Assessment scoping is the process of identifying the specific organizational business units, physical locations, systems, and other components to be considered in a HITRUST assessment. The scoping process is designed to be flexible and adaptive so that it can be tailored to fit the unique environment of an Assessed Entity. The scope of an assessment determines the boundary of what will be subject to assessment procedures in a HITRUST assessment. The scope defined by the Assessed Entity depends on several considerations, which may include:

  • Needs of the Assessed Entity’s relying parties
  • Assessed Entity’s available personnel and/or resources to support the assessment
  • Security and privacy program maturity of the Assessed Entity
  • Use and flow of covered and/or confidential data
  • Potential significant short-term changes in the IT environment

For additional examples of how an Assessed Entity may decide to approach its scoping process, see Appendix A-14 Scoping Approaches.

HITRUST has defined specific criteria to assist Assessed Entities with determining the scope of their assessments:

7.1.1 HITRUST only certifies implemented systems under control of the Assessed Entity. An implemented system is a system that has been installed and configured within the assessed control environment for at least 90 days. The installation and configuration must include all primary scope components (see Chapter 7.2 Required Scope Components) of the system (e.g., operating system, database, etc.) for the entire 90-day period. There is no requirement for the system to be storing or processing data during the 90-day period, but it must be operating in the production environment. [3]

NOTE: The 90-day implementation period may overlap with the fieldwork period if testing on the implemented system is performed after the 90-day implementation period has been achieved. The following example timeline demonstrates how a system’s implementation period may overlap the fieldwork period.

7.1.2 HITRUST utilizes the NIST definition of a “system”, which is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [4]

NOTE: HITRUST uses the terms “system”, “information system”, and “platform” interchangeably.

7.1.3 HITRUST cannot certify application(s) whose application instance(s) are not under the control of the Assessed Entity (e.g., HITRUST cannot certify mobile applications). However, the back-end infrastructure supporting such an application can be certified. For example, a cloud service provider (CSP) can certify the system(s) it provides to customers, but the customer is responsible for certifying the specific platform it customizes and operates on the CSP’s infrastructure.

7.1.4 HITRUST incorporates the facility(s) included in the scope of an assessment within the certification letter to provide the Assessed Entity and its relying parties context around the location of in-scope platform(s).

The Assessed Entity’s scope definition helps direct its control implementation and remediation efforts as they relate to the HITRUST CSF. A properly defined scope for the HITRUST assessment is necessary to create a targeted environment for the assessment. Scope components that influence the in-scope technical environment should be clearly understood to determine the extent of testing necessary within each HITRUST requirement statement.

[3] In this instance, HITRUST considers the following NIST definition of ‘production environment’: An environment where functionality and availability must be ensured for the completion of day-to-day activities.

[4] NIST Special Publication 800-171 Revision 2