In addition to minor wording updates and clarification, the changes between the exposure draft and version 1.0 of the Assessment Handbook include the key modifications summarized in the table below.
Chapter | Modification |
---|---|
1. Introduction | Added reference to HITRUST Glossary of Terms and Acronyms. |
3.1 Assessed Entity | Updated to include the Assessed Entity responsibilities outlined in the Management Representation Letter. |
3.2 Assessors | Updated with previously documented and communicated readiness assessment, readiness license and internal assessor requirements. |
3.3 Independence Requirements | Clarified types of remediation activities that are not authorized for External Assessors. |
6. Pre-Assessment | Added Chapter numbers for each pre-assessment webform. |
6.5 Scope of the Assessment | Included the requirements for description of a platform. |
6.7 Factors | Included the requirement for a rationale when a factor question is answered “No”. |
7.1 Assessment Scoping | Included visual timeline for system implementation requirement; Added criteria 7.1.4 to clarify HITRUST rationale for reporting facility(s). |
7.2 Required Scope Components | Clarified the potential for other component types to be included as primary scope components; Clarified definition of primary and secondary scope components; 7.2.4 – Added example, Added NOTE clarifying that components may exist as both a primary and secondary scope component; 7.2.7 – Clarified that additional facility(s) not hosting the in-scope platform that are included in scope must present a risk to the in-scope platform; Added new criteria 7.2.12 for clarification on how to determine scope when requirement statement language may conflict with Assessment Handbook guidance; 7.2.14 – Added testing expectations and definitions for bastion host, jump server and VDI; 7.2.15 – Clarified that laptops are not classified as portable media; Other Scoping Topics – Added criteria 7.2.23 – 7.2.25 to provide guidance and expectations on sampling of scope components. |
7.3 Carve-outs | Clarified definition of carve-out. |
8.1 Requirement Statement Background | Included additional information on Illustrative Procedures (previously documented in HITRUST whitepapers) including criteria 8.1.1 for an External Assessor to use the Illustrative Procedures to support its testing approach. |
8.2 Alternate Controls | Added chapter 8.2 on the HITRUST Alternate Control process and requirements. |
9.5 Managed Maturity Level | Added criteria 9.5.2 to explain an undocumented risk treatment process. |
10.1 HITRUST Scoring | Added criteria 10.1.1 – 10.1.3 to explain HITRUST expectations for weighting of scope components. |
11.2 Testing Requirements | 11.2.8 – Clarified 90 day control operation requirement; 11.2.9 – Added visual timeline of a newly implemented control. |
11.3 Working Papers & Evidence | Temporary removal of criteria related to completeness and accuracy (for further refinement); 11.3.8 – Clarified date requirements for evidence supporting observations and inspections; 11.3.9 – Clarified requirements for policy and procedure documents; 11.3.11 – Clarified expectations for appropriate evidence linking; Temporary removal of criteria requiring evidence documenting the source of each population. |
11.4 Population & Sampling | Temporary removal of criteria requiring evidence documenting the source of each population; Temporary removal of criteria related to completeness and accuracy of the population (for further refinement); 11.4.9 – Added time limit of 30 days to population generation prior to fieldwork; Removed HITRUST criteria to re-validate population size within fieldwork period (if generated prior to fieldwork); Added criteria 11.4.11 to re-select sample items that are selected and not able to be tested; Added criteria 11.4.16 to clarify that evidence must be uploaded for all sample selections. |
11.5 Documenting Exceptions | Added criteria 11.5.1 and 11.5.3 to clarify HITRUST expectations when an exception has been identified during testing. |
12.1 Third-Party Coverage | Added criteria 12.1.4 to clarify HITRUST expectations for Assessed Entities as it relates to third-parties. |
12.2 Reliance on Assessment Results Using Inheritance | Re-organized and re-worded Chapter 12.2 for easier interpretation of HITRUST expectations. |
13.2 Audits and Assessments Utilized | Added criteria 13.2.3 to clarify what should and should not be included. |
13.8 Management Representation Letter | Added criteria 13.8.4 to include the Rep Letter date requirements. |
14.3 Live QA | Added criteria 14.3.3 to clarify what information may and may not be withheld from MyCSF for Live QA; Added criteria 14.3.7 to communicate HITRUST expectations for the External Assessor during Live QA. |
14.4 Escalated QA | Added criteria 14.4.13 to clarify the purpose of an appeal. |
15.3 Security Events & Fraud | Added criteria 15.3.10 to clarify how an External Assessor should answer the interim assessment question related to security breaches. |
15.4 Interim Assessment | Added criteria 15.4.5 and 15.4.6 to clarify the impact of lowering scores in an interim assessment; Added criteria 15.4.19 and 15.4.20 to clarify testing approach for remediated CAPs; 15.4.21 – Added items that HITRUST takes into consideration to determine sufficient progress. |
15.5 Rapid Assessments | Added diagram to provide visual workflow of the control degradation detection process. |
15.9 HITRUST Treatment of Non-compliance | Added Chapter 15.9 to describe potential outcomes when criteria in the Assessment Handbook are not met. |
Appendix A-4: Never N/A Examples | Updated table to include additional examples. |
Appendix A-7: Rubric Scoring – Measured and Managed | Updated with additional FAQs. |
Appendix A-10: Policy & Procedure FAQs & Examples | Updated with additional FAQs. |
Appendix A-12: Inheritance FAQs & Examples | Updated with additional FAQs. |
Appendix A-15: Certification Threshold Scoring Examples | New Appendix to provide various certification scoring scenarios. |