Trust Services Principles Information
Selecting the correct Principles for your report involves some art and some science. The selection relates to the types of services that you offer, the commitments that you make to your customers as well as what your customers want to have assurance of you performing.
The system is protected against unauthorized access (both physical and logical).
The Security Principle is inherent to all of the Trust Services Principles and is included within the common criteria that are evaluated for Confidentiality, Availability and Processing Integrity. If you are getting a SOC 2 report, then it will minimally contain the Security Principle.
Information designated as confidential is protected as committed or agreed.
The Confidentiality Principle is selected when your company obtains access to your customer’s confidential information as part of the services that you perform. One of the main review areas for this Principle is how your systems and processes keep your customer information segregated so that one customer’s data is not exposed to another customer, especially within multi-tenant environments.
The system is available for operation as committed or agreed.
The Availability Principle is selected when your company has significant commitments to the availability of its services to your customers. Review areas include your company’s monitoring processes for system availability, your Business Continuity and Disaster Recovery Planning processes, data backup and restoration processes and the design and implementation of a resilient system design.
System processing is complete, accurate, timely and authorized.
The Processing Integrity Principle is selected when your company processes transactions on behalf of your customers and they have an interest in the completeness, accuracy and timeliness of your transaction processing services. Review areas are typically tailored to the types of transactions that you are processing on your customer’s behalf, and will typically include inputs to the system, processing steps performed by the system and system outputs.
Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Acceptable Privacy Principles (GAPP).
The Privacy Principle is selected when your company collects Personally Identifiable Information (PII) from users of its services. As this Principle aligns with GAPP, it is approached in a very different manner than the other Principles. One of the common misconceptions in wanting to select Privacy is that the scope of the Principle is intended to address data that your company collects directly from individuals. If your company is receiving PII from your customer (that is a business), then the PII is considered confidential information and is more appropriate to be reviewed using the Confidentiality Principle.