The AICPA recently released an exposure draft of the proposed revisions to the Trust Services Principles and Criteria. The most significant change in the proposed revisions is the integration of the privacy principles and criteria into the common criteria.
At the time of the last update to the Trust Services Principles and Criteria, which became effective in 2014, the Privacy Principle remained untouched and was not restructured into the same common criteria and principle-specific incremental criteria as the other four principles: Security, Confidentiality, Availability and Processing Integrity. As a result, service organizations’ issuing Service Organization Control (SOC) 2 reports addressing the Privacy principle continued to utilize the Generally Accepted Privacy Principles (GAPP) as the criteria, and experience redundancy and inefficiencies within their SOC examination and reporting processes as a result.
This change will make Service Organization Control (SOC) reports covering privacy more streamlined and consistent with the updated common criteria that became effective in 2014. It also clarifies the common criteria’s security underpinnings as important to achieving the privacy criteria.
Most of the other changes to the principles and criteria serve to clarify the existing intent of the common criteria.
One of the significant changes throughout the criteria is a focus on strengthened service organization requirements for vendor management and monitoring. For example, Privacy Criteria P6.6 states,
“Unauthorized disclosures of personal information by vendors and other third parties, including breaches, are identified, reported to appropriate personnel, and acted on in accordance with the entity's established incident response procedures, privacy commitments, and system requirements.”
This criteria appears to set a high standard for organizations, as it can be difficult for service organizations to monitor at this level the activities of a third party.
Service organizations should start planning and evaluating now for sufficient vendor management programs to meet the proposed criteria changes and, if current programs are not sufficient, augment their controls where necessary.
We encourage our clients to comment on the exposure draft. The exposure draft and instructions for submitting comments are available online. Comments are requested by August 15, 2015.
For more information on the Trust Services Principles and Criteria or SOC reporting, or learn how Baker Tilly specialists can help, contact our team.