HITRUST, a leading data protection standards development and certification organization, continues its commitment to improving and ensuring the quality, consistency, and efficiency of information security and privacy assessments with the establishment of a new Quality Assurance Subcommittee of its Board of Directors, release of new Assurance Advisories, and introduction of new quality verification capabilities within the HITRUST MyCSF.
The unique approach of HITRUST’s Assurance Program affords numerous oversight and quality advantages over other assurance programs and certifying bodies, most notably that HITRUST has centralized the assurance and compliance aspects of all HITRUST CSF reporting. This centralization makes HITRUST CSF Assessment Reports more consistent and more reliable than reports produced under programs that do not centralize robust reporting and review processes. Incorporating assessment requirements, assessment guidance, assessor training, the assessment platform, and automated and manual quality assurance reviews into a single holistic program across the overall assurance ecosystem yields many advantages, and it enables HITRUST to continuously monitor adherence to assessment requirements by assessed entities, assessor firms, and the HITRUST Assurance team.
Leveraging this centralized reporting and oversight enables continuous improvement to each aspect of the HITRUST CSF Assurance Program thereby increasing efficiency, integrity, transparency, consistency and ultimately the ‘rely-ability’—a term defined by HITRUST as the ability to rely upon, or trust, the information provided by another—of the HITRUST CSF Assessment Reports.
To provide additional governance and oversight of the CSF Assurance Program, a new Quality Assurance Subcommittee of the Board of Directors is being formed. This further demonstrates HITRUST’s recognition of the importance of quality and consistency.
Ken Vander Wal, HITRUST’s Chief Compliance Officer and Chairman of the new Quality Assurance Subcommittee, spoke to his new role, saying, “I view the role of the Quality Subcommittee as similar to that of an Audit Committee. It will independently review what controls and processes HITRUST has in place to ensure quality and consistency across the entire program, review metrics used by HITRUST to measure quality at every level of the process, provide feedback where changes are required, and make recommendations for process improvements when appropriate.”
Other prominent subcommittee members include Kevin Charest, Divisional Vice President and Chief Information Security Officer, Health Care Service Corporation; Robert Booker, Chief Information Security Officer, UnitedHealth Group; and Mike Calhoun, Director of Benefit Plan and Supplier Governance, AT&T. The subcommittee will be briefed on key indicators quarterly by HITRUST’s Vice President of Assurance, Bimal Sheth, and HITRUST’s Vice President of Compliance, Jeremy Huval.
HITRUST also recently released new Assurance Advisories, which introduce an updated assessment scoring rubric, updated PRISMA control maturity weightings, and a new automated quality checking capability that will be released in the HITRUST MyCSF platform. These advisories are based on analysis of, and feedback on, the areas where HITRUST’s assurance process can be improved.
- HITRUST’s scoring rubric assists organizations and their assessors in determining assessment scoring levels. The rubric’s recent enhancements bring improved usability, added clarity, and better harmonization with HITRUST’s Risk Analysis Guide. Key changes include definitions for assessment terminology, assessment examples and guidance, and a scoring lookup table for each of the five levels of HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured, and Managed).
- The PRISMA maturity model’s updated point weightings better reflect the value that each maturity level brings to an organization’s risk management stance. The increased weighting of the Implemented level, which is now worth twice as much as any other single level, aligns with the priority that mature organizations place on the implementation and operation of controls relative to the other maturity levels.
- The use of quality-focused analytics reflects HITRUST’s ongoing commitment to innovation. Dozens of automated routines will help identify potential issues before an assessment is submitted. Potential scoring inconsistencies, compliance gaps, and commenting issues will be brought to the attention of organizations and their assessors before the assessment is submitted to HITRUST for assurance review. This automation also equips HITRUST to perform Quality Assurance checks in a more timely manner, reducing the lead time between assessment submission and report issuance.
To read more about the newly implemented Assurance Advisories, visit https://hitrustalliance.net/csf-assurance-bulletin/.
Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks as well as related assessment and assurance methodologies.
For more information, visit www.hitrustalliance.net.