The AICPA Assurance Services Executive Committee (ASEC) has developed a set of criteria (trust services criteria) to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity.
The following presents the trust services criteria and the related points of focus. Criteria and related points of focus that come directly from the COSO framework are identified as such; those added for the trust services criteria are identified as additional points of focus.
CONTROL ENVIRONMENT

CC1.1 (COSO Principle 1): The entity demonstrates a commitment to integrity and ethical values.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Sets the Tone at the Top — The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
• Establishes Standards of Conduct — The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
• Evaluates Adherence to Standards of Conduct — Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
• Addresses Deviations in a Timely Manner — Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.

Additional point of focus specifically related to all engagements using the trust services criteria:
• Considers Contractors and Vendor Employees in Demonstrating Its Commitment — Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.

CC1.2 (COSO Principle 2): The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
• Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
• Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.

Additional point of focus specifically related to all engagements using the trust services criteria:
• Supplements Board Expertise — The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.

CC1.3 (COSO Principle 3): Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
• Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
• Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization.

Additional points of focus specifically related to all engagements using the trust services criteria:
• Addresses Specific Requirements When Defining Authorities and Responsibilities — Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities.
• Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities.

CC1.4 (COSO Principle 4): The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Establishes Policies and Practices — Policies and practices reflect expectations of competence necessary to support the achievement of objectives.
• Evaluates Competence and Addresses Shortcomings — The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.
• Attracts, Develops, and Retains Individuals — The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.
• Plans and Prepares for Succession — Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.

Additional point of focus specifically related to all engagements using the trust services criteria:
COMMUNICATION AND INFORMATION

CC2.1 (COSO Principle 13): The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

The following points of focus, specified in the COSO framework, highlight important characteristics relating to this criterion:
• Identifies Information Requirements — A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives.
• Captures Internal and External Sources of Data — Information systems capture internal and external sources of data.
• Processes Relevant Data Into Information — Information systems process and transform relevant data into information.
• Maintains Quality Throughout Processing — Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.

CC2.2 (COSO Principle 14): The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Communicates Internal Control Information — A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.
• Communicates With the Board of Directors — Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives.
• Communicates System Changes — System changes that affect responsibilities or the achievement of the entity’s objectives are communicated in a timely manner.

CC2.3 (COSO Principle 15): The entity communicates with external parties regarding matters affecting the functioning of internal control.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties.
• Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
• Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
• Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
• Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.

Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality:
• Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.

Additional point of focus that applies only to an engagement using the trust services criteria for privacy:
• Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives.

Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:
• Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation.
• Communicates System Objectives — The entity communicates its system objectives to appropriate external users.
• Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities.
• Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters — External users are provided with information on how to report system failures, incidents, concerns, and other complaints to appropriate personnel.
RISK ASSESSMENT

CC3.1 (COSO Principle 6): The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:

Operations Objectives
• Reflects Management’s Choices — Operations objectives reflect management’s choices about structure, industry considerations, and performance of the entity.
• Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives.
• Includes Operations and Financial Performance Goals — The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
• Forms a Basis for Committing of Resources — Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.

External Financial Reporting Objectives
• Complies With Applicable Accounting Standards — Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
• Considers Materiality — Management considers materiality in financial statement presentation.
• Reflects Entity Activities — External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.

External Nonfinancial Reporting Objectives
• Complies With Externally Established Frameworks — Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.
• Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.
• Reflects Entity Activities — External reporting reflects the underlying transactions and events within a range of acceptable limits.

Internal Reporting Objectives
• Reflects Management’s Choices — Internal reporting provides management with accurate and complete information regarding management’s choices and information needed in managing the entity.
• Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.
• Reflects Entity Activities — Internal reporting reflects the underlying transactions and events within a range of acceptable limits.

Compliance Objectives
• Reflects External Laws and Regulations — Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.
• Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives.

Additional point of focus specifically related to all engagements using the trust services criteria:
• Establishes Sub-objectives to Support Objectives — Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity’s objectives related to reporting, operations, and compliance.
CC3.2 (COSO Principle 7): The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
• Analyzes Internal and External Factors — Risk identification considers both internal and external factors and their impact on the achievement of objectives.
• Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
• Estimates Significance of Risks Identified — Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
• Determines How to Respond to Risks — Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.

