Episode 4 – How are HITRUST Controls Scored? The HITRUST CSF Maturity Model

by Joseph Kirkpatrick / August 11th, 2017

Whether you are doing a HITRUST CSF Self-Assessment or Validated Assessment, you will be required to score your organization’s compliance with the controls according to the HITRUST Maturity Model. For organizations familiar with the Plan, Do, Check, Act model – a cycle which starts with direction and tone from the top and used as a template for continuous improvement – you will find similarities within the HITRUST Maturity Model and scoring system. This model acts as assurance that each control in the HITRUST CSF has been properly implemented.

The HITRUST CSF Maturity Model

The Maturity Model used by the HITRUST CSF is categorized into 5 steps. This model is to be a continuous improvement cycle, implemented by all organizations seeking to comply with the HITRUST CSF. These steps are as follows:

1. Policy – Does an organization know what it is supposed to do? Are the requirements stated in the policy understood by the organization? Are the appropriate implementation requirements listed in the policy? Is the policy communicated to all employees who need to know?
2. Process – Also known as procedure. Does the organization know how to do what it is supposed to do? Does the process follow the policy, assign responsibility, and give further instruction for carrying out the policy? Keeping the implementation requirements in mind, are they documented within the process? Is the process understood by those who it applies to?
3. Implemented – Has the control been implemented? Does the organization implement all elements of a specified control and is it implemented everywhere it should be implemented? Is the intent of each control being met and followed? Can it be tested?
4. Measured – Are you able to measure the performance of the control? How is that control being measured for success? Can you provide a statistical analysis? Are threats being continuously re-evaluated?
5. Managed – Does the organization correct any problems that are identified while monitoring the effectiveness of the control? Do you understand and are you managing security vulnerabilities? Are controls being adapted to emerging threats and the changing landscape?

While 75% of your score comes from Policy, Process, and Implemented, assurance that the control with continue to be effective is indicated by Measured and Managed. This model should be a cycle of continuous improvement and the core functionality of a successful information security management system. This model is used by HITRUST and by CSF Assessors to assess your overall compliance with each objective in the HITRUST CSF. To obtain certification, you must receive a 3+ or a 3 with a corrective action plan in each of the assessment categories.

How are HITRUST Controls Scored?

During the assessment process, how do you select the right score? It is important to understand how the controls are scored and how the calculation works. The HITRUST scoring process uses a compliance scale consisting of the following:

• Non-Compliant (NC)
• Somewhat Compliant (SC)
• Partially Compliant (PC)
• Mostly Compliant (MC)
• Fully Compliant (FC)

As you work through the many implementation requirements, you will ask yourself, “Am I somewhat compliant with this control based on the calculation?” “Am I fully compliant?” Your scores will determine whether you are compliant with the HITRUST CSF. For help with your HITRUST CSF compliance journey or information security management system, contact me today at s.morris@3.95.165.71.

Hi, this is Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice. Thank you for joining us today! We’re continuing on in our video series for navigating HITRUST CSF compliance. This is video #4 in our series. Just to take you back very briefly on where we’ve been so far – we’ve talked about who HITRUST is and a high-level overview of what the CSF is and why it was developed. We’ve also talked about the controls, how they’re made up, and how to apply them to your organization based on the risk factors involved, and how to apply the levels. We also talked about, in our last video, the assessment types and the report options. That’s all leading you to where we are today. Today’s discussion is going to be about the scoring mechanism and how the controls are scored.

Whether you’re doing a Self-Assessment or a Validated Assessment, you must score your compliance with the controls according to the Maturity Model. This makes sense knowing that the CSF was developed based on ISO principles. If you’re familiar with the “Plan, Do, Check, Act” model, which starts with direction and tone at the top, what’s implemented, and then continuing that cycle of improvement by monitoring and acting on those controls in motion. In the Maturity Model scoring that’s used by HITRUST and the CSF for either a Self-Assessment or a Validated Assessment, there are 5 areas, beginning with policy. Policies, Process (Procedures), Implemented, Measured, and Managed – those are the 5 different areas.

We’re all pretty familiar with policies. “Are there requirements stated in the policy or standard that are understood by the organization?” In this situation, what you’re doing is you’re looking through the CSF and you’re looking for those implementation requirements. As an assessor, we’re looking for if it’s listed in a policy and if it’s communicated with employees who need to know. The second area, which involves process/procedures, follows those policies. They assign responsibility and they give further instruction on carrying out that overall policy. Taking those implementation requirements in mind, you’re going to want to know if they’re documented within the procedures, or if that procedure is understood by those that are responsible for following that procedure.

We’re also testing to see if that control has been implemented. Taking into consideration, again, those implementation requirements, part of our testing as an assessor or part of your internal testing during a Self-Assessment is measuring out: is that implemented? Is this control and the intent of the control being followed? Can it be tested? Can it be tested for operational effectiveness? Again – Policy, Procedures, Implemented. These 3 areas make up about 75% of the overall score. HITRUST realizes it’s very much a “walk before you run” scenario. In the Maturity Model, as far as achieving certification goes, these are the 3 most important areas to make sure are in place for every control. The other 2 that make up the other 25% of the 100% of the score are Measured and Managed. Measured meaning can you put some sort of statistical analysis, can you use a calculation to measure the performance of that control. Again, taking into consideration the implementation requirements, how is that control measured? How is it being measured for success? You obviously can’t really manage something unless you have a measurement system to tell how it’s reacting, so Measured and Managed very must go together. Managed meaning are you taking that feedback from your measurement, are you actually acting upon it, are you making improvements. Again, this very much follows along the lines of the “Plan, Do, Check, Act” model. It’s a cycle of continuous improvement. It’s the core functionality of an effective security management system. This is the model that HITRUST utilizes and we as assessors use to manage your overall compliance with that control objective.

One of the most important things to understand, and I think this is missed when you first download the CSF initially and it’s your first take at looking at it, is that you really don’t know or have an understanding of how controls are scored. I want to walk you through that today because if you’re going for the Validated Assessment, this is what the assessor is going to be assessing you against. This is what will dictate whether or not you are certified. In order to achieve certification, you must have a 3+ or a 3 with a Corrective Action Plan in each of the 19 assessment categories. This is something that you initially start, you evaluate yourself using the tool, and I’m going to walk you through that. The assessor comes and either agrees or disagrees with your evaluation after some testing. Then HITRUST gathers all of that information and decides whether or not you are meeting compliance and can achieve certification. That, from a high-level, is how that works.

To dig in deeper to how the controls are actually scored, I’ve presented you with this graphic. This happens behind the scenes when you’re working in the MyCSF tool, but I think it’s important to understand how the calculation works. If you’re reading through all of the implementation requirements, you have to understand if you’re somewhat compliant with X control based on the calculation, or if you’re fully compliant with X control. There’s a lot of different categories and areas in which you’re scored. Just stepping through this, we have across the top: Policy, Procedures, Implemented, Measured, and Managed. It’s really important to understand that 75% of your overall score, meaning 75% of that total that goes towards that 1-3 rating, comes from Policy, Procedure, and Implemented. That’s because the most important thing in this “walk before you run” scenario that HITRUST has in place, is that it’s in a policy, it’s in a procedure, people know how to do it, and it’s fully implemented, meaning it can be tested to prove effectiveness. Measured and Managed are more for those mature organizations that have systems in place to measure the performance of a control. Think about internal audit, think about gathering statistics, vulnerability scanning, think about antivirus, think about ways that you can apply a statistical analysis to how effective a control is. Maybe it’s, “Every time I test it, it’s 90% effective.” Maybe it’s, “Every time I test it, it fails 30% of the time.” Whatever that measurement is, think about Measured as the testing and monitoring of controls. Managed is really taking those measurements and making changes to your environment based on that statistical analysis. It’s that continuous cycle of improvement. It’s about Policy, Procedure, Implemented, and then measuring it and managing it from a monitoring standpoint. Again, across the top you’re looking at Policy, Procedures, Implemented, Measured, and Managed. Along those lines, you have an opportunity to receive a 0-100 score even in those categories from a subcategory level. Let’s say, for example, Policy. Your policy may consider 0% of the implementation requirements. In that case, you would receive no score for that particular item. But, for example, if you had some of the CSF implementation requirements being met or there’s some sort of ad hoc way of testing and understanding of that, you may be able to achieve 75% in that category. As you’re answering questions in the MyCSF tool or as you’re measuring your own compliance using the HITRUST documentation, just keep in mind that this is how you’re going to be scored when you’re going for either a Validated Assessment or you’re doing a Self-Assessment evaluation. You need to know if you’re meeting the control, if you’re meeting some of the control, or if you’re meeting none of it. That’s how the scoring model works.

The important thing to take away from this is not that you’re expected to know all of these calculations that are going on behind the scenes. The point that I want to make is that if you’re a smaller organization and you don’t have a robust internal audit department or a way to effectively or cost-effectively do the measuring and managing that’s need to meet compliance 100% across the board, focus in on the Policy, Procedure, and Implementation areas. If you can show that you’re meeting 100% compliance – meaning that your policies are meeting the implementation requirements, your procedures are documented and can be understood by the employees that that are performing then, and that it can be tested for operational effectiveness – you are going to pass that control. You are going to meet compliance with that control. There is a certain percentage of Measured and Managed that should be in place in order to achieve certification, but it’s important to understand that the focus needs to be placed on the Policy, Procedure, and Implementation areas. From a smaller company perspective, even a larger company, that may not have 100% coverage of all of these controls, focusing in on those 3 key areas will help you achieve certification.

Thank you so much for joining us for this video. We hope that you found the information useful. Next up in our video series, we’re going to give you steps 1-5 of things you should do right now to get yourself on your way to HITRUST compliance or certification. We look forward to seeing you then! If you need any information right now, you can reach out to KirkpatrickPrice directly by clicking the link below. We’d love to see you at our next video!