Advisories

HAA 2020-003: Assessment Scoping Factor Enhancements Designed to Reduce the Effort Associated with and Increase the Accuracy of CSF Assessments

Written by HITRUST | Mar 15, 2024 5:00:17 AM

Policy/Program Change Details 
HITRUST is making the following changes to the assessment scoping factor questions in MyCSF for HITRUST CSF Validated Assessments and HITRUST CSF Readiness Assessments: 

  • Adding more than ten additional technical scoping factor questions to better capture inherent risk factors present in the assessed environments and tailor the HITRUST CSF requirements included in assessments accordingly. 
  • Re-wording the existing technical scoping factor “Is the system(s) accessible by a Third Party?” to further clarify the definition of a third party. 
  • Removing the “Are Mobile devices used in the environment?” technical scoping factor. 
  • Adding additional HITRUST CSF requirements to existing technical scoping factors. 
  • Adding additional information around certain factors as part of the help page. 

Additionally, MyCSF will now require an assessed entity to provide a documented rationale for each technical scoping factor answered “No.” This rationale should contain sufficient detail to allow the External Assessor and HITRUST QA to evaluate the “No” answer. These rationales will also appear in the HITRUST CSF Validated Assessment Report. 

Rationale 
The changes related to MyCSF’s assessment scoping factors will: 

  • Reduce the number of requirement statements that appear in the assessment when a factor is marked as “No.” 
  • Reduce the amount of repetitive “This is not applicable because…” responses that are currently documented during assessments and reflected in HITRUST CSF assessment reports. Assessed entities will instead be asked to explain the absence of inherent risk factors once rather than multiple times throughout the assessment, thus reducing the level of effort required to complete and review the assessment. 
  • Add clarity around the terminology used in assessment scoping factors. 

Timetable for implementation 
Effective for all new objects created on or after June 1, 2020. 

6/1/20 Update: 

  • The changes described in this advisory are now live in MyCSF’s production environment. Twelve newly added technical scoping factor questions (e.g., “Are hardware tokens used as an authentication method within the scoped environment?”) have been introduced. 
  • These newly added scoping factor questions only serve to remove / filter requirements from being included in an assessment and do not add any requirements to the assessment. When determining which requirements to include in an assessment object, MyCSF first uses all other scoping information to identify the necessary requirements and THEN removes any requirements associated with the twelve newly added scoping factor questions when these questions are answered as “No”. 
  • All HITRUST CSF assessments benefit from these newly added questions. Instead of having to explain why similar requirements aren’t applicable to the assessment multiple times (at the requirement level), assessed entities now need to explain that the associated risk factor doesn’t apply once (at the scoping level). Because of this change, HITRUST anticipates that the number of requirements marked Not Applicable on assessments will drop considerably. As an added benefit, HITRUST QA will proceed faster, since fewer requirements marked Not Applicable will need to be reviewed. 
  • HITRUST has made these new scoping factor questions available on all assessment objects, including those created before 6/1/20, so that they may optionally benefit from the newly added scoping factor questions. The newly added questions default to a visible option of “Please choose an option”, which MyCSF treats as “Yes”. The net effect of defaulting to a “Yes” value is the same as not having the scoping factors present at all: because these questions are only reductive (never additive), no requirements are added to or removed from any previously created assessment object without action from the assessed entity. 
  • Organizations with previously created assessment objects that wish to take advantage of these newly added scoping factors, and have not yet submitted their assessment to HITRUST, are encouraged to visit the “Admin & Scoping > Factors” page, answer the newly added scoping factor questions (providing the required “No” rationale where necessary), and then press the “Refresh Assessment” button. Requirements linked to any question answered “No” will then be removed from the assessment object. 
  • No action is required for organizations with previously created assessment objects that do not wish to take advantage of these newly added scoping factor questions.
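The ordering and default behaviour described in this update (inclusion is decided first from the other scoping information, the new reductive factors only ever remove requirements, an unanswered factor is treated as “Yes”, and a “No” must carry a documented rationale) can be modelled as a small Python example. This is an added illustration and not MyCSF code; the factor names, requirement IDs and factor-to-requirement mappings are constructed placeholders rather than HITRUST CSF content, and the rule that an additive factor pulls in its requirements only when answered “Yes” is an assumption of the model, not something the advisory states.

```python
"""Model of MyCSF's reductive scoping-factor logic as described in the 6/1/20 update.

Added illustration, not MyCSF code. Factor names, requirement IDs and the
factor-to-requirement mappings below are constructed placeholders, not HITRUST
CSF content.
"""

# MyCSF's visible default for the new questions; the advisory says it is treated as "Yes".
UNANSWERED = "Please choose an option"

# Constructed placeholders (not HITRUST CSF content).
# Pre-existing scoping information: each factor pulls requirements INTO the assessment.
# Assumption of this model: an additive factor contributes only when answered "Yes".
ADDITIVE_FACTORS = {
    "third_party_access": {"REQ-01", "REQ-02", "REQ-03"},
    "cloud_hosted": {"REQ-03", "REQ-04"},
    "baseline": {"REQ-05", "REQ-06", "REQ-07"},
}
# The newly added technical scoping factors: each only REMOVES requirements when answered "No".
REDUCTIVE_FACTORS = {
    "hardware_tokens": {"REQ-02", "REQ-06"},
    "wireless_networks": {"REQ-04", "REQ-07"},
}


class ScopingError(ValueError):
    """Raised when a reductive factor is answered "No" without a documented rationale."""


def validate_rationales(answers: dict, rationales: dict) -> None:
    """Enforce the rule that every technical factor answered "No" carries a rationale."""
    for factor, answer in answers.items():
        if factor in REDUCTIVE_FACTORS and answer == "No":
            if not rationales.get(factor, "").strip():
                raise ScopingError(
                    f'factor "{factor}" answered "No" without a documented rationale'
                )


def scope_requirements(answers: dict, rationales: dict) -> list:
    """Return the sorted requirement IDs included in the assessment object.

    Step 1 uses all other scoping information to decide what is included.
    Step 2 then removes the requirements tied to any new factor answered "No".
    A new factor that is missing, or still at UNANSWERED, removes nothing.
    """
    validate_rationales(answers, rationales)

    # Step 1: inclusion, driven by the pre-existing scoping information only.
    included = set()
    for factor, reqs in ADDITIVE_FACTORS.items():
        if answers.get(factor) == "Yes":
            included |= reqs

    # Step 2: subtraction. Only an explicit "No" removes anything; UNANSWERED and
    # "Yes" are equivalent, which is why pre-6/1/20 objects are unchanged by default.
    for factor, reqs in REDUCTIVE_FACTORS.items():
        if answers.get(factor, UNANSWERED) == "No":
            included -= reqs

    return sorted(included)


if __name__ == "__main__":
    base = {"third_party_access": "Yes", "cloud_hosted": "No", "baseline": "Yes"}
    print("as created before the update:", scope_requirements(base, {}))
    print(
        "after answering hardware_tokens = No and refreshing:",
        scope_requirements(
            {**base, "hardware_tokens": "No"},
            {"hardware_tokens": "No hardware tokens are deployed in the scoped environment."},
        ),
    )
```

The two calls in the `__main__` block correspond to an assessment object left untouched and the same object after the “Refresh Assessment” step; answering a new factor “No” without a rationale raises `ScopingError` rather than silently shrinking the requirement set.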