By Fairuz Rafique
In the previous blog we discussed the process an organization must execute in order to prepare for and undergo their HITRUST CSF certification. This blog will focus on the HITRUST CSF interim assessment process. The interim assessment is required for all organizations that have successfully achieved their HITRUST CSF certification. As discussed in the previous blog in this series, an organization is required to complete their assessment process successfully without exhibiting any control gaps. However, acceptable weaknesses in control implementation are tolerated during the assessment process.
These weaknesses are recorded as corrective action plans (CAPs) in the validated assessment report. To recall, there are a total of three deliverables to any organization that successfully completes the HITRUST CSF 3PAO assessment, and they include:
The HITRUST CSF Interim Assessment Process:
Unlike the actual HITRUST CSF assessment, the interim assessment is a scaled assessment. It does not incorporate the full list of the requirement statements that were applicable during the actual 3PAO-led HITRUST CSF validated assessment. Even better, the interim assessment incorporates only 19 requirement statements, one per control domain. These 19 requirement statements are randomly picked for you within the myCSF portal. If you are wondering what the myCSF portal is, you can refer to my previous blog for a brief overview or listen to our recent webinar for a deeper dive.
Let’s dive in. The HITRUST interim assessment process at a high level consists of a total of 8 steps. Here’s an illustration that outlines these 8 steps with brief details:
Step 1: Selecting a 3PAO
Similar to when you were seeking an accredited HITRUST 3PAO, you’ll have to decide whether or not to go with the same 3PAO you partnered with during your HITRUST CSF validated assessment process. Once again, your 3PAO will perform review and assessment activities similar to those you encountered during the validated assessment process.
Step 2: Update scoping questions
If you were part of the HITRUST CSF assessment process, you are well familiar with the myCSF portal. The myCSF portal is also central to the interim assessment process. Once you log into the myCSF portal, you’ll have to make any adjustments to risk factors and other attributes about the assessment object that may impact the scope.
Step 3: Review Updates to Questionnaire
When you initiate a HITRUST interim assessment in your myCSF portal, you will be presented with a few questions so that the myCSF tool can determine whether or not changes need to be made to the assessment object, and whether changes will need to be made to your organizational details previously defined during the HITRUST CSF validated assessment.
Step 4: Responding to Requirement Statements
You’ll be required to respond to a total of 19 requirement statements during your interim assessment, and these 19 requirement statements will be picked at random for you by the myCSF tool. For each requirement statement you will have to provide sufficient evidence and artifacts that back up your response. This will require you to provide scan results, screenshots, and other pertinent documentation that will serve as proof of your response.
Step 5: Determine Changes to Scope
At this point of the interim assessment, the 3PAO will begin to determine changes to the scope within your assessment object since you received your HITRUST CSF certification. Changes to the scope will be determined by a few factors, such as:
Step 6: Test Requirement Statements
This is another step in the process that is solely the responsibility of your 3PAO. The 3PAO will send their consultants to your offices to perform three activities that are pivotal to the interim assessment process. These activities are performed to ensure that the 19 requirement statements that were required for the interim assessment are being adequately fulfilled by your organization, and include:
Step 7: Review CAPs
This is the last step of the interim assessment that’s the sole responsibility of the 3PAO. The 3PAO will also review your CAPs and determine whether or not sufficient progress has been made. This indicates that your organization has been actively working to improve any cybersecurity weaknesses identified during the HITRUST CSF validated assessment. The key point here is that you will need to exhibit sufficient improvement for all of your CAPs. Keep in mind, if you fail to exhibit adequate improvement towards your CAPs, your HITRUST CSF certification may be revoked.
Step 8: Interim Review Letter Issued
Once your 3PAO has reviewed your improvements and deemed them satisfactory, HITRUST will issue you a letter indicating continued certification. Keep in mind, you are required to undergo the interim assessment on a yearly basis.
EmberSec (A Division of By Light Professional IT Services, LLC) is an accredited HITRUST CSF 3PAO. We have a proven history of successfully partnering with clients as their HITRUST CSF 3PAO in performing their validated assessment and annual interim assessment.
In each case, our clients were able to successfully:
We will be happy to extend this insightful leadership to your HITRUST CSF certification objectives as you seriously consider taking your cybersecurity program to the next level.