The validated assessment is the final phase before the quality assurance review, which may result in HITRUST Certification. During the validated assessment phase, HITRUST Authorized External Assessors review the progress made during the earlier phases and prepare the assessment materials for HITRUST® approval.
In this dedicated HITRUST blog series, we provide a detailed guide to each phase of the process towards certification:
- Readiness Assessment
- Validated Assessment
- HITRUST Quality Assurance Review
- HITRUST Certification
Let’s find out more about the validation phase of HITRUST certification.
Who Conducts HITRUST Validated Assessments?
A HITRUST Validated Assessment is performed by HITRUST Authorized External Assessors. They aim to review and validate the organization’s scores for the various controls. Then, they submit their final assessment to HITRUST for quality assurance review. This is when HITRUST evaluates whether an organization has met the necessary minimum requirements for certification.
IMPORTANT UPDATE: There are now TWO OPTIONS for HITRUST CSF Validated Assessments: 1-Year (i1) Validated Assessment with Certification and 2-Year (r2) Validated Assessment + Risk-Based Certification.
What Happens During the HITRUST Validated Assessment Process?
If you’re wondering, ‘what do HITRUST Validated Assessments include?’ you’re asking the right questions. In order to be fully prepared for an assessment, it’s best to have a solid idea of what the process demands. This phase includes appointing the Certified HITRUST Quality Professional (CHQP) roles, analyzing the environment, defining and developing the test plan, carrying out examinations, interviews and tests, sampling, drafting the working papers, and submitting documentation for the pre-submission quality assurance review. Let’s take a closer look…
Appointing the Engagement Executive and Engagement Lead
The test plan must name two key roles: the Engagement Executive and the Engagement Lead. Both roles should be entrusted to CHQPs from the External Assessor organization, and they will work closely with the internal project coordinator. The Engagement Executive provides support for the organization undergoing assessment, manages costs related to the certification process, and tracks the engagement.
The Engagement Executive and Lead should sign off on the scope and test plan before fieldwork starts. Other important responsibilities include testing oversight, as well as reviewing, documenting, and verifying test results.
Analysis of the Environment
First, the External Assessor should work to better understand the environment. This includes:
- Reviewing the systems, business operations, and physical locations that will be assessed.
- Identifying the risk factors that should be assessed.
- Outlining the populations that will need to be sampled.
- Determining which HITRUST certification requirement statements involve shared responsibility.
Definition of the Testing Approach
The objective of testing during the HITRUST validation stage is to assess the organization’s controls. This can be done using three main methodologies.
- Examining: Reviewing policies, guidelines, records and procedures in order to evaluate how a control is being addressed by the organization.
- Interviewing: Key personnel with tasks and responsibilities related to a control can be interviewed to collect information about the procedures in place.
- Testing: System configurations and operations can also be tested to ensure that controls are implemented properly and achieve their design function.
Development of the Test Plan
The first step of the validated assessment is creating a test plan. The External Assessor is charged with developing an outline for the tests required for the controls which fall inside the scope. Test procedures need to be written to address each PRISMA level within the in-scope requirement statements.
This plan should be designed specifically for the environment being tested and will serve as a guide for the validated assessment. A clear plan should be laid out for the External Assessors doing the fieldwork, including the directions for sampling and testing.
Examination, Interviews & Testing
As part of the HITRUST CSF Assurance Program Requirements, External Assessors will validate scores and gap remediation through an examination of related documentation, a series of on-site walkthrough procedures, and interviews with key staff members.
External Assessors must also check the performance of security control processes and perform testing to validate their implementation. With each testing approach, they will review the documented policies and implemented procedures related to the control being assessed. They will inspect the operational measures used within the organization and the management procedures for relevant controls.
During the validation phase, External Assessors perform on-site inspections, interviews, and tests with two specific goals:
- Confirming the organization’s scores from the HITRUST Readiness Assessment.
- Confirming that compliance gaps have been properly identified and are being remediated.
Time Limit: According to the 90-Day Assessment Window Rule, all testing planned as part of the validated assessment must be completed within 90 days of the date that documentation is submitted to HITRUST for the quality assurance review.
Procedures: Testing procedures follow NIST's Technical Guide to Information Security Testing and Assessment (NIST SP 800-115).
Documentation: Once the necessary information is gathered, the External Assessor will document any findings.
For HITRUST Validated Assessments, the External Assessor may test samples of system components in order to verify controls. Samples should fairly represent the systems, applications, databases, networking devices, and connected support systems in the assessment scope. The sample must also be large enough to allow the External Assessor to draw reliable conclusions from it.
Standard data collected from a sample should include:
- The population source,
- Population size,
- Date range,
- Minimum required sample size,
- Method for selecting the sample – random, systematic, or haphazard, and
- Measures taken to ensure the sample accurately represents the population.
Drafting Working Papers
During the HITRUST Validated Assessment, the External Assessor is responsible for compiling documentation which supports their validation of assessment scoring. Working papers should include the following information:
- Name of the assessment,
- Name of the tester,
- Date of when the testing procedure was carried out,
- Description of the testing procedure,
- Date and timestamp of when the sample was pulled, if possible,
- List of the scoping elements involved, if possible.
Working papers must cover the entire scope in order for the validated assessment to be considered complete.
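The sample data and working-paper fields listed above are easy to get wrong when they are tracked by hand, so here is an added illustration (example code written for this article, not HITRUST's or any assessor firm's tooling) that captures both records as structured objects. It assumes a constructed population of in-scope hosts (`IN_SCOPE_HOSTS`), offers only the two selection methods that can be reproduced later (random with a recorded seed, and systematic with a recorded interval and offset), and includes a `coverage_gaps` check for the rule that working papers must cover the entire scope. All names are hypothetical.

```python
from __future__ import annotations

import random
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional, Sequence

# Constructed population: identifiers for a hypothetical fleet of in-scope
# application servers (not taken from the article).
IN_SCOPE_HOSTS: tuple = tuple(f"app-srv-{i:02d}" for i in range(1, 21))
# Constructed review period used by the worked example below.
EXAMPLE_DATE_RANGE = (date(2024, 1, 1), date(2024, 3, 31))


@dataclass(frozen=True)
class SampleRecord:
    """The standard data the article says every sample should carry."""
    population_source: str
    population_size: int
    date_range: tuple
    minimum_sample_size: int
    method: str                      # "random" or "systematic"
    representativeness_measures: str
    selected: tuple
    pulled_at: datetime


@dataclass(frozen=True)
class WorkingPaper:
    """Fields the article requires in a working paper, plus the sample used."""
    assessment_name: str
    tester: str
    test_date: date
    procedure: str
    scoping_elements: tuple
    sample: Optional[SampleRecord] = None


def _check_size(population: Sequence[str], n: int) -> None:
    if n <= 0 or n > len(population):
        raise ValueError(f"sample size {n} must be between 1 and {len(population)}")


def random_sample(population: Sequence[str], n: int, seed: int) -> list:
    """Seeded random selection so the exact pull can be re-created during QA review."""
    _check_size(population, n)
    return random.Random(seed).sample(list(population), n)


def systematic_sample(population: Sequence[str], n: int, start: int = 0) -> list:
    """Every k-th item from `start` with k = len // n; items are distinct because (n-1)*k < len."""
    _check_size(population, n)
    if not 0 <= start < len(population):
        raise ValueError("start offset must index into the population")
    k = len(population) // n
    return [population[(start + i * k) % len(population)] for i in range(n)]


def draw_sample(population: Sequence[str], source: str, date_range: tuple,
                minimum_size: int, method: str, *, seed: int = 0, start: int = 0,
                pulled_at: Optional[datetime] = None) -> SampleRecord:
    """Select a sample and record everything needed to justify and reproduce it."""
    if method == "random":
        picked = random_sample(population, minimum_size, seed)
        measures = f"seeded PRNG (seed={seed}) over the complete population listing"
    elif method == "systematic":
        picked = systematic_sample(population, minimum_size, start)
        measures = f"fixed interval {len(population) // minimum_size} from offset {start}"
    else:
        # Haphazard selection cannot be reproduced, so it is rejected here.
        raise ValueError("only 'random' and 'systematic' selection are supported")
    return SampleRecord(source, len(population), date_range, minimum_size, method,
                        measures, tuple(picked), pulled_at or datetime.now(timezone.utc))


def coverage_gaps(scope: Sequence[str], papers: Sequence[WorkingPaper]) -> list:
    """Scoping elements that no working paper addresses (must be empty to be complete)."""
    covered = {element for paper in papers for element in paper.scoping_elements}
    return [element for element in scope if element not in covered]


def build_example_paper() -> WorkingPaper:
    """A constructed working paper for a hypothetical configuration-review procedure."""
    sample = draw_sample(IN_SCOPE_HOSTS, "CMDB export (constructed)", EXAMPLE_DATE_RANGE,
                         5, "systematic", start=2)
    return WorkingPaper("Example Validated Assessment", "J. Assessor", date(2024, 4, 2),
                        "Inspect hardening baseline on sampled hosts",
                        ("access-control", "logging"), sample)


if __name__ == "__main__":
    paper = build_example_paper()
    print(paper.sample.selected)
    print("gaps:", coverage_gaps(("access-control", "logging", "backup"), [paper]))
```

Recording the seed or the interval and offset alongside the population size is what lets a QA reviewer re-run the pull and confirm it matches the working paper; a haphazard pick leaves nothing to re-check.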
Before Submitting a Validated Assessment for Quality Assurance Review
Prior to the HITRUST quality assurance review, the organization is required to perform a pre-submission review. This involves the External Assessor’s Engagement Executive and CHQP. They have the responsibility of going over the documentation related to the organization’s assessment.
During the Pre-submission Quality Assurance Review, External Assessors compare the documentation to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assurance Methodology. Their work follows the HITRUST External Assessor Quality Checklist available through the MyCSF® portal.
For more information about this pre-submission process, refer to the next article about the HITRUST Quality Assurance phase.
Finally, the External Assessors will gather the working papers, interview and test results, and submit the documentation to HITRUST for the quality assurance review. At that point, the validated assessment will be reviewed by both the HITRUST Assurance and Compliance teams, which will determine whether the organization has met the requirements to achieve certification.
Seamless HITRUST Certification Support
HITRUST certification helps organizations demonstrate their compliance with information security standards and mitigate risk. Put the right protocols in place and make sure your organization's infrastructure meets or exceeds the industry standard. For more information on becoming HITRUST Certified, call the I.S. Partners team at 215-675-1400 for an in-depth consultation and audit.
Go on to find out more about Phase 4 of the HITRUST certification process: Quality Assurance Review and Certification Requirements