Working Papers
External Assessors must create working papers based on the artifacts collected during the validated assessment which were used to support the External Assessor’s review and validation of the Assessed Entity’s scoring.
11.3.1 Each requirement statement that includes sample-based testing must have a testing lead sheet. The testing lead sheet must:
- Reference the population evidence (including creation date and source)
- Include the population size, population date range and sample size
- Document the sampling approach
- List the attributes tested (addressing all illustrative procedure elements / evaluative elements within the requirement statement) including description of the test procedure
- List the items selected for testing (with identifier back to the population and references to evidence for each sampled artifact)
- Include the results of testing for each sampled item and corresponding attribute(s)
11.3.2 For the Policy and Procedure maturity levels, there must be clear references to the evidence supporting the scores. The Assessed Entity or External Assessor should map each requirement statement’s evaluative element to the location within the document (e.g., section, page #, paragraph, etc.) where it describes the corresponding policy and/or procedure.
11.3.3 For the Measured and Managed maturity levels, there must be clear references to the supporting measure(s), metric(s) and/or risk treatment plan supporting the scores. Additionally, documentation must demonstrate how criteria of a measure, metric, or risk treatment plan were achieved (for criteria, see Chapter 9.4 Measured Maturity Level and Chapter 9.5 Managed Maturity Level). In cases where sampling was performed the same testing lead sheet requirements in criteria 11.3.1 must be followed, along with all requirements in Chapter 11.4 Population & Sampling.
Evidence
Evidence must be collected to support the scores documented within the assessment.
Evidence is the information obtained by performing procedures during a HITRUST assessment. Evidence may include distinct types of information that influence the nature and/or extent of audit procedures needed to reach a conclusion on the requirement statement score. The various types of information include:
- Verbal information: Information obtained via responses to inquiries during the assessment.
- Observed information: Information obtained via observation (e.g., datacenter visit or a screenshot of a system configuration setting observed on a screen).
- Paper documents: Information obtained using documents (e.g., an original IT Service Level Agreement or a policy/procedure).
- Electronic information: Information obtained using electronic documents (e.g., a scanned version of a signed approval form) or data stored in an IT system (e.g., system-generated user access lists or change tickets from a ticketing system).
HITRUST has specific requirements related to evidence used during an assessment as indicated below.
11.3.4 Persuasiveness of the evidence relates to the External Assessor obtaining appropriate evidence that is sufficient for the auditor to draw reasonable conclusions. The External Assessor may rely on evidence that is persuasive rather than conclusive. The External Assessor must use professional judgment and professional skepticism in evaluating the quantity and quality of the evidence, and thus its sufficiency and appropriateness, to support the results.
11.3.5 The External Assessor must obtain more than verbal information to obtain sufficient evidence to support its procedures. Inquiry alone does not provide sufficient evidence to evaluate the maturity level of the corresponding requirement statement.
11.3.6 Evidence is more reliable (and persuasive) when multiple items of consistent supporting evidence are obtained from different sources, or are of a different nature, than when any single item is considered on its own. For example, observing a wireless access point during a data center visit corroborates, and so increases the reliability of, a network diagram obtained from management that shows that access point. Conversely, when evidence obtained from one source is inconsistent with evidence obtained from another, additional procedures must be performed to reconcile the discrepancy.
11.3.7 All evidence collected that supports the requirement statement scores within a validated assessment must be uploaded to MyCSF and properly referenced within the Test Plan and/or MyCSF. A validated assessment’s collective body of working papers is considered incomplete if only a portion of the assessment’s scope and/or requirement statements is reflected in the working papers. The only exception is if the assessment will be undergoing Live QA (see Chapter 14.3 Live QA).
11.3.8 Observations and inspections performed to test the operation of a control at a point in time (e.g., configuration screenshots, system parameters, audit logs, etc.) must be performed within the fieldwork period. The evidence provided by the Assessed Entity to the External Assessor supporting those observations and inspections must include a corresponding date within the fieldwork period. The evidence supporting any observation and/or inspection must be uploaded into MyCSF (see Chapter 14.1 Quality Assurance Process).
11.3.9 Policy and procedure documents used to support scoring must be current, final (non-draft), and periodically reviewed by the Assessed Entity in accordance with its requirements. The documents attached as evidence in MyCSF must include all relevant sections of the final, approved policy or procedure documents to support scoring of the corresponding requirement statements.
11.3.10 Policy and procedure documents may be obtained by the External Assessor prior to the start of the fieldwork period but must be reviewed and validated by the External Assessor within the fieldwork period.
11.3.11 External Assessors must link supporting evidence individually to each of the related requirement statements as well as the related control maturity level(s) within MyCSF. The External Assessor may not:
- Only list and/or reference the supporting evidence in a Test Plan and/or lead sheet (instead of linking the evidence in MyCSF).
- Use zip files that contain all evidence for a particular domain and/or requirement statement. (NOTE: sample-based evidence for the same test may be in a zip file if properly labeled to identify each sample item)
- Embed all evidence for a particular domain and/or requirement statement within a spreadsheet.
11.3.12 The External Assessor must include evidence documenting the date when each evidence artifact was generated. For each type of evidence, this date will be:
- Verbal Information: Date of the inquiry response
- Observed Information: Date of the observation
- Paper Documents: Date when the document was provided by the Assessed Entity
- Electronic Information: Date when the electronic record or system-generated report/document was generated by the corresponding system of record.
11.3.13 Evidence is expected to be submitted in English. Where translations of all evidence are not possible, the Assessed Entity and/or External Assessor must provide written translations from a translation service for all items selected for review during the Quality Assurance process.
11.3.14 The MyCSF assessment object will continue to retain all working papers and evidence until expiration of the certification. Assessed Entities will not be able to delete the object and/or evidence within the object until expiration of the certification. For details on the HITRUST data retention policy, see Chapter 5.1 r2 Validated Assessment Workflow and Chapter 5.2 i1 and e1 Validated Assessment Workflow Assessment Object Archiving.
11.3.15 Assessed Entities may be able to archive an assessment prior to certificate expiration with approval from HITRUST. However, HITRUST will continue to retain access to the assessment evidence and work papers until expiration of the certification. For archiving approval prior to expiration of the certification, the Assessed Entity must contact HITRUST Support (support@hitrustalliance.net) with its rationale for the request.
11.3.16 Regardless of the evidence collection method (e.g., manual or automated), the evidence must meet all HITRUST requirements.
Evidence Generated by Intermediate Software Platforms
When External Assessors receive evidence supporting the requirement statement scores in a HITRUST assessment, they must consider the persuasiveness and reliability of the evidence, as noted in HITRUST Assessment Handbook criteria 11.3.4 and 11.3.6. As stated within the criteria, this must include an evaluation of the quality of the evidence, including its sufficiency and appropriateness.
HITRUST allows the transmission of assessment evidence from authorized intermediate software platforms into MyCSF. An intermediate software platform is a platform operated and configured by a third party to manage an Assessed Entity’s compliance efforts through integrations with the Assessed Entity’s systems, tools and/or service providers. When an Assessed Entity outsources the generation of assessment evidence to a third party, there is a risk of misconfiguration within these platforms that must be addressed by the External Assessor during the Assessed Entity’s HITRUST assessment.
11.3.17 If the intermediate software platform:
i. Utilized integration parameters and/or queries to generate the evidence directly from the Assessed Entity’s system(s), supporting tool(s), and/or service provider’s system(s) or supporting tool(s), AND
ii. Transmitted the assessment evidence from the intermediate software platform directly into MyCSF,
then the below criteria must be followed to evaluate the evidence quality (in addition to all current guidance within the HITRUST Assessment Handbook). The criteria listed below are intended to validate both completeness and accuracy of evidence generated and transmitted via an intermediate software platform.
The below criteria are not required to be applied to evidence generated by the Assessed Entity and directly uploaded into the intermediate software platform. In this instance, the intermediate software platform is acting as a conduit for the transfer of the Assessed Entity’s evidence into MyCSF (similar to the Assessed Entity directly uploading evidence into MyCSF). Evidence generated by the Assessed Entity in this manner should continue to follow all other HITRUST Assessment Handbook criteria related to evidence quality.
11.3.18 The External Assessor must indicate in MyCSF (e.g., within a test plan, separate workpaper, etc.) when evidence in a HITRUST assessment was provided via an intermediate software platform utilizing integration parameters and/or queries to generate the evidence directly from the Assessed Entity’s system(s), supporting tool(s), and/or service provider’s system(s) or supporting tool(s).
11.3.19 All procedures supporting evidence quality must be documented within MyCSF by the External Assessor. There is no required format for the documentation (e.g., within the test plan, separate workpaper, etc.) but any supporting procedures must be attached to the requirement statement(s) containing the linked evidence and reference the corresponding evidence.
11.3.20 All evidence quality procedures must be performed within the fieldwork period or no more than 30 days prior to the start of fieldwork. The evidence must continue to meet all fieldwork timing requirements within the HITRUST Assessment Handbook.
11.3.21 Evidence quality procedures may be performed once for multiple evidence files when identical integration parameter and/or queries were used to generate the evidence.
11.3.22 The External Assessor must validate appropriate scope coverage for the evidence. As the evidence is generated via an integration originating from the intermediate software platform (without direct Assessed Entity oversight), there is a risk the integration is configured with the incorrect system and/or tool.
This validation could include inspection of the intermediate software platform’s integration with the Assessed Entity’s or service provider’s system to confirm that evidence is collected from the correct system(s) or supporting tool(s). When performing this approach, the inspection should determine whether the defined integration parameter and/or query targets the appropriate system and/or tool.
For example: If “System A” uses “Active Directory server A” to manage its password settings, the External Assessor may inspect that the intermediate software platform’s integration parameter has been correctly defined to integrate with “Active Directory server A” to obtain the password settings (rather than another location, such as “Active Directory server B”).
External Assessors may utilize alternate methods for scope validation if those methods appropriately validate that the evidence was generated from the correct system and/or tool.
11.3.23 The External Assessor must validate the integration parameters and/or queries used to generate the evidence were accurately configured. As the evidence is generated via an integration originating from the intermediate software platform (without direct Assessed Entity oversight), there is a risk that incorrect parameters and/or queries could result in the evidence containing incomplete or missing data.
This validation could include inspection that the parameters and/or queries were appropriately designed in the intermediate software platform. This inspection should verify the correct parameter and/or query configuration, such as data and/or record requests, dates, and/or appropriate request exclusions.
For example: If the intermediate software platform generates a population of changes to “System A” across a period of nine months, the External Assessor is expected to inspect that the defined query requested all expected “System A” changes, with correctly defined dates corresponding to the expected population.
If an Assessed Entity has documentation supporting the initial setup of a parameter and/or query, the External Assessor may use this as evidence if they can validate systematically that the design and evidence source has not been modified in the intermediate software platform (e.g., validation through a system change date, log, etc.). However, the initial configuration must be re-inspected every two years at a minimum.
11.3.24 If the External Assessor is unable to validate that the integration parameters and/or queries used to generate the evidence were accurately configured (as described in criteria 11.3.23), the External Assessor must corroborate the provided evidence with the Assessed Entity’s system(s), supporting tool(s), and/or service provider’s system(s) or supporting tool(s) to reasonably conclude on the completeness and accuracy of the provided evidence (e.g., using record counts, re-production of evidence, etc.).
When multiple evidence files have been generated using identical parameters and/or queries within the intermediate software platform, the External Assessor may corroborate a sample (following the HITRUST sampling methodology) of evidence files to confirm accuracy of the integration parameter and/or query.
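The following Python is an added example, not part of the HITRUST Assessment Handbook and not the output of any real intermediate software platform. It applies the procedures in criteria 11.3.22 through 11.3.24 to a constructed nine-month change population for “System A”: it checks that the configured integration parameters target the expected system and cover the expected date range, re-produces the population by applying the same query logic to an independent extract from the system of record, and reconciles the two by record count and by identifier in both directions. The QueryConfig class, the field names (change_id, system, type, closed) and every sample record are assumptions constructed for illustration; the misconfigured end date in CONFIGURED_QUERY is deliberate, to show how a missing record surfaces.

```python
"""Corroborating a change population exported by an intermediate software
platform against the Assessed Entity's system of record (added example;
all field names and records below are constructed for illustration)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class QueryConfig:
    """Integration parameters as defined in the platform (hypothetical field set)."""
    source_system: str
    start: date
    end: date                    # inclusive
    excluded_types: tuple = ()   # change types the query filters out


def check_query_config(cfg, expected_system, period_start, period_end):
    """Criteria 11.3.22 / 11.3.23: confirm the query points at the right system
    and its date window covers the whole expected population.
    Returns a list of findings; an empty list means no issue was found."""
    findings = []
    if cfg.source_system != expected_system:
        findings.append(f"query targets {cfg.source_system!r}, expected {expected_system!r}")
    if cfg.start > period_start:
        findings.append(f"query start {cfg.start} is after population start {period_start}")
    if cfg.end < period_end:
        findings.append(f"query end {cfg.end} is before population end {period_end}")
    if cfg.excluded_types:
        findings.append(f"query excludes change types {sorted(cfg.excluded_types)}; each exclusion needs justification")
    return findings


def reproduce_population(source_rows, cfg):
    """Criteria 11.3.24: re-produce the evidence by applying the configured
    query logic to an independent extract from the system of record."""
    return [r for r in source_rows
            if r["system"] == cfg.source_system
            and cfg.start <= r["closed"] <= cfg.end
            and r["type"] not in cfg.excluded_types]


def reconcile_populations(platform_rows, source_rows, system, period_start, period_end):
    """Criteria 11.3.24: compare the platform-generated population with the
    independent extract by record count and by identifier, both ways."""
    def in_scope(r):
        return r["system"] == system and period_start <= r["closed"] <= period_end
    expected_ids = {r["change_id"] for r in source_rows if in_scope(r)}
    platform_ids = [r["change_id"] for r in platform_rows]
    platform_set = set(platform_ids)
    return {
        "source_count": len(expected_ids),
        "platform_count": len(platform_ids),
        "missing_from_platform": sorted(expected_ids - platform_set),   # completeness gap
        "not_in_source": sorted(platform_set - expected_ids),           # accuracy gap
        "out_of_scope": sorted(r["change_id"] for r in platform_rows if not in_scope(r)),
        "duplicates": sorted(i for i, n in Counter(platform_ids).items() if n > 1),
    }


def population_is_complete(result):
    """True only when counts match and every identifier reconciles both ways."""
    return (result["source_count"] == result["platform_count"]
            and not result["missing_from_platform"]
            and not result["not_in_source"]
            and not result["out_of_scope"]
            and not result["duplicates"])


# --- constructed sample data (not real assessment evidence) ------------------
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 9, 30)   # nine-month population

# Independent extract pulled by the assessor from the ticketing system of record.
SOURCE_OF_RECORD = [
    {"change_id": "CHG-0999", "system": "System A", "type": "standard", "closed": date(2023, 12, 28)},
    {"change_id": "CHG-1001", "system": "System A", "type": "standard", "closed": date(2024, 1, 15)},
    {"change_id": "CHG-1002", "system": "System A", "type": "emergency", "closed": date(2024, 4, 2)},
    {"change_id": "CHG-1003", "system": "System A", "type": "standard", "closed": date(2024, 9, 20)},
    {"change_id": "CHG-2001", "system": "System B", "type": "standard", "closed": date(2024, 5, 9)},
]

# Query as actually configured in the platform: the end date stops two weeks short.
CONFIGURED_QUERY = QueryConfig("System A", date(2024, 1, 1), date(2024, 9, 15))

# What the platform transmitted into MyCSF under that configuration.
PLATFORM_EXPORT = [
    {"change_id": "CHG-1001", "system": "System A", "type": "standard", "closed": date(2024, 1, 15)},
    {"change_id": "CHG-1002", "system": "System A", "type": "emergency", "closed": date(2024, 4, 2)},
]


if __name__ == "__main__":
    for f in check_query_config(CONFIGURED_QUERY, "System A", PERIOD_START, PERIOD_END):
        print("finding:", f)
    result = reconcile_populations(PLATFORM_EXPORT, SOURCE_OF_RECORD, "System A", PERIOD_START, PERIOD_END)
    print("complete:", population_is_complete(result), result)
    corrected = QueryConfig("System A", PERIOD_START, PERIOD_END)
    rerun = reproduce_population(SOURCE_OF_RECORD, corrected)
    print("after correction complete:", population_is_complete(
        reconcile_populations(rerun, SOURCE_OF_RECORD, "System A", PERIOD_START, PERIOD_END)))
```

Run as written, the configuration check reports that the query’s end date falls before the end of the population, and the reconciliation shows CHG-1003 in the system of record but absent from the platform export: exactly the discrepancy criteria 11.3.6 requires the External Assessor to resolve before relying on the evidence. Re-running the corrected query against the independent extract reconciles cleanly, which is the re-production step 11.3.24 describes. The reconciliation output (counts, the identifier differences in both directions, out-of-scope and duplicate records) is what would be attached to the requirement statement as the documented procedure under 11.3.19.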
11.3.25 The External Assessor may not rely on any conclusions made by the intermediate software platform on whether the evidence achieves a specific HITRUST requirement and/or maturity score. The External Assessor must reach independent conclusions through a review of the underlying evidence utilized by the intermediate software platform to reach its conclusion. This evidence must meet all criteria outlined here and within the HITRUST Assessment Handbook.
An Assessed Entity may also be utilizing an intermediate software platform to monitor the implementation and effectiveness of a control. The Assessed Entity may use this monitoring as a measurement in support of scoring at the Measured maturity level if it meets the criteria of a measure or metric (see Chapter 9.4 Measured Maturity Level) and the criteria below.
11.3.26 When an Assessed Entity is using an intermediate software platform to monitor its control performance for the Measured maturity level, it must also have a process to validate the intermediate software platform’s performance and calculation of the measure or metric (as defined in criteria 9.4.1, vi). This process must include a periodic review (minimum once every 12 months) of the measure or metric’s integration parameter and/or query (as described in criteria 11.3.22 – 11.3.24) to ensure the parameters and/or queries have been correctly defined for the correct system(s) or supporting tool(s) and/or have not been modified since the previous review. The External Assessor must obtain evidence of this review to support the Assessed Entity’s Measured maturity score.
The criteria above are not considered an exhaustive approach to evaluating the quality of evidence within a HITRUST assessment. External Assessors must perform the procedures they deem necessary to gain sufficient assurance around the quality of any evidence within a HITRUST assessment.