Impacted Policy/Program Name: CSF Assurance Program Requirements
Publication Date: January 12, 2016
Effective Date: Immediate: This bulletin is to clarify existing policy.
From: Ken Vander Wal, Chief Compliance Officer, HITRUST
Advisory Type: Requirement Clarification
Policy/Program Clarification Details
This bulletin clarifies the treatment of controls required for Certification in situations where certain controls are outsourced to a third party, and the impact of outsourced controls on a HITRUST CSF validated assessment.
Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.
Under no circumstances are outsourced controls or those supported by a third party considered “Not Applicable” when performing a CSF Assessment. All controls must be tested by an approved External Assessor, or the External Assessor must determine the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. For example, External Assessors may be able to rely on a current CSF Certification report, CSF Validated Report, or a current SOC 2 report that is based on the HITRUST CSF criteria.
Rationale
HITRUST has seen a growing trend toward outsourcing certain HITRUST CSF controls. In many instances, the validated assessment is submitted with the outsourced controls listed as “Not Applicable”, or the External Assessor is provided with assessments performed with limited understanding of the scope, methodology, or assurance of accuracy relating to the controls in question. HITRUST has been returning these assessments to the External Assessor so that the required testing can be performed and the controls in question scored. HITRUST is releasing this bulletin to clarify the HITRUST CSF Assurance Program requirements related to the outsourcing of controls. This should allow External Assessors to communicate this requirement more clearly to their clients and prevent costly re-work related to outsourced controls.
Timetable for Implementation
Immediate: This bulletin is to clarify existing policy.