The Impact of New Evidence Requirements for HITRUST Assessments

The HITRUST Alliance Common Security Framework (HITRUST CSF) is a cybersecurity framework that helps organizations manage risk and meet regulatory compliance when handling sensitive data. It’s a comprehensive, flexible and certifiable security and privacy framework that uses a risk-based approach to integrate various regulations and standards. While the framework was first based on ISO 27001/27002, it also includes several recognized frameworks such as the HIPAA Security Rule, the NIST Cybersecurity Framework, NIST Special Publication 800-53, COSO and many others. Organizations that pursue HITRUST certifications or require their vendors to be HITRUST certified know the HITRUST framework well.

In October of 2023, the HITRUST Alliance issued an Assessment Handbook for external assessors, and enforcement of the new assessment standards began on April 16, 2024. The handbook defines the standards for external assessors performing assessments and applies new requirements for evidence requests. This impacts all assessed entities evaluating their information protection programs against the HITRUST CSF through a readiness or validated assessment. While the requirements may seem to only affect external assessors, assessed entities will feel the impact of these new evidentiary requirements for all levels of assessments. Failure to meet the expectations of the Assessment Handbook could impact both the assessed entities’ ability to be certified and the assessor’s ability to remain in that role.

Several requirements in the new handbook may require organizations to revise their current validation preparation and fieldwork processes. What follows is a summary of some of the more impactful changes we believe entities should consider.

Evidence requirements

The handbook has identified several new evidence requirements, but the hardest and most complex revolve around “how and when to pull a population.” This impacts the timing of when the evidence can be gathered and then when it can be provided to the validated assessor. Assessed entities will now be actively involved in pulling testing populations during the validation fieldwork versus pulling that information before the fieldwork starts.

Many assessed entities begin preparing for validation fieldwork months in advance and, while this is still a viable option for meeting the requirements for policy and procedure, the evidence necessary for selecting populations to meet the requirements for implementation will need to align with updated guidelines. Populations may be pulled 30 days prior to the start of fieldwork or may need to be pulled once fieldwork has started.

When sampling is required, there are two types of populations from which an external assessor will select the sample:

  • Time-based populations: events that occur based on established timing and are pulled over a period of time, such as daily backups, monthly vulnerability scans or change tickets associated with weekly changes. For these controls, each assessed entity will need to accumulate a list or population of these events so the assessor can select a sample for testing.
    • Populations should include at least 90 days but not more than 365 days prior to fieldwork.
    • Additionally, the assessed entity must include at least one occurrence within the fieldwork dates. For example:
      • Fieldwork starts June 1
      • Population dates can begin as early as June 2 of the prior year or at a minimum, beginning March 3 of the current year
      • End date of the population should include dates after June 1
      • The external assessor can identify this time span as part of pre-planning for the assessment
  • Item-based populations: a grouping of data that remains constant and is generated at a point in time; time is not an element.
    • May be created prior to fieldwork, but no greater than 30 days prior. For example:
      • Fieldwork starts June 1
      • Population can be pulled as early as May 2 and provided to the assessor
      • The validated assessor cannot provide the assessed entity the sample they selected prior to June 1

Therefore, let’s walk through a few use cases using some specific Baseline Unique IDs (BUID):

  • BUID #0135.02f1Organizational.56 requires a “sample of instances in which personnel were sanctioned for failing to comply with established information security policies.” This would be considered a time-based population, so the assessed entity would want to wait until the beginning of the assessor’s fieldwork to pull the population for sampling or pull a sample with dates less than one year prior to fieldwork and then provide a sample for the assessor to review during the fieldwork.
  • BUID #1106.01b1System.1 requires a “sample of provisioned users on a system.” This would be considered an item-based population and could be pulled within the 30 days prior to fieldwork.
  • BUID #0209.09m3Organizational.7 requires a “sample of wireless devices…to confirm that file sharing has been disabled.” This would also be an item-based population and could be pulled within 30 days prior to fieldwork.

Identifying the timing and the type of population is key to determining when a population can be pulled, along with critical aspects such as the inclusion of dates within the fieldwork and limitations on when that information can be shared with the assessors.

At this point, one might think about those controls that are automated and will only require a screenshot and a sample of one. There are updates to those evidence requirements as well. For example, all screenshots necessary to support automated configurations and such must be clearly dated in the screenshot (this applies to the samples selected by the validated assessor mentioned above and to the sample of one) and be within the fieldwork dates; therefore, these cannot be gathered prior to the start of fieldwork.
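The population and screenshot timing rules summarized above can be checked before evidence is handed over. The following is an added example, not tooling from HITRUST or Protiviti; the function names, the 2024 fieldwork year and the fieldwork end date are assumptions, and the rules are encoded only as this page states them.

```python
from datetime import date, timedelta

def time_based_window(fw_start):
    """Earliest and latest permissible start of a time-based population."""
    return (fw_start - timedelta(days=365), fw_start - timedelta(days=90))

def check_time_based(period_start, occurrences, fw_start, fw_end):
    """Problems with a time-based population (backups, scans, change tickets)."""
    earliest, latest = time_based_window(fw_start)
    issues = []
    if period_start < earliest:
        issues.append("starts more than 365 days before fieldwork")
    if period_start > latest:
        issues.append("covers fewer than 90 days before fieldwork")
    # At least one event must fall inside the fieldwork dates themselves.
    if not any(fw_start <= d <= fw_end for d in occurrences):
        issues.append("no occurrence within the fieldwork dates")
    return issues

def check_item_based(pulled_on, fw_start):
    """Problems with an item-based population (user lists, device inventories)."""
    if pulled_on < fw_start - timedelta(days=30):
        return ["pulled more than 30 days before fieldwork"]
    return []

def check_screenshot(dated_on, fw_start, fw_end):
    """Screenshots for automated controls must be dated within fieldwork."""
    if not fw_start <= dated_on <= fw_end:
        return ["screenshot date is outside the fieldwork dates"]
    return []

# Constructed sample data: fieldwork starting June 1 (year and end date assumed).
FW_START, FW_END = date(2024, 6, 1), date(2024, 6, 28)
MONTHLY_SCANS = [date(2024, m, 15) for m in range(1, 7)]  # Jan 15 .. Jun 15

if __name__ == "__main__":
    print("time-based start window:", time_based_window(FW_START))
    print("scans Jan-Jun:", check_time_based(date(2024, 1, 1), MONTHLY_SCANS,
                                             FW_START, FW_END))
    print("scans Apr-May only:", check_time_based(date(2024, 4, 1),
                                                  MONTHLY_SCANS[:5],
                                                  FW_START, FW_END))
    print("user list pulled May 1:", check_item_based(date(2024, 5, 1), FW_START))
    print("screenshot May 30:", check_screenshot(date(2024, 5, 30),
                                                 FW_START, FW_END))
```

For a June 1, 2024 start the computed window matches the dates in the example above: June 2 of the prior year through March 3, with May 2 as the earliest pull date for an item-based population.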

Finding a trusted partner

While these changes may feel overwhelming, the Protiviti Data Protection team has reviewed every detail of the handbook. As a premier HITRUST validated assessor, we have the expertise needed to navigate a successful assessment.

To learn more about our HITRUST methodology, contact us 

Juli Ochs

Associate Director
Security and Privacy
