The AICPA just released an updated version of TSP Section 100. The update amends TSP Section 100 and supersedes Appendix C of TSP Section 100A, which relates to the Generally Accepted Privacy Principles. Below is an overview of all of the updates:
- Revamped Privacy Principle
- Clarification to some of the non-privacy criteria
- 3 was combined with CC3.1 along with other updates to the criteria in CC3.0
- New confidentiality criteria
- Clarification on the Confidentiality Principle versus the Privacy Principle
- Clarifications to paragraphs .03 through .15 of TSP Section 100
The major change is to the Privacy Principle. The changes remove redundancy in the criteria that are also found within the Security Principle. Now the privacy criteria will comprise both the common criteria from the Security Principle and the privacy criteria. The AICPA has also added illustrative risks, similar to the other principles, that might prevent the privacy criteria from being met, and illustrative controls to address the risks.
The AICPA further clarified that with these additions, the common criteria should be applied regardless of the principles included in the scope of the SOC 2 examination.
You can get the new TSP Section 100 at the AICPA Store.
About the Author
Debbie Zaller is a Principal at Schellman & Company, LLC. Debbie leads the SOC 2 and SOC 3 service line and is also an AICPA SOC Specialist. Debbie has over 15 years of IT attestation experience and currently spearheads Schellman’s SOC 2 practice, where she is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee.