In recent years, the AICPA has updated what is involved in a SOC 2 examination. The criteria were previously called Trust Services Principles, or Trust Services Principles and Criteria; the AICPA has since dropped “Principles” and now calls them Trust Services Criteria (TSC).
The updated trust services criteria are required for any report issued on or after December 15, 2018. For 2020, any reports should reference and map to the 2017 trust services criteria.
In this article, we outline the trust services criteria and provide a clear explanation for exactly what each one means.
The Trust Services Framework
Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five TSCs. They are as follows:
- Security
- Availability
- Confidentiality
- Privacy
- Processing Integrity
Now let’s take a look at each one.
1. Security
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.”
The security principle refers to the protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of any software, and improper alteration or disclosure of information.
2. Availability
“Information and systems are available for operation and use to meet the entity’s objectives. Availability refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers.”
Availability is a commonly included TSC since providing evidence that systems are available for operation is key to many clients of service organizations. What it boils down to is the reliability of your systems.
Most MSPs will have contractual requirements or service level agreements (SLAs) in place around the services being provided. So, it’s a commonly included TSC in any SOC 2 audit.
3. Confidentiality
“Information designated as confidential is protected to meet the entity’s objectives.”
Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organizations. In practice, this means:
- Locking and securing paper documents
- Using only approved business software for storing and processing confidential information
- Shredding paper documents when no longer needed
- Enforcing a clean desk and clean screen policy
4. Privacy
“Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”
It’s common to struggle with the difference between privacy and confidentiality. The difference between the two is that privacy controls protect personal information (name, social security number, address, etc.), while confidentiality protects non-personal information and data that is still classified as “confidential.”
This graphic from PwC provides a simple but thorough run-through of the eight categories that the privacy criteria are organized around.
5. Processing Integrity
“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”
Is information processed appropriately by your systems? In other words, the processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time).
Organizations like MSPs that provide tech services and systems to third parties will have heard about SOC 2.
The overall framework and end goal are simple: it’s designed to ensure that you process information securely.
If you’re required to pass a SOC 2 audit to partner with or provide services to other companies, you’re going to want to understand the SOC 2 TSCs in more detail. We hope this provides a solid jumping-off point.