Common Criteria Updates for Trust Service Principles
Statement of Standards for Attestation Engagements (SSAE) No. 18 – Attestation Standards: Clarification and Recodification, went into effect on May 1, 2017. This post is the fourth in a four-part series on the changes that will come along with this new standard, and what practitioners and service organizations need to know to ensure continued compliance.
In March 2016, the American Institute of Certified Public Accountants (AICPA) released updates to the Trust Services Principles (TSP) section 100 criteria used to obtain assurance over outsourced services that are relevant to user entities, but non-financial in nature. The updated criteria took effect for System and Organization Controls (SOC) reports issued on or after December 15, 2016.
The five trust service principles are:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
In 2014, the AICPA restructured the Security, Availability, Processing Integrity and Confidentiality principles, and introduced common criteria for all principles to reduce redundancy and the need to cross-check criteria among the various principles. The common criteria applicable to all five TSP are organized into seven categories:
- Organization and management
- Communications
- Risk management and design and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management
Criteria unique to the Confidentiality principle (TSP section 100, C1.7 and C1.8) were updated to address the need for data retention policies that safeguard confidential information, retain such information only as long as it is needed, and then safely dispose of it.
The privacy principle, which relates to personal information, such as a person’s address, phone number or driver’s license number, was revised in the 2016 update and supersedes Generally Accepted Privacy Principles (GAPP) guidance from TSP section 100A. The restructured Privacy principle is more concise and alleviates uncertainty as to whether practitioners should follow TSP or GAPP guidance for SOC Privacy reporting purposes.
The restructured Privacy principle criteria are organized into eight categories:
- Notice
- Choice and consent
- Collection
- Use, retention and disposal
- Access
- Disclosure and notifications
- Quality
- Monitoring and enforcement
Service organization customers need to evaluate existing controls and policies now to ensure their practices align with TSP criteria revisions when conducting a SOC 2 or SOC 3 audit. To determine which SOC report is needed for your organization, take Weaver’s short SOC quiz.