Assessment Handbook — 1.1

Table of Contents
  • 1. Introduction
  • 2. Background
  • 3. Roles & Responsibilities
    • 3.1 Assessed Entity
    • 3.2 Assessors
    • 3.3 Independence Requirements
  • 4. Assessment Types
    • 4.1 Readiness Assessments
    • 4.2 Validated Assessments
  • 5. HITRUST Assessment Workflow
    • 5.1 r2 Validated Assessment Workflow
    • 5.2 i1 and e1 Validated Assessment Workflow
    • 5.3 r2 Readiness Assessment Workflow
    • 5.4 i1 & e1 Readiness Assessment Workflow
    • 5.5 Interim and Bridge Assessment Workflow
    • 5.6 Assessment Status Dashboards
    • 5.7 MyCSF Assessment Status Notifications
  • 6. Pre-Assessment
    • 6.1 Pre-Assessment Webforms
    • 6.2 Name & Security
    • 6.3 Assessment Options
    • 6.4 Organization Information
    • 6.5 Scope of the Assessment
    • 6.6 Default Scoring Profile
    • 6.7 Factors
  • 7. Scoping the Assessment
    • 7.1 Assessment Scoping
    • 7.2 Required Scope Components
    • 7.3 Carve-outs
  • 8. Requirement Statements
    • 8.1 Requirement Statement Background
    • 8.2 Alternate Controls
    • 8.3 Not Applicable (N/A) Requirement Statements
  • 9. Control Maturity Levels
    • 9.1 Policy Maturity Level
    • 9.2 Procedure Maturity Level
    • 9.3 Implemented Maturity Level
    • 9.4 Measured Maturity Level
    • 9.5 Managed Maturity Level
  • 10. HITRUST Scoring Rubric
    • 10.1 HITRUST Scoring
  • 11. Testing & Evidence Requirements
    • 11.1 Testing Approach
    • 11.2 Testing Requirements
    • 11.3 Working Papers & Evidence
    • 11.4 Population & Sampling
    • 11.5 Documenting Exceptions
  • 12. Reliance & Third-Party Coverage
    • 12.1 Third-Party Coverage
    • 12.2 Reliance on Assessment Results Using Inheritance
    • 12.3 Reliance on Audits and/or Assessments Performed by a Third-Party
    • 12.4 Reliance on Testing Performed by the Assessed Entity (i.e., Internal Assessors)
    • 12.5 Direct Testing of Third-Party Controls
  • 13. Assessment Submission Process
    • 13.1 Quality Assurance (QA) Reservation
    • 13.2 Audits and Assessments Utilized
    • 13.3 Validated Report Agreement
    • 13.4 Automated Quality Checks
    • 13.5 Test Plan
    • 13.6 External Assessor Time Sheet
    • 13.7 QA Checklist
    • 13.8 Management Representation Letter
    • 13.9 CAPs and Gaps
    • 13.10 Check-in Process
    • 13.11 Addressing Check-in Tasks
  • 14. Undergoing Quality Assurance (QA)
    • 14.1 Quality Assurance Process
    • 14.2 QA Tasks
    • 14.3 Live QA
    • 14.4 Escalated QA
  • 15. Reporting & Maintaining a HITRUST Certification
    • 15.1 HITRUST Reporting
    • 15.2 Report Re-Issuance
    • 15.3 Security Events & Fraud
    • 15.4 Interim Assessment
    • 15.5 Rapid Assessments
    • 15.6 Significant Changes
    • 15.7 Re-certification
    • 15.8 Bridge Assessments
    • 15.9 Emerging Mitigation Process (EMP)
    • 15.10 HITRUST Treatment of Non-compliance
  • Appendix A: FAQs & Examples
    • A-1: Carve-out Scoring Details
    • A-2: Mixed Applicability Errors
    • A-3: Not Applicable (N/A) Examples
    • A-4: Never N/A Examples
    • A-5: N/A Decision Tree
    • A-6: Rubric Scoring – Policy, Procedure, and Implemented
    • A-7: Rubric Scoring – Measured and Managed
    • A-8: Testing & Evidence FAQs & Examples
    • A-9: Off-site Validation Procedures
    • A-10: Policy & Procedure FAQs & Examples
    • A-11: Automated Control Testing Example
    • A-12: Inheritance FAQs & Examples
    • A-13: Well-written CAP Examples
    • A-14: Scoping Approaches
    • A-15: Certification Threshold Scoring Examples
    • A-16: Sample-based Testing Examples
    • A-17: Expected AI Expertise for External Assessors
    • A-18: Example Add-on Certification Approach for Existing HITRUST Certifications
    • A-19: AI Security Certification Eligibility
  • Appendix B: Summary of Changes
    • B-1: Version 1.0
    • B-2: Version 1.1

Appendix A: FAQs & Examples

  • A-1: Carve-out Scoring Details
  • A-2: Mixed Applicability Errors
  • A-3: Not Applicable (N/A) Examples
  • A-4: Never N/A Examples
  • A-5: N/A Decision Tree
  • A-6: Rubric Scoring – Policy, Procedure, and Implemented
  • A-7: Rubric Scoring – Measured and Managed
  • A-8: Testing & Evidence FAQs & Examples
  • A-9: Off-site Validation Procedures
  • A-10: Policy & Procedure FAQs & Examples
  • A-11: Automated Control Testing Example
  • A-12: Inheritance FAQs & Examples
  • A-13: Well-written CAP Examples
  • A-14: Scoping Approaches
  • A-15: Certification Threshold Scoring Examples
  • A-16: Sample-based Testing Examples
  • A-17: Expected AI Expertise for External Assessors
  • A-18: Example Add-on Certification Approach for Existing HITRUST Certifications
  • A-19: AI Security Certification Eligibility
© 2024 HITRUST All rights reserved. Reproduction, re-use, and creation of derivative works are prohibited.