Additional points of focus specifically related to all engagements using the trust services criteria:
• Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities — The entity’s risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
• Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity’s risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity’s information systems.
• Considers the Significance of the Risk — The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood.

CC3.3 (COSO Principle 8): The entity considers the potential for fraud in assessing risks to the achievement of objectives.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Considers Various Types of Fraud — The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
• Assesses Incentives and Pressures — The assessment of fraud risks considers incentives and pressures.
• Assesses Opportunities — The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts.
• Assesses Attitudes and Rationalizations — The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.

Additional point of focus specifically related to all engagements using the trust services criteria:
• Considers the Risks Related to the Use of IT and Access to Information — The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.

CC3.4 (COSO Principle 9): The entity identifies and assesses changes that could significantly impact the system of internal control.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Assesses Changes in the External Environment — The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
• Assesses Changes in the Business Model — The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies.
• Assesses Changes in Leadership — The entity considers changes in management and respective attitudes and philosophies on the system of internal control.

Additional points of focus specifically related to all engagements using the trust services criteria:
• Assesses Changes in Systems and Technology — The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment.
• Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships.
MONITORING ACTIVITIES

CC4.1 (COSO Principle 16): The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

The following points of focus highlight important characteristics relating to this criterion:

Points of focus specified in the COSO framework:
• Considers a Mix of Ongoing and Separate Evaluations — Management includes a balance of ongoing and separate evaluations.
• Considers Rate of Change — Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
• Establishes Baseline Understanding — The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.
• Uses Knowledgeable Personnel — Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
• Integrates With Business Processes — Ongoing evaluations are built into the business processes and adjust to changing conditions.
• Adjusts Scope and Frequency — Management varies the scope and frequency of separate evaluations depending on risk.
• Objectively Evaluates — Separate evaluations are performed periodically to provide objective feedback.

Additional point of focus specifically related to all engagements using the trust services criteria:
• Considers Different Types of Ongoing and Separate Evaluations — Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.

CC4.2 (COSO Principle 17): The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The following points of focus, specified in the COSO framework, highlight important characteristics relating to this criterion:
• Assesses Results — Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.
• Communicates Deficiencies — Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
• Monitors Corrective Action — Management tracks whether deficiencies are remedied on a timely basis.
CONTROL ACTIVITIES

CC5.1 (COSO Principle 10): The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

The following points of focus, specified in the COSO framework, highlight important characteristics relating to this criterion:
• Integrates With Risk Assessment — Control activities help ensure that risk responses that address and mitigate risks are carried out.
• Considers Entity-Specific Factors — Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
• Determines Relevant Business Processes — Management determines which relevant business processes require control activities.
• Evaluates a Mix of Control Activity Types — Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
• Considers at What Level Activities Are Applied — Management considers control activities at various levels in the entity.
• Addresses Segregation of Duties — Management segregates incompatible duties and, where such segregation is not practical, management selects and develops alternative control activities.

CC5.2 (COSO Principle 11): The entity also selects and develops general control activities over technology to support the achievement of objectives.

The following points of focus, specified in the COSO framework, highlight important characteristics relating to this criterion:
• Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Control Activities — Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.

CC5.3 (COSO Principle 12): The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

The following points of focus, specified in the COSO framework, highlight important characteristics relating to this criterion:
• Establishes Policies and Procedures to Support Deployment of Management’s Directives — Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.
• Establishes Responsibility and Accountability for Executing Policies and Procedures — Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
• Performs in a Timely Manner — Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.
• Takes Corrective Action — Responsible personnel investigate and act on matters identified as a result of executing control activities.
• Performs Using Competent Personnel — Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
• Reassesses Policies and Procedures — Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary.
Logical and Physical Access Controls | |
CC6.1 | The entity implements logical access security software, infrastructure, and architectures over pro- tected information assets to protect them from security events to meet the entity’s objectives. |
The following points of focus, specifically related to all engagements using the trust services cri- teria, highlight important characteristics relating to this criterion: | |
• Identifies and Manages the Inventory of Information Assets — The entity identifies, |
inventories, classifies, and manages information assets. | |
• Restricts Logical Access — Logical access to information assets, including hard- ware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. | |
• Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. | |
• Considers Network Segmentation — Network segmentation permits unrelated por- tions of the entity’s information system to be isolated from each other. | |
• Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and man- aged. The types of individuals and systems using each point of access are identified, documented, and managed. | |
• Restricts Access to Information Assets — Combinations of data classification, sepa- rate data structures, port restrictions, access protocol restrictions, user identifica- tion, and digital certificates are used to establish access-control rules for infor- mation assets. | |
• Manages Identification and Authentication — Identification and authentication re- quirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. | |
• Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to be- ing granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | |
• Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropri- ate based on assessed risk. | |
• Protects Encryption Keys — Processes are in place to protect encryption keys dur- ing generation, storage, use, and destruction. | |
CC6.2 | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Controls Access Credentials to Protected Assets — Information asset access credentials are created based on an authorization from the system’s asset owner or authorized custodian. | |
• Removes Access to Protected Assets When Appropriate — Processes are in place to remove credential access when an individual no longer requires such access. | |
• Reviews Appropriateness of Access Credentials — The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials. | |
CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Creates or Modifies Access to Protected Information Assets — Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. | |
• Removes Access to Protected Information Assets — Processes are in place to remove access to protected information assets when an individual no longer requires access. | |
• Uses Role-Based Access Controls — Role-based access control is utilized to support segregation of incompatible functions. | |
• Reviews Access Roles and Rules — The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access, and access rules are modified as appropriate. | |
CC6.4 | The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Creates or Modifies Physical Access — Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system’s asset owner. | |
• Removes Physical Access — Processes are in place to remove access to physical resources when an individual no longer requires access. | |
• Reviews Physical Access — Processes are in place to periodically review physical access to ensure consistency with job responsibilities. | |
CC6.5 | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Identifies Data and Software for Disposal — Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable. | |
• Removes Data and Software From Entity Control — Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable. | |
CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. | |
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. | |
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. | |
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. | |
CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. | |
• Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. | |
• Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. | |
• Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets. | |
CC6.8 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. | |
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. | |
• Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. | |
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. | |
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. | |
System Operations | |
CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Uses Defined Configuration Standards — Management has defined configuration standards. | |
• Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity’s objectives. | |
• Implements Change-Detection Mechanisms — The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. | |
• Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components. | |
• Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. | |
CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Implements Detection Policies, Procedures, and Tools — Detection policies and procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. | |
• Designs Detection Measures — Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. | |
• Implements Filters to Analyze Anomalies — Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events. | |
• Monitors Detection Tools for Effective Operation — Management has implemented processes to monitor the effectiveness of detection tools. | |
CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Responds to Security Incidents — Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. | |
• Communicates and Reviews Detected Security Events — Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. | |
• Develops and Implements Procedures to Analyze Security Incidents — Procedures are in place to analyze security incidents and determine system impact. | |
Additional points of focus that apply only in an engagement using the trust services criteria for privacy: | |
• Assesses the Impact on Personal Information — Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. | |
• Determines Personal Information Used or Disclosed — When an unauthorized use or disclosure of personal information has occurred, the affected information is identified. | |
CC7.4 | The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Assigns Roles and Responsibilities — Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. | |
• Contains Security Incidents — Procedures are in place to contain security incidents that actively threaten entity objectives. | |
• Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects of ongoing security incidents. | |
• Ends Threats Posed by Security Incidents — Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. | |
