Tips for gathering evidence for your HITRUST CSF validated assessment
Evidence gathering is one of the biggest tasks your organization will undertake during your HITRUST CSF validated assessment. This process is crucial for achieving HITRUST certification and ensuring compliance with the HITRUST framework. The HITRUST audit process involves collecting and organizing a substantial amount of documentation, often referred to as working papers.
Certainly, evidence gathering is nothing new in audits, but supplying the volume of evidence required for HITRUST CSF® Certification will be new to many organizations. You will need evidence to support every single requirement and for each maturity aspect being covered in the HITRUST controls list.
For example, if your assessment scope consists of 300 requirements — and those requirements are being scored for policy, procedure and implementation — you will need, at a minimum, 900 evidence references. This comprehensive approach is part of what makes the HITRUST framework so robust.
One other important thing to note about evidence gathering is that you are ultimately responsible for identifying the evidence needed to support the scores you assert during an assessment. This differs from other types of assessments and audits, where a clearly defined evidence request list is often provided by an auditor. The difference exists because a HITRUST assessment is not pass/fail; there are different levels of compliance based on the scoring.
How HITRUST validated assessments differ from others
One other difference between HITRUST and other audits is that HITRUST consists of requirement statements rather than controls. In this case, it is the client who chooses the controls to address those requirements, so in some cases there may be significant variability in the controls implemented for certain requirement statements. This flexibility allows organizations to tailor their approach to their specific needs while still meeting HITRUST standards.
Although this may seem overwhelming to you now, your HITRUST External Assessor can offer different tips to help guide you through the process. Ultimately, you will need to set your own assessment scope and collect your own evidence to support your self-assessed scores, but you can ask your assessor questions along the way. The external assessor plays a crucial role in ensuring the accuracy and completeness of your HITRUST assessment.
How to prepare ahead of your HITRUST validated assessment
Collecting evidence throughout the year will be critical once you begin the two-year cycle of HITRUST recertification — it will help you stay organized and save time. But organizations that are about to undergo their first HITRUST CSF validated assessment can also benefit from this best practice. Consider this process an ongoing HITRUST readiness assessment.
Once your assessment is set up in MyCSF®, your first action is to review the requirement statements and associated illustrative procedures (IP) and ensure you understand what HITRUST is actually asking for. In some cases, it may not be obvious, so you should seek out the help of your external assessor or HITRUST itself for answers. The MyCSF Assessment Platform is a powerful tool that can help streamline this process.
But no matter when your assessment actually begins, start collecting evidence now. Look at the requirements that have been assigned and then determine what evidence will be required to show compliance. Store evidence in categorized folders or in a program (such as a GRC tool) that can organize items. This approach can serve as a preliminary HITRUST compliance checklist.
By doing so, you’ll save time during your assessment — when you’ll be trying to coordinate with all the different subject matter experts and gather what you need — because you’ll already have the evidence available. This can also be helpful to use during interviews with your external assessor, as you can obtain feedback on how well the evidence collected meets the requirement’s IPs before the testing actually begins.
What to do in your HITRUST assessment readiness phase
Set expectations: Make sure your internal team — including the subject matter experts who own the different requirements — is a part of the evidence-gathering and scoring processes. Don’t rely on just one person to run point on the overall HITRUST certification project, either, as they will not have all the information necessary. Subject matter expert involvement is critical.
Sample-based testing: Many of the illustrative procedures call for sample-based testing, so be prepared to provide population lists from which a sample will be selected. The populations that will be needed are tied to what is identified as part of the assessment scope. This could include workstations, servers, incidents, etc. One tip is to use a tool such as Excel to view the assessment requirements and IPs, and apply a conditional format to filter on the phrase “sample of.” When this language does show up, that same IP will also identify what the “sample of” is specifically. This process is part of the population and sampling methodology in HITRUST assessments.
Policy and procedural documentation: The purpose of a policy is to document management’s expectation of what the rules are within the company or what controls (technical, physical and organizational) are required to be in place within an environment. A procedure documents how the rule or control is put into place. Put simply, a policy is a statement, and procedures are detailed instructions. Very commonly, these are separate documents for a single requirement.
Also, policy documentation and procedure documentation alone will almost never satisfy an implementation requirement. You will also need implementation evidence that shows a requirement has actually been implemented. For example, if a requirement is about a password reset procedure, providing only a help desk instructional document won’t be sufficient. You will also need to provide help desk tickets as evidence that help desk employees are actually using the documented procedure. This aligns with HITRUST password requirements and other specific controls.
Policy and procedure requirements: In addition to understanding what the IPs are, you’ll also need to understand and comply with the criteria for each as defined by the HITRUST scoring rubric. At a high level, the criteria (which are identified on the HITRUST scoring rubric) look for information that answers the following questions:
- Do the policy and procedure documents outline who is responsible for implementing the controls within an environment and list specifically what they need to do?
- Has management officially approved the documents?
- Have the documents been communicated to the relevant employees?
So, in addition to ensuring all of the required content of the IPs is included, to get full scores for policy and procedure, you must also produce evidence showing that the previous three questions have been answered. Review the scoring rubric before your assessment begins so you understand the methodology and how to actually score yourself. This understanding is crucial for an effective HITRUST self-assessment.
Read more — HITRUST scoring 101: How scoring works and how to self-score
HITRUST validated assessment policies and procedures
HITRUST plans or crosswalks: Once you are comfortable with what is needed for an assessment, the task becomes keeping it all organized so you can present the information effectively. The two most effective ways we have found to do this are to either create a crosswalk matrix or make notes directly in MyCSF. Within the MyCSF tool, there are two places where notes can be made at the requirement statement level: in “subscriber comments” or using the “diary entry” feature. With either method, be sure to note the name of the evidence you have identified for each maturity aspect of a requirement. One way to build a crosswalk is to create an Excel spreadsheet with the requirement statement in the first column and the evidence location in the second. This could serve as a HITRUST controls spreadsheet. With this crosswalk, if an external assessor asks a question, you can easily point to the evidence they are seeking.
What to do during your HITRUST validated assessment
Interviews and collecting evidence: When collecting evidence consisting of screenshots, be sure to capture the date on which the screen is being captured. The easiest way to do this is to capture the computer clock. On a PC, it is in the lower righthand corner, and on a Mac, it is in the upper righthand corner. Remember to capture both the time and the full date (xx/xx/xxxx).
For other types of evidence — such as reports, graphs or spreadsheets — ensure there are dates on these documents. The date might be a “creation” or “last revised” notation. Also, check that the dates fall within the testing period or the specific parameters of the HITRUST requirement for that evidence. For example, if the requirement states you’re required to review system accounts every 60 days, the evidence you provide should show a report of this review within 60 days, not a date outside of that range (e.g., from two years ago).
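The three bookkeeping chores described above (filtering IPs for “sample of” to find the population, keeping a requirement-by-evidence crosswalk, and checking that evidence dates fall inside the testing period or a requirement’s cadence such as 60 days) are usually done by hand in Excel or MyCSF. The script below is an added example, not a Wipfli or HITRUST tool, showing the same checks done programmatically over a plain-text export. Every requirement ID, IP sentence, file name and date in it is a constructed placeholder, not actual HITRUST content; the “sample of” pattern is an assumption about how such IPs are worded.

```python
"""Evidence crosswalk helper: an added example, not a Wipfli or HITRUST tool.

It does three things the text describes by hand: find the IPs that call for
"sample of" testing and name the population, check evidence dates against
the testing period (and a requirement-specific cadence such as 60 days),
and render a requirement-by-maturity-aspect crosswalk with gaps marked.
All requirement IDs, IP wording, file names and dates are constructed
placeholders, not real HITRUST content.
"""
import csv
import io
import re
from datetime import date

ASPECTS = ("policy", "procedure", "implementation")

# Constructed export of (requirement id, illustrative procedure text).
SAMPLE_REQUIREMENTS = [
    ("REQ-001", "Review a sample of workstations to confirm the screen lock is enforced."),
    ("REQ-002", "Confirm the password policy is approved by management and communicated."),
    ("REQ-003", "Inspect a sample of system account reviews performed within the last 60 days."),
]

# Constructed evidence register: (requirement id, maturity aspect, file, evidence date).
SAMPLE_EVIDENCE = [
    ("REQ-001", "implementation", "workstations/screenlock-gpo-2024-03-10.png", date(2024, 3, 10)),
    ("REQ-002", "policy", "policies/password-policy-v3.pdf", date(2023, 11, 2)),
    ("REQ-003", "implementation", "iam/account-review-2022-01-15.xlsx", date(2022, 1, 15)),
]

# Noun phrase after "sample of", up to a verb or punctuation: that is the population
# list the assessor will sample from. Assumed wording, not an official pattern.
SAMPLE_OF = re.compile(
    r"\bsample of\s+([a-z][a-z\s-]*?)(?=\s+(?:to|performed|that|which)\b|[.,;]|$)",
    re.IGNORECASE,
)


def find_populations(requirements):
    """Return {req_id: population} for IPs that call for sample-based testing."""
    populations = {}
    for req_id, ip_text in requirements:
        match = SAMPLE_OF.search(ip_text)
        if match:
            populations[req_id] = match.group(1).strip()
    return populations


def check_evidence_dates(evidence, period_start, period_end, cadence_days=None):
    """Return {(req_id, aspect): [problems]} for each evidence item.

    Implementation evidence must fall inside the testing period; policy and
    procedure documents only need to be in effect by period_end. cadence_days
    maps a requirement to a maximum evidence age, e.g. {"REQ-003": 60}.
    """
    cadence_days = cadence_days or {}
    findings = {}
    for req_id, aspect, _path, when in evidence:
        problems = []
        if aspect == "implementation" and not (period_start <= when <= period_end):
            problems.append("outside testing period")
        elif aspect != "implementation" and when > period_end:
            problems.append("dated after testing period")
        max_age = cadence_days.get(req_id)
        if max_age is not None and (period_end - when).days > max_age:
            problems.append(f"older than {max_age} days")
        findings[(req_id, aspect)] = problems
    return findings


def build_crosswalk(requirements, evidence, populations, findings):
    """Render one CSV row per requirement and maturity aspect; gaps show as MISSING."""
    by_req = {}
    for req_id, aspect, path, when in evidence:
        by_req.setdefault((req_id, aspect), []).append((path, when))
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["requirement", "maturity_aspect", "evidence", "evidence_date",
                     "population_to_sample", "status"])
    for req_id, _ip in requirements:
        population = populations.get(req_id, "")
        for aspect in ASPECTS:
            items = by_req.get((req_id, aspect))
            if not items:
                writer.writerow([req_id, aspect, "", "", population, "MISSING"])
                continue
            problems = findings.get((req_id, aspect), [])
            status = "; ".join(problems) if problems else "OK"
            for path, when in items:
                writer.writerow([req_id, aspect, path, when.isoformat(), population, status])
    return out.getvalue()


def run(period_start=date(2024, 1, 1), period_end=date(2024, 3, 31)):
    """Tie the three steps together on the constructed sample data."""
    populations = find_populations(SAMPLE_REQUIREMENTS)
    findings = check_evidence_dates(SAMPLE_EVIDENCE, period_start, period_end,
                                    cadence_days={"REQ-003": 60})
    return populations, findings, build_crosswalk(SAMPLE_REQUIREMENTS, SAMPLE_EVIDENCE,
                                                  populations, findings)


if __name__ == "__main__":
    _pops, _finds, crosswalk = run()
    print(crosswalk)
```

Because the crosswalk emits one row per requirement per maturity aspect, a requirement with no evidence against policy or procedure shows up as a MISSING row rather than silently disappearing; that is the same arithmetic as the “300 requirements × 3 aspects = 900 evidence references” minimum, made visible before the assessor asks for it.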
Interviews with your HITRUST external assessor: During these interviews, be sure to take good notes on what the assessor will look for on each requirement statement. Be sure to associate the information to the specific requirement rather than just taking general notes (this would be a good place to use a crosswalk or the MyCSF comment field as mentioned above).
If a talking point or request is not clear, ask as many questions as necessary. It’s much easier to answer these questions during a live discussion than over emails or messages through MyCSF.
Also, make sure to have the right subject matter experts on the call to ensure there is coverage of requirement owners for the entire scope. This collaborative approach is essential for a successful HITRUST audit.
Additional evidence: During the assessment, your external assessor will send back requirement statements if additional evidence is needed. Be sure to fully read the assessor’s comments and requests, and answer all of their points. Being incomplete in your reply will likely impact the duration of testing for your assessment and may affect the Quality Assurance (QA) tasks.
If your assessor provides evidence request lists, ensure you understand the requests. Ask clarifying questions as needed. This process is part of the Check-in Process and helps maintain the integrity of the assessment.
Scoring: Our last tip is to be realistic in your scoring. It’s okay to not be 100% compliant for every single requirement statement. HITRUST certification is not pass/fail. You can be at 50% or 75% for a number of requirements and still achieve certification. When there are requirement statements that you can’t find good evidence for, those scores will be lower.
With scoring, ultimately, your external assessor will review your scores and evaluate them against the evidence you provide. If they have to send many of them back to you because they do not appear accurate, it will increase the time and level of effort for the assessment, which could end up costing you more money for the extra effort of your assessors. Being realistic in your scoring can actually deliver savings.
Remember, the HITRUST reporting process includes various maturity levels, so it’s important to accurately represent your organization’s current state. This approach also helps in developing effective corrective action plans for areas that need improvement.
Interim assessment and continuous improvement
After your initial HITRUST CSF Validated Assessment, you may need to undergo an interim assessment. This process helps ensure ongoing compliance and allows for continuous improvement. During the interim assessment, your external assessor will review any changes in your environment and verify the implementation of any corrective action plans.
The interim assessment is an excellent opportunity to demonstrate progress on any areas that received lower scores in the initial assessment. It's also a chance to update your evidence and ensure that your documentation, including the management representation letter, remains current and accurate.
The role of Quality Assurance in HITRUST assessments
Quality Assurance (QA) plays a crucial role in the HITRUST assessment process. Your external assessor will use a QA Checklist to ensure all aspects of the assessment have been properly addressed. This includes verifying the completeness of working papers, the accuracy of scoring, and the appropriateness of evidence provided.
The QA process also involves a Quality Assurance (QA) Reservation, where the assessment undergoes a final review before the Validated Report Agreement is issued. This step ensures that the assessment meets HITRUST’s rigorous standards and that the final report accurately reflects your organization’s security posture.
HITRUST certification and your HITRUST CSF partner
Achieving HITRUST certification is a significant accomplishment, but it’s important to remember that it’s not the end of the journey. The HITRUST framework is designed to promote ongoing improvement in information security practices. After certification, your organization should continue to monitor and enhance its security controls, preparing for future assessments and adapting to new threats and regulatory requirements.
Many organizations find it helpful to maintain a list of HITRUST certified companies for benchmarking and collaboration purposes. This can provide valuable insights into industry best practices and help you continually refine your approach to information security.
Wipfli can help
Questions about your upcoming HITRUST validated assessment or how to achieve HITRUST CSF Certification? We can help. A HITRUST External Assessor since 2013, Wipfli has completed over 100 HITRUST assessments.