In late 2014, the American Institute of Certified Public Accountants updated the criteria for the Trust Services Principles related to security, availability, processing integrity, and confidentiality (most commonly reported out using SOC 2 and SOC 3).
Soon, there will be even more updates as proposed in the recent exposure draft.
The AICPA’s planned revisions will look to further clarify the criteria and eliminate redundancy while reflecting how much change is occurring in the technology and business environments. These changes may initially seem like a lot of added work on your end, but they are necessary improvements that will actually make your life easier once they go into effect in spring 2016.
What exactly is changing?
The changes enacted in 2014 overhauled the 2009 TSPs by creating criteria common to all of the principles (CC) as well as specific, incremental criteria for the availability principle (A), the processing integrity principle (PI), and the confidentiality principle (C).
However, the 2014 changes excluded any updates to the privacy principle. So, the next set of updates will strip out redundant legacy privacy criteria until only the incremental criteria are left.
The three most significant changes proposed in this round include:
- Restructured privacy criteria. The updates present additional criteria for the privacy principle that include illustrative risks and controls related to privacy (e.g., notice, choice and consent, collection, use, retention, disposal, access, disclosure, notification, quality, monitoring, and enforcement). The Generally Accepted Privacy Principles can still be leveraged as a management framework for protection and management of personal information.
- Calling out risk management. The 2016 version calls for more specific risk management practices than before. This includes third-party risks, customer-identified risks, and an emphasis on having processes in place to address risks that are identified internally.
- New confidentiality criteria. The updates also require a more robust emphasis on the data lifecycle to specifically call out confidential data retention and disposal commitments and requirements.
What do these changes mean for you?
Changing up your routine can be annoying, but these updates are good news and won’t require too many adjustments on your end. They’re largely cosmetic, and in the end, they’ll only make reporting easier.
To prepare for the updates, be sure to review your current exchanges and reports. Don’t be afraid to ask for help. If you aren’t already reporting on privacy, you might want to consider beginning to do so if you gather personal information directly from end users. And if you’re already doing a SOC report, these updates will make it easier to add to what you’re already doing.
The 2016 updates will allow for greater clarity for organizations that report on the privacy principle as this is typically the most complex principle for organizations with geographically diverse users.
The changes also recognize the continued need to evolve risk management practices, and they are a good reminder for organizations to evaluate their own risk management methods. Are you just blocking and tackling your way through security? Are you merely compliance driven? Or are you truly being proactive in managing your risks and your third-party risks? Reflect and act upon these questions in addition to reviewing the changing criteria.
These changes are expected to go into effect for reporting periods ending on or after March 15, 2016, but there’s no point in waiting until then to take action. Early adoption is permitted, and doing so will ensure a smooth transition.