HITRUST CCSFP Exam - Topic 5 Question 13 Discussion

Actual exam question for HITRUST's CCSFP exam

Question #: 13
Topic #: 5

A sample of laptops is being selected to ensure AV software has been properly installed/configured. Where should the population be pulled from? [0173]

AThe AV console, as it lists all laptops with AV installed

BThe IT asset inventory, for capital assets only

CThe IT asset inventory, for a list of all laptops

DThe Risk Register, as it lists all firewalls with AV installed

Show Suggested Answer

Suggested Answer: C

When testing implementation, the population must include the full set of in-scope assets, not just a subset filtered by existing controls.

AV console (A) only shows devices with AV installed; it would exclude noncompliant assets.

IT asset inventory (C) provides the complete list of laptops, making it the proper source for random sample selection.

Risk register (D) lists risks, not devices.

Capital assets only (B) not comprehensive for all laptops.

Extract Reference (HITRUST Assessment Sampling Guidance, CCSFP [0173]):

Sampling must be based on the complete population from the IT asset inventory; reliance on control-based systems (e.g., AV console) introduces bias.

by Jill at Apr 07, 2026, 06:17 AM

Limited Time Offer

25%

2 months ago

I think the population should come from the IT asset inventory since it should have a complete list of all laptops, right?

upvoted 0 times

...