By Jeremy Huval, Vice President, Compliance & Internal Audit
Completing HITRUST CSF Assessments will now require less time and fewer resources—thanks to the “Using Work of Others” initiative just announced as part of the ongoing improvements being made to the HITRUST Assurance Program. This is just the latest example of how HITRUST continually enhances and expands its CSF Assurance Program to ensure the highest level of quality is maintained as the program is employed in a growing number of markets and industries.
As part of the initiative, HITRUST has issued updated guidance for External Assessors (previously referred to as CSF Assessors) who rely on the results of previously-performed IT control assessments and inspections. The policy and methodology updates create opportunities for greater assessment efficiency and customer cost savings.
In this blog, we provide a rundown of what organizations and assessors can expect.
A New Role in the CSF Assurance Process
In the past, HITRUST offered two approaches for External Assessors to rely on the results of previously-performed control testing:
- The inheritance of results of other HITRUST CSF Assessments;
- The reliance on audit reports and certifications issued by third-party assessors, such as SOC 2
The most recent update from HITRUST further builds upon and clarifies these two options—specifying associated timing, scope, and documentation requirements. The update also promotes a culture of risk management within the organization as it introduces opportunities for an organization’s internal auditors to directly participate and support the CSF Assessment process.
This comes from a new role in the process, called the Internal Assessor. Personnel who meet the qualifications associated with this role can assist in the CSF Assessment process by performing control testing and verification. As a result, External Assessor organizations now have the option of relying on work performed by Internal Assessors employed by an assessed entity. This not only creates efficiencies but also drives greater organizational alignment with IT security and privacy control requirements and the teams responsible for these efforts.
The Benefits of the “Using Work of Others” Initiative
The “Using Work of Others” initiative generates benefits for both External Assessors and assessed entities. For example, assessed entities already performing pre-assessment testing in advance of a HITRUST CSF Assessment can now expect lower overall assessment costs. That’s because duplicate testing that would typically be performed by External Assessors, as well as assessment-related requests and interviews, can be eliminated.
Additionally, personnel with in-depth knowledge of an organization’s IT controls (such as internal audit, risk management, and compliance teams) can now play a more formally-defined role in the overall HITRUST CSF Assessment process. This will facilitate more engagement and collaboration among internal teams—generating additional insights about an organization’s IT security controls and further promoting a culture of security and risk management throughout the organization.
From the External Assessor standpoint, the new initiative from HITRUST allows them to focus on a more strategic role with regards to the way they engage with organizations. Time previously allocated for assessing controls can be shifted to focus on high-level security and compliance consulting; again, further promoting a culture of security, moving organizations beyond the checkboxes of compliance.
Updates to the HITRUST CSF Program Terms
As part of the “Using Work of Others” Assurance Program initiative, HITRUST also clarified the definitions of several terms:
- Internal Assessment Function:The function performing the internal testing that will be relied upon during a validated assessment. This function will typically be an Internal Audit Department or a team of consultants, but it doesn’t have to be.
- Internal Assessor:The Certified CSF Practitioners (CCSFPs) performing internal testing. All internal assessment work being relied upon by the External Assessor must be performed by a CCSFP.
- Authorized External Assessor Organization:The external organization performing a validated assessment. This is the new name for what HITRUST has historically referred to as an Authorized CSF Assessor.
- External Assessor:The CCSFP performing the validated assessor role associated with an Authorized External Assessor Organization. This is a new name for what HITRUST has historically called an Assessor.
HITRUST clarified these terms to help facilitate the conversations about CSF Assessments that take place among organizations and their independent assessors as well as customers, vendors, and HITRUST.
Assessors Still Ultimately Accountable
Now that it’s possible to use assessment work performed by others, the CSF Assurance Program is making it easier for organizations and independent assessors to go through the process of assessing IT security controls. As organizations leverage the work of internal and external assessment resources, the program also makes sure they maintain quality and consistency in their evaluation of IT security controls. This will effectively raise the bar across the board while also ensuring roles and responsibilities are clearly defined.
A vital aspect of the “Using Work of Others” initiative to note is that it does not require External CSF Assessors to utilize the work of others during a validated assessment. The decision on whether to rely on an organization’s internal resources still lies solely with the External Assessor organization. HITRUST CSF Assurance program does provide guidance on the level of review and sampling that must occur relating to the “Work of Others.” As has always been the case, External Assessors are ultimately accountable for validating the implementation of the HITRUST CSF Assessment. When using the work of others, External Assessors should ensure they are still sufficiently involved in the validated assessment process.
For more information, check out the HITRUST CSF Assessment Methodology and CSF Assurance Program requirements and the HITRUST CSF Assurance Program bulletins. Organizations interested in having individuals recognized as Internal Assessors should review the criteria found in the Assurance bulletin.