
30 May 2019
Information Security

What is the SOC 2 trust services criteria?

SOC 2 compliance is demonstrated by an attestation in a SOC 2 report (it is not a certification). The report must be issued by a Certified Public Accountant (CPA) who is a member of the American Institute of Certified Public Accountants (AICPA).

The format of the SOC 2 Report is determined by the AICPA and is structured as follows:

  • Opinion letter
  • Management's assertion
  • Description of the system
  • Description of tests of controls and results of testing

What is COSO and how does it relate to SOC 2?

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) is an initiative of five private North American organisations, including the AICPA, which outlines the 17 Principles of Internal Audit Control. These principles are the basis for the Trust Services Criteria that are audited against as part of the SOC 2 attestation assessment.

Trust Services Categories

When determining the scope of the SOC 2 attestation there are five trust services categories to choose from:

  • Security
  • Confidentiality
  • Processing Integrity
  • Availability
  • Privacy

Trust Services Criteria and Expected Evidence

An organisation can select which of the categories it wants to include in scope; this selection determines the criteria used in the attestation assessment, which are outlined on pages 10-168 of the Trust Services Criteria document published by the AICPA. If all five categories are selected as in scope, the number of criteria to be assessed is around 185. Examples of the criteria, the requirements they translate into, and the evidence an auditor would expect