HITRUST CSF Assurance Program Updates

October 2019

Summary

On September 3, 2019, HITRUST released three CSF Assurance Bulletins.
 
| CSF Assurance Bulletin | Advisory Type | Change | Implementation Date |
| --- | --- | --- | --- |
| HAA 2019-007: Updated PRISMA Attribute Weights | Assurance Program Methodology | The individual weights for each of the PRISMA maturity levels have been updated. | December 31, 2019 |
| HAA 2019-008: Automated Quality Checking of HITRUST CSF Assessment Objects | Quality | 30 distinct automated quality checks within the MyCSF tool are being implemented. | December 31, 2019 |
| HAA 2019-009: Updated Scoring Rubric | Assurance Program Methodology | The HITRUST scoring rubric is changing to improve usability and add clarity. | December 31, 2019 |
 
The published bulletins are available here. The changes announced in each bulletin, their benefits and their implementation dates are detailed below:
 

HAA 2019-007: Updated PRISMA Attribute Weights

Change
The individual weights for each of the PRISMA maturity levels were updated as follows:

Chart of PRISMA maturity levels
 
Benefits for organizations
This new weighting better reflects the value that each maturity level brings to an organization’s risk management stance.
 
Implementation Date
The updated weights will be effective on all validated and self-assessment objects created on or after December 31, 2019.
 
Note: Assessment objects created prior to December 31, 2019 will continue to observe the current PRISMA attribute weights. Interim assessments performed after December 31, 2019 will observe the PRISMA weights in effect at the time the original validated assessment was performed.
 

HAA 2019-008: Automated Quality Checking of HITRUST CSF Assessment Objects

Change
Over 30 distinct automated quality checks within the MyCSF tool are being implemented. Users can also run these checks manually at any time prior to submission to HITRUST.
 
Benefits for organizations
Potential issues will be identified, along with recommendations on how to address them. This will:
  • Increase the consistency and quality of the assessments through systematic checks.
  • Reduce the amount of time between submission of an assessment and delivery of the draft report.
 
Implementation Date
This change will go live in MyCSF on December 31, 2019.
 

HAA 2019-009: Updated Scoring Rubric

Change
The HITRUST scoring rubric is significantly changing. Key changes include:
  • Addition of definitions, assessment examples and guidance on important concepts.
  • Creation of scoring lookup tables for each of the five levels of HITRUST’s PRISMA maturity model.
  • Replacing qualitative terms with quantitative scoring ranges.
  • Removing ambiguous terms.
 
The updated scoring rubric is available for download at https://hitrustalliance.net/csf-assurance-related-programs/.
 
Benefits for organizations
The changes are designed to improve usability, add clarity and define maturity scoring ranges for control effectiveness.
 
Implementation Date
The updated scoring rubric will be required for assessment objects submitted and accepted on or after December 31, 2019. 
 
Note: All validated assessments that are in progress and intend to observe the old scoring rubric must be submitted and accepted by HITRUST prior to December 31, 2019. Interim assessments performed after December 31, 2019 will observe the rubric in effect at the time the validated assessment was performed.
 

CONTACT:
 
Josh Ayers
Assurance Partner, HITRUST Practice Leader
Deepak Chaudry
Advisory Director, Strategy, Technology & Transformation