
The Overlooked HITRUST Scoping Risk Could Be Your Leased Office

Why your high-rise lease may deserve a seat at your HITRUST r2 scoping table

This post reflects the practitioner’s perspective on a scoping factor that reasonable people read differently. For authoritative guidance, consult HITRUST’s published scoping documentation and discuss your specific situation with your external assessor during readiness.

Author: Steve Meyer, CCSFP and CHQP

Here’s a scenario. You’re an IT compliance leader at a healthcare technology company. Your team occupies two floors of a Class A high-rise. You’re building your HITRUST r2 assessment object in MyCSF, working through scoping factors one by one, and you arrive at this one:

“Is the scoped system(s) (on-premises or cloud-based) accessible by third-party personnel (e.g., business partners, vendors, cloud providers)?”

Your instinct says “No.” It feels like a confident no. Your team manages everything internally. Your cloud workloads run on infrastructure you control. You don’t give vendors remote access to your environment. There are no third-party administrators, no outsourced NOC, and no managed service provider with standing credentials.

But before you click “No,” ask yourself who else has keys to your building.

This is one of the most deceptively simple scoping factors in the HITRUST r2 framework, and for organizations operating in leased commercial office space, it demands far more scrutiny than it typically receives. The answer you give here shapes your entire tailored control set, and getting it wrong in either direction creates real problems: unnecessary control burden if you answer “Yes” when you don’t need to, or an assessor finding if you answer “No” and can’t back it up.

Why Leased Office Environments Matter in HITRUST Scoping

As Clearwater assessors, we often see organizations focus heavily on logical access when thinking through HITRUST scoping, and understandably so. Most teams have spent years strengthening IAM controls, tightening VPN access, and improving privileged access management. But this particular scoping factor asks organizations to take a broader view of access.

At its core, the question is simple: can any non-employee third parties, including vendors, business partners, cloud providers, building management personnel, or others, potentially access systems that fall within your r2 assessment scope?

What makes this tricky is the word accessible. HITRUST is not asking whether those third parties actively use your systems every day. It is asking whether your technical architecture, contractual arrangements, or physical environment could enable that access.

That means access should be evaluated holistically, including:

  • Logical access, such as remote connectivity, credentials, APIs, and support channels
  • Physical access, including proximity to equipment, network cabling, shared infrastructure, or secured office spaces

In our experience, physical access is often where organizations uncover unexpected scoping considerations, especially in leased office environments. Many healthcare organizations operate in shared buildings, managed suites, or multi-tenant office spaces where parts of the physical environment are not entirely under their control.

That does not automatically create a compliance issue. But it does mean organizations should pause and thoughtfully evaluate how building management, maintenance personnel, shared facilities, or third-party providers could potentially interact with systems or infrastructure considered in scope for the assessment.

This is less about finding fault and more about making sure the scoping conversation reflects the realities of how modern organizations actually operate.

Why Leased Office Space Can Complicate HITRUST Scoping

If you operate in a leased commercial office, there is a cast of characters who may have physical access to your space, and who could, depending on your control environment, potentially interact with scoped systems. Let’s walk through them.

Building Management and Landlord Personnel

Property managers and building engineers typically retain master key or keycard access to all tenant spaces per the terms of the lease agreement. Many commercial leases include “right of entry” clauses that allow the landlord or its representatives to access your space for inspections, maintenance, emergencies, and even prospective tenant showings.

These personnel can physically enter your suite, often without advance notice in emergency scenarios and sometimes with as little as 24 hours’ notice for non-emergency access, depending on your lease terms.

Janitorial and Cleaning Crews

Cleaning crews are almost universally contracted by the building owner, not the tenant. They enter your space after hours, often unsupervised, with access to every room that isn’t independently locked.

They work around desks, workstations, server closets, and network equipment nightly. They empty trash cans next to your servers. They vacuum under your developers’ desks. They are in your space more consistently than many of your own employees.

HVAC, Electrical, and Plumbing Maintenance

Building systems maintenance personnel have access to mechanical rooms, electrical panels, and HVAC units that may be co-located with or adjacent to your network infrastructure.

In many high-rise environments, the IDF (intermediate distribution frame) or wiring closet shares space with building mechanical systems, sometimes literally in the same room. A building engineer troubleshooting an HVAC issue may be standing next to your core network switch.

Fire Safety and Inspection Personnel

Fire marshals, sprinkler technicians, and alarm monitoring companies have periodic and emergency access to all tenant spaces. Annual fire inspections require access to every room in your suite, including server rooms, data closets, and utility spaces.

Inspection frequency and scope vary by jurisdiction and occupancy classification; in many cases, inspections extend to server rooms and data closets and are not practically refusable.

Security Guards

Building security personnel patrol common areas and may have access to tenant floors. In some building configurations, building security manages the access control system for the entire property, including your suite’s card readers and door controllers.

If building security has administrative access to grant or revoke badge access to your space, that constitutes third-party control over your physical security perimeter.

Telecom and ISP Technicians

Internet service providers and telecom carriers may need access to wiring closets, demarc points, or patch panels: infrastructure that may sit within or immediately adjacent to your scoped environment.

When your ISP dispatches a technician to troubleshoot a circuit issue, that technician may end up in a room with your network equipment.

Pest Control Services

Quarterly or monthly pest control services access every area of the suite, including closets and utility spaces. They open every door, inspect every corner, and spray in every room, including the one with your network rack.

Recommendations

Whether you’re approaching this scoping factor for the first time or revisiting it for a reassessment, here’s what I’d recommend:

Walk your space with fresh eyes. Before answering this scoping factor, physically walk every room, closet, and shared space in your leased environment. Note every door that a non-employee could open. Check whether your server room lock is on the building master. Photograph the current state. You may be surprised by what you find. I’ve seen server rooms with no lock at all, wiring closets doubling as supply storage, and network switches sitting on open shelves in shared hallways.

Read your lease — carefully. The right-of-entry, maintenance, and common-area provisions in your commercial lease may surprise you. These clauses were negotiated by your real estate team, not your security team, and they often grant broader access than your compliance posture requires. If necessary, negotiate amendments or addenda that support your security requirements.

Talk to your assessor early. If you’re on the boundary between “Yes” and “No,” discuss it with your external assessor during readiness. A good assessor will tell you whether your compensating controls are sufficient to support a “No” answer or whether you should scope in the third-party access controls and plan accordingly. This conversation is far better to have during readiness than during validated testing.

Consult HITRUST’s own scoping guidance. HITRUST publishes guidance on scoping and tailoring. Blog posts and practitioner commentary (including this one) are interpretive; HITRUST’s own documentation and your assessor’s read are the authoritative sources.

Document your rationale. Regardless of whether you answer “Yes” or “No,” write it down. A brief scoping rationale memo that explains your analysis of third-party access in your leased environment, who has access to the building, what controls are in place, and why you reached your conclusion demonstrates rigor and gives your assessor confidence in your scoping decisions.

Don’t let the building be your blind spot. IT compliance teams focus on logical access, cloud architecture, and vendor management, and rightfully so. But the physical environment, especially a leased one you don’t fully control, is often the last thing evaluated and the first thing an assessor notices when they visit your office for testing. Make it part of your assessment preparation from day one.

Physical Access is a Vector to System Access

Why does physical access matter for a scoping factor that asks about system accessibility? Because physical presence in an uncontrolled environment is a path to system access. Here’s how that plays out in practice:

  • An unattended workstation in a space accessible to janitorial staff is a system accessible by third-party personnel — unless you can demonstrate controls that prevent interaction. Enforced screen locks, locked offices, and clean desk policies are your defense here. Without them, a logged-in workstation with access to your scoped cloud environment is an open door.
  • A server rack or network switch in a shared mechanical/electrical room is accessible to building maintenance — unless it’s in a separately locked cabinet or enclosure with access restricted exclusively to your personnel. An unlocked rack in a room that building engineers can enter is, from an assessor’s perspective, a system accessible by third parties.
  • Network cabling that runs through building risers and shared conduit is physically accessible to telecom technicians and building engineers. While cable-layer attacks are not the most common threat vector, the HITRUST framework thinks in terms of risk surface, not probability.
  • A wiring closet that doubles as a janitorial supply storage area — more common than anyone wants to admit — means cleaning crews have regular, unsupervised access to your network infrastructure. If the mop bucket lives next to your patch panel, you have a scoping problem.

The question isn’t whether these third parties intend to access your systems. It’s whether the environment permits it. Under a conservative reading of this factor, the relevant question isn’t whether third parties access your systems, but whether the environment reliably prevents them from being able to and whether you can demonstrate that prevention.

Key Insight

Many organizations assume this scoping factor only applies when third parties have direct logical access through credentials, remote connections, or APIs. But HITRUST often views access more broadly.

Even if outside parties do not have system credentials, their ability to physically access infrastructure, workstations, or network equipment may still be considered “access” depending on the controls you do (or do not) have in place. For organizations operating in leased office environments, this is a common and understandable reality that deserves thoughtful evaluation during HITRUST scoping.

Answering “Yes” and What It Triggers in an Assessment

If you’ve walked through the analysis above and determined that, based on the realities of your leased office environment, the honest answer is “Yes” (third-party personnel can access your scoped systems), then you need to understand what that answer triggers in your assessment.

Answering “Yes” signals to MyCSF that third parties have access to the scoped systems, thereby expanding the tailored control set in areas addressing third-party risk. The Third-Party Assurance domain is the most directly relevant; it covers vendor risk management, assurance activities, and contract-based security provisions. Tailoring may touch other domains as well, depending on the specific combination of scoping factors for your assessment.

A few things worth keeping in mind: the exact requirements tailored in or out by any single scoping factor depend on the CSF version and the full combination of scoping factors for your assessment. MyCSF performs the tailoring, and any specific requirement-by-requirement claim should come from your actual tailored control set, not a general description. Many controls that might sound adjacent to this factor (external user authentication, network connection monitoring, service delivery oversight) are typically in scope regardless, based on other factors; don’t assume “Yes” brings them in or “No” keeps them out. And the practical impact is directional, not easily quantifiable: expect a higher density of third-party-risk requirements that require evidence at the Implemented (Level 3) maturity or above.

CSF Domains and the Additional Requirements That Get Triggered

  • Domain 06 – Configuration Management
    Ensures that any changes to the environment are documented, tested, and authorized to prevent security gaps.
  • Domain 09 – Transmission Protection
    Ensures that the physical and logical “pipes” of your communication systems are resilient and private.
  • Domain 11 – Access Control
    Establishes the “rules of entry” for both digital systems and physical areas, ensuring that users only have access to the specific resources required for their job roles.
  • Domain 14 – Third-Party Assurance
    Ensures that any external entity with access to your data or physical premises doesn’t become a weak link in your security chain.

Note: The exact requirements tailored in or out are determined by MyCSF based on the full combination of scoping factors for your assessment. The domains above are those most commonly expanded when third-party access is in scope; the authoritative view of your tailored control set comes from MyCSF itself.

In practice, answering “Yes” can add a meaningful number of additional requirement statements to the assessment, each requiring evidence at the Implemented (Level 3) maturity or higher. For organizations with otherwise tight scoping, this single factor can meaningfully expand the total control burden.

However, and this is important, answering “Yes” when the honest answer is “Yes” protects you. A scoping answer that doesn’t match what an assessor can observe, whether through a facility walk, interviews, or evidence review, becomes a finding, and findings on scoping decisions tend to cast doubt on other scoping answers. Consistency between the scoping you declare and the environment you operate in is the foundation that the rest of the assessment rests on.

Answering “No” and What You Must Have in Place

Answering “No” is defensible, but only if you can demonstrate a control environment that genuinely prevents third-party personnel from accessing scoped systems, even though those parties may have physical access to your leased space. There’s a critical distinction here: third parties entering your office is not the same as third parties accessing your systems, provided you have the right controls in place and can prove it.

Here’s what that control environment needs to look like, broken down by category.

Physical Segmentation of Scoped Infrastructure

  • All servers, network equipment, and infrastructure components within scope must be in a separately secured area, a locked server room, a locked rack with controlled access, or a secured cage with access limited exclusively to authorized employees. Where a tenant occupies a full floor and operates its own badge access system that limits the floor to authorized employees, that arrangement can meet the control requirement.
  • Building master keys should not open this space. This typically means a separate lock or an electronic access control system independent of the building’s access control infrastructure.
  • Document the access control mechanism, maintain an access log, and review it regularly. Your assessor will ask to see this.

Workstation Security Controls

  • Enforced automatic screen lock after a short inactivity timeout — 10 to 15 minutes maximum; shorter is better.
  • Group Policy or MDM-enforced screensaver passwords that users cannot override.
  • Full-disk encryption on all workstations (BitLocker, FileVault, or equivalent).
  • A clean desk policy — no sensitive information, credentials, access tokens, or sticky notes with passwords visible on desks or monitors.
  • If individual offices can be locked, lock them after hours. If the environment is open-plan, the clean desk and screen lock controls become even more critical.

Visitor and Third-Party Escort Policies

  • A documented visitor management policy that requires all non-employees to be escorted when in areas containing or adjacent to scoped systems.
  • A sign-in/sign-out log for all visitors and third-party personnel entering your suite.
  • Badge or identification requirements for building maintenance and janitorial staff when entering your space.
  • Contractual requirements with the landlord specifying notice periods for entry and escort requirements during non-emergency access.

Network Infrastructure Protection

  • Network equipment (switches, routers, firewalls, patch panels) must be in locked enclosures inaccessible to building personnel.
  • If wiring closets are shared with building mechanical systems, your network equipment must be in a separately locked cabinet within that closet — a lock within a lock.
  • Cable runs through building risers should be documented, and physical tamper protections (conduit, locked riser access) should be noted in your assessment documentation.

Building Lease and Contract Provisions

  • Review your lease agreement for right-of-entry clauses and negotiate amendments or addenda if necessary.
  • Establish a written agreement with property management specifying that entry to your suite requires advance notice (except for genuine emergencies) and that your personnel must be present or notified.
  • Require background checks for janitorial and maintenance staff if your lease allows it, or obtain attestation letters from the cleaning contractor regarding their screening procedures.

Monitoring and Detection

  • Security cameras or access logging at entry points to your suite and to any secured infrastructure areas within the suite.
  • Intrusion detection sensors (door contacts, motion sensors) on server room doors that generate alerts when accessed outside business hours.
  • Audit trails showing who entered secured spaces and when, with regular review.
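To make the “maintain an access log and review it regularly” and “alert on after-hours server room entry” controls concrete, here is an added example (not from this post or Clearwater’s tooling) that reviews a constructed badge-access log for a leased suite with a separately secured server room. The log format, the badge roster, the door names and the business-hours window are all assumptions.

```python
"""Badge-log review for a leased suite with a separately secured server room.

Constructed example: the CSV-style log format, the badge roster and the
business-hours window are assumptions, not a real access-control export.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed roster: badges issued to your own authorized employees.
# Every other badge (janitorial, building engineers, ISP techs) is third-party.
AUTHORIZED_EMPLOYEES = {"E-1001", "E-1002"}
SECURED_DOORS = {"server-room"}           # areas limited exclusively to employees
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # Mon-Fri, local time (assumed)

# Constructed log lines: time,badge,holder,affiliation,door,result,escort
SAMPLE_LOG = """\
2024-05-06T08:15:00,E-1001,A. Rivera,employee,suite-entrance,granted,
2024-05-06T08:20:00,E-1001,A. Rivera,employee,server-room,granted,
2024-05-06T21:40:00,J-3310,Night Clean Co,janitorial,suite-entrance,granted,
2024-05-06T21:55:00,J-3310,Night Clean Co,janitorial,server-room,granted,
2024-05-07T10:05:00,B-0042,Bldg Engineer,building-management,suite-entrance,granted,E-1002
2024-05-07T10:10:00,B-0042,Bldg Engineer,building-management,server-room,denied,E-1002
2024-05-08T02:30:00,E-1002,M. Chen,employee,server-room,granted,
"""


@dataclass
class Finding:
    when: str
    badge: str
    reason: str


def in_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return ts.weekday() < 5 and start <= ts.time() <= end


def review_badge_log(log_text: str) -> list:
    """Return the events a periodic access-log review should surface.

    Three checks mirror the controls a defensible "No" depends on:
    third parties must never be granted entry to the secured area, after-hours
    secured-area entries need a reviewed justification, and third parties in
    the suite should have a logged escort.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, badge, _holder, _affil, door, result, escort = line.split(",")
        ts = datetime.fromisoformat(ts_s)
        third_party = badge not in AUTHORIZED_EMPLOYEES
        granted = result == "granted"
        if door in SECURED_DOORS and granted:
            if third_party:
                findings.append(Finding(ts_s, badge, "third-party granted entry to secured area"))
            if not in_business_hours(ts):
                findings.append(Finding(ts_s, badge, "after-hours secured-area entry"))
        if third_party and door == "suite-entrance" and granted and not escort:
            findings.append(Finding(ts_s, badge, "unescorted third-party entry to suite"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by reason, the shape a review memo would report."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_badge_log(SAMPLE_LOG):
        print(f"{f.when}  {f.badge:7}  {f.reason}")
    print(summarize(review_badge_log(SAMPLE_LOG)))
```

The building engineer’s denied server-room swipe is the control working and is deliberately not a finding; the janitorial badge being granted server-room entry is the case that turns a “No” into a “Yes”.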

Documentation and Evidence

All of the above must be documented in policy, implemented in practice, and evidenced with artifacts. Your assessor will expect to see: photographs of locked server rooms and rack enclosures, access control configurations, GPO exports showing screen lock settings, signed visitor logs, lease provisions with right-of-entry clauses highlighted, clean desk audit results, and camera footage retention policies.

Answering “No” doesn’t mean third parties can’t enter your office. It means you’ve implemented controls sufficient to ensure they cannot access scoped systems, and you can prove it to an assessor who is going to walk your halls, open your closet doors, and ask pointed questions.

The Gray Area: When Answering “No” Gets Complicated

In practice, many organizations find themselves in genuinely ambiguous territory. Here are the scenarios I see most often, and how to think through them.

Cloud-only environments

If all your scoped systems are cloud-hosted and your office contains only endpoints, laptops, monitors, and peripherals, does building access matter? It can. If those endpoints can access the scoped cloud environment without MFA, or if session tokens persist after screen lock, then physical access to the workstation is functionally equivalent to system access. An unlocked laptop with an active AWS console session is a scoped system accessible to anyone who walks past it.

Shared wiring closets

You’ve locked your network cabinet, but the building’s ISP demarc is in the same closet, and the ISP tech needs access to the room. You can’t lock the ISP tech out of the closet they need to service the circuit. What you can do is document that your equipment is in a separately secured enclosure within that shared space, that the ISP tech cannot open your cabinet, and that the cabinet lock is on a different key than the closet door. That’s a defensible “No.”

After-hours cleaning with badge access

The cleaning crew has badge access to your floor and your suite but not to your server room. Is this sufficient to answer “No”? Probably — if you can demonstrate that the server room is independently secured and that workstation controls (screen lock, clean desk) are consistently enforced. But if your “server room” is an unlocked closet, or if your clean desk policy exists on paper but not in practice, the answer changes.

Building security manages your access control

If the building’s security team administers the card access system for your suite, they have administrative access to grant or revoke physical entry to your space. This is a form of third-party access to your physical security infrastructure. Consider whether your access control system is independently managed (your own card readers, your own software) or whether you rely entirely on the building’s system, and whether the building’s security vendor could grant themselves access to your suite without your knowledge.

The HITRUST r2 framework is designed to be comprehensive, and this scoping factor is a perfect example of that design philosophy. It forces you to think beyond firewalls and IAM policies and consider the full environment in which your systems operate. For organizations in leased commercial office space, that environment includes a landlord, a property management company, a cleaning crew, a fire marshal, a building security team, and a building full of mechanical systems you don’t control.

The question isn’t whether you can justify answering “No.” The question is whether your control environment genuinely supports that answer and whether you can prove it to an assessor who’s going to walk your halls, try your door handles, peek into your wiring closets, and ask you who else has a key.

Get this scoping factor right, and you build a foundation of credibility that carries through the rest of your assessment. Get it wrong, and you spend the rest of the engagement explaining why your scoping doesn’t match reality.

Start with the building. The rest follows from there.

SME Highlight

Steve Meyer, CCSFP, CHQP

Steve Meyer is the Senior Director of Consulting Services at Clearwater, bringing over 37 years of experience across various aspects of Information Technology to Clearwater customers. Steve leads the HITRUST Assessment Services team.
