Solutions to Common QA Issues
Date: March 17, 2020

By Bimal Sheth, Vice President of Assurance Services

During a recent team meeting, the Assurance team discussed some commonly observed issues with assessments and thought it might be helpful to share those issues with the HITRUST® community, along with some tips on how to avoid them. We focused on identifying and avoiding common issues with the check-in process and common issues with Technical Factors, since these were two of the most frequently observed types of issues.

Avoiding Common Check-In Issues

‘Check-in’ is the initial procedure that the QA team performs on each validated assessment that is submitted to HITRUST. During check-in, a member of the QA team performs a high-level review of the submission to ensure that it is ready to begin QA. The review focuses on ensuring that all required documents are present, fully completed, and completed using the correct templates.

If any issues are uncovered during check-in, the assessment is sent back to the HITRUST Authorized External Assessor for remediation, delaying the start of the QA process. The following are some commonly observed check-in issues and how to avoid them:

  1. Common issue: One or more outdated document templates were used.
    1. Description: HITRUST provides four document templates that must accompany every validated assessment. Collectively these are referred to as the ‘required documents’ and consist of the Organizational Overview and Scope document, the Third-Party Participation Agreement (soon to be renamed to the Validated Report Agreement), the Management Representation Letter, and the HITRUST CSF Assessor Quality Checklist.
    2. How to Avoid:
      1. Always ensure that the latest required document templates are used, which can be found at https://help.mycsf.net/templates.
      2. These templates are also accessible from within the HITRUST MyCSF® platform (MyCSF) within the required document upload screens.
      3. Also, when preparing the Management Representation Letter, ensure that the correct template version is used corresponding to the type of assessment being performed (self-assessment or validated assessment).

  2. Common issue: The Organizational Overview and Scope document was not populated correctly.
    1. Examples:
      1. Removing whole sections from the document.
      2. Renaming section titles within the document.
      3. The written description of in-scope systems does not reconcile to the scope overview table.
      4. Failure to clearly explain scope exclusions (e.g., excluding a mobile app but including the back-end APIs and infrastructure used by the mobile app—a common approach, as HITRUST does not certify mobile apps).
      5. Failing to explain scope exclusions within the scope overview table, and instead describing scope exclusions in unrelated sections of the document.
      6. A statement of “see MyCSF for technical testing” was provided in lieu of providing a hand-written list of technical tests.
      7. A statement of “see MyCSF for documentation” was provided in lieu of providing a hand-written list of documentation examined.
      8. Not providing enough information about third-party assessments executed against the organization’s ISMP. In addition to the assessment name (e.g., Acme Co. SOC2), HITRUST also needs the name of the professional services firm that performed the assessment as well as the date of the assessment’s final report (for point-in-time assessments) or the time period that the assessment covered (for period-of-time assessments) (e.g., Acme Co. SOC2—CPA Firm LLP—1/1/19 to 9/30/19).
      9. The last day of External Assessor fieldwork doesn’t reconcile or even closely tie to the date that the assessed entity signed the Management Representation Letter.
    2. How to Avoid: The Organizational Overview and Scope document should be populated without amending the template sections. All scope exclusions should be clearly explained, all technical testing should be bulleted, and all documentation reviewed over the course of the external assessment should be listed. Any third-party assessment reports listed should include an identification of the professional services firm that performed the assessment as well as the related reporting dates.

  3. Common issue: The scope section of the Third-Party Participation Agreement was not complete.
    1. Description: The Third-Party Participation Agreement contains a section in which the assessment scope must be summarized. This section is often missed.
    2. How to Avoid: Ensure that the scope section of the Third-Party Participation Agreement is populated (e.g., “XYZ application, ABC platform, and supporting infrastructure”).

  4. Common issue: The Management Representation Letter was not completed properly.
    1. Examples:
      1. The Management Representation Letter was not provided to HITRUST on the assessed entity’s company letterhead.
      2. The title of the individual who signed the Management Representation Letter was not included.
      3. The [Assessed Entity] placeholder in the first paragraph of the Management Representation Letter was not replaced.
      4. The Management Representation Letter was not dated as of the last day of the External Assessor’s validated assessment fieldwork.
    2. How to Avoid: Ensure that the letter is provided on company letterhead, is signed on the last date of the External Assessor’s validated assessment fieldwork, includes the signatory’s title, and has the [Assessed Entity] placeholder replaced.

  5. Common issue: The HITRUST CSF Assessor Quality Checklist was not completed properly.
    1. Examples:
      1. Blank checkboxes/signoff fields are present in the checklist.
      2. Discrepancies exist between the signatories of the HITRUST CSF Assessor Quality Checklist and the names in the External Assessor’s timesheet.
    2. How to Avoid:
      1. Ensure that the HITRUST CSF Assessor Quality Checklist is completely filled out. This means that all signoffs are collected from both the Engagement Executive and the QA Review Executive down the checklist and at the bottom of the checklist.
      2. Ensure that the individuals who populated the HITRUST CSF Assessor Quality Checklist as the Engagement Executive and QA Review Executive are the same individuals listed in the External Assessor timesheet as serving the engagement in those roles.

