Written by: Julie A. Fougere, CCSFP
The HITRUST CSF was created to ensure an organization’s cybersecurity controls are strong enough to withstand inherent threats and to support resiliency in the event of a disruption or attack. Complying with the requirements of the HITRUST CSF and obtaining HITRUST certification gives customers and clients assurance of your organization’s ability to protect their confidential data.
Although receiving this certification can be a lengthy and arduous process, with the right guidance and preparation during the HITRUST Readiness Assessment phase, organizations can ensure accurate and objective testing before completing the Validated Assessment.
What’s a HITRUST CSF Readiness Assessment?
The Readiness Assessment is the first phase in the HITRUST certification process. One of the first steps in this phase is scoping, which allows the assessing firm to understand:
- The size of the organization
- How much data is stored in its systems
- Which systems are included in the environment
- Where the data resides
- How the organization and its customers access the data
The scope must cover an implemented system, and the organization decides the scope of its own assessment. Once the scope is set, the number of HITRUST control requirements for the assessment is generated by the HITRUST MyCSF tool. (Note: A subscription to MyCSF is required for this.)
Scoping occurs before the client signs the engagement letter with the assessing firm and before the Readiness Assessment is scheduled. All in-scope control requirements for the organization’s environment are then reviewed to ensure that, at a minimum, a policy statement, a procedural statement, and implementation evidence can be provided for each one. How the Readiness Assessment is conducted with your HITRUST assessor will depend on whether written policies and procedures exist before the engagement begins.
Situation 1: The organization doesn’t have policies and procedures already written
If an organization doesn’t already have written policies and procedures, then once the scope of the assessment is determined, Wolf’s Virtual Chief Information Security Officer (vCISO) Advisory Services can be used to create compliant policies and provide detailed outlines for organizational procedures.
As part of this process, Wolf can provide a template procedural document that the organization is tasked with completing. Because HITRUST requires procedural statements at a granular, step-by-step level, assessor firms must rely on the client to document these procedures thoroughly. Although the client develops the procedures, Wolf’s vCISO services can be used to confirm that they are complete and compliant.
Situation 2: The organization believes they have adequate policies and procedures already documented
In this case, the organization identifies where each in-scope control requirement is addressed in its existing policies and procedures. Wolf then performs the HITRUST Readiness Assessment, identifying control gaps and providing specific remediation guidance.
Even if the organization has written policies and procedures, it’s highly recommended to engage a qualified professional services firm to write the policies and outline the procedures first. Many organizations aren’t aware of the level of detail HITRUST requires, which often leads to inadequate policies and procedures. When this occurs, organizations end up spending valuable resources reworking a significant portion of their original statements to remediate all gaps. Having a firm with the necessary knowledge and experience create your organization’s policies and procedures reduces the time, effort, and resources needed during the HITRUST Readiness Assessment.
The Request List
Whether an organization writes its own policies and procedures or engages a firm to write them, a request list is issued before the HITRUST Readiness Assessment begins. A request list tells an organization which specific documents must be provided as evidence that a given control requirement is actually implemented. For example, the assessor firm would request the organization’s current asset and service inventory and perform validation testing to confirm it is complete and accurate for the entire in-scope environment. This part of the Readiness Assessment, depending on the scope, can be a much heavier lift for the organization: if there are over 600 control requirements in scope, there could be over 600 pieces of evidence needed to show that all of them are fully implemented.
Deliverables Provided After the Readiness Assessment
Once the Readiness Assessment is complete, we produce two reports for the organization.
The first report is an in-depth review of all the control requirements in scope across all 19 HITRUST domains. It identifies gaps in the organization’s policies, procedures, or implementation, and includes recommendations and tracking columns for each identified gap so the organization can track every gap until it is fully remediated. Once the organization has remediated all gaps, this report (along with all documented remediation) can be returned to the HITRUST assessor firm for review to confirm the organization is prepared for the Validated Assessment phase.
The second report is an executive summary: a high-level overview of any major gaps and vulnerabilities found in the organization’s controls.
The HITRUST CSF Readiness Assessment can seem like a daunting process. However, it’s necessary to ensure your organization will obtain certification during the validated audit. Understanding your roles and responsibilities from the beginning stages of the Readiness Assessment will allow for a smooth, streamlined engagement.