Assessment Handbook

1.1

Table of Contents

Assessment Handbook

1.1
- Assessment Handbook — 1.1

1. Introduction
2. Background
3. Roles & Responsibilities
- 3.1 Assessed Entity
- 3.2 Assessors
- 3.3 Independence Requirements
4. Assessment Types
- 4.1 Readiness Assessments
- 4.2 Validated Assessments
5. HITRUST Assessment Workflow
- 5.1 r2 Validated Assessment Workflow
- 5.2 i1 and e1 Validated Assessment Workflow
- 5.3 r2 Readiness Assessment Workflow
- 5.4 i1 & e1 Readiness Assessment Workflow
- 5.5 Interim and Bridge Assessment Workflow
- 5.6 Assessment Status Dashboards
- 5.7 MyCSF Assessment Status Notifications
6. Pre-Assessment
- 6.1 Pre-Assessment Webforms
- 6.2 Name & Security
- 6.3 Assessment Options
- 6.4 Organization Information
- 6.5 Scope of the Assessment
- 6.6 Default Scoring Profile
- 6.7 Factors
7. Scoping the Assessment
- 7.1 Assessment Scoping
- 7.2 Required Scope Components
- 7.3 Carve-outs
8. Requirement Statements
- 8.1 Requirement Statement Background
- 8.2 Alternate Controls
- 8.3 Not Applicable (N/A) Requirement Statements
9. Control Maturity Levels
- 9.1 Policy Maturity Level
- 9.2 Procedure Maturity Level
- 9.3 Implemented Maturity Level
- 9.4 Measured Maturity Level
- 9.5 Managed Maturity Level
10. HITRUST Scoring Rubric
- 10.1 HITRUST Scoring
11. Testing & Evidence Requirements
- 11.1 Testing Approach
- 11.2 Testing Requirements
- 11.3 Working Papers & Evidence
- 11.4 Population & Sampling
- 11.5 Documenting Exceptions
12. Reliance & Third-Party Coverage
- 12.1 Third-Party Coverage
- 12.2 Reliance on Assessment Results Using Inheritance
- 12.3 Reliance on Audits and/or Assessments Performed by a Third-Party
- 12.4 Reliance on Testing Performed by the Assessed Entity (i.e., Internal Assessors)
- 12.5 Direct Testing of Third-Party Controls
13. Assessment Submission Process
- 13.1 Quality Assurance (QA) Reservation
- 13.2 Audits and Assessments Utilized
- 13.3 Validated Report Agreement
- 13.4 Automated Quality Checks
- 13.5 Test Plan
- 13.6 External Assessor Time Sheet
- 13.7 QA Checklist
- 13.8 Management Representation Letter
- 13.9 CAPs and Gaps
- 13.10 Check-in Process
- 13.11 Addressing Check-in Tasks
14. Undergoing Quality Assurance (QA)
- 14.1 Quality Assurance Process
- 14.2 QA Tasks
- 14.3 Live QA
- 14.4 Escalated QA
15. Reporting & Maintaining a HITRUST Certification
- 15.1 HITRUST Reporting
- 15.2 Report Re-Issuance
- 15.3 Security Events & Fraud
- 15.4 Interim Assessment
- 15.5 Rapid Assessments
- 15.6 Significant Changes
- 15.7 Re-certification
- 15.8 Bridge Assessments
- 15.9 Emerging Mitigation Process (EMP)
- 15.10 HITRUST Treatment of Non-compliance
Appendix A: FAQs & Examples
- A-1: Carve-out Scoring Details
- A-2: Mixed Applicability Errors
- A-3: Not Applicable (N/A) Examples
- A-4: Never N/A Examples
- A-5: N/A Decision Tree
- A-6: Rubric Scoring – Policy, Procedure, and Implemented
- A-7: Rubric Scoring – Measured and Managed
- A-8: Testing & Evidence FAQs & Examples
- A-9: Off-site Validation Procedures
- A-10: Policy & Procedure FAQs & Examples
- A-11: Automated Control Testing Example
- A-12: Inheritance FAQs & Examples
- A-13: Well-written CAP Examples
- A-14: Scoping Approaches
- A-15: Certification Threshold Scoring Examples
- A-16: Sample-based Testing Examples
- A-17: Expected AI Expertise for External Assessors
- A-18: Example Add-on Certification Approach for Existing HITRUST Certifications
- A-19: AI Security Certification Eligibility
Appendix B: Summary of Changes
- B-1: Version 1.0
- B-2: Version 1.1

Appendix A: FAQs & Examples

15.10 HITRUST Treatment of Non-compliance

A-1: Carve-out Scoring Details

A-1: Carve-out Scoring Details
A-2: Mixed Applicability Errors
A-3: Not Applicable (N/A) Examples
A-4: Never N/A Examples
A-5: N/A Decision Tree
A-6: Rubric Scoring – Policy, Procedure, and Implemented
A-7: Rubric Scoring – Measured and Managed
A-8: Testing & Evidence FAQs & Examples
A-9: Off-site Validation Procedures
A-10: Policy & Procedure FAQs & Examples
A-11: Automated Control Testing Example
A-12: Inheritance FAQs & Examples
A-13: Well-written CAP Examples
A-14: Scoping Approaches
A-15: Certification Thresholds Scoring Examples
A-16: Sample-based Testing Examples
A-17: Expected AI Expertise for External Assessors
A-18: Example Add-on Certification Approach for Existing HITRUST Certifications
A-19: AI Security Certification Eligibility

15.10 HITRUST Treatment of Non-compliance

A-1: Carve-out Scoring Details

© 2024 HITRUST All rights reserved. Reproduction, re-use, and creation of derivative works are prohibited.