What are the Two Different Types of CSF Assessments that HITRUST Offers?
  1. A HITRUST Self-Assessment allows an organization to conduct a review and assessment of its internal control environment using the standard methodology, requirements, and tools provided under the CSF Assurance Program. The self-assessment option removes any potential barriers for organizations that lack the resources for an onsite assessment, but nonetheless must still implement data protection controls, maintain HIPAA/HITECH compliance, and report to external parties.
  2. A Validated Assessment is conducted by a HITRUST approved CSF Assessor, such as I.S. Partners, LLC. Using the CSF Assurance methodology, an organization’s internal controls are scored accordingly. Assessments meeting or exceeding the current CSF Assurance scoring requirements for certification will be indicated as “HITRUST CSF Certified” on the certification report from HITRUST.
Why Should You Choose the HITRUST CSF Over Other Available Frameworks (NIST, ISO, etc.)?

The HITRUST CSF includes and embodies requirements from various authoritative sources such as ISO, NIST, PCI DSS, HIPAA and others, and tailors the requirements to healthcare organizations based on specific organizational, system and regulatory risk factors. The level of integration and prescription in the framework, along with the quality and rigor of the CSF Assurance Program and supporting HITRUST products and services, makes the HITRUST CSF the easy choice for healthcare organizations.

How Can My Organization Utilize the CSF Framework for a SOC 2 Report?

HITRUST and the American Institute of Certified Public Accountants (AICPA) have joined together to map HITRUST CSF controls to the Service Organization Controls (SOC) 2 Trust Principles and Criteria, specifically the Trust Services Principles of Security, Confidentiality and Availability. I.S. Partners, LLC, as both a CPA firm and a HITRUST CSF Assessor, can perform a SOC 2 audit leveraging the CSF framework. If an organization requires both a SOC 2 and a HITRUST certification report, the two reports can be combined into a singular report.

How Often Do I Need to Get a Report?

Given the positive fulfillment of an interim review, where no breach has occurred and no significant changes have developed relating to the scoped control environment, HITRUST CSF reports with Certification are valid for two years. However, at the one-year anniversary of the Certification, I.S. Partners, LLC can assist your organization’s reassessment by:

  • Requesting your organization to update the scoping questions
  • Reviewing the updated questionnaire for any changes to original questionnaire
  • Testing at least one control/statement in each domain
  • Reviewing the status of any Corrective Action Plan (CAP) from the original assessment to ensure that satisfactory progress/milestones are being met

PCI Audit

What must penetration testing include?
A penetration test must include manual testing, performed by qualified individuals who can accurately emulate the activities of a malicious user attempting to compromise the cardholder environment.
What does the PCI DSS require?
The PCI DSS requires internal and external network penetration testing, as well as application-layer penetration testing, as a means to find exploitable vulnerabilities.
To whom does PCI apply?
PCI applies to ANY organization or merchant, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
What is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) is a security standard adopted by many companies and organizations that gather, store and use customers’ payment card data for purchases of services and products.

SOC Audit

What is the difference between a Type I audit and a Type II audit?
A Type I audit results in a report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specific date. A Type II audit is the same as a Type I audit but with a report on the operating effectiveness of the controls throughout a specified period.
Why is I.S. Partners qualified to perform SOC audits?
I.S. Partners, LLC is a Certified Public Accounting firm registered with the AICPA (American Institute of Certified Public Accountants) and PCAOB (Public Company Accounting Oversight Board), and is managed by a group of highly-seasoned partners who have vast experience in performing SAS 70 / SSAE 16 / SOC audits, FISMA, HIPAA HITECH, Sarbanes-Oxley (Section 404) management self-assessments, Model Audit Rule compliance, and other specialized information technology audits.

SSAE-18 Audit

How much does an SSAE-18 audit cost?
Fees are based on the time required by the auditors assigned to the engagement and take into account the agreed-upon level of preparation and assistance from the company’s personnel. Fees will vary based on the number of control objectives and control activities within a service organization, whether the audit is a Type I or Type II, and the number of locations included in the audit scope. Talk to an I.S. Partners representative to discuss the scope of your company’s SSAE 18 audit.
How long does it take to complete an SSAE-18 audit?
A Type I audit typically takes from 6 to 10 weeks, while a Type II audit typically takes from 12 to 14 weeks. Depending on the unique circumstances of each SSAE 18 audit, including the client resources assisting with the project, the amount of report preparation, and the quality review process, the actual completion time may be shorter or longer than anticipated.
What is the difference between SSAE-18 and SAS-70?
One primary change is that we, as your independent service auditor, will examine the procedures your organization follows to monitor the controls of your subservice providers, and how your organization assesses the risks that may be associated with your use of subservice providers. Additionally, under SSAE 18, a service organization’s controls are designed with the assumption that subservice organizations have implemented complementary subservice organization controls that are necessary to achieve the service organization’s control objectives.
Is SSAE-18 a certification?
No such certification exists. Officially, service organizations can only claim that they have been examined in accordance with SSAE 18 attestation standards and that the corresponding Service Organization Controls (SOC) 1 report should be read for further details. SOC 1 reports are “restricted use” reports intended only for existing customers and their auditors, and not for the general public.
What is SAS-70?
SAS-70 stands for “Statement on Auditing Standards No. 70”, and was the guidance established by the American Institute of Certified Public Accountants (AICPA) for reporting on controls at a service organization. This guidance was replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16, effective on June 15, 2011.
Request a Quote

Request a Quote

Please fill out the fields below and one of our experts will contact you shortly to discuss your project and provide you with a quote.

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.