Cybersecurity

The Impact of New Evidence Requirements for HITRUST Assessments

Juli Ochs
May 28, 2024
5 min read

The HITRUST Alliance Common Security Framework (HITRUST CSF) is a cybersecurity framework that helps organizations manage risk and meet regulatory compliance when handling sensitive data. It’s a comprehensive, flexible and certifiable security and privacy framework that uses a risk-based approach to integrate various regulations and standards. While the framework was first based on ISO 27001/27002, it also includes several recognized frameworks such as the HIPAA Security Rule, the NIST Cybersecurity Framework, NIST Special Publication 800-53 or COSO and many others. Those organizations that pursue HITRUST certifications or require their vendors to be HITRUST certified know the HITRUST framework well.

In October of 2023, the HITRUST Alliance issued an Assessment Handbook for external assessors and enforcement of the new assessment standards began on April 16, 2024. The handbook defines the standards for external assessors performing assessments and applies new requirements for evidence requests. This impacts all assessed entities evaluating their information protection programs against the HITRUST CSF through a readiness or validated assessment. While the requirements may seem to only affect external assessors, assessed entities will feel the impact of these new evidentiary requirements for all levels of assessments. Failure to meet the expectations of the Assessment Handbook could impact both the assessed entities’ ability to be certified and the assessor’s ability to remain in that role.

There are several requirements in the new handbook that may mean organizations must develop revisions to their current validation preparation and fieldwork processes. What follows is a summary of some of the more impactful changes we believe entities should consider.

Evidence requirements

The handbook has identified several new evidence requirements, but the hardest and most complex revolve around “how and when to pull a population.” This impacts the timing of when the evidence can be gathered and then, when it can be provided to the validated assessor. Assessed entities will now be actively involved in pulling testing populations during the validation fieldwork versus pulling that information prior to before the fieldwork starts.

Many assessed entities begin preparing for validation fieldwork months in advance and, while this is still a viable option for meeting the requirements for policy and procedure, the evidence necessary for selecting populations to meet the requirements for implementation will need to align with updated guidelines. Populations may be pulled 30 days prior to the start of fieldwork or may need to be pulled once fieldwork has started.

When sampling is required, there are two types of populations from which an external assessor will select the sample:

  • Time-based populations: events that occur based on established timing and are pulled over a period of time, such as daily backups, monthly vulnerability scans or change tickets associated with weekly changes. For these controls, each assessed entity will need to accumulate a list or population of these events so the assessor can select a sample for testing.
    • Populations should include at least 90 days but not more than 365 days prior to fieldwork.
    • Additionally, the assessed entity must include at least one occurrence within the fieldwork dates. For example:
      • Fieldwork starts June 1
      • Population dates can begin as early as June 2 of the prior year or at a minimum, beginning March 3 of the current year
      • End date of the population should include dates after June 1
      • The external assessor can identify this time span as part of pre-planning for the assessment
  • Item-based populations: grouping of data that remains constant, generated at a point-in-time and time is not an element.
    • May be created prior to fieldwork, but no greater than 30 days prior. For example:
      • Fieldwork starts June 1
      • Population can be pulled as early as May 2 and provided to the assessor
      • The validated assessor cannot provide the assessed entity they selected prior to June 1

Therefore, let’s walk through a few use cases using some specific Baseline Unique IDs (BUID):

  • BUID #0135.02f1Organizational.56 requires a “sample of instances in which personnel were sanctioned for failing to comply with established information security policies.” This would be considered a time-based population, so the assessed entity would want to wait until the beginning of the assessor’s fieldwork to pull the population for sampling or pull a sample with dates less than one year prior to fieldwork and then provide a sample for the assessor to review during the fieldwork.
  • BUID #1106.01b1System.1 requires a “sample of provisioned users on a system.” This would be considered an item-based population and could be pulled within the 30 days prior to fieldwork.
  • BUID #0209.09m3Organizational.7 requires a “sample of wireless devices…to confirm that file sharing has been disabled.” This would also be an item-based population and could be pulled within 30 days prior to fieldwork.

The identification of timing and the type of population is key to determining when a population can be pulled and critical aspects, such as the inclusion of dates within the fieldwork and limitations on when that information can be shared with the assessors.

At this point, one might think about those controls that are automated and will only require a screenshot and a sample of one. There are updates to those evidence requirements as well. For example, all screenshots necessary to support automated configurations and such, must be clearly dated in the screenshot (this would be for the samples selected by the validated assessor mentioned above and for the sample of one) and be within the fieldwork dates; therefore, these cannot be gathered prior to the start of fieldwork.

Finding a trusted partner

While these changes may feel overwhelming, the Protiviti Data Protection team has reviewed every detail of the handbook. As a premier HITRUST validated assessor, we have the expertise needed to navigate a successful assessment.

To learn more about our HITRUST methodology, contact us 

Juli Ochs

Associate Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
28 Jun

In the latest episode, Protiviti’s @KonstantHacker and guest @JulienCamirand from Nord Quantique discuss a new approach to qubit error correction. Listen now! https://ow.ly/h4Oc50SqWh5 #ProtivitiTech #Quantum #Podcast

Reply on Twitter 1806659414432071968 Retweet on Twitter 1806659414432071968 Like on Twitter 1806659414432071968 Twitter 1806659414432071968
protivititech Protiviti Technology @protivititech ·
27 Jun

#Protiviti is a 2024 Compliance #Microsoft Partner of the Year Finalist. Congrats to this year’s award recipients who were selected based on their commitment to customers, the impact of their solutions, and their exemplary use of Microsoft tech. https://ow.ly/69mt50SqWbB #MSPartner

Reply on Twitter 1806357883640008926 Retweet on Twitter 1806357883640008926 Like on Twitter 1806357883640008926 Twitter 1806357883640008926
protivititech Protiviti Technology @protivititech ·
27 Jun

How can you tell if a #fintech firm is competent with #GenAI? Certification can certainly distinguish a firm from its competitors, says Protiviti’s Christine Livingston, but is also doesn’t tell the full story about how well they leverage the tech overall. https://ow.ly/vy1r50SkquW

Reply on Twitter 1806327001415839967 Retweet on Twitter 1806327001415839967 Like on Twitter 1806327001415839967 Twitter 1806327001415839967
protivititech Protiviti Technology @protivititech ·
19 Jun

Generative #AI is set to revolutionize the field of enterprise architecture. Get a comprehensive overview of the impact of #GenAI on EA activities, plus challenges, risks and limitations in the latest Technology Insights blog post. https://ow.ly/foPJ50SkUW6 #ProtivitiTech

Reply on Twitter 1803458480314925526 Retweet on Twitter 1803458480314925526 Like on Twitter 1803458480314925526 Twitter 1803458480314925526
protivititech Protiviti Technology @protivititech ·
18 Jun

Protiviti’s @KonstantHacker will join a panel to speak on “Quantum Leap: Securing Manufacturing's Next Frontier with Post Quantum Cryptography” on July 18 in Chicago, IL. Register today for this in-person event. https://ow.ly/s02X50SkfcI #ProtivitiTech #Quantum

Reply on Twitter 1803095957912908035 Retweet on Twitter 1803095957912908035 1 Like on Twitter 1803095957912908035 Twitter 1803095957912908035
Load More