In January, the AICPA Assurance Services Executive Committee (ASEC) released the revised version of the Trust Services Principles and Criteria (TSP). The new 2014 version of the TSP, now referenced as TSP Section 100, supersedes the 2009 version and is mandatory for examination periods ending on or after December 15, 2014. With these new modifications enacted, the AICPA offers significant changes for auditors, partners, customers, and regulators to bring confidentiality and security measures in line with current security concerns worldwide. While no specific changes have been finalized for the Privacy Principle criteria, major changes to the non-privacy principles include changes in definitions, an all-encompassing Security principle, and updated risk definitions. By compartmentalizing the security principle into seven unique categories, the AICPA increases the relevance of these documents for stakeholders by providing increased organizational oversight and corporate governance, a comprehensive risk management processes, and increased regulatory oversight. BrightLine reviewed the changes and below is a synopsis of the major changes:
The New Security Principle
One major difference is that the Security Principle is now comprised of “Criteria Common to All Principles.” The Common Criteria are applicable to four of the five TSPs, known as the non-privacy principles, and are addressed only once in the report, rather than each principle addressing portions of common criteria, allowing for greater efficiency in the report. As a result, all SOC 2 examinations performed under the new standards must couple the Security Principle with any non-privacy principle. For instance, a SOC 2 that includes the Availability Principle must also include the Security Principle. Prior to the 2014 updated TSP Section 100, just one of the four non-privacy principles could be included in scope.
The Security Principle was restructured into the following seven categories:
- Organization and management
The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.
The criteria relevant to how the organization communicates its policies, processes, procedures, commitments, and requirements to authorized users and other parties of the system and the obligations of those parties and users to the effective operation of the system.
- Risk management and design and implementation of controls
The criteria relevant to how the entity (i) identifies potential risks that would affect the entity’s ability to achieve its objectives, (ii) analyzes those risks, (iii) develops responses to those risks including the design and implementation of controls and other risk mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process.
- Monitoring of controls
The criteria relevant to how the entity monitors the system, including the suitability, and design and operating effectiveness of the controls, and takes action to address deficiencies identified.
- Logical and physical access controls
The criteria relevant to how the organization restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.
- System operations
The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.
- Change management
The criteria relevant to how the organization identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made to meet the criteria for the principle(s) addressed in the engagement.
The other non-privacy principles, Availability, Processing Integrity, and Confidentiality, have also been modified to include criteria that is only applicable the specific principle. This greatly reduces the redundancies found in the old TSPs when more than one non-privacy principle was in scope for the SOC 2 examination.
TSP Section 100 now includes modifications, or clarifications, to the definitions of the four non-privacy principles. The definitions listed below include these modifications:
- Security: The system is protected against unauthorized access, use, or modification
- Availability: The system is available for operation and use as committed or agreed
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected as committed or agreed
- Privacy: The system’s collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.
Risk Definitions For Each Criterion
The new TSPs include illustrative risks that each criterion will not be met. In addition, the new TSPs include illustrative controls designed to mitigate the risk that the criterion will not be met. The illustrative controls are nothing new for the TSPs; however, the combination of the illustrative risks and controls helps define the intent of the criteria. These illustrations are meant as a guide and will vary for each service organization environment.
Currently No Changes to The Privacy Principle
While the Privacy Principle criteria are undergoing modification, they have not yet been modified and remain the same as the criteria within the current GAPP framework. The GAPP management framework does not use the common criteria structure found in the new TSP Section 100 Security Principle for organizing the criteria.
As stated above, the AICPA requires these changes to be in place for all SOC 2 and SOC 3 examinations with reporting periods ending on or after December 15, 2014. Early adoption is permitted and encouraged, as the introduction of the Common Criteria dramatically improves the reporting and examination process. Remember, the importance of the SOC 2 reporting will only continue to increase as organizations continue to outsource internal services. This trend shows no sign of slowing down particularly in industries such as Cloud technology and Software-as-a-Service (SaaS) expands at an increasing rate annually. It is vital that organizations provide evidence to their clients that confidential information remains safely guarded at all times.
About the AuthorMore Content by Debbie Zaller