By Michael Moore, Sr. Manager of Digital Innovation, HITRUST
As part of the HITRUST mission to foster Rely-Able assurances through a transparent assurance program methodology, HITRUST recently revamped the MyCSF help site to include a number of useful (and free) resources. This blog post highlights just a few of these exciting additions with a focus on the new HITRUST calculator tools.
Requirement Scoring Calculator
Accurately performing HITRUST Assessments requires not only a firm grasp of the HITRUST Scoring Rubric, but also an understanding of the HITRUST Assurance Program Advisories with important user-impacting updates (i.e., rubric versions, control maturity weights, and CAP vs. gap scoring thresholds). If you’ve ever been involved in a HITRUST assessment, chances are you have a go-to spreadsheet template to answer the following types of assessment-dependent questions:
- Would a CAP be needed if a requirement scored out at 0% policy, 50% process, and 100% implemented? (Answer: Maybe, depending on the assessment type and how the rest of the requirements in the control reference also scored.)
- What PRISMA grade would result from a requirement that scores at 25% policy, 75% process, 0% implemented, 50% measured, and 25% managed? (Answer: 2 using the current control maturity weights of 15/20/40/10/15, and 2 using the legacy weights of 25/25/25/15/10.)
- How does requirement-level scoring differ between Basic, Current-state (bC) assessments and Implemented, 1-year (i1) assessments? (Answer: bC uses a 1×3 model and i1 uses a 1×5 model.)
The new HITRUST Requirement Scoring Calculator lets you explore different scoring scenarios for a single requirement across all HITRUST assessment types, including the i1 and bC Assessments. It supports both the current and legacy control maturity weights, and allows measured and managed to be optionally excluded for r2, custom, and targeted assessments. Its logic is up to date with the HITRUST Assurance Program Advisories and reflects requirement-level scoring in MyCSF. To use it, simply click on a score for each control maturity level and watch the calculator determine the requirement’s raw score, PRISMA grade (e.g., 2+, 1-), and HITRUST CSF framework compliance status.
HITRUST Inheritance Calculator
The HITRUST Shared Responsibility and Inheritance Program allows organizations to place reliance on shared information protection controls that are available from internal shared IT services and external third-party organizations, including service providers, vendors and suppliers of cloud-enabled applications and technology platforms (SaaS and IaaS/PaaS), colocation (colo) data center hosting services, and other managed services.
A critical component of this program is the MyCSF inheritance workflow, which allows IT service providers to share their HITRUST Assessment results with their customers in an efficient and controlled manner. It’s the best implementation of control inheritance out there. However, calculating the overall score of a HITRUST CSF requirement inherited from another HITRUST Assessment can be complex. When you add in scenarios like cross-assessment-type inheritance (e.g., from an i1 into an r2) or multiple inheritance providers with varying weights, it’s easy to get lost in the scoring math.
The HITRUST Inheritance Calculator enables you to run a wide range of inheritance scenarios and see how the requirement-level score is calculated. It supports:
- Cross-assessment-type inheritance (example: from an i1 into an r2),
- Inheriting from multiple inheritance providers,
- Varied weights per inheritance provider,
- Converting a raw requirement score to a rubric-normalized score,
- Inheriting from an N/A requirement into an applicable requirement (and vice versa), and
- All HITRUST Assessment types (r2, i1, bC, targeted, and custom).
The HITRUST Inheritance Calculator logic mirrors that of MyCSF, allowing you to explore a scenario without having to actually originate inheritance requests in a real assessment. This is a must-have tool in your HITRUST toolbelt.
HITRUST Sampling Calculator
Online sample size calculators have long been a thing, as have random sampling tools. Until now, though, no freely available tool has incorporated the HITRUST prescriptive sampling guidance outlined in the HITRUST Scoring Rubric and discussed in the HITRUST Assurance Program Requirements.
The new HITRUST Sampling Calculator can be used in the numerous sampling scenarios encountered in HITRUST r2 and i1 Validated Assessments, including:
- Sampling from a point-in-time population,
- Sampling control occurrences of controls operating at a defined frequency (such as daily, weekly, monthly, quarterly),
- Sampling control occurrences of controls operating at an undefined frequency (like as-needed controls), and
- Testing automated controls.
Not only does the HITRUST Sampling Calculator define the minimum sample size required, it can also be used to randomly generate sample selections based on the population size or testing date. The selections can be copied to the clipboard for easy importing into Excel, and the whole calculator can be exported for optional inclusion in the HITRUST Assessment documentation. If you’ve been using something like random.org or a custom spreadsheet for sample size determination and random sample selection in your HITRUST Assessments, consider giving the Sampling Calculator a go.
We’re pretty jazzed about these new calculators and hope you are too – we’d love to hear your feedback. If you have ideas for other utilities that would aid the HITRUST ecosystem, please let us know.
About the Author
Michael is a Senior Manager in the Digital Innovation group at HITRUST with a specific focus on delivering new and powerful capabilities through technology enablement. Michael has spent most of his career developing prototypes for clients as a technology consultant using cloud services, web technologies, and machine learning.