Populations used for a sample-based test are either selected from a list of items as of a point in time (“item-based”) or drawn from items that occurred over a period of time (“time-based”). As described in criteria 11.4.10, “item-based” populations tested at a point in time must be tested within the fieldwork period. “Time-based” samples selected to test a HITRUST requirement over a period of time must meet the date requirements outlined in criteria 11.4.7 and 11.4.8 (see Chapter 11.4 Population & Sampling). Note that what determines the type is the population sampled from, not the age of the evidence: a test can examine historic evidence (e.g., a hire-date training record) and still be item-based if the population is a current list. Below are examples of sample-based tests and whether the test and/or population would be considered “item-based” or “time-based”.
| HITRUST CSF Requirement Statement | Illustrative Procedure for Implemented Sample-based Test (partial text for example purposes) | Test/Population Type |
|---|---|---|
| BUID: 06.09B1SYSTEM.2: CVID: 2368.0. Changes to information systems (including changes to applications, databases, configurations, network devices, and operating systems, and with the potential exception of automated security patches) are consistently 1. documented, 2. tested, and 3. approved. | Select a sample of changes made to information systems (including changes to applications, databases, configurations, network devices, and operating systems, and with the potential exception of automated security patches) and confirm that they were documented, tested, and approved. | Time-based: This test samples changes over a historic period of time to validate the control's operation. |
| BUID: 0201.09J1ORGANIZATIONAL.124: CVID: 0873.0. Technologies are implemented for the 1. timely installation of anti-malware protective measures, 2. timely upgrade of anti-malware protective measures, and 3. regular updating of anti-malware protective measures, automatically whenever updates are available. Periodic reviews/scans… [truncated for brevity] | Select a sample of endpoint devices (desktops, laptops, servers, BYOD, etc.) and determine whether anti-malware software is installed, operating, and up to date on each. | Item-based: This test samples from a current list of endpoints to validate that: 1. each sampled endpoint currently has anti-malware software installed, 2. the anti-malware software on each sampled endpoint is operating (e.g., active), and 3. the anti-malware software on each sampled endpoint contains the most recent updates and signatures. |
| BUID: 1301.02E1ORGANIZATIONAL.12: CVID: 0333.0. Security awareness training 1. commences with a formal induction process designed to introduce the organization's security and privacy policies, state and federal laws, and expectations before access to information or services is granted and no later than 60 days after the date the employee is hired. Ongoing training includes… [truncated for brevity] | Select a sample of employees and determine whether each was trained on the organization's security and privacy policies at the time of hire and annually thereafter. | Item-based: Although the evidence examined may be historic, the population being sampled from is a current list of employees, so this test follows the item-based population timing criteria. |
| BUID: 1015.01D1SYSTEM.1: CVID: 0074.0. Users 1. acknowledge receipt of passwords. | Select a sample of users that received new passwords and examine evidence to confirm that an acknowledgement was received from each user upon receipt. The sample can be selected from the population of new user access requests to determine control implementation. | Time-based: This test samples new users over a historic period of time. |
| BUID: 1002.01D1SYSTEM.1: CVID: 0067.0. Passwords 1. are prohibited from being displayed when entered. | Examine the password configuration settings for a sample of systems/applications and confirm that they are configured not to display passwords in plain text. | Item-based: This test samples from the current in-scope systems to validate password configuration at a point in time. |