Learning how to provide compelling HITRUST evidence
Once your organization has collected timely and concise evidence to demonstrate HITRUST compliance, the information must be provided to your HITRUST External Assessor Organization.
Create a clear and detailed document that explains how each control is implemented within your organization. This document should align with the specific information request since one information request may support several HITRUST requirement statements.
Screenshots illustrate firewall configuration settings, encryption configurations, cloud settings, policy availability, and more. Images are important evidence; however, I prefer to see them embedded in a PDF with text describing the images, especially when there is a series of images. Ensure that the evidence is accompanied by any necessary explanations, clarifications, or context to help the assessor understand the significance and relevance of the evidence presented. Often two screenshot images from a landscape monitor, each with a description, will not fit on a portrait page; a landscape page may instead maximize the image, improving clarity for the external assessor. In addition to the image descriptions, the text of the information request could be placed in searchable form above the image. Ask yourself: would I be happy to assess this evidence? Would someone outside my department understand what is being expressed?
A population of current users may be used in the Information Protection Program, Endpoint Protection, Password Management, Access Control, Education, Training and Awareness, Physical & Environmental Security domains, and others. If the evidence request, or information request list item, has a unique identifier, that is a great piece of information to use at the beginning of the file name. This makes the files line up in order in a directory and makes it easy to link the file multiple times once uploaded to the HITRUST MyCSF interactive portal. As an External Assessor, if the evidence request item is #301 I would rather see a file named “r301 current users.csv” than “list.csv”.
Policy and procedures documents should be provided to the External Assessor in a searchable format. These documents should serve as a detailed guide for understanding the implemented security measures and the approach to risk management. The External Assessor will likely need to search an entire document for the evaluative elements described in the requirement statement. If the element covered by the document uses different verbiage or would be difficult to search quickly, a separate document describing the location of the section addressing the requirement statement, possibly with a screenshot of the paragraph, is extremely helpful to the External Assessor.
Open-source or non-proprietary file extensions are usually preferred:
- PNG for large org charts, flow charts, and network diagrams
- PDF for documents and collections of screenshots
- CSV for exported lists
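The naming convention and the preferred-format list above are easy to enforce before an upload batch goes to the assessor. The following Python script is an added example, not code from the original post or from risk3sixty; it assumes the file name starts with "r" followed by the request number and a separator, as in the post's "r301 current users.csv" example (the separator rule and the sample file listing are my own constructions), and it flags files that lack an identifier prefix or use a format outside PNG, PDF and CSV.

```python
import re
from pathlib import PurePath

# Preferred, non-proprietary formats named in the post.
PREFERRED_EXTENSIONS = {".png", ".pdf", ".csv"}

# Assumed naming convention: "r" + request number + space/underscore/hyphen,
# e.g. "r301 current users.csv". The "r" prefix follows the post's example;
# accepting "_" or "-" as the separator is an assumption of this script.
REQUEST_ID_RE = re.compile(r"^r(\d+)[ _-]", re.IGNORECASE)


def parse_request_id(name):
    """Return the request number from a file name, or None if the prefix is missing."""
    match = REQUEST_ID_RE.match(name)
    return int(match.group(1)) if match else None


def build_name(request_id, description, ext, width=0):
    """Build a name such as 'r301 current users.csv' from its parts.

    width > 0 zero-pads the number (e.g. r0301) so that directory listings
    sorted as text stay in numeric order once request numbers differ in length.
    """
    desc = re.sub(r"[^A-Za-z0-9 ]+", " ", description).strip().lower()
    desc = re.sub(r"\s+", " ", desc)
    ext = ext if ext.startswith(".") else "." + ext
    return f"r{str(request_id).zfill(width)} {desc}{ext.lower()}"


def review_evidence_names(names):
    """Group evidence files by request number and list problems to fix before upload.

    Returns (by_request, issues): by_request maps request number -> sorted file
    names; issues is a list of (file name, problem) tuples.
    """
    by_request = {}
    issues = []
    for name in names:
        request_id = parse_request_id(name)
        ext = PurePath(name).suffix.lower()
        if request_id is None:
            issues.append((name, "no request identifier prefix"))
        else:
            by_request.setdefault(request_id, []).append(name)
        if ext not in PREFERRED_EXTENSIONS:
            issues.append((name, f"non-preferred format {ext or '(none)'}"))
    for request_id in by_request:
        by_request[request_id].sort()
    return dict(sorted(by_request.items())), issues


# Constructed sample directory listing for demonstration only.
SAMPLE_NAMES = [
    "r301 current users.csv",
    "r301 admin group members.csv",
    "r117 firewall rules.pdf",
    "list.csv",
    "r117 network diagram.vsdx",
]

if __name__ == "__main__":
    grouped, problems = review_evidence_names(SAMPLE_NAMES)
    for request_id, files in grouped.items():
        print(f"request {request_id}: {files}")
    for name, problem in problems:
        print(f"fix before upload: {name}: {problem}")
```

Run the script over a real directory by replacing SAMPLE_NAMES with `os.listdir(path)`; each reported problem is a file the assessor would otherwise have to ask about, and a file that belongs to several requirement statements still only needs one well-named copy in MyCSF.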
Maintain regular and transparent communication with the assessor throughout the evidence delivery process and respond promptly to any queries or requests for clarification.
As you know, compiling evidence of HITRUST compliance creates additional sensitive information that should be protected when stored and transmitted. When sending your evidence files from your organization to your HITRUST External Assessor Organization, be sure to use a cryptographically protected transmission method such as encrypted email or, better yet, a GRC system such as Phalanx powered by risk3sixty. Evidence in Phalanx GRC is saved in an encrypted directory linked to the requirement statement and limited to entity users and only risk3sixty assessors assigned to the assessment.
Would you like to learn more about how to provide useful evidence for your HITRUST-validated assessments? Please get in touch with risk3sixty for help.