• Restores Operations — Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. | |
• Develops and Implements Communication Protocols for Security Incidents — Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity’s objectives. | |
• Obtains Understanding of Nature of Incident and Determines Containment Strategy — An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. | |
• Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated through the development and execution of remediation activities. | |
• Communicates Remediation Activities — Remediation activities are documented and communicated in accordance with the incident-response program. | |
• Evaluates the Effectiveness of Incident Response — The design of incident-response activities is evaluated for effectiveness on a periodic basis. | |
• Periodically Evaluates Incidents — Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. | |
Additional points of focus that apply only in an engagement using the trust services criteria for privacy: | |
• Communicates Unauthorized Use and Disclosure — Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. | |
• Application of Sanctions — The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements. | |
CC7.5 | The entity identifies, develops, and implements activities to recover from identified security incidents. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. | |
• Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). | |
• Determines Root Cause of the Event — The root cause of the event is determined. | |
• Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. | |
• Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. | |
• Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. | |
Change Management | |
CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. | |
• Authorizes Changes — A process is in place to authorize system changes prior to development. | |
• Designs and Develops Changes — A process is in place to design and develop system changes. | |
• Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. | |
• Tracks System Changes — A process is in place to track system changes prior to implementation. | |
• Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. | |
• Tests System Changes — A process is in place to test system changes prior to implementation. | |
• Approves System Changes — A process is in place to approve system changes prior to implementation. | |
• Deploys System Changes — A process is in place to implement system changes. | |
• Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. | |
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. | |
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. | |
• Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). | |
Additional points of focus that apply only in an engagement using the trust services criteria for confidentiality: | |
• Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. | |
Additional points of focus that apply only in an engagement using the trust services criteria for privacy: | |
• Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. | |
Risk Mitigation | |
CC9.1 | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Considers Mitigation of Risks of Business Disruption — Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes, information, and communications to meet the entity’s objectives during response, mitigation, and recovery efforts. | |
• Considers the Use of Insurance to Mitigate Financial Impact Risks — The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives. | |
CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: | |
• Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. | |
• Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity’s objectives. | |
• Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. | |
• Establishes Communication Protocols for Vendors and Business Partners — The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. | |
• Establishes Exception Handling Procedures From Vendors and Business Partners — The entity establishes exception handling procedures for service or product issues related to vendors and business partners. | |
• Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners. | |
• Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships. | |
• Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships. | |
Additional points of focus that apply only to an engagement using the trust services criteria for confidentiality: | |
• Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. | |
• Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. | |
Additional points of focus that apply only to an engagement using the trust services criteria for privacy: | |
• Obtains Privacy Commitments from Vendors and Business Partners — The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. | |
• Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary. | |
ADDITIONAL CRITERIA FOR AVAILABILITY | |
A1.1 | The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
The following points of focus, which apply only to an engagement using the trust services criteria for availability, highlight important characteristics relating to this criterion: | |
• Measures Current Usage — The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints. | |
• Forecasts Capacity — The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. | |
• Makes Changes Based on Forecasts — The system change management process is initiated when forecasted usage exceeds capacity tolerances. | |
A1.2 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. |
The following points of focus, which apply only to an engagement using the trust services availability criteria, highlight important characteristics relating to this criterion: | |
• Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. | |
• Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. | |
• Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. | |
• Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. | |
• Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptible power system and generator backup subsystem). | |
• Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. | |
• Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. | |
• Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. | |
• Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. | |
• Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. | |
A1.3 | The entity tests recovery plan procedures supporting system recovery to meet its objectives. |
The following points of focus, which apply only to an engagement using the trust services criteria for availability, highlight important characteristics relating to this criterion: | |
• Implements Business Continuity Plan Testing — Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. | |
• Tests Integrity and Completeness of Backup Data — The integrity and completeness of backup information is tested on a periodic basis. | |
ADDITIONAL CRITERIA FOR CONFIDENTIALITY | |
C1.1 | The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. |
The following points of focus, which apply only to an engagement using the trust services criteria for confidentiality, highlight important characteristics relating to this criterion: | |
• Identifies Confidential Information — Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained. | |
• Protects Confidential Information From Destruction — Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information. | |
C1.2 | The entity disposes of confidential information to meet the entity’s objectives related to confidentiality. |
The following points of focus, which apply only to an engagement using the trust services criteria for confidentiality, highlight important characteristics relating to this criterion: | |
