To help provide additional context for an assessor’s evaluation of a HITRUST control’s maturity, NIST provides a tabular description of the maturity levels used in the PRISMA model,99 which HITRUST has modified as shown in the table below to help organizations understand the five maturity levels used in the HITRUST model.

Table 4. General Guidelines for the Evaluation of Control Implementation Maturity Levels

Maturity Level: General Guidelines
Policy
  • Formal, up-to-date documented policies or standards stated as “shall” or “will” statements exist and are readily available to employees
  • Policies are written to cover all facilities and operations and/or systems within scope
  • Policies are approved by key affected parties
  • Policies delineate the information security management structure, clearly assign security responsibilities, and lay the foundation necessary to reliably measure progress/compliance
  • Policies or standards identify specific penalties/disciplinary actions if the policy is not followed
Procedure
  • Formal, up-to-date, documented procedures are provided to implement the security controls identified by the defined policies
  • Procedures clarify where, how, and when the procedure is to be performed, who is to perform it, and on what it is to be performed
  • Procedures clearly define information security responsibilities and expected behaviors for (1) asset owners and users, (2) information resources management and information technology personnel, (3) management, and (4) information security administrators
  • Procedures identify the individuals to be contacted for further information or guidance
  • Procedures document the implementation of the control and the rigor with which it is applied
  • Procedures are communicated to individuals who are required to follow them
Implemented
  • Information security procedures and controls are implemented in a consistent manner everywhere that the procedure applies and are reinforced through training
  • Ad hoc approaches that tend to be applied on an individual or case-by-case basis are discouraged
  • Initial testing is performed to ensure controls are operating as intended
Measured
  • Tests are routinely conducted to evaluate the adequacy and effectiveness of all implementations
  • Tests ensure that all policies, procedures, and controls are acting as intended and that they provide an appropriate level of information security
  • Self-assessments100 are routinely conducted to evaluate the adequacy and effectiveness of all implementations
  • Independent audits are an important check on organization performance, but are not to be viewed as a substitute for evaluations initiated by organizational management
  • Information gleaned from records of potential and actual information security incidents and from security alerts, e.g., those issued by software vendors, is treated as a measurement: it helps identify specific vulnerabilities and provides insight into the latest threats and the resulting risk
  • Threats are continually re-evaluated
  • Evaluation requirements, including requirements regarding the type and frequency of testing, are documented, approved, and effectively implemented
  • The frequency and rigor with which individual controls are tested depend on the risks that will be posed if the controls are not operating effectively
  • Costs and benefits of information security are measured as precisely as practicable
  • Status metrics for the information security program as well as individual information security investment performance measures are established
Managed
  • Effective corrective actions are taken to address identified weaknesses, including those identified as a result of potential or actual information security incidents or through information security alerts issued by US-CERT, vendors, and other trusted sources
  • Policies, procedures, implementations, and tests are continually reviewed, and improvements are made
  • Information security is integrated into capital project/budget planning processes
  • An active enterprise-wide information security program achieves cost-effective information security
  • Security vulnerabilities are understood and managed
  • Controls are adapted to emerging threats and the changing information security environment
  • Decision-making is based on cost, risk, and mission impact
  • Additional or more cost-effective security alternatives are identified as the need arises
  • Status metrics for the information security program as well as individual information security investment performance measures are met

By understanding these guidelines, assessors will be better prepared to assess the maturity of a HITRUST CSF control requirement’s implementation using assessment criteria specific to that requirement.101

100 Self-assessments are defined here as a type of test that can be performed by organization staff, by contractors, or others engaged by management

101 For more information on how the HITRUST CSF control maturity model is used to evaluate a control requirement, refer to Bennekers, V. (Ed.) (2022). HITRUST Assessment Handbook. Frisco, TX: HITRUST.