CSF Assurance Program Requirements
August 3, 2016
Policy/Program Change Details
This advisory clarifies the treatment of controls required for certification in situations when certain controls are outsourced to a third party and they are inherited by the assessed entity.
Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.
All controls must be tested by an approved External Assessor, or the External Assessor must determine the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. Where the testing involves inheriting the control from another HITRUST CSF Validated Assessment, the assessor should obtain the current status of the relied upon HITRUST CSF Validated Assessment to ensure it is still valid and in good standing. If that is the case, no further testing of the control should be required.
HITRUST has seen a growing trend in the outsourcing of certain HITRUST CSF controls. Often this involves a hosting or third-party service provider arrangement. In order to keep the assessment process as efficient as possible, HITRUST has introduced the concept of inheriting validated controls from a hosting or service provider. This should streamline the validation that takes place for an organization that uses a participating hosting provider by only testing the controls the assessed entity is responsible for and not having to re-test controls that were previously validated by the host provider. The inheritance feature should also transfer the scores for these controls which will eliminate the manual transfer of scores and provide greater consistency of results. HITRUST is releasing this advisory to clarify the HITRUST CSF Assurance Program requirements related to the inheritance of controls.
Timetable for Implementation
Effective Date: Immediate