The HITRUST CSF Assessment Process and Beyond

by Sarah Harvey / August 25th, 2017

What is the HITRUST Maturity Model?

So far in this webinar series, you’ve learned who HITRUST is, what the HITRUST CSF is, how to scope your environment, and which risk factors affect your defined scope. In this webinar, Jessie Skibbe outlines HITRUST’s Maturity Model for control scoring, the assessment process, report options and timeline projections, and some strategies for maintaining compliance.

HITRUST Maturity Model

You will be required to score your organization’s compliance with each control according to the HITRUST Maturity Model. The model provides assurance that each control in the HITRUST CSF has been properly implemented and remains effective over time. It is divided into five levels that together form a continuous improvement cycle; the intent is to avoid the practice of “implementing and forgetting.” The five levels of the HITRUST Maturity Model are as follows:

  1. Policy – Does the organization know what it is supposed to do? Requirements must be stated in a policy or standard and understood by the organization.
  2. Process – Also referred to as procedure. Does the process follow the policy, assign responsibility, and give further instruction for carrying out the policy? Is the process understood by those to whom it applies? Processes are necessary to ensure the control can be implemented in a repeatable and consistent way.
  3. Implemented – Has the control been implemented? Does the organization implement all elements of the specified control, and is it implemented everywhere it should be? Can it be tested? Evaluating the control’s implementation across the organization is the most common way of assessing a control’s effectiveness.
  4. Measured – Are you able to measure the performance of the control? How is the control being measured for success? Can you provide a statistical analysis? You cannot manage what you do not measure.
  5. Managed – Does the organization correct problems that are identified while monitoring the effectiveness of the control? Do you understand, and are you managing, security vulnerabilities? Are controls being adapted to emerging threats and the changing landscape? This level of maturity provides additional assurance that the control will not fail.

Strategies for Maintaining Compliance

  • Where certification is granted, it is valid for two years (24 months) from the certification date, on the condition that the interim review and continuous monitoring requirements are met.
  • The interim review is vital. It should be completed as close as possible to the one-year anniversary of the initial report date.
  • Your Corrective Action Plan should describe the specific measures that are planned to correct deficiencies identified during the assessment for validation or certification.
  • Be aware of de-certification criteria.

Listen to the full webinar to hear evaluation examples, see timeline projections, dive deeper into the HITRUST Maturity Model, and learn more about how to maintain HITRUST compliance. Contact us today to get started on your HITRUST journey.