• Identifies Confidential Information for Destruction — Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached. | |
• Destroys Confidential Information — Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction. | |
ADDITIONAL CRITERIA FOR PROCESSING INTEGRITY (OVER THE PROVISION OF SERVICES OR THE PRODUCTION, MANUFACTURING, OR DISTRIBUTION OF
GOODS) |
|
PI1.1 | The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. |
The following points of focus, which apply only to an engagement using the trust services criteria for processing integrity, highlight important characteristics relating to this criterion: | |
• Identifies Information Specifications — The entity identifies information specifications required to support the use of products and services. | |
• Defines Data Necessary to Support a Product or Service — When data is provided as part of a service or product or as part of a reporting obligation related to a product or service:
1. The definition of the data is available to the users of the data.
2. The definition of the data includes the following information:
a. The population of events or instances included in the data
b. The nature of each element (for example, field) of the data (that is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for the last trade in that stock on a given day)
c. Source(s) of the data
d. The unit(s) of measurement of data elements (for example, fields)
e. The accuracy/correctness/precision of measurement
f. The uncertainty or confidence interval inherent in each data element and in the population of those elements
g. The date the data was observed or the period of time during which the events relevant to the data occurred
h. The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements and population
3. The definition is complete and accurate.
4. The description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose (metadata) that has not been included within the data. | |
The following point of focus, which applies only to an engagement using the trust services criteria for processing integrity for a system that produces, manufactures, or distributes products, highlights important characteristics relating to this criterion: | |
• Defines Information Necessary to Support the Use of a Good or Product — When information provided by the entity is needed to use the good or product in accordance with its specifications:
1. The required information is available to the user of the good or product.
2. The required information is clearly identifiable.
3. The required information is validated for completeness and accuracy. | |
PI1.2 | The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives. |
The following points of focus, which apply only to an engagement using the trust services criteria for processing integrity, highlight important characteristics relating to this criterion: | |
• Defines Characteristics of Processing Inputs — The characteristics of processing inputs that are necessary to meet requirements are defined. | |
• Evaluates Processing Inputs — Processing inputs are evaluated for compliance with defined input requirements. | |
• Creates and Maintains Records of System Inputs — Records of system input activities are created and maintained completely and accurately in a timely manner. | |
PI1.3 | The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. |
The following points of focus, which apply only to an engagement using the trust services criteria for processing integrity, highlight important characteristics relating to this criterion: | |
• Defines Processing Specifications — The processing specifications that are necessary to meet product or service requirements are defined. | |
• Defines Processing Activities — Processing activities are defined to result in products or services that meet specifications. | |
• Detects and Corrects Production Errors — Errors in the production process are detected and corrected in a timely manner. | |
• Records System Processing Activities — System processing activities are recorded completely and accurately in a timely manner. | |
• Processes Inputs — Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities. | |
PI1.4 | The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives. |
The following points of focus, which apply only to an engagement using the trust services criteria for processing integrity, highlight important characteristics relating to this criterion: | |
• Protects Output — Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications. | |
• Distributes Output Only to Intended Parties — Output is distributed or made available only to intended parties. | |
• Distributes Output Completely and Accurately — Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output. | |
• Creates and Maintains Records of System Output Activities — Records of system output activities are created and maintained completely and accurately in a timely manner. | |
PI1.5 | The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives. |
The following points of focus, which apply only to an engagement using the trust services criteria for processing integrity, highlight important characteristics relating to this criterion: | |
• Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications. | |
• Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. | |
• Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data. | |
• Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner. | |
ADDITIONAL CRITERIA FOR PRIVACY | |
P1.0 | Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy |
P1.1 | The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Communicates to Data Subjects — Notice is provided to data subjects regarding the following:
— Purpose for collecting personal information
— Choice and consent
— Types of personal information collected
— Methods of collection (for example, use of cookies or other tracking techniques)
— Use, retention, and disposal
— Access
— Disclosure to third parties
— Security for privacy
— Quality, including data subjects’ responsibilities for quality
— Monitoring and enforcement
If personal information is collected from sources other than the individual, such sources are described in the privacy notice. | |
• Provides Notice to Data Subjects — Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified. | |
• Covers Entities and Activities in Notice — An objective description of the entities and activities covered is included in the entity’s privacy notice. | |
• Uses Clear and Conspicuous Language — The entity’s privacy notice is conspicuous and uses clear language. | |
P2.0 | Privacy Criteria Related to Choice and Consent |
P2.1 | The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Communicates to Data Subjects — Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise. | |
• Communicates Consequences of Denying or Withdrawing Consent — When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice. | |
• Obtains Implicit or Explicit Consent — Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual’s preferences expressed in his or her consent are confirmed and implemented. | |
• Documents and Obtains Consent for New Purposes and Uses — If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose. | |
• Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise. | |
• Obtains Consent for Data Transfers — Consent is obtained before personal information is transferred to or from an individual’s computer or other similar device. | |
P3.0 | Privacy Criteria Related to Collection |
