By Ken Vander Wal,
Chief Compliance Officer
There is a common theme among many of our clients following their HITRUST CSF® Assessment. They all tend to agree that the skills and knowledge of the professionals conducting their third-party assessment and comprehensiveness of the HITRUST CSF Assurance Program play a critical role in the validity of the final result.
Helping organizations understand and achieve their information risk management and compliance goals is important and we take our integral role seriously. This doesn’t just happen by chance. A lot of planning, preparation and fine tuning takes place to make it all work together.
Indeed, it’s important to have the HITRUST CSF Certification to prove a strong security, privacy and compliance posture to senior management, board of directors, customers and regulators. But along the way to achieving certification, our clients also gain deep visibility and an unmatched understanding about their internal security and privacy controls, giving them the ability to identify better ways to protect the information their customers and partners have entrusted with them. This is oftentimes due in large part to the experience and efforts brought by working with an approved HITRUST CSF Assessor Organization.
That’s why HITRUST takes validating our assessment process and our HITRUST CSF Approved Assessor Organizations so seriously. We continuously invest in the program and the process requirements. We also hold our HITRUST CSF assessors to a high level of integrity. Our customers can rest assured that the work of the assessors meets a high standard and is consistent across all HITRUST CSF Approved Assessors.
Quality Subcommittee Leading the Way
To help us achieve this mission – and to enable our customers to better manage their security risks – HITRUST established a Quality Subcommittee of the HITRUST CSF Assessor Council in 2017. The committee consists of industry leaders charged with partnering with HITRUST in ensuring the integrity and validity of the HITRUST CSF Assurance Program.
Part of the committee’s mission is to make sure that HITRUST CSF Assessments are valid by maintaining standards for integrity, transparency, accuracy, and consistency of information coming from an assessed organization’s risk management program, which ultimately ensures reliability of the assessment. This includes continuously evaluating areas where improvements should be made to the program and to address areas where greater consistency and efficiencies can be achieved.
In addition to reliability, the HITRUST CSF Assurance Program provides efficiencies and cost savings through its ‘Assess Once – Report Many’ approach. With a HITRUST CSF Assessment in hand, organizations can avoid filling out the lengthy security questionnaires that their customers and business partners often require.
Assurance Program Enhancements: Raising the Bar
As part of this mission, we recently announced updates to the HITRUST CSF Assurance Program:
- Assessment Scope Clarity – dictates that clients and assessors must include a more detailed description of each system covered in an assessment along with specific details on the components for each system (e.g., operating system and database); service offerings included in each system; and the specifications for each service offering – such as what is in scope, out of scope, and partially in scope. With this comes a tremendous amount of transparency for the HITRUST validation team and any stakeholders receiving and reading the report. We have also updated the format to make it easier to understand what regulatory factors were included and assessed, such as HIPAA, GDPR and FFIEC.
- Assessment Practitioner Hours – increases the resources required so that at least 50% of a HITRUST CSF Assessment’s hours must be completed by a qualified HITRUST Certified CSF Practitioner (CCSFP). This will ensure that the individuals performing the assessments have the competency and qualifications to perform the validations.
- Plan Guidance for HITRUST CSF Assessor Organizations – provides additional guidance for assessor pre-assessment planning and test plans which is designed to align those elements to HITRUST CSF implementation requirement statements. This update also includes direction on acceptable working paper documentation to support the activities and procedures performed.
- HITRUST CSF Assessor Quality and Consistency Assurance – clarifies the current requirement for assessors to perform independent quality assurance reviews of assessment results, additional training for those performing quality assurance reviews, and the completion of a checklist by the engagement executive and the quality assurance reviewer.
- Changes related to Interim Reviews – changes the name ‘Interim Reviews’ to ‘Interim Assessments’ and outlines additional rigor and assurance around the process, in addition, Interim Assessments must be performed within the HITRUST MyCSF® tool to ensure documentation is available and to streamline review.
As these updates demonstrate, HITRUST, along with the HITRUST Quality Subcommittee, are committed to setting a high benchmark for the HITRUST CSF Assurance Program. This is fundamental in any risk management program in order for all of the stakeholders to understand the effectiveness of the implemented controls – for internal purposes, business partnerships, regulators, and customer relationships alike.
To ensure we succeed in this mission, we will continue to perform routine quality assurance validation on every assessment completed by our HITRUST CSF Assessor organizations. We are unique in this endeavor as most other standards and frameworks lack such a quality assurance program, which creates inconsistency of results and a lack of transparency and assurance. And, by having all of the data submitted to us up front, we will be able to streamline the processes even more and ensure that submissions made by the assessors remains consistent amongst the group and in support of the quality requirements we’ve established.
Clear Roles and Responsibilities in Every Assessment
The HITRUST CSF Assurance Program ultimately seeks to ensure that integrity continues to be maintained in our assessment and certification processes — by setting clear expectations for key assessor roles. The improvements we’re initiating also raise the bar on the program requirements for HITRUST CSF Assessor organizations by providing clear checks and balances for assessments. The following changes are being made:
- HITRUST CCSFP Designations—Both the Engagement Executive and the HITRUST CSF Assessor QA reviewer must be HITRUST CCSFPs.
- CHQP Designations—The HITRUST CSF assessor personnel who perform QA reviews prior to the submission of assessments to HITRUST will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). This is in addition to the HITRUST CCSFP requirement.
Since the HITRUST CSF Assessment Report is a forward-looking document (versus a SOC 2 report which looks back 12 months), we all need to feel comfortable with what is being done, reported against, and attested. The quality and consistency of the HITRUST CSF Assurance Program — scoping, measuring, documenting, and reporting on an organization’s ongoing risk and security process and posture — bring more transparency to both the process and the certification report. This gives stakeholders confidence that the assessments will hold up under scrutiny by any and all audiences.
In addition, the entire HITRUST community is committed to holding each other accountable. This accountability across the board will ensure integrity, value, and consistency in the assessments — regardless of who did the work.