Although HITRUST assessments can be used by organizations to help specify controls,[85][86] their primary function is to provide what NIST refers to as a current profile, based on a gap assessment of the organization's controls against its target profile.[87] The assessment is then used to provide a level of assurance around that current profile via a formal report intended for consumption by relevant stakeholders (also referred to as relying parties) such as internal leadership, business partners, customers, and regulators.

To better understand how different assessment/audit and reporting approaches result in different levels of assurance—whether provided through HITRUST or by, or on behalf of, another standards development organization (SDO)—we need to agree on what the term ‘assurance’ means.

NIST defines assurance in several ways, two of which are: (1) “a measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy,” and (2) “the grounds for confidence that the set of intended security controls in an information system are effective in their application.” Integral to these definitions is the idea of confidence or trustworthiness, which from a legal perspective may be defined as “worthy of confidence” or, more specifically, “being or deriving from a source worthy of belief or consideration for evidentiary purposes.”

It is this level of confidence or trustworthiness that allows an entity to rely upon the evidence provided by an assessment/audit and the way it is reported (hence HITRUST’s use of the term ‘rely-ability’[88]).

[85] For more information about the HITRUST CSF, see HITRUST (2022b).

[86] Cline, B. (2017, Sep).

[87] For more information on the NIST Cybersecurity Framework, see NIST (2018, 16 Apr).

[88] Rely-ability is a term used by HITRUST to describe one’s ability to rely upon, or trust, information provided by another.