  6. Common issue: The External Assessor’s timesheet was not completed properly.
    1. Examples:
      1. The Certified CSF Practitioner (CCSFP) certification numbers provided for identified individuals do not match HITRUST’s CCSFP credentialing database, indicating that the wrong CCSFP numbers were provided.
      2. Individuals were not identified as having performed one or more of the roles that HITRUST requires for External Assessor teams.
    2. How to Avoid:
      1. Ensure that the correct CCSFP certification numbers (e.g., 54321) are provided for all individuals listed in roles other than ‘Non-Certified Practitioners’.
      2. Ensure that individuals are identified as serving the engagement in the roles of Engagement Executive, Field Manager, and QA Review Executive. The Engagement Executive and Field Manager roles can be performed by the same individual, but the QA Review Executive cannot perform any other role during the engagement.

  7. Common issue: The assessment’s Scoping Factors contradict the assessment’s scoring or contradict information conveyed in the Organizational Overview and Scope document.
    1. Examples:
      1. The Systematic Factor of “Is the system accessible from a public location?” was answered as “No,” but kiosks were described in the Organizational Overview and Scope document.
      2. The Systematic Factor of “Are Mobile devices used in the environment?” was answered as “No,” but all control requirements in the Mobile Device assessment domain were scored by the entity and tested by the assessor.
      3. Requirement statements dealing with non-organizational users (e.g., contractors, vendor maintenance personnel) were labeled not applicable on the basis of the organization never allowing non-organizational personnel access into the environment, but the Systematic Factor of “Is the system accessible by a Third Party?” was answered as “Yes.”
      4. The Organizational Overview and Scope document describes in-scope overseas locations, but the Geographic Scoping Factor was answered as “State.”
    2. How to Avoid: Prior to the start of the validated assessment fieldwork and/or during the External Assessor’s pre-submission quality review, the External Assessor should carefully review and reconcile the assessed entity’s populated Organizational Overview and Scope document, the assessment object’s Scoping Factors, and the basis for labeling any requirement statements as not applicable.

Avoiding Common Issues with Factors

An error with a Technical Factor can be extremely time-consuming to resolve during QA as the assessment object must be sent back to the assessed entity to change the Factor. Additionally, Factor changes can result in additional requirement statements being added to the assessment that would need to be scored by the assessed entity and validated by the External Assessor.

A best practice to implement is for the assessed entity to complete the Organization Overview and Scope template, separately document their proposed answers to the Systematic Factors prior to inputting them into MyCSF, and have their External Assessor review and offer feedback on their Factor responses.

The following are some common issues we see during QA around Systematic Factors and how to avoid them:

  1. Common issue: “Is the system(s) accessible from the Internet?” is answered “No,” but contradictory information is present in the Organization Overview and Scope document.
    1. Description: The Factor was answered as “No”; however, in the Organization Overview and Scope document there is a publicly facing portal, web application, or other system that is internet-facing.
    2. How to Avoid: Always compare the answers to Systematic Factors to the systems in the Organization Overview and Scope document to ensure consistency.
  2. Common issue: “Is the system(s) accessible from the Internet?” is answered “No,” but systems are accessible via VPN.
    1. Description: The Factor was answered as “No”; however, a system can be reached by establishing a VPN session and passing through an additional layer of authentication. HITRUST’s definition of the Factor is: “An information system or application to which users are able to gain access from a public network (e.g., Internet). Applies whether the application is publicly exposed or is behind a firewall accessible only after first establishing access to an internal domain (e.g., VPN).” The Factor should be answered as “Yes.”
    2. How to Avoid: When responding to Factors, always review the definitions of the Factors, which are available here: https://help.mycsf.net/factors/. Consider the definition in conjunction with the completed Organization Overview and Scope document to determine what the appropriate answer for the Factor is.
  3. Common issue: “Are mobile devices used in the environment?” is answered “No,” but mobile device requirement statements are scored within the assessment.
    1. Description: The Factor was answered as “No”; however, mobile device requirement statements were scored within Domain 4 – Mobile Device Security of the assessment object.
    2. How to Avoid: When completing the Organization Overview and Scope document, the assessed entity should consider how in-scope systems are accessed, including the types of devices used and how those devices connect to the systems (e.g., VPN, wireless, etc.). Prior to submission to the External Assessor, the assessed entity should check whether the scored requirement statements align with their responses on the Factors.
  4. Common issue: Factors related to third parties are answered as “No,” but (per information conveyed in the Organization Overview and Scope document) systems are accessed by third parties and/or data is exchanged with third parties.
    1. Description: One or both of the Third-Party Scoping Factors is answered as “No”; however, in reviewing the Organization Overview and Scope document there is a description of a system which would indicate that data is exchanged with a third party or the system is either accessed by a third party directly or hosted by a cloud service provider.
    2. How to Avoid: Review the definitions of the Third-Party Factors on the help site prior to answering the Factor question. Specifically, consider the role of the in-scope systems as they relate to third parties that the assessed entity may interact with. Also, systems that are hosted at cloud providers are specifically considered accessible by a third party based upon the definition of the Scoping Factor.

Closing Thoughts

As my team periodically debriefs on common issues, we will continue to share commonly seen issues and how to avoid them. If you have feedback that you would like to share, please submit it through your Customer Success Manager or feedback@hitrustalliance.net.
