Who Ya Gonna Call? CSF Assessors

June 9, 2016

The HITRUST Alliance places a great deal of reliability on the CSF assessors that perform the validated assessments necessary for pursuing HITRUST certification. Given the level of reliance, it is understandable why HITRUST requires a rigorous application process for becoming a CSF assessor.

In order to even be considered for application purposes, an organization has to provide the HITRUST Alliance a series of methodology and required experience fulfillments for review.  The individual employees within the organization that are listed on the application to perform the HITRUST assessments must have minimum experience levels within both IT security compliance and healthcare compliance as part of their professional resume. Even after acceptance and approval of the organization’s application to become a CSF assessor, the application remains contingent upon the employees’ completion of HITRUST practitioner training and their successful acquisition of the certified CSF practitioner certification by passing its required exam.

All the individual CSF practitioners that obtain their certification must undergo annual refresher training courses each year, and full training and recertification courses every three years. The HITRUST Alliance performs audits of its CSF assessor organizations to ensure that these training requirements have been fulfilled.

Once all of the requirements for becoming a CSF assessor organization are met, there are additional compliance requirements that must also be met during the performance of validated assessments. HITRUST mandates that a minimum percentage of auditors participating in a validated assessment must be certified CSF practitioners. This percentage level is currently 75%.

It is also important to understand that any HITRUST practitioner that is performing invalidated assessment cannot assist in the design or implementation of any controls necessary to satisfy HITRUST requirements. That violation of independence could result in a failed assessment overall

Now that you have an understanding of some of the hurdles an organization must go through to become a CSF assessor, it is also important to consider the assessors’ individual methodologies and processes that are used when performing assessments. During your vetting or proposal process for selecting a CSF assessor, make sure that you are comfortable with the assessors’ experience levels and their history of providing quality service for their clients. The process for becoming CSF certified is long and arduous, so having a partner that is both qualified and compatible with your organization’s team can be a critical factor in your success.

Previous Article
Apple vs. the F.B.I.: Why you should care
Apple vs. the F.B.I.: Why you should care

Encryption has become a fundamental part of our everyday lives. Nearly everything we do online, from sendin...

Next Article
How CISOs Can Work With Other Execs to Manage Information Security Risks
How CISOs Can Work With Other Execs to Manage Information Security Risks

Unfortunately, 2015 saw some seriously impressive information security hacks, the likes of which included t...


Subscribe now
to receive content updates once a week

First Name
Error - something went wrong!