What Evidence Does Your HITRUST Assessor Expect When a Control Does Not Operate

HITRUST High Growth Tech Blog

Hopefully, your organization did not need to discipline any users for security policy violations, experience a security incident, disclose covered information to law enforcement, or store covered information unencrypted this past year. If that is the case, what type of evidence should you present to your HITRUST External Assessor Organization?

For a zero population of events related to a requirement statement, I request an email from the security officer, compliance director, or manager leading the validated assessment for the assessed entity confirming that a particular event did not occur during the assessment period. This provides a management assertion that the control did not operate, with a time and date stamp from the email. But then what?

It’s not enough to say that things didn’t happen during the assessment period, and assessed entities should provide the training and standard operating procedures that instruct users on how to handle the situation.  Your External Assessor wants to see how the organization instructs the users to act if the control does operate.

The External Assessor would like to see the training material describing the procedure for the event.  Training material demonstrates the assessed entity’s commitment to educating staff about incident identification and reporting to reduce confusion and improve outcomes for rare situations.

The External Assessor would also like to see the process and procedural documentation describing the actions the user should take in the situation described in the requirement statement.

Additionally, if the training or procedural documents need clarification, meeting minutes and/or quarterly reports noting that the control was not needed during the period add credibility to the claim of a zero population of events.

Remember to ensure that all evidence provided is accurate, up-to-date, and relevant to the time frame of the validated assessment.

Would you like to know more about preparing training materials and standard operating procedures for rare events scored in HITRUST-validated assessments?  Please get in touch with risk3sixty for help.
