.19 Data Transmissions: HITRUST assessments include a specific domain for Transmission Protection. Transmissions of sensitive information to/from the primary scope components must be included when testing corresponding requirement statements related to the transmission of sensitive electronic information.

7.2.20 Reporting Services, Data Storage Tools, and Hypervisors: HITRUST assessments include a specific domain for Data Protection & Privacy. When sensitive information from the primary scope components is stored and/or processed via a transmission from the primary scope components to these tools or systems, the systems and/or tools must be included when testing the corresponding requirement statements related to the storage and/or processing of sensitive electronic information.

7.2.21 Other Supporting Tools: Other supporting tools not addressed above must be tested as needed to satisfy specific requirements that include functionality and/or controls supporting the primary scope components. Other supporting tools utilized in the performance or operation of HITRUST requirements within an assessment may include:

  • Disaster Recovery Facilities
  • Remote Access Solutions (e.g., VPN, SSH)
  • Back-up tools / media
  • Anti-virus software
  • Vulnerability Scanners
  • Mobile Device Management (MDM) solutions
  • Security Information and Event Management (SIEM) solutions
  • Configuration Management Databases
  • Source Code repositories
  • Change Management tools
  • Change and/or Incident Management ticketing systems
  • Password vaults
  • Encryption software
  • Data Loss Prevention (DLP) software

Other Scoping Topics

7.2.22 Service providers are not considered a scope component because they are responsible for providing support or services for a primary or secondary scope component. All service providers (unless carved-out in an i1 or e1, see Chapter 7.3 Carve-outs) must be tested following HITRUST’s third-party testing approach (see Chapter 12 Reliance & Third-party Coverage) when utilized by an Assessed Entity as a service provider supporting a primary or secondary scope component.

7.2.23 Certain requirement statements refer to distinct types of people within an Assessed Entity (e.g., contractors, employees, workforce, non-employees, etc.). The HITRUST Glossary of Terms and Acronyms (accessible within MyCSF in the “References” tab) should be used to determine the scope of people that should be included when testing those requirements.

7.2.24 Sampling is allowed when there is uniformity in the management and operation of controls across a group of scope components. The External Assessor must document its approach and rationale for testing controls across a group of scope components.

For example: The Assessed Entity may have Enterprise policies and procedures for managing physical security across its data centers. The External Assessor validates that those policies and procedures are uniformly managed and communicated across all of the Assessed Entity’s data centers in scope of the assessment.

7.2.25 The External Assessor may change how scope components are grouped depending on the HITRUST requirement statement.

For example: When testing configuration management, the Assessed Entity may have a centralized configuration management system for Linux that allows all primary in-scope Linux Operating Systems to be in a group for testing. The grouping may be different when testing other requirement statements if there are additional scope components uniformly managed and operated for those controls.

7.2.26 When sampling scope components, the External Assessor must follow the sampling guidance in the HITRUST Control Maturity Scoring Rubric.

[2] NIST Special Publication 800-171 Revision 2

[3] Committee on National Security Systems, CNSSI 4009-2015