Recently, HITRUST established a new quality assurance (QA) subcommittee of its Board of Directors and introduced several new assurance advisories. These updates impact Certified Common Security Framework Practitioners (CCSFP), individuals who have completed and maintained training and certification through HITRUST; HITRUST Authorized External Assessors, organizations (including CPA firms) that have been approved by HITRUST for performing assessment and services associated with the CSF Assurance Program and the HITRUST CSF; and user organizations, who may use the HITRUST CSF to perform a self-assessment and/or a validated assessment.
What do these recent advisories mean for individuals and organizations working with the CSF, a comprehensive security framework, and HITRUST?
To start, the QA subcommittee will now provide added governance and oversight to the CSF Assurance Program and will help improve quality and consistency of External Assessor work and HITRUST’s review process for those assessments going through the validated approach. The subcommittee will include HITRUST personnel and c-suite individuals from outside organizations.
Additionally, the scoring rubric used to perform an assessment (by an organization for a self-assessment or by an External Assessor for a validated assessment) will be updated to further define rating criteria and adjust the weighting of each maturity level to better align to the HITRUST Risk Analysis Guides and may adjust organizations’ current grading. New terminology, examples, and guidance should help clarify some past confusion in this area. This will be effective on all validated and self-assessments created on or after December 31, 2019.
Another advisory announced an enhancement update related to the MyCSF tool which will introduce an automated quality check of assessment objects being submitted to HITRUST. Users of the MyCSF can run these checks any time prior to submitting to help identify over 30 different checked items in order to adjust, correct, remove, etc. prior to finalizing. These checks will also be run at each “handoff” of the assessment (between the assessed entity and their external assessor and between the external assessor and HITRUST). HITRUST will be running these checks among the first steps of their QA process and the object will be held from moving through the QA process until items identified are addressed. This change is also expected to be in effect as of December 31, 2019.
Two more advisories provided information on relying on third-party reports and relying on the work of internal auditors that will help organizations and assessors alike better understand requirements and approach these items more consistently. HITRUST has also introduced the Internal Assessor role, for those individuals internal to the entity being assessed; to allow them to help perform some of the testing required for a validated report. These individuals must be CCSFPs.