External Assessor Access to MyCSF
December 15, 2016
Policy/Program Change Details
This bulletin is to communicate some changes in policy regarding the access levels and functional capability of External Assessors within the MyCSF tool.
The first policy change deals with the test (scoping) objects available to External Assessors. External Assessor test objects will be moved to and created in the MyCSF Demo environment. The number of assessment objects in the Demo environment will be determined by the participation tier of the Assessor firm with large assessors receiving 50, medium assessors 25 and small assessors 10 test objects. These objects will expire after nine months and will no longer be exportable.
A related policy change removes the capability to export content from the Production MyCSF environment (test objects that might have previously been used to do this are now in the Demo environment) unless they are working with a client that has purchased that capability. External Assessors requiring an electronic copy of an assessment to evidence the work that was performed, may request an electronic PDF copy be published to the MyCSF portal for archival purposes. Requests for archive copies of assessments can be made to email@example.com.
The last policy change addresses those engagements where External Assessors are assisting a client with a Readiness Assessment. Assessors can now be assigned to the Self-Assessment objects of their clients without the need for a client email address and additional MyCSF user ID.
HITRUST has had numerous requests from External Assessors regarding increasing the number of test objects and having the ability to preview forthcoming releases of the HITRUST CSF. Implementation of this policy will afford Assessors the preview capability they desire and increase the number of assessment objects, while better enforcing the MyCSF test objects intended use. Test objects in MyCSF assigned to External Assessors are limited to internal use only and are afforded to allow for scoping and pricing of potential assessment engagements.
These changes will also allow External Assessor firms to better assist their clients with readiness assessments without having to create multiple IDs in MyCSF.
Timetable for Implementation
March 1, 2017
View the Frequently Asked Questions for this advisory.