The American Institute of Certified Public Accountants recently updated the criteria for the Trust Services Principles (TSP) related to security, availability, processing integrity, and confidentiality (most commonly reported out using SOC 2 and SOC 3). AICPA Assurance Services Executive Committee (ASEC) published the updated TSP in their latest guidance (note: the documentation is available for purchase, but the content is available as part of a ZenGRC subscription). Reporting periods ending on or after December 15, 2016 will be required to use the updated guidance, though early implementation is permitted. The revisions look to further clarify the criteria and eliminate redundancy—continuing the changes made in late 2014—and reflect how rapidly the technology and business environments are changing.
What exactly is changing?
The changes enacted in 2014 overhauled the 2009 TSPs by creating Common Criteria (CC) which apply to all of the principles as well as specific, incremental criteria for the Availability (A), Processing Integrity (PI), and Confidentiality (C) principles. The 2014 changes excluded updates to the original privacy principle, however, and the current update is designed to remove those redundant, legacy privacy criteria.
The three most significant changes in this round include:
- Restructured privacy criteria. The updates present additional criteria for the privacy principle that include illustrative risks and controls related to privacy (e.g., notice, choice and consent, collection, use, retention, disposal, access, disclosure, notification, quality, monitoring, and enforcement). You can still leverage the Generally Accepted Privacy Principles as a management framework for protection and management of personal information.
- Calling out risk management. The 2016 version calls for more specific risk management practices than the previous version. This includes third-party risks, customer-identified risks, and an emphasis on having processes in place to address risks that are identified internally.
- New confidentiality criteria. The updates also require a more robust emphasis on the data lifecycle, with a specific focus on the requirements for retaining and disposing of confidential data.
What do these changes mean for you?
The good news is these changes won’t require too many adjustments for most organizations. They’re largely cosmetic, and in the end, they’ll make reporting easier. To prepare for the updates, be sure to review your current exchanges and reports. Organizations that report on the privacy principle will find these updates allow for greater clarity, as this is typically the most complex principle for organizations with geographically diverse users.
The changes also recognize the continued need to evolve risk management practices, and they are a good reminder for organizations to enhance their risk management practices. You can expect more significant changes for TSPs in the coming years with the continued demand to better address cybersecurity risks. Stayed tuned for more to come.
If you are a current Reciprocity customer, please email your Reciprocity Customer Success Manager (email@example.com), for support if you have any questions.