The primary way to create mappings is to use the bulk mapping Excel file. This involves downloading a Microsoft Excel file from PSD which is pre-populated with the HITRUST CSF, indicating in this Excel file the HITRUST CSF requirement statements the offering maps to, and then uploading that populated Excel file back into PSD.
To create mappings using the bulk mapping Excel file:
- Login to the PSD Admin Homepage.
- Select the pencil icon next to the offering you would like to map against.
Pictured: Use the pencil icon (right side of this screenshot, next to the “Published” / “Unpublished” badge) at the offering level to access the offering’s mappings and associated functionality.- Select “Bulk Mapping Template” from the horizontal menu.
Pictured: The bulk template mapping tab.- Select the “Download Bulk Mapping Template” button which generates the Excel mapping file for the offering.
- Save the Excel file locally and open it for editing in Microsoft Excel.
- Go to the “Mapping” sheet within the Excel workbook. This worksheet includes all requirement statements present in the HITRUST CSF, along with several columns that can be used to filter and perform searches against. These columns include:
- Baseline Unique ID (BUID) – Unique identifier for each HITRUST CSF requirement statement.
- Domain Name – HITRUST CSF domain (control family/category) with grouped similar controls (i.e., vulnerability management, endpoint protection, third-party assurance, incident management, risk management, etc.).
- In e1 and in i1 – Indicates whether the control is included in e1 or i1 assessments.
- Cross Version ID – Unique identifier for each HITRUST CSF requirement statement that enables controls to be mapped across different versions of the HITRUST CSF.
- Requirement Statement – HITRUST CSF control language/requirement statements.
- r2 Frequency (v9 and v11, as separate columns) – Indicates the percentage of assessments where a requirement statement appears.
- Policy, Procedure, Implemented, Measured, Managed – Control maturity levels used to map more specific aspects of controls to offerings. Providers should change these fields to “True” if their offerings align with each value. For example, if a provider prepares policies and procedures related to the HITRUST CSF control, they should mark these fields as “True.” If the offering is meant to implement, measure, or manage the control, the relevant fields should be marked as “True.”
- Rationale – Narrative about how their offering supports some or all of the requirement statement.
- Mapped – True/False statement that facilitates the bulk mapping process. If marked as “True” the requirement statement will be mapped in PSD once the template is uploaded back into PSD.
- Publish – True/False statement that facilitates publishing the newly added mappings at time of Excel workbook upload. If marked as “True” the mapping will be published in PSD once the template is uploaded back into PSD, else the mapping will be entered into PSD as unpublished.
- Once the template is populated with mappings and rationales, select the “Choose File” button on the “Bulk Template Mapping” page in PSD and select the completed file to upload back to PSD.
- Select the “Start Upload” button to have PSD perform the mapping using the results within the template.
- Review the upload result log in PSD and address any data quality issues preventing mappings from being created. For example, any mappings lacking a rationale or control maturity level cannot be created.