The AICPA designed the Trust Services Criteria (TSC) to evaluate internal controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems. The criteria were established in 2017 by the AICPA’s Assurance Services Executive Committee (ASEC) for use in SOC 2 audit and consulting engagements. The TSC comprise the following five areas, and each area measures compliance and efficiency within internal controls.
1. Security (Common Criteria) – According to the AICPA, the security criteria (common criteria) establish benchmarks for protecting information and systems against unauthorized access, unauthorized disclosure of information, and damage to systems. Any of these could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect a company’s ability to achieve its objectives.
These criteria also incorporate the COSO framework, which helps organizations implement internal controls so that they operate ethically and in compliance with industry standards. The security (common) criteria act as the foundation for internal controls, on which the additional criteria can be layered.
For example, a common control for achieving the security criteria is that “employees undergo regular security training.” If the privacy criteria are also in scope, we would expect that training to cover privacy topics as well.
2. Availability – According to the AICPA, the availability criteria address whether information and systems are available for operation and accessible to meet an organization’s objectives.
3. Confidentiality – According to the AICPA, the confidentiality criteria are used to ensure that controls are designed to protect confidential information. This is not to be confused with the privacy criteria, which are discussed below.
Instead, confidentiality addresses an organization’s ability to protect information throughout its lifecycle, from collection or creation to final disposition and removal from the company’s control.
Confidential information is information that must be protected through limited access, secure retention and restriction from disclosure. These criteria follow the requirements set out in laws and regulations, or in contracts and agreements that contain commitments made to customers and other stakeholders.
4. Processing Integrity – These criteria measure whether systems process data completely, accurately and in a timely manner to meet a company’s objectives.
According to the AICPA, the processing integrity criteria address whether systems achieve the purpose for which they were provisioned and operate in an unimpaired manner.
5. Privacy – These criteria address whether personal information is collected, used, retained, disclosed and disposed of in a way that meets an organization’s objectives.
The privacy criteria apply only to personal information, whereas confidentiality can apply to various types of sensitive information, as noted above.
Determining Which Trust Services Criteria to Use
Of the five TSC categories, only security (the common criteria) is required. Deciding which of the other categories to include should begin with a scoping exercise in which the organization identifies the relevant servers and system boundaries.
Because SOC 2 reports are intended to provide assurance over an organization’s ability to meet its service commitments, it is helpful for an organization to map out its existing service commitments when selecting the in-scope TSC. This means reviewing service-level commitments, master service agreements, and other contracting vehicles and terms of service.
For example, an organization that commits to system uptime should include the availability criteria. Companies that handle Personally Identifiable Information (PII) should include the privacy criteria.
Identifying Controls for the Trust Services Criteria
Once the scope is established, organizations can begin setting up controls to meet the relevant criteria. Unlike other frameworks, SOC 2 does not prescribe a standard set of controls. Instead, organizations must design and implement controls that satisfy the requirements in the applicable criteria. While specific controls vary, there are common SOC 2 controls that organizations typically implement in each area.
1. Security/The Common Criteria
- Access Controls: Ensure that only authorized users can access systems and data by implementing controls such as multi-factor authentication (MFA) and role-based access control (RBAC), and by reviewing access rights regularly.
- Encryption: Implement encryption for data at rest and in transit to protect sensitive information.
- Firewall and Network Security: Use firewalls, intrusion detection/prevention systems (IDS/IPS) and network segmentation to secure an organization’s network infrastructure.
- Vulnerability Management: Conduct regular vulnerability scans and penetration testing to identify and remediate security weaknesses.
- Endpoint Security: Protect devices (e.g., laptops, servers) with antivirus software, patch management, and endpoint detection and response (EDR) tools.
- Incident Response Plan: Develop a plan to detect, respond to and recover from security incidents. This should include roles and responsibilities, communication protocols, and incident documentation.
2. Availability
- Disaster Recovery Planning: Establish a disaster recovery plan that includes backup procedures, recovery time objectives (RTO) and recovery point objectives (RPO).
- System Monitoring: Implement monitoring tools to track system performance and detect any issues that could impact availability.
- Data Backup Procedures: Regularly back up critical data and store backups securely offsite. Test backups and restore processes periodically.
- Capacity Planning: Monitor system capacity and usage trends to ensure that resources can handle current and anticipated future workloads.
- Service Level Agreements (SLAs): Maintain SLAs to define the expected availability and performance levels for systems and services.
3. Processing Integrity
- Data Validation Checks: Implement validation checks to ensure data integrity, such as verifying input data for accuracy and consistency.
- Transaction Monitoring: Monitor and log transactions to detect any deviations or errors in processing.
- Error Handling Procedures: Establish procedures to detect, correct and document data processing errors.
- Change Management: Control changes to systems and applications to ensure that updates do not negatively affect data processing accuracy. This includes change approvals, testing and documentation.
- Quality Assurance Testing: Perform testing to confirm that system changes meet quality and functionality requirements.
4. Confidentiality
- Data Classification: Classify data based on its sensitivity (e.g., public, internal, confidential) and apply appropriate protection measures.
- Access Restrictions: Limit access to confidential data to individuals with a legitimate business need.
- Data Disposal Policies: Establish procedures for securely disposing of data that is no longer needed, such as data destruction or de-identification.
- Confidentiality Agreements: Require employees, contractors, and vendors to sign confidentiality or non-disclosure agreements (NDAs).
- Secure File Transfer: Use secure methods (e.g., encrypted email, secure file transfer protocols) to share confidential information.
5. Privacy
- Consent Management: Obtain and manage user consent for collecting, processing, and sharing personal data.
- Data Minimization: Limit the collection of personal information to what is necessary for business purposes.
- User Access Requests: Implement procedures to handle user requests to access, update or delete their personal information.
- Data Retention Policies: Establish data retention schedules that specify how long personal information is kept and when it is deleted.
- Privacy Impact Assessments: Conduct assessments to identify potential privacy risks when implementing new systems or processes that involve personal data.
Next Steps
The SOC 2 TSC provide guidance for organizations as they design their controls. Aligning with the TSC helps organizations maintain robust information security practices and be ready for a SOC 2 audit. The team at Sikich can help your organization through the steps of achieving compliance with a SOC 2 audit and the applicable TSC benchmarks. Please contact us to talk about building your TSC framework or enhancing your existing audit processes.