HITRUST scoring rubric: What it is and how to use it

The HITRUST Common Security Framework (CSF) helps organizations implement stringent security controls and comply with over 50 major regulations and standards. In particular, its data-driven assessment and certification processes enable effortless trust building with customers and other stakeholders.

Obtaining a HITRUST certificate requires a solid understanding of the platform’s unique scoring system, known as the Control Maturity Scoring Rubric (also called “the Rubric”). It’s a specific tool devised to numerically measure an organization’s cybersecurity and compliance efforts, and how well they align with HITRUST CSF requirements.

In this guide, you’ll learn:

  • How to use the Control Maturity Scoring Rubric
  • What score thresholds get your organization certified
  • What challenges you might run into while scoring your controls

What is the Control Maturity Scoring Rubric?

The Control Maturity Scoring Rubric is a visual self-assessment tool used during the HITRUST certification process. It helps both the assessed entities and external assessors score the control maturity of each requirement statement involved in the HITRUST audit.

Using the Rubric, you can score your security controls against the PRISMA model, which consists of five maturity levels:

  1. Policy
  2. Procedure
  3. Implemented
  4. Measured
  5. Managed

While the Rubric’s scoring elements vary according to maturity levels, they refer to two dimensions of security control implementation, as explained below:

  • Strength: The extent to which an organization implements a control corresponding with the requirement statement
  • Coverage: The percentage of evaluative elements compliant with the requirement

These two dimensions and their ranges form a matrix that you’ll use to place a security control in the corresponding field that reflects its maturity level.

Additionally, the maturity levels you need to evaluate depend on your HITRUST certification level (e1, i1, or r2):

  • e1 and i1: Only the Implemented level is evaluated
  • r2: All five PRISMA maturity levels are evaluated

Regardless of the certification level, the scoring process will be the same.


How to use the Control Maturity Scoring Rubric

Once you choose your preferred HITRUST certification level and determine the assessment scope, you can use the Rubric to score the in-scope requirement statements. To demonstrate what this looks like in practice, let’s follow a simplified example of the following requirement statement:

“The organization has a formal information protection program based on an accepted industry framework that is reviewed and updated as needed.”

  • If we assume you implement such a program for 80% of your IT infrastructure, this implies the implementation strength is 80% and falls under Tier 3 (66%–89% of scope)
  • If the percentage of compliant evaluative elements is 93%, this means the coverage is graded as Very High (90%–100%)

[Figure: the HITRUST Implemented maturity scoring rubric]

By looking at the Implemented Rubric, we can see that in this case, the control would be rated as Mostly Compliant, which means you’d get 75% of the total points awarded for it. For reference, the following table shows the point percentage for all compliance scenarios:

Compliance rating and points awarded:

  • Non-compliant: 0%
  • Somewhat compliant: 25%
  • Partially compliant: 50%
  • Mostly compliant: 75%
  • Fully compliant: 100%

If you were pursuing r2 certification, you’d repeat the process for the other maturity levels (Policy, Procedure, Measured, and Managed) and use the following weights to calculate the final score:

  • Policy: 15%
  • Procedure: 20%
  • Implemented: 40%
  • Measured: 10%
  • Managed: 15%

In our example, the weighted score for the Implemented maturity level would be 30 (40% of 75). After doing the same calculation for each maturity level, you’ll add up the five weighted scores to get the total for the requirement statement.


What score must you reach to obtain a HITRUST certificate?

The HITRUST certification threshold depends on your chosen certification level:

  • 83+ points for e1 and i1
  • 62+ points for r2

Keep in mind that these thresholds refer to the total scores for each control domain, not the individual requirement statements. They are expressed as the average score of all requirement statements for each of HITRUST’s 19 control domains:

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Security
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Transmission Protection
  10. Password Management
  11. Access Control
  12. Audit Logging & Monitoring
  13. Education, Training and Awareness
  14. Third Party Assurance
  15. Incident Management
  16. Business Continuity & Disaster Recovery
  17. Risk Management
  18. Physical & Environmental Security
  19. Data Protection & Privacy

There are several certification scenarios you might encounter. Besides full certification without issues, you might achieve certification with gaps or CAPs (corrective action plans).

For example, a gap may be present if the requirement didn’t score Fully Compliant, but the associated control reference has a score of 80 or more (71 or more for r2). If the control reference has a lower score, a CAP might be needed. Once identified, CAPs are addressed through a form that explains how and when you plan to remediate the discovered issue.
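The scoring arithmetic from the worked example above (rating to points, r2 weights, summed total) together with the domain thresholds and the gap-versus-CAP rule from this section, as an added Python example that is not HITRUST’s or Vanta’s code. It assumes that for e1/i1 the Implemented points stand as the requirement score, takes the control reference score as an input, and uses constructed sample ratings; the rubric matrix that maps a strength tier and coverage band to a rating is read from the rubric graphic and is not modelled.

```python
# Added example: the HITRUST scoring arithmetic described in this guide. The
# figures are the ones stated in the text; sample ratings are constructed.

POINTS = {"non-compliant": 0, "somewhat compliant": 25, "partially compliant": 50,
          "mostly compliant": 75, "fully compliant": 100}

# r2 weight of each PRISMA maturity level (sums to 100%).
R2_WEIGHTS = {"policy": 0.15, "procedure": 0.20, "implemented": 0.40,
              "measured": 0.10, "managed": 0.15}

THRESHOLD = {"e1": 83, "i1": 83, "r2": 62}   # minimum average score per control domain
GAP_CUTOFF = {"e1": 80, "i1": 80, "r2": 71}  # control reference at/above: gap; below: CAP


def requirement_score(level, ratings):
    """Score one requirement statement (0-100); ratings maps PRISMA level -> rating.

    e1/i1 evaluate only Implemented (assumption: its points are the score);
    r2 multiplies each level's points by its weight and sums them.
    """
    if level in ("e1", "i1"):
        return POINTS[ratings["implemented"]]
    return sum(POINTS[ratings[lvl]] * weight for lvl, weight in R2_WEIGHTS.items())


def domain_average(level, requirements):
    """Average score of all requirement statements in one control domain."""
    scores = [requirement_score(level, r) for r in requirements]
    return sum(scores) / len(scores)


def domain_outcome(level, requirements):
    """The threshold applies to the domain average, not to a single statement."""
    return "pass" if domain_average(level, requirements) >= THRESHOLD[level] else "fail"


def finding(level, rating, control_reference_score):
    """Classify a statement that did not score Fully Compliant as a gap or a CAP."""
    if rating == "fully compliant":
        return "none"
    return "gap" if control_reference_score >= GAP_CUTOFF[level] else "CAP"


# Constructed sample: the guide's example statement, Mostly Compliant at Implemented.
EXAMPLE = {"policy": "fully compliant", "procedure": "fully compliant",
           "implemented": "mostly compliant", "measured": "partially compliant",
           "managed": "somewhat compliant"}
FULL = {lvl: "fully compliant" for lvl in R2_WEIGHTS}

print(requirement_score("r2", EXAMPLE))  # 15 + 20 + 30 + 5 + 3.75 = 73.75
```

The same statement scores 75 under i1 (Implemented only), which on its own falls short of the 83-point domain threshold, while under r2 the weighted 73.75 sits above the 71-point cut-off and so counts as a gap rather than a CAP.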


Control Maturity Scoring Rubric: Common challenges

Using the HITRUST Rubric demands comprehensive security reviews and evidence collection, considering that the self-assessed scores need to be demonstrated to the HITRUST external assessor during the validated assessment.

Naturally, maintaining elaborate evidence that can back up each score without any ambiguity is the most challenging part of the process. Typically, the assessor would need evidence in the form of:

  1. Observed information
  2. Verbal information
  3. Electronic information
  4. Paper documents

Other issues related to collecting and demonstrating evidence for rubric scores include:

  • Blocked workforce: Disparate documentation and evidence collection systems slow down both internal and external HITRUST assessments and lead to extensive busy work.
  • Pressure on IT and security teams: Your team might be overwhelmed by the amount of manual evidence maintenance work they need to complete to demonstrate the effectiveness of in-scope controls.
  • Prolonged certification timeframe: HITRUST certification can take unnecessarily long if you don’t have a streamlined way to track evidence and make it readily accessible to assessors.

The good news is that you can now complete the evidence-gathering process in a more organized and efficient manner with Vanta, an automation solution vetted by HITRUST.

Get your organization HITRUST-ready with Vanta

Vanta is an end-to-end trust management platform that automates up to 80% of the HITRUST certification requirements. It’s the first (and currently the only) automation platform with HITRUST-approved frameworks to get ready for e1/i1 and r2 assessments.

The platform offers a dedicated HITRUST CSF solution that helps you perform a readiness assessment seamlessly and address control deficiencies before external reviews.

Vanta streamlines evidence collection by integrating with over 350 other platforms, including HITRUST’s MyCSF audit platform for seamless evidence upload. It can also perform a gap analysis to help you assess your progress and patch up your controls to improve the relevant rubric scores.

Here are some other key features that bring peace of mind during your certification journey:

  • Prescriptive guidance to automate several HITRUST requirements with centralized tracking
  • Automated cross-referencing of supported frameworks to reduce duplicative work
  • Resources like policy templates and tests for efficient workflows

Vanta also helps you find expert HITRUST assessors via its service partner network.

You can schedule a custom demo today to explore Vanta’s HITRUST CSF features firsthand.
