Michelle Smith: Hi everyone. And welcome to our fourth episode of cyBARR Chats. HITRUST edition. Today, we’ll be talking about interim assessments and how authorized external assessors like bar perform them. So let’s get started with HITRUST manager Swathi West. Swathi, to get started, can you give us some details about HITRUST interim assessments?
Swathi West: Yes. So for HITRUST CSF certification, The certification itself is valid for 24 months from the certification date on the condition that the interim assessment and the continuous monitoring requirements are met. The interim assessment must be completed and submitted to HITRUST in the 90 day window, leading up to the anniversary of the certification assurance date, a lot of words to make it a little bit simple.
So if the certification issuance date as January 1st, the client will have 90 days to do the interim assessment. So that would be between October through December. You have to complete the interim assessment and submit to HITRUST because your issuance date of the validated assessment, which got your certification last year was on January 1st.
So any, any time before the 90 would know you can do the interim assessment. For myCSF subscribers though, the interim assessment will be generated automatically 90 days prior to the required submission date. If you want to, you know, the subscribers can also manually generate the object 120 days prior to the submission.
So that’s one of the differences between my CSF subscribers and the non-subscribers. Usually for the non-subscribers you only have 90 days, which is for everyone else, but. For subscribers, the positive would be, you can manually generate it. You don’t have to wait for the 90 days, but you can manually generated 120 days prior to it.
And another great thing about interim assessments are completely performed in myCSF. And that’s, that’s good for both clients and as well for us, because we don’t have to attach a test plan, which we would do for a validated assessment. This one, we’ll just test everything in the myCSF. And that’s, that’s definitely a big difference, both the clients and for assessors
Michelle Smith: Swathi, is it okay for organizations to change external assessors for interim assessments?
Swathi West: Yes. This is a normal, like a big question every time. Like when I talk to clients, this is one question that pops up all the time. Yes. There is no process. You can always change the external assessor at any point in the engagement.
However, depending on the organizations, um, you know, the assessors as well, the organizations definitely need to keep in mind that sometimes retesting may be required because as an external assessor, we would like to have a greater degree of confidence in our clients and in their HITRUST CSF scope, their process, their implementation.
So if a client wants to change the assessor and they came to BARR and they’re like, Hey, we want to change, but we completed the validation and validation testing. I think we’re good. We have everything in place. We have policies implementation scope. We don’t have to test maybe not every requirement, but you know, BARR would definitely want to do like a random test or just go through the scope itself to make sure.
We get everything right because we are here to help them get certified. So we will set them up for success by doing that little nuance of retesting. That’s one, one of the things to just keep in mind, every assessor is different, but definitely BARR would like to talk through with the client on their scope, their policies and whatnot, just to make sure they get certified.
Michelle Smith: Can you talk a little bit about how an external assessor, like BARR performs, interim testing?
Swathi West: Great question, Michelle, like I said, this is an important subject to discuss because whenever we talk about these interim assessments, right? We definitely ask because it’s been a year.
Um, like I said, just to reiterate type of certification is good for two years. And the first year you have certification grade, but the second year is when we’ll come and we’ll do the retest and then we’ll do the interim testing. And one crucial question, we’ll ask. For our clients is whether there’s any changes to the scope within the last year, because, you know, we’ll definitely talk and do syncs but just to make sure of nothing, no major changes happen, because if there are changes in the environment, then you know, that might indeed change the responses to the controls or requirements.
So we will always want to make sure if there was a change, would that impact any of the responses that you did? Did the control requirements in any of the 19 domain? So that’s the question that we would definitely ask. And then also, if there’s a significant change happened to the domain or the requirement, we’ll assess the impact.
So sometimes, you know, you might have an acquisition or you might bring in another product, or it might be just a feature that you added to your application, but we just want to make sure. Would that, how much impact would that be to your scope? So BARR will assess the impact and test that specific control or the domain.
So if you think, um, you know, we added a new feature and we’re going to give you. New people will have access to a certain, that specific feature. For example, I’m just making this up on the go. But, um, in that case, as we would just test this specific control, whether it’s access control that one control or the whole domain itself.
So depending on the impact, we will definitely test to that, you know, to that specific scope that the change happened. And just to also keep in mind that the interim assessment. HITRUST will randomly select one requirement from each domain and BARR will test and validate the procedures. We don’t test all the control requirements, just like you had in validated assessment.
If you have 300 requirements, BARR will not test everything. We will only test the 19 controls to each control from each domain HITRUST which selects randomly. And we’ll go through all those controls. Being an external assessor, we might not have to attach a test plan. Like I said, everything is done in my CSF.
We don’t do, we don’t have to attach anything external test like we do for validated assessment. But BARR we’ll be testing the 19 controls, the HITRUST selects to the same degree, or even higher degree to how we tested controls or certification. Um, you know, we’re just, we’ll, we’ll do the same review with the maturity scoring.
We’ll do we’ll look at your policy procedure where your implementation, everything that we did for validated assessment, we’ll do the same thing for interim assessment as well. Another important thing we do as part of the interim assessments is we review. The corrective action plans, the caps that you got caps or gaps that you caught from your Validated assessment. We’ll review them as part of your interim assessment to make sure there’s continuous improvement. When I say continuous improvement, um, you know, everyone will go through this exercise when they got first certified, whether you know, just more realistic goals around whether I can complete this within six months or eight months.
I’m going to how much budget it would take, who owns this control. So all of those things we’ll want to make sure you you’re doing what, what you, what you said you’re going to do as part of the first-year certification and at BARR we don’t like to wait till interim assessments to talk about corrective action plans.
Because like I said, the goal of interim assessment is the continuous improvement. So we would have regular syncs and touch bases with our clients to help with that continuous improvement to make sure our clients review their policies, their procedures, risk assessments, if they didn’t and you know, even their system designed to make sure nothing changes or if.
If it changes then, you know, the system design captures that. So we definitely want to make sure everything that’s happening within that continuous improvement process, they follow it. So we usually do the sayings and pieces. So we don’t want to wait until the interim assessment, but that’s, that’s another important thing.
Review corrective action plans as part of the interim assessment process. Once this is all done. We tested all the 19 controls. We. Looked at all the caps that we got from the first year, then BARR will submit the assessment to HITRUST just like, would it validated and HITRUST at the same level of quality assurance performed on the validated assessments that year prior and concludes whether our client should routine certification or not.
If, you know, if HITRUST things, yes, they should retain the certification. Then our clients will have certification. But if there was something that the HITRUST determines, for some reason that we assessment isn’t necessary, Then BARR will perform a reassessment after completing the interim assessment.
The HITRUST CSF certification as again, Valley one more year, just like I said, two years in the middle, we’ll come and do it or no, my assessment and it’s valid for one more year. And the organization after, after that year, they have to go through the recertification for that following year. Important thing to just keep in mind is, you know, HITRUST is valid for two years.
But the reason of doing this interim assessment to make sure, you know, we, we checked the security posture, right? We did great. We got the certification, everything is good, but then we don’t want to wait for two years and we don’t want to, you know, just like we don’t know what’s happening, but having that interim assessment, we know whether that’s, there’s a continuous improvement.
And that ultimately helps our clients improve their security posture. And, you know, that obviously helps their data to be safe and secure. So always, I think interim assessments are great and they help the clients and just keep the, keep their data safe in every possible way.
Michelle Smith: Awesome. Well, thank you. Swathi, we are looking forward to learning more about internal and external inheritance. Next time on cyBARR Chats HITRUST Edition. Thank you and have a great day.
Swathi West: Thank you.