HITRUST CSF Control Maturity Scoring Rubrics (v. HT-134-01)

Each rubric below rates one maturity level of a CSF requirement on two axes: Coverage (the share of the CSF policy elements‡ that the level addresses) and Strength (the tier reached by the organization's policy, procedure, implementation, measurement, or risk treatment process). Coverage uses the same five bands at every level:

  Very Low   0% - 10%
  Low        11% - 32%
  Moderate   33% - 65%
  High       66% - 89%
  Very High  90% - 100%

POLICY
Coverage: % of CSF policy elements‡ addressed by the organization's policy
Policy Strength:
  Tier 4  FC  Documented with all formal policy criteria addressed
  Tier 3  MC  Documented with >1, but not all, formal policy criteria addressed
  Tier 2  PC  Documented with only 1 formal policy criterion addressed
  Tier 1  SC  Undocumented policy
  Tier 0  NC  No policy

PROCEDURE
Coverage: % of CSF policy elements‡ addressed by the organization's procedure
Procedure Strength:
  Tier 4  FC  Documented with all formal procedural criteria addressed
  Tier 3  MC  Documented with >1, but not all, formal procedural criteria addressed
  Tier 2  PC  Documented with only 1 formal procedural criterion addressed
  Tier 1  SC  Undocumented procedure
  Tier 0  NC  No procedure

IMPLEMENTED
Coverage: % of CSF policy elements‡ implemented
Implementation Strength (as a % of scope elements, e.g., systems, facilities):
  Tier 4  FC  90% - 100% of scope
  Tier 3  MC  66% - 89% of scope
  Tier 2  PC  33% - 65% of scope
  Tier 1  SC  11% - 32% of scope
  Tier 0  NC  0% - 10% of scope

MEASURED
Coverage: % of CSF policy elements‡ addressed by the organization's measurement
Measurement Strength:
  Tier 4  FC  Measurement(s) used include an independent metric
  Tier 3  MC  Measurement(s) used include an operational metric
  Tier 2  PC  Measurement(s) used include an independent measure
  Tier 1  SC  Measurement(s) used include an operational measure
  Tier 0  NC  No measurements used

MANAGED
Coverage: frequency of applying risk treatment, as a % of issues identified for the CSF policy elements‡
Risk Treatment Process Strength:
  Tier 4  FC  Documented with all formal risk treatment process criteria addressed
  Tier 3  MC  Documented with >1, but not all, formal risk treatment process criteria addressed
  Tier 2  PC  Documented with only 1 formal risk treatment process criterion addressed
  Tier 1  SC  Undocumented risk treatment process
  Tier 0  NC  No risk treatment process, OR measured score = NC
Managed rating cannot exceed measured rating.

LEGEND
  Rating                    Points awarded   Range of averaged scores
  Non-Compliant (NC)        0% of points     0% - 10%
  Somewhat Compliant (SC)   25% of points    11% - 32%
  Partially Compliant (PC)  50% of points    33% - 65%
  Mostly Compliant (MC)     75% of points    66% - 89%
  Fully Compliant (FC)      100% of points   90% - 100%

VARIED OR INCOMPLETE IMPLEMENTATION SCOPE
Varied or incomplete implementation scope on the Policy, Procedure, Measured, or Managed levels? Perform the following steps:
Step 1) Decompose / separate scope into individual elements against which the rubric can be applied.
  • Example: Two in-scope data centers (DC1, DC2) each use their own procedure for fire extinguisher maintenance.
Step 2) Apply the rubric to each individual scope element.
  • Example continued: DC1's procedure scores as Mostly Compliant (75%) and DC2's procedure scores as Non-Compliant (0%).
Step 3) Calculate an average score.
  • Example continued: (75% + 0%) / 2 = 37.5%
Step 4) Refer to the "Range of Averaged Scores" in the legend to determine a rating.
  • Example continued: Because 37.5% falls within the range of 33% - 65%, the computed procedure rating is Partially Compliant.

‡ As specified in the policy level's illustrative procedure in MyCSF.

v. HT-134-01
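The four-step averaging procedure and the legend, as an added example: a small Python scorer that is not HITRUST's tooling and not part of the original rubric. It encodes the legend's points and averaged-score bands, applies Steps 2 through 4 to every maturity level of one requirement, and enforces the rule that the Managed rating cannot exceed the Measured rating. Two assumptions are not stated on the page: a fractional average is placed in the band whose upper bound it does not exceed (so 37.5 is Partially Compliant, as in the worked example, and 10.5 would be Somewhat Compliant), and the per-element ratings are taken as input rather than derived from the coverage/strength grid. The sample input is constructed: the DC1/DC2 fire-extinguisher example for the Procedure level, plus made-up ratings for the other levels so that the Managed cap is exercised.

```python
"""Added example: scorer for the HITRUST CSF control maturity rubric (not HITRUST tooling)."""
from statistics import mean
from typing import Dict, Sequence, Tuple

# Legend: rating -> points awarded (as a % of points).
POINTS: Dict[str, float] = {"NC": 0.0, "SC": 25.0, "PC": 50.0, "MC": 75.0, "FC": 100.0}
NAMES: Dict[str, str] = {
    "NC": "Non-Compliant", "SC": "Somewhat Compliant", "PC": "Partially Compliant",
    "MC": "Mostly Compliant", "FC": "Fully Compliant",
}
# Legend: "Range of Averaged Scores" bands as (upper bound, rating).
# ASSUMPTION (not on the page): the integer bands 0-10 / 11-32 / 33-65 / 66-89 / 90-100 are
# treated as contiguous, so a fractional average lands in the band whose upper bound it does
# not exceed (10.5 -> SC, 37.5 -> PC as in the page's worked example).
BANDS: Sequence[Tuple[float, str]] = ((10, "NC"), (32, "SC"), (65, "PC"), (89, "MC"), (100, "FC"))
LEVELS = ("policy", "procedure", "implemented", "measured", "managed")


def rating_for_score(score: float) -> str:
    """Step 4: map an averaged score (0-100) to a rating via the legend."""
    if not 0 <= score <= 100:
        raise ValueError(f"averaged score out of range: {score}")
    for upper, rating in BANDS:
        if score <= upper:
            return rating
    return "FC"  # not reached: any score <= 100 matches the last band


def average_score(element_ratings: Sequence[str]) -> float:
    """Steps 2-3: each scope element's rating becomes its points; average them."""
    if not element_ratings:
        raise ValueError("a level needs at least one scored scope element")
    unknown = [r for r in element_ratings if r not in POINTS]
    if unknown:
        raise ValueError(f"unknown rating(s): {unknown}")
    return mean(POINTS[r] for r in element_ratings)


def score_level(element_ratings: Sequence[str]) -> str:
    """Steps 2-4 for one maturity level of one requirement."""
    return rating_for_score(average_score(element_ratings))


def score_requirement(scope: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Score all five maturity levels of one requirement.

    `scope` maps each level to {scope element -> rating assigned by the rubric}.
    Enforces "Managed rating cannot exceed measured rating", which also makes a
    Measured rating of NC force Managed to NC.
    """
    result = {level: score_level(list(scope[level].values())) for level in LEVELS}
    order = list(POINTS)  # NC < SC < PC < MC < FC
    if order.index(result["managed"]) > order.index(result["measured"]):
        result["managed"] = result["measured"]
    return result


if __name__ == "__main__":
    # Constructed input: the page's DC1/DC2 fire-extinguisher example for the Procedure
    # level, plus made-up ratings for the other levels to exercise the Managed cap.
    requirement = {
        "policy": {"DC1": "FC", "DC2": "FC"},
        "procedure": {"DC1": "MC", "DC2": "NC"},       # (75 + 0) / 2 = 37.5 -> PC
        "implemented": {"DC1": "MC", "DC2": "PC"},
        "measured": {"DC1": "SC", "DC2": "NC"},        # (25 + 0) / 2 = 12.5 -> SC
        "managed": {"DC1": "FC", "DC2": "FC"},         # averages to FC, capped to SC
    }
    for level, rating in score_requirement(requirement).items():
        print(f"{level:12s} {rating}  {NAMES[rating]}")
```

Band boundaries are where this kind of scorer usually goes wrong; keep the threshold handling in one place (`BANDS`) and test the edges explicitly rather than reading them off the legend each time.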
TIMEFRAMES (Window / Duration)
• Access window for a MyCSF "Report Only" object: 90 calendar days for validated assessment objects, 60 calendar days for interim assessment objects
• Assessor's validated assessment fieldwork window (maximum): 90 calendar days from the date of submission of the validated assessment object to HITRUST
• Minimum number of days that a remediated or newly implemented control must operate prior to assessor testing: 90 calendar days past the control's implementation or remediation
• Maximum age of testing performed by the organization (e.g., by Internal Audit) being relied upon by the assessor: 90 calendar days, as determined by comparing the external assessor's fieldwork start date to the internal assessor's fieldwork start date
• Maximum age of third-party assessments/inspections/audits being relied upon by the assessor: 1 year, as determined by comparing the HITRUST CSF validated assessment fieldwork start date to: the period end date (for period-of-time reports) or the final report date (for point-in-time reports or forward-looking certifications)
• Targeted window for HITRUST's performance of QA and draft report assembly procedures: 56 calendar days (8 weeks), following acceptance / successful check-in of the submission in MyCSF
• Window during which HITRUST will accept grammatical changes to a draft report: 30 calendar days from issuance of the draft report
• Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF: 30 calendar days from issuance of the draft report
• Validity window for a HITRUST CSF Certification: 2 years from the HITRUST CSF Validated Report's date. Requires successful completion of an interim assessment to remain valid for the 2-year period.
• Earliest that an interim assessment can begin (i.e., earliest that an interim assessment object can be created in MyCSF): 120 days before the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report's date)
• Interim assessment object submission due date: No later than the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report's date)

SAMPLE SIZES (Sampling Scenario / Minimum Number of Items to Test)
• Testing a manual control operating at a defined frequency:
  • Daily controls: 25 days
  • Weekly controls: 5 weeks
  • Monthly controls: 2 months
  • Quarterly controls: 2 quarters
  • Annual controls: 1 year (most recent control occurrence)
• Testing a manual control operating at an undefined frequency (i.e., "as needed"): Sample size varies based on population size:
  • Pop. size >= 250: 25 items
  • Pop. size 50 - 249: 10% of the population, rounding up as needed
  • Pop. size < 50: Sample size can range from a minimum of 3 items up to the entire population. Use professional judgment.
• Testing an automated control (NOTE: If configured on or embedded within multiple systems/tools, each system/tool must be tested): Can perform a test of 1 if the following are performed / met (otherwise, a full sample must be tested using the manual control sampling guidance provided above):
  • If configurable, the associated configuration(s) must be tested
  • To show that the system behaves as configured, the outcome / result of the configuration must be tested
• Sampling from point-in-time populations (e.g., endpoints, servers): Observe the sampling guidance provided for the "Testing a manual control operating at an undefined frequency" scenario above

MEASUREMENT CONCEPTS

MEASUREMENT
Definition(s): The process of data collection, analysis, and reporting. [NIST CSRC Glossary of Terms] Measurements are "observations that quantitatively reduce uncertainty." [Hubbard, D., Seiersen, R., Geer Jr., D., and McClure, S. (2016). How to Measure Anything in Cybersecurity Risk. John Wiley & Sons]
Guidance: Examples of measurements in the context of the HITRUST CSF include information obtained from user access reviews, compliance checks, dashboards, alerts, health reports, and audits.

MEASURE
Definition(s): The results of data collection, analysis and reporting. [NIST CSRC Glossary of Terms] A standard used to evaluate and communicate performance against expected results (measures are normally quantitative in nature, capturing numbers, dollars, percentages, etc., but can also address qualitative information such as customer satisfaction; reporting and monitoring measures help an organization gauge progress toward effective implementation of strategy). [ISACA Glossary of Terms]
Guidance: A measure is a mechanism used to formally evaluate and communicate the operation / performance of an implemented control or requirement. Measures are measurements that are prepared in real time or at a set cadence (e.g., weekly, monthly, quarterly, annually) using a defined set of inputs (e.g., system-generated reports) by an understood / clearly defined owner. To be classified as a measure for HITRUST CSF assessment purposes, it must (1) address the control's operation / performance, (2) be used at an appropriate frequency, and (3) be supported by documentation that specifically addresses: (i) what is measured, (ii) who is responsible for gathering the data, (iii) how the data is recorded, (iv) how the measurement is performed / calculated, and (v) how often the measure is reviewed and by whom.

METRIC
Definition(s): Tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. [NIST CSRC Glossary of Terms] A quantifiable entity that allows the measurement of the achievement of a process goal (metrics should be SMART—specific, measurable, actionable, relevant, and timely; complete metric guidance defines the unit used, measurement frequency, ideal target value, if appropriate, and also the procedure to carry out the measurement and the procedure for the interpretation of the assessment). [ISACA Glossary of Terms] Measurements provide single-point-in-time views of specific, discrete factors, while metrics are derived by comparing two or more measurements taken over time to a predetermined baseline. [Educause (2017, Mar). Effective Security Metrics: A guide to Effective Security Metrics]
Guidance: To be classified as a metric for HITRUST CSF assessment purposes, the measurement must meet ALL requirements for a measure (listed above) AND: (i) be tracked over time, and (ii) have explicitly stated (not implied), established thresholds (i.e., upper and/or lower bounds on a value) or targets (i.e., targeted goals, what the organization is trying to achieve).

Please consult the HITRUST Risk Analysis Guide for further discussion of these concepts.

OTHER KEY CONCEPTS

OPERATIONAL
Definition(s): With respect to a measure or metric, one that is produced by, or otherwise influenced by, the person or entity responsible for the requirement/control being tracked by the measure or metric. [HITRUST Glossary of Terms]
Guidance: Operational measures and metrics are prepared by a person or group responsible for the control / requirement being measured (e.g., the control owner) or by a person or group influenced by the control owner (a subordinate, a peer reporting to the same department head, etc.).

INDEPENDENT
Definition(s): With respect to an assessor or measure, one that is not influenced by the person or entity that is responsible for the requirement/control being evaluated or measured. [HITRUST Glossary of Terms]
Guidance: Independent measures and metrics are prepared by a person or group (e.g., auditors, analysts) who are not influenced by the person or group responsible for the operation of the requirement / control being measured (e.g., the control owner).

AUTOMATED CONTROLS
Definition(s): Controls that have been programmed, configured, and/or embedded within a system. [ISACA Glossary of Terms, adapted]
Guidance: Automated controls are performed by systems—not people—based on configurations, rulesets, or programming. An example of an automated control is forced password expiration after the number of days specified in the associated configuration.

PROCEDURE
Definition(s): A detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes. [ISACA Glossary of Terms, adapted]
Guidance: Formal documented procedural criteria: (i) demonstrably approved by management, (ii) demonstrably communicated to stakeholders, (iii) outlines stakeholder responsibilities, and (iv) discusses operational aspects such as how, when, by whom, and on what the action / control / requirement is to be performed.

POLICY
Definition(s): Overall intention and direction as formally expressed by management, most often articulated in documents that record high-level principles or courses of action; the intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams. [ISACA Glossary of Terms, adapted]
Guidance: Formal documented policy criteria: (i) demonstrably approved by management, (ii) demonstrably communicated to stakeholders in the organization and members of the workforce, and (iii) clearly communicates management's expectations of the control(s) operation (e.g., using "shall", "will", or "must" statements).

RISK TREATMENT
Definition(s): Selecting and implementing mechanisms to modify risk. Risk treatment options can include avoiding, optimizing, transferring, or retaining [accepting] risk. [ENISA Glossary of Terms]
Guidance: Formal documented risk treatment process criteria: (i) initial involvement of an appropriate level of management, or a defined escalation or review process to be observed if / when the appropriate level of management is not initially involved, (ii) a defined mechanism to track issues, risks, and risk treatment decisions, and (iii) cost, level of risk, and mission impact are considered in risk treatment decisions.

UNDOCUMENTED
Definition(s): Not supported by written proof. [Cambridge Dictionary]
Guidance: Undocumented policies, procedures, and processes are those that are: (i) well understood by those required to implement them and / or adhere to them, (ii) consistently observed, and (iii) unwritten.

© 2019 HITRUST All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than being shared as is in full, in any form or by any means, electronic or mechanical, without HITRUST's prior written permission.