Improving Your HITRUST Scores
A HITRUST Validated Assessment Report not only shows your clients that you are committed to the protection of their confidential information, but also allows them to see how you compare to other organizations. Each report includes the Controls by Assessment Domain Report which compares your results to the average results for each control domain, and also includes your overall rating for each domain.
No one wants to appear below average to their client so you might be wondering how you can increase your control maturity to improve your scoring. In this overview we will offer some options for increasing your control maturity.
Controls by Assessment Domain – Company X
Measured and Managed
During your first assessments you and your External Assessor probably focused on making sure you achieved full maturity scores for you Policy, Process and implementation. As you focus on improving your scores to help you meet or exceed the Validated Assessment Average one area where you may have an opportunity for improvement is in your Measured and Managed scores.
In September of 2019 HITRUST provided detailed guidance on achieving control maturity for Measured with the updated Control Scoring Rubric as shown below. The updated rubric bases the score on the combination of the measurement strength and coverage. The measurement strength is a combination of who performs the measurement and the metrics established for the measurement. The coverage is defined as the percentage of CSF policy elements addressed by the measurement.
HITRUST Measured Scoring Rubric
A measurement should be a standard used to evaluate and communicate performance against expected results (measures are normally quantitative in nature capturing numbers, dollars, percentages, etc., but can also address qualitative information such as customer satisfaction; reporting and monitoring measures help an organization gauge progress toward effective implementation of strategy). HITRUST has stated that documentation for your measurement must meet the following criteria:
- Address the control operation,
- Performed at appropriate frequency, and
- Include the following documentation:
- What is measured?
- Who is responsible for measurement?
- How the data to be measured was recorded?
- How the measurement is performed?
- How often and by whom is the measurement reviewed?
The metric is a quantifiable entity that allows the measurement of the achievement of a process goal. Your metrics should be SMART – Specific, Measurable, Actionable Relevant, and Timely. HITRUST also indicated that metrics should be tracked over time, and have explicitly stated, established thresholds or targets.
Reviewing the scoring rubric above, you can see that if you have an independent measure that covers all the policy requirements you will be “Partially Compliant” resulting in 50% of the available points being awarded. If that independent measure includes a metric you could be Fully Compliant and receive all of the available points.
Independent measures must be done by someone who is not influenced or controlled by the person or entity who owns the control being measured. An independent measure can be performed by an internal resource, such as Internal Audit, or an external resource such as professional services organization.
External assessments, such as PCI assessment, may be used as evidence of an independent measure as long as the control reported in the external assessment maps exactly to your HITRUST MyCSF Control. However, most external assessments would not include a metric so an external assessment alone may not make you fully complaint with the measurement requirement for that control.
Your managed score is based on a combination of the strength of the risk treatments and the frequency of application of the risk treatment. Risk treatment options can include avoidance, transference, acceptance or addressing identified risks.
HITRUST Managed Scoring Rubric
The risk treatment should be based on the results of the measurement and be formally documented. HITRUST has indicated your documented risk treatments should include the following:
- Evidence of the initial involvement of an appropriate level of management or a defined escalation or review process to be observed if/when the appropriate level of management is not initially involved,
- A defined mechanism to track issues, risks, and risk treatment decisions, and
- Evidence the cost, level of risk, and mission impact are considered in risk treatment decisions.
While demonstrating an undocumented risk treatment to your assessor will still provide evidence of management it will limit you to being scored as Somewhat Compliant and receiving only 25% of the available points. Development of formal documented risk treatment plans will allow you to increase your score maturity.
HITRUST has indicated that under no circumstances should the managed score exceed the measured score. For example, no matter how well-crafted your risk treatment plan is if your measurement score only supports an operational measurement without a metric you will only receive a Somewhat Compliant score for managed.
In September of 2019 HITRUST announced an update to the CSF Assurance Program which allows External Assessors to place reliance on the work of “Internal Assessors”. Internal Assessors are Certified CSF Practitioners (CCSFPs) who have a position within the organization to be objective of the controls and processes being assessed. Your Internal Assessors can either be employees of your organization, such as Internal Audit, or you can co-source or outsource this function to a professional service firms. Your Internal Assessors function must consist of at least 2 people who will have CCSFP certification prior to the start of any internal HISTRUST CSF procedures and have at least 2 years of relevant experience.
The benefits of the Internal Assessor program include:
- Increased Efficiency – Internal Assessors can leverage their existing knowledge of your control environment to help complete your assessment in a more efficient manner.
- Flexibility – Working with your External Assessor the organization can decide which controls would best be tested by Internal Assessors and which would be tested by the External Assessor.
- Potential Cost Savings – Internal Assessors can perform up to half of the control requirements in your assessment resulting in savings on External Assessor costs.
Additionally, the Internal Assessor program has the potential to reduce the operational impact of your HITRUST assessment by extending the testing period. Internal Assessors can begin testing 90 days before the start of your HITRUST Assessment period which will allow you to more efficiently schedule your testing to minimize the impact on your normal operations.
Internal Assessor Testing Timeline
In addition, to assistance with the Validated Assessment your Internal Assessor program can also provide you with evidence of an independent measure of your controls by performing periodic testing of the control. As discussed above, having periodic measurements of a control by an independent assessor can increase your control maturity and the inclusion of an established metric could result in being Fully Compliant and receiving all points for your measurement. The development of responses to the findings of your Independent Assessors will also help you increase your managed scores.
Organizations should consider implementing some form of independent measurement of their control compliance either via an Internal Assessor, Internal Audit or outsourcing to a professional services firm to help them meet the HITRUST criteria for Measured and Managed. A robust program for measuring compliance and managing exceptions will increase your score maturity and help you move into the above average category when compared to you peers.
CompliancePoint’s CCSFP personnel can assist you with establishing an internal function or performing periodic measurements and documenting your management responses to help you meet the HITRUST standards. For any questions regarding our services, please feel free to reach out to us at firstname.lastname@example.org.