P3.1 | Personal information is collected consistent with the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Limits the Collection of Personal Information — The collection of personal information is limited to that necessary to meet the entity’s objectives. | |
• Collects Information by Fair and Lawful Means — Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information. | |
• Collects Information From Reliable Sources — Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully. | |
• Informs Data Subjects When Additional Information Is Acquired — Data subjects are informed if the entity develops or acquires additional information about them for its use. | |
P3.2 | For information requiring explicit consent, the entity communicates the need for such consent as well as the consequences of a failure to provide consent for the request for personal information and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy. | |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise. | |
• Documents Explicit Consent to Retain Information — Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy. | |
P4.0 | Privacy Criteria Related to Use, Retention, and Disposal |
P4.1 | The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy. |
The following point of focus, which applies only to an engagement using the trust services criteria for privacy, highlights important characteristics relating to this criterion: | |
• Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise. | |
P4.2 | The entity retains personal information consistent with the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Retains Personal Information — Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise. | |
• Protects Personal Information — Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information. | |
P4.3 | The entity securely disposes of personal information to meet the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Captures, Identifies, and Flags Requests for Deletion — Requests for deletion of personal information are captured and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy. | |
• Disposes of, Destroys, and Redacts Personal Information — Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. | |
• Destroys Personal Information — Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction. | |
P5.0 | Privacy Criteria Related to Access |
P5.1 | The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Authenticates Data Subjects’ Identity — The identity of data subjects who request access to their personal information is authenticated before they are given access to that information. | |
• Permits Data Subjects Access to Their Personal Information — Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information. | |
• Provides Understandable Personal Information Within Reasonable Time — Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any. | |
• Informs Data Subjects If Access Is Denied — When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation. | |
P5.2 | The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Communicates Denial of Access Requests — Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation. | |
• Permits Data Subjects to Update or Correct Personal Information — Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objectives related to privacy. | |
• Communicates Denial of Correction Requests — Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal. | |
P6.0 | Privacy Criteria Related to Disclosure and Notification |
P6.1 | The entity discloses personal information to third parties with the explicit consent of data subjects and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Communicates Privacy Policies to Third Parties — Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed. | |
• Discloses Personal Information Only When Appropriate — Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise. | |
• Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. | |
• Discloses Information to Third Parties for New Purposes and Uses — Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects. | |
P6.2 | The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy. |
The following point of focus, which applies only to an engagement using the trust services criteria for privacy, highlights important characteristics relating to this criterion: | |
• Creates and Retains Record of Authorized Disclosures — The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely. | |
P6.3 | The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy. |
The following point of focus, which applies only to an engagement using the trust services criteria for privacy, highlights important characteristics relating to this criterion: | |
• Creates and Retains Record of Detected or Reported Unauthorized Disclosures — The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely. | |
P6.4 | The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. | |
• Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. | |
P6.5 | The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident-response procedures to meet the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. | |
• Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information. | |
P6.6 | The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. | |
• Provides Notice of Breaches and Incidents — The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy. | |
P6.7 | The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Identifies Types of Personal Information and Handling Process — The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. | |
• Captures, Identifies, and Communicates Requests for Information — Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy. | |
P7.0 | Privacy Criteria Related to Quality |
P7.1 | The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Ensures Accuracy and Completeness of Personal Information — Personal information is accurate and complete for the purposes for which it is to be used. | |
• Ensures Relevance of Personal Information — Personal information is relevant to the purposes for which it is to be used. | |
P8.0 | Privacy Criteria Related to Monitoring and Enforcement |
P8.1 | The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner. |
The following points of focus, which apply only to an engagement using the trust services criteria for privacy, highlight important characteristics relating to this criterion: | |
• Communicates to Data Subjects — Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. | |
• Addresses Inquiries, Complaints, and Disputes — A process is in place to address inquiries, complaints, and disputes. | |
• Documents and Communicates Dispute Resolution and Recourse — Each complaint is addressed and the resolution is documented and communicated to the individual. | |
• Documents and Reports Compliance Review Results — Compliance with objectives related to privacy is reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. | |
• Documents and Reports Instances of Noncompliance — Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. | |
• Performs Ongoing Monitoring — Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. | |
BOTTOM LINE
While meeting the AICPA’s reporting guidelines, we customize your report, including an executive summary that highlights critical information that is most important to your customers. The remainder of the report is organized by topical areas so that stakeholders can easily find details when needed.
E Secure 360 is recognized as one of the market leaders in security, privacy, and internal control services. We have a dedicated practice of risk and control specialists with deep industry focus and experience. The E Secure 360 opinion stating that your operating controls meet SOC 2 standards is likely to reinforce customer confidence in your company.