Written by: Julie Fougere
The Importance of Sampling
Sampling is an important aspect of HITRUST Validated Assessments, but it’s often overlooked. Proper sampling and collection of appropriate evidence is paramount for achieving full credit in the implementation category for a majority of HITRUST CSF requirement statements. Although your controls may be designed appropriately, they must operate over an extended period of time to be truly effective.
What is Sampling?
A good example of a control that’s usually sampled is security awareness training. Let’s say an organization has 100 employees and they need to ensure training is being completed. Instead of taking the time to review evidence that every single person has completed training, the organization would take a sample of 10% of the population. This way, the organization can spend less time testing evidence while remaining confident that the training process is working effectively.
Sampling Requirements
Sampling is expected to be performed on any requirement statement where the illustrative procedures indicate one should be taken. This is included in the ‘implemented’ section of the illustrative procedures and explicitly includes the phrase ‘select a sample.’ Furthermore, sampling must cover all in-scope applications and implemented systems. If there are multiple applications in scope, evidence must be provided for each to satisfy the requirement statement.
In order to gather the correct evidence, population ranges must be selected to ensure sampling evidence is pulled during the fieldwork period. Similar to System and Organization Controls (SOC) and Sarbanes-Oxley (SOX) sampling, populations should abide by completeness and accuracy guidelines. Populations that haven’t been influenced or filtered by the client are ideal, unless it’s not possible to pull such a population. Screenshots showing how the population is pulled should be included with the evidence. For the initial Validated Assessment, the sampling period must be at least three months from the start of fieldwork. Subsequent Validated Assessments typically have a sampling period of one year to ensure sufficient audit coverage.
Sampling Lead-Sheets
A majority of the Validated Assessment fieldwork is spent testing and documenting sampled controls within sampling lead sheets. HITRUST provides a template within the MyCSF tool, but HITRUST Assessors can enhance this documentation to include additional fields. Each requirement statement must have a corresponding lead-sheet to show how it was tested and the results of the test. This is to ensure the operating effectiveness over individual controls. If any exceptions are noted in the sample testing, this will reduce the implementation score. For example, if only 75% of the employee workforce completed security awareness training, then the implementation score wouldn’t reach 100%.
HITRUST recommends including the following items on sampling lead sheets:
- Name of the HITRUST Assessor performing the testing
- Date of test performed
- Procedure for testing the requirement statement
- Population size, date range, and source
- Sample size that was selected
- Results of the testing
Lead sheets must be attached as a linked document to each control in MyCSF as implementation evidence. This tells the HITRUST Assessor that proper sampling was conducted.
Sampling Methodology
HITRUST recommends leveraging several industry standard sampling methodologies, such as:
- Random Sampling
Random sampling is recommended because it removes bias from the entity selecting the sample.
- Systematic Sampling
Systematic sampling entails choosing every “n’th” row (i.e. every first, second, or third) or item in a population. This provides similar assurance to random sampling, but it can often be easier to use a random number generator to conduct this sampling.
- Haphazard Sampling
Haphazard sampling involves a random selection that’s performed by the HITRUST Assessor. Ideally, haphazard sampling should only be used after attempting random or systematic sampling, since it often incurs a level of unconscious bias.
Finally, there are certain controls that can’t be reasonably sampled since they’re operating in real-time rather than at a defined frequency. These are referred to as automated controls. For example, event logging and monitoring systems may generate thousands of alerts at undefined frequencies. Therefore, the HITRUST Assessor will request the scope of logging, configuration of alert logs, and a sample of one recent email alert from management.
HITRUST Sample Sizes
|
Sample Sizes |
|
| Sampling Scenario |
Minimum Number of Items to Test |
| Testing a manual control operating at a defined frequency |
|
| Testing a manual control operating at an undefined frequency (i.e., “as needed”) | Sample size varies based on population size:
|
| Testing an automated control
(NOTE: If configured on or embedded within multiple systems/tools, each system/tool must be tested) |
Can perform a test of 1 if the following are performed / met (otherwise, a full sample must be tested using the manual control sampling guidance provided above):
|
| Sampling from point-in-time populations (e.g., endpoints, servers) |
|
Conclusion
The HITRUST Validated Assessment can be an intense process, but it’s essential to provide reasonable assurance that your environment is operating effectively and in alignment with HITRUST CSF. It’s imperative to get sampling correct to achieve the highest marks possible in the implementation scoring category. Your score may be negatively affected if you don’t provide properly documented sampling lead-sheets and supporting evidence. Engaging a HITRUST Assessor with vast experience in planning, testing, and documenting the operational effectiveness of HITRUST controls will ensure you receive the highest scores possible in the implementation category.
