Gathering HITRUST Requirements
Organizations need to collect solid evidence of their compliance efforts. In this blog, we’ll delve into how to collect HITRUST evidence that leaves no doubt about what it looks like, providing a roadmap for organizations aiming to meet HITRUST’s stringent requirements. HITRUST evidence may take many forms, including policies, procedures, system configuration screenshots, network diagrams, audit logs, vulnerability scan reports, and other pertinent documentation. Such artifacts offer transparency and demonstrate the organization’s adherence to HITRUST requirements.
Always work closely with your HITRUST External Assessor Organization to determine which source of truth is best for the evidence. This evidence-collection process applies to all HITRUST-validated assessments. To demonstrate compliance with requirement statements, the organization must clearly show how they have implemented specific HITRUST requirements. The evidence should address the requirement statement, the measures taken to meet those objectives, and the ongoing monitoring and review processes.
Screenshots from the system of record are typical for configurations and versions of the technology, such as encryption level, but also to demonstrate how a report was configured for an exported list. I prefer to see a series of screenshots answering a particular requirement statement pasted into a single document with searchable descriptions written for the images. This document should feature the system or application’s name, the configuration screenshot’s time and date, or the report generation window with report criteria (e.g., date range: July 1st, 1900 – June 30th, 1901). Please think about what the screenshot will look like, pasted into a document and on a standard-sized monitor. The information security and security operations center team may work on a 36” or larger monitor, but your External Assessor may not. The active window of the system of record could be resized into the quadrant featuring the time and date of the host system. Please confirm the elements are legible after capturing and pasting the screenshot into a document. Accuracy here is important, as any inconsistencies or inaccuracies could undermine the credibility of the evidence. Double-check the documentation and conduct internal reviews with subject matter experts.
Report output lists are typically generated as a comma-separated value (CSV) file that the External Assessor will export to an interactive spreadsheet (e.g., Excel, Google Sheets, etc.) to make random sample selections, sort categories, or filter for content. A report output list in a screenshot is useless and will cause more work for the External Assessor and your team to recreate the report. Confirm the assessment period (start and end date) for report output lists with your External Assessor.
If you have a challenge collecting evidence from a system, exporting a report, or selecting a screenshot to demonstrate compliance in a system, contact the vendor. Your vendors know the top two reasons your organization employs their system are to protect the asset and provide evidence in a security assessment.
Timeliness is a crucial aspect of good HITRUST evidence. HITRUST requirements must be timely and representative of the current and recent operation of the control during the assessment period. Regular updates and reviews of evidence ensure it remains relevant and accurately reflects the organization’s security practices.
Improving the detail and clarity of HITRUST requirements may take a little longer but will likely streamline other compliance efforts with clear evidence for PCI-DSS, ISO 27001, and SOC 2 reporting. Once a configuration document with screenshots is completed, it can serve as the basis for a standard operating procedure and training material for new team members.
Providing HITRUST evidence is not merely about ticking boxes; it requires compelling evidence of compliance. Good HITRUST evidence includes comprehensive documentation, consistency, accuracy, detailed control implementation, supporting artifacts, industry best practices, ongoing monitoring, third-party validation, and timeliness.
Would you like to learn more about how to collect quality evidence for your HITRUST-validated assessments? If you need assistance, please reach out to risk3sixty.