Evidence gathering is one of the biggest tasks your organization will undertake during your HITRUST validated assessment.
Certainly, evidence gathering is nothing new in audits, but supplying the volume of evidence required for HITRUST CSF® Certification will be new to many organizations. You will need evidence to support every single requirement and for each maturity aspect being covered.
For example, if your assessment scope consists of 300 requirements — and those requirements are being scored for policy, procedure and implementation — you will need, at a minimum, 900 evidence references.
One other important thing to note about evidence gathering is that you are ultimately responsible for identifying the evidence needed to support the scores you assert during an assessment. This differs from other types of assessments and audits, where an auditor often supplies a clearly defined evidence request list. The reason is that a HITRUST assessment is not pass/fail; there are different levels of compliance based on the scoring, and only you know which evidence supports the score you have claimed.
Another difference between HITRUST and other audits is that HITRUST consists of requirements rather than controls. It is the client who chooses the controls that address each requirement, so for some requirements there may be significant variability in the controls implemented from one organization to the next.
Although this may seem overwhelming to you now, your HITRUST External Assessor can offer different tips to help guide you through the process. Ultimately, you will need to set your own scope and collect your own evidence to support your self-assessed scores, but you can ask your assessor questions along the way.
How to prepare ahead of your assessment
Collecting evidence throughout the year will be critical once you begin the two-year cycle of HITRUST recertification, as it will help you stay organized and save time. But organizations that are about to undergo their first HITRUST validated assessment can also benefit from this best practice.
Once your assessment is set up in MyCSF®, your first action is to review the requirements and associated illustrative procedures (IP) and ensure you understand what HITRUST is actually asking for. In some cases, it may not be obvious, so you should seek out the help of your external assessor or HITRUST itself for answers.
But no matter when your assessment actually begins, start collecting evidence now. Look at the requirements that have been assigned and then determine what evidence will be required to show compliance. Store evidence in categorized folders or using a program (such as a GRC tool) that can organize items.
By doing so, you’ll save time during your assessment — when you’ll be trying to coordinate with all the different subject matter experts and gather what you need — because you’ll already have the evidence available. This can also be helpful to use during interviews with your external assessor, as you can obtain feedback on how well the evidence collected meets the requirement’s IPs before the testing actually begins.
What to do in your readiness phase
Set expectations: Make sure your internal team — including your subject matter experts who own the different requirements — are a part of the evidence-gathering and scoring processes. Don’t rely on just one person to run point on the overall HITRUST certification project, either, as they will not have all the information necessary. Subject matter expert involvement is critical.
Sample-based testing: Many of the IPs call for sample-based testing, so be prepared to provide population lists from which a sample will be selected. The populations that will be needed are tied to what is identified as part of the scope of the assessment. This could include workstations, servers, incidents, etc. A tip we have is to export the assessment requirements and IPs into a tool such as Excel and use conditional formatting (or a filter) to highlight the phrase "sample of." Wherever that phrase appears, the same IP also identifies specifically what the sample is to be drawn from.
Policy and procedural documentation: The purpose of a policy is to document management’s expectation on what the rules are within the company or what controls (technical, physical and organizational) are required to be in place within an environment. A procedure documents how the rule or control is put into place. Put simply, a policy is a statement, and procedures are detailed instructions. Very commonly, these are not the same documents for a single requirement.
Also, policy and procedural documentation alone will almost never satisfy an implementation requirement. You will also need evidence that shows a requirement has actually been implemented. For example, if a requirement is about a password reset procedure, providing only a help desk instructional document won't be sufficient. You will also need to provide help desk tickets showing that help desk employees are actually using the documented procedure.
Policy and procedure requirements: In addition to understanding what the IPs are, you'll also need to understand and comply with the criteria for each maturity level as defined by the HITRUST scoring rubric. At a high level, the rubric's criteria for policy and procedure look for evidence that answers the following questions:
- Do the policy and procedure documents outline who is responsible for implementing the controls within an environment and list specifically what they need to do?
- Has management officially approved the documents?
- Have the documents been communicated to the relevant employees?
So, in addition to ensuring all of the required content of the IP is included, to get full scores for policy and procedure you must also produce evidence that answers these three questions. Review the scoring rubric before your assessment begins so you understand the methodology and how to actually score yourself.
Read more — HITRUST scoring 101: How scoring works and how to self-score
Crosswalks: Once you are comfortable with what is needed for an assessment, the next task is keeping it all organized so the information can be presented effectively. The two most effective ways we have found to do this are to create a crosswalk matrix or to make notes directly in MyCSF. Within the MyCSF tool, there are two places where notes can be made at the requirement statement level: the "subscriber comments" field or the "diary entry" feature. With either method, be sure to note the name of the evidence you have identified for each maturity aspect of a requirement. One way to build a crosswalk is an Excel spreadsheet with the requirement statement in the first column and the evidence location in the second, with a row (or column) per maturity aspect. With this crosswalk, if an external assessor asks a question, you can point directly to the evidence they are seeking.
What to do during your assessment
Interviews and collecting evidence: When collecting evidence consisting of screenshots, be sure to capture the date on which the screen is being captured. The easiest way to do this is to include the computer clock in the capture. On a PC, it is in the lower right-hand corner; on a Mac, it is in the upper right-hand corner. Remember to capture both the time and the full date (xx/xx/xxxx), not just the time, and configure the clock display to show the date if it does not already.
For other types of evidence, such as reports, graphs or spreadsheets, ensure there are dates on the documents. The date might be a "creation" or "last revised" notation. Also check that the dates fall within the testing period or within the specific parameters the HITRUST requirement sets for the evidence. For example, if the requirement states that you must review system accounts every 60 days, the evidence you provide should be a report of a review performed within the last 60 days, not one from outside that window (e.g., from two years ago).
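The crosswalk described under "Crosswalks" above and the date checks in this section can be combined into a simple self-check before evidence is uploaded. The script below is an added example, not part of this article or of any HITRUST or MyCSF tooling: it reads a small crosswalk kept as CSV (one row per requirement and maturity level, with the evidence file name, its date and an optional review interval in days), reports requirements that lack an evidence reference for one of the three maturity levels, and flags evidence dated outside the testing period or older than its review interval. The requirement IDs, file names, dates and column names are constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# The three maturity levels a requirement statement is commonly scored on
MATURITY_LEVELS = ("policy", "procedure", "implemented")

# Constructed sample crosswalk. Requirement IDs, file names and dates are
# hypothetical; a real crosswalk would carry the MyCSF requirement statement IDs.
SAMPLE_CROSSWALK = """\
requirement,maturity,evidence,evidence_date,review_interval_days
REQ-01,policy,Access Control Policy v3.pdf,2024-01-15,
REQ-01,procedure,Account Review SOP.docx,2024-02-02,
REQ-01,implemented,Q1 system account review.xlsx,2024-03-10,60
REQ-02,policy,Password Policy v2.pdf,2024-01-15,
REQ-02,implemented,Help desk password reset tickets.csv,2022-05-01,
"""


def load_crosswalk(text):
    """Parse the CSV crosswalk into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def missing_evidence(rows):
    """Map each requirement to the maturity levels that have no evidence reference."""
    covered = {}
    for row in rows:
        covered.setdefault(row["requirement"], set()).add(row["maturity"])
    gaps = {}
    for requirement, levels in covered.items():
        missing = [level for level in MATURITY_LEVELS if level not in levels]
        if missing:
            gaps[requirement] = missing
    return gaps


def stale_evidence(rows, period_start, period_end, as_of):
    """Flag evidence dated outside the testing period, or older than its review
    interval when measured back from as_of (the date the evidence is presented).
    Returns (requirement, maturity, evidence, reason) tuples."""
    findings = []
    for row in rows:
        evidence_date = date.fromisoformat(row["evidence_date"])
        if not (period_start <= evidence_date <= period_end):
            findings.append((row["requirement"], row["maturity"], row["evidence"],
                             "dated outside the testing period"))
            continue
        interval = row["review_interval_days"]
        if interval and as_of - evidence_date > timedelta(days=int(interval)):
            findings.append((row["requirement"], row["maturity"], row["evidence"],
                             f"older than the {interval}-day review interval"))
    return findings


def check_crosswalk(text, period_start, period_end, as_of):
    """Run both checks; the three dates are ISO strings such as '2024-01-01'."""
    rows = load_crosswalk(text)
    start, end, today = (date.fromisoformat(d) for d in (period_start, period_end, as_of))
    return missing_evidence(rows), stale_evidence(rows, start, end, today)


if __name__ == "__main__":
    gaps, stale = check_crosswalk(SAMPLE_CROSSWALK, "2024-01-01", "2024-03-31", "2024-06-01")
    for requirement, levels in gaps.items():
        print(f"{requirement}: no evidence recorded for {', '.join(levels)}")
    for requirement, maturity, evidence, reason in stale:
        print(f"{requirement} ({maturity}): {evidence} is {reason}")
```

On the sample data this reports that REQ-02 has no procedure evidence, that the REQ-01 account review report is older than its 60-day interval as of 1 June 2024, and that the REQ-02 ticket export predates the testing period. Run it against your own crosswalk before each evidence submission so gaps surface before the assessor sends the requirement back.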
Interviews with your HITRUST external assessor: During these interviews, be sure to take good notes on what the assessor will look for on each requirement. Be sure to associate the information to the specific requirement rather than just taking general notes (this would be a good place to use a crosswalk or the MyCSF comment field as mentioned above).
If a talking point or request is not clear, ask as many questions as necessary. It’s much easier to answer these questions during a live discussion than over emails or messages through MyCSF.
Also, make sure to have the right subject matter experts on the call to ensure there is coverage of requirement owners for the entire scope.
Additional evidence: During the assessment, your external assessor will send back requirements if additional evidence is needed. Be sure to fully read the assessor’s comments and requests, and answer all of their points. Being incomplete in your reply will likely impact the duration of testing for your assessment.
If your assessor provides evidence request lists, ensure you understand the requests. Ask clarifying questions as needed.
Scoring: Our last tip is to be realistic in your scoring. It’s okay to not be 100% compliant for every single requirement. HITRUST CSF® certification is not pass/fail. You can be at 50% or 75% for a number of requirements and still achieve certification. When there are requirement statements that you can’t find good evidence for, those scores will be lower.
With scoring, ultimately, your external assessor will review your scores against the evidence you provide, and if they have to send many requirements back because the scores do not appear accurate, it will increase the time and level of effort for the assessment. This could end up costing you more money for the extra assessor effort. Being realistic in your scoring can actually deliver savings.
Wipfli can help
Questions about your upcoming HITRUST validated assessment or how to achieve HITRUST CSF Certification? We can help. A HITRUST External Assessor since 2013, Wipfli has completed over 100 HITRUST assessments. Click here to contact us or to learn more.