With so many firms now engaging and embracing the methodology, how do you choose from the many HITRUST approved assessors to lead you through the process or conduct your assessment? If you are at this point, let’s explore some lessons learned about how to choose your assessor, and some ideas about how to prepare for HITRUST CSF Certification during this phase.
Choosing an Assessor that is Right for Your Organization
To start evaluating assessors, ask yourself the following questions:
How many assessments have the assessor performed, and what’s the quality?
Some assessors have performed countless assessments but may have burned out their staff, and that experience is no longer in-house. Others can count on one hand how many they have performed, but they did them well. Experience matters, but just as important is the quality of the work.
What benefit will they bring to your organization?
Is HITRUST the only offering, or do they provide other services that will add value? Understanding the full scope of solutions will help you determine whether a true partnership is realistic.
Are they a CPA firm, a security firm, or a compliance organization?
Are your goals for the assessment to be more secure, to answer a business partner requirement, or build discipline in your organization? Make sure you seek a partner that can help improve your business, consolidate assessment work, be efficient in their work, and not waste your time.
What are their credentials?
Everyone will tell you they have been doing this a long time, have the best assessors, and can get you across the finish line. But what do their references say? What positions do they hold, if any, on HITRUST councils? What evidence of assessor credentials can they give you? How many CCSFP or CHQP employees do they have (on their team, not contractors), and how long have they been there? Are their customers happy? Did they have trouble representing and supporting their work to HITRUST? Checking references on the front end will pay off in dividends in the long run.
What is the culture of the organization?
Do you like them? Do they return your phone call promptly? Can you call them, or are you directed to a website to ask questions? Do they offer to adapt to your business needs? Do they seem to oversell their capabilities or services? Finding a culture and personality fit is a crucial part of choosing your assessor. After all, you will be working with them.
Where are they located?
While the location isn’t necessarily a key factor, accessibility is. Can they offer quick access, no matter where they are? If their office isn’t local, do they understand your local market? While the location may not be the driving factor in choosing an assessor, make sure whomever you choose is able to meet your needs.
Tips for Choosing a HITRUST Assessor
There are many HITRUST assessors to choose from, and it is not practical to contact everyone. Write down your criteria, and choose deliberately. Here are some other recommendations as you begin your HITRUST Journey.
Don’t go it alone.
- Learn all you can by watching the HITRUST website videos, talking to their sales and support teams, and reading the white papers. These resources will help you identify assessors that know their material.
- Utilize your relationships and ask about their experience with their HITRUST External Assessor. Those that are certified are waiting for your call and would love to share their experience – good or bad.
- Send someone on your team to obtain the HITRUST CCSFP Certification, and leverage this credential to become an authorized HITRUST Internal Assessor. The individual should be part of a team that allows them to be competent and objective (usually an Audit or Compliance group but not required as long as competence and objectivity requirements are met). This certification can be further leveraged to lower your external assessor costs.
Pay attention to the speed and price of the audit.
Beware of anyone who says they can perform a HITRUST audit quickly (or cheaply). HITRUST is not just a stamp of approval or a nice certification to put on your website. It’s a deep dive into the entirety of your information security program.
Any organization that promises to make quick work of this substantial task is likely not being entirely truthful. In that same vein, any organization that claims to be able to complete this process cheaply is throwing a red flag.
Because the assessment process is so intensive, it requires personnel with a high level of expertise (read: these people don’t work for cheap) to work for extended periods of time (again, not cheap) on the project. On the flip side, there’s no guarantee that the most expensive organization will be the one with the most expertise or experience. Your goal is to find a balance of expertise and experience with a price point that works for your company.
Conduct a gap assessment, but not just “a” gap assessment.
Conduct a deliberate, framework or standard-based, security-focused gap assessment. HITRUST will allow you to download their CSF framework for free, and External Assessor firms can assist you in this process as well.
Define your “why.”
You need a baseline statement for why HITRUST CSF Certification is necessary to focus your effort. HITRUST is a dynamic program that can scale to many different business needs. At this time, there are 44 authoritative sources (mostly laws and standards) upon which the HITRUST CSF is mapped. It is easy to lose sight of the goal if it is not defined.
Define your “when.”
It is important to know what your critical milestones will be. Achieving HITRUST CSF compliance is a reward on top of demonstrating good risk, compliance, security, and privacy principles as processes ingrained in your organization. Having a defined plan to achieve that goal is imperative to communicate to your external assessor to determine the optimal time to test your organization. Define your timeline, and whether or not it is flexible.
About LBMC’s HITRUST Practice
As the leader of the “10-year club” of assessors, LBMC Information Security stands as the longest serving assessor in the business with the longest serving, most experienced team in the industry. In February 2010, our leaders signed on the dotted line to join in a movement that has become the modern-day gold-standard in security and privacy assessments. We have cultivated a team of assessors led by those that have been contributing to this success the longest.
We have helped countless organizations reach their HITRUST CSF Certification goal and we have learned many lessons along the way. We feel compelled, and are somewhat obligated, to offer some words of encouragement and advice to those that are embarking on this journey. Please reach out any time with how we can assist you on your journey!
Content provided by LBMC security professional, Robyn Barton.