The Assurance Intelligence Engine™ uses a patent-pending approach to analyze assessment documentation for oversights, inconsistencies, and errors throughout the information security and privacy assessment process. The Assurance Intelligence Engine adds efficiency to HITRUST’s comprehensive assessment review process by adding a layer of automated checks that complement existing, manual reviews to identify potential issues in assessment reports that might otherwise jeopardize the integrity, accuracy, or consistency of information.
Driving Efficiencies and Elevating Quality
The HITRUST MyCSF SaaS information risk and assessment platform incorporates the Assurance Intelligence Engine to measurably increase assurances delivered through HITRUST Risk-based, 2-year (r2) Readiness (formerly HITRUST CSF Readiness) and HITRUST Risk-based, 2-year (r2) Validated (formerly HITRUST CSF Validated) Assessments. Providing real-time feedback to HITRUST Authorized External Assessors and assessed entities allows for more accurate assessment submissions, thereby reducing the time it takes HITRUST’s centralized reporting and oversight function to issue official reports. Additionally, the Assurance Intelligence Engine allows HITRUST to expand its portfolio of assessment offerings in the future to provide organizations with assurance reporting options for any business need.
During an assessment, the Assurance Intelligence Engine proactively identifies potential issues by performing a real-time analysis against thousands of data points across the body of documentation for an assessment. Through the MyCSF platform, the Assurance Intelligence Engine provides detailed descriptions for potential quality issues, the triggering data point(s), and recommended remedial actions. The types of potential issues the Assurance Intelligence Engine will identify include, but are not limited to, the examples below.
- Scoping Description Placeholder – The Assurance Intelligence Engine recognizes placeholder, template, or TBD language in the “Admin & Details” section of the assessment and subsequently flags the issue for correction.
- Missing NA Rationale – The Assurance Intelligence Engine recognizes missing information such as “not applicable” responses that do not have a documented rationale. It flags such issues for correction.
- Reliance on a Type 1 SOC Report – If an external assessor places reliance on a type I SOC report in lieu of direct testing, the Assurance Intelligence Engine flags the issue for correction. Because type I SOC reports test only control design effectiveness (and not control operating effectiveness as is tested in a type II SOC report), type I SOC reports are not robust enough to be relied upon in the context of a HITRUST assessment.
- 100% Process Score Lacking a Procedure – Per the HITRUST CSF Scoring Rubric’s guidance, any score higher than “Somewhat Compliant” on the process control maturity level requires the assessed entity to have a written procedure in place. The AI Engine recognizes any contradictions to this requirement and subsequently flags them for correction.
The Assurance Intelligence Engine raises awareness of quality issues so they can be remediated early, and this awareness also helps to avoid their recurrence. It adds efficiency to the entire assurance lifecycle by reducing the likelihood of surprises during quality assurance reviews of completed assessments. The impacts are mutually beneficial for HITRUST, Authorized External Assessors, and assessed entities.