SOC 2 Compliance Handbook: The 5 Trust Services Criteria
Table of Contents

What are the Trust Services Criteria? ........ 2
Security ........ 3
Availability ........ 5
Confidentiality ........ 6
Processing Integrity ........ 7
Privacy ........ 8
Which Trust Services Criteria Apply to My Organization? ........ 10
What are the Trust Services Criteria?

Once your organization has decided that you are ready to pursue a SOC 2 attestation, the first thing you have to decide is which of the five Trust Services Criteria (TSP) you want to include in your SOC 2 audit report. A unique benefit of a SOC 2 audit is that you aren’t required to address all five Trust Services Criteria in your SOC 2 report; instead, you only select the categories that are relevant to the services you provide to customers. Becoming familiar with the categories of security, availability, confidentiality, processing integrity, and privacy should be one of the first steps in your scoping process.

On a basic level, you can think about the Trust Services Criteria in terms of these concepts:

• Security – Is the system protected against unauthorized access?
• Availability – Is the system available for operation and use as agreed upon?
• Confidentiality – Is the information that’s designated as confidential protected as agreed upon?
• Processing Integrity – Are the processing services provided in a complete, accurate, and timely manner?
• Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization’s privacy notice and business objectives?

Let’s discuss the criteria set forth by the AICPA in TSP Section 100 so that your organization can gain a better understanding of which Trust Services Criteria it should include in a SOC 2 report.
Security

Security is the category that applies to all engagements and is what the remaining Trust Services Criteria are based on; in a non-privacy SOC 2 engagement, the security category must be included. This category addresses whether a system is protected, both physically and logically, against unauthorized access. The security category consists of the complete set of the common criteria, which integrate with the 2018 COSO Internal Control – Integrated Framework. The common criteria include the following principles:

• Control Environment
  • Does the service organization show a commitment to integrity and ethical values?
  • Does the service organization’s board of directors demonstrate independence from management and oversee the progress and functionality of internal control?
  • Does the service organization’s management delegate responsibilities and authorities over the pursuit of business objectives?
  • Does the service organization show a commitment to attracting, developing, and retaining competent employees who align with business objectives and values?
  • Does the service organization hold employees accountable for their responsibilities?
• Communication and Information
  • Does the service organization use relevant internal and external data to make information-based decisions about the functionality of internal control?
  • Does the service organization clearly communicate, both internally and externally, about matters impacting the functionality of internal control?
• Risk Assessment
  • Does the service organization name specific business objectives so that it can identify and assess the risks that those objectives face?
  • Does the service organization identify risks that threaten the achievement of its objectives, and determine how to manage those risks?
  • Does the service organization consider how fraud can impact risk?
  • Does the service organization assess how changes within the organization could impact the system of internal control?
• Monitoring Activities
  • Does the service organization monitor whether all components of internal control are present and functioning?
  • Does the service organization monitor and communicate internal control flaws in a timely manner and to the appropriate parties?
• Control Activities
  • Does the service organization implement control activities that mitigate risks?
  • Does the service organization implement control activities over technology that supports business objectives?
  • Does the service organization implement control activities through policies and procedures?
• Logical and Physical Access Controls
  • Does the service organization protect information assets through logical and physical access controls?
  • Does the service organization register and authorize all new internal and external users before issuing system credentials?
  • Does the service organization remove system credentials when the user’s access is no longer authorized?
  • Does the service organization use the concepts of least privilege and segregation of duties when authorizing access to information assets?
  • Does the service organization only allow authorized personnel to enter sensitive locations that hold information assets?
  • Does the service organization have policies and procedures in place for data and software disposal?
  • Does the service organization implement security measures that protect against external threats?
  • Does the service organization protect data in transmission, movement, and removal?
  • Does the service organization implement controls that prevent and detect malicious or unauthorized software?
• System Operations
  • Does the service organization detect and monitor changes to its system operations in order to identify new vulnerabilities?
  • Does the service organization monitor system components in order to identify anomalies that indicate malicious acts or errors?
  • Does the service organization evaluate security incidents?
  • Does the service organization have and use a defined incident response program?
  • Does the service organization implement recovery activities after a security incident?
• Change Management
  • Does the service organization design, develop, configure, document, test, authorize, and implement any changes to its infrastructure, data, software, or policies and procedures?
• Risk Mitigation
  • Does the service organization select or develop specific risk mitigation activities?
  • Does the service organization assess and manage risks coming from vendors or business partners?
Availability

The availability category ensures that the information and systems that a service organization provides to its clients are available for operation and use as agreed upon. The availability category typically applies to service organizations providing colocation, data center, or hosting services to their clients. The availability category consists of the complete set of common criteria, as well as the following additional criteria:

• Does the service organization monitor and evaluate processing capacity and have a way to implement additional capacity if needed?
• Does the service organization design, develop, configure, document, test, authorize, and implement environment protections, software, back-up processes, and recovery infrastructure in support of business objectives?
• Does the service organization test system recovery plan procedures?
Confidentiality

The confidentiality category addresses the agreements that service organizations have in place with their clients in regard to the use of their information, access to their information, and protection over their information. It ensures that the information designated as confidential is protected as agreed upon. The confidentiality category is especially important if a service organization has contractual obligations with clients or handles sensitive data like Personally Identifiable Information (PII) or Protected Health Information (PHI). The confidentiality category consists of the complete set of common criteria, as well as the following additional criteria:

• Does the service organization have procedures in place to identify and protect confidential information?
• Does the service organization have procedures in place for proper disposal of confidential information?
Processing Integrity

The processing integrity category ensures that service organizations provide services in a complete, accurate, and timely manner. The processing integrity category is especially important if a service organization provides financial or e-commerce services and is concerned with transactional integrity. The processing integrity category consists of the complete set of common criteria, as well as the following additional criteria:

• Does the service organization use and communicate relevant, quality information, regarding the business objectives related to processing, to support the use of its products and services?
• Does the service organization implement policies and procedures over system inputs?
• Does the service organization implement policies and procedures over system processing?
• Does the service organization implement policies and procedures so that output is available or delivered in a complete, accurate, and timely manner?
• Does the service organization implement policies and procedures to store inputs, items in processing, and outputs in a complete, accurate, and timely manner?
Privacy

The privacy category stands on its own and specifically addresses how service organizations collect, use, retain, disclose, and dispose of personal information. Do data subjects have rights to opt out of how their information is used? Do they have the ability to file a complaint and get a response on how their information is being utilized? The privacy category ensures that service organizations are handling personal information in accordance with any commitments in their privacy notice, and with standards defined in the generally accepted privacy criteria issued by the AICPA. The privacy category consists of the complete set of common criteria, as well as the following additional criteria:

• Notice and Communication of Objectives Related to Privacy
  • Does the service organization provide notice to data subjects about its privacy practices, as well as communicate when the notice is updated?
• Choice and Consent
  • Does the service organization inform data subjects about the choices available to them in relation to the collection, use, retention, disclosure, or disposal of their personal information?
  • Does the service organization inform data subjects about implicit and explicit consent?
• Collection
  • Does the service organization limit the collection of personal information to that which is necessary to meet business objectives?
  • Does the service organization collect personal information in fair and lawful ways?
  • Does the service organization obtain explicit consent for sensitive information?
• Use, Retention, and Disposal
  • Does the service organization limit the use of personal information only to intended purposes?
  • Does the service organization retain and protect personal information in a way that’s consistent with its business objectives?
  • Does the service organization dispose of personal information in a way that’s consistent with its business objectives?
• Access
  • Does the service organization permit authorized data subjects to access their personal information?
  • Does the service organization correct, amend, or append personal information when data subjects provide updated information?
• Disclosure and Notification
  • Does the service organization only disclose personal information to third parties when it has obtained explicit consent?
  • Does the service organization keep a complete, accurate, and timely record of authorized disclosures of personal information?
  • Does the service organization keep a complete, accurate, and timely record of detected or reported unauthorized disclosures of personal information?
  • Does the service organization obtain privacy commitments from vendors, business partners, and other third parties who have access to personal information?
  • Does the service organization obtain commitments from vendors, business partners, and other third parties to provide notification of suspected or actual unauthorized disclosures of personal information?
  • Does the service organization notify impacted data subjects and other appropriate parties of breaches or incidents?
  • Does the service organization give data subjects an accounting of their personal information held and disclosures of their personal information?
• Quality
  • Does the service organization demonstrate a commitment to collect and maintain accurate, up-to-date, complete, and relevant personal information?
• Monitoring and Enforcement
  • Does the service organization have a process for resolving inquiries, complaints, and disputes from data subjects?
Which Trust Services Criteria Apply to My Organization?

Your organization is not required to address all five of the Trust Services Criteria in your SOC 2 report; however, you should select the categories that are relevant to the services you provide to your clients. Security, availability, processing integrity, confidentiality, and privacy – which apply to your organization?

As a licensed CPA firm, SOC 2 audits are one of our specialties. We deliver hundreds of SOC 2 reports per year and hold the Advanced SOC for Service Organizations certificate. KirkpatrickPrice Information Security Specialists are senior-level experts, holding certifications like CISSP, CISA, and CRISC, to help you maintain SOC 2 compliance. Our audit delivery tool, the Online Audit Manager, streamlines the audit process, helps reduce the complexity of compliance efforts, and gives our clients the ability to combine multiple audit frameworks into one audit. We’ve spent over a decade honing this process so that clients can complete one audit process while receiving multiple reports.

If you’re ready to begin your SOC 2 engagement, connect with us today to receive help in scoping and deciding which of the five Trust Services Criteria apply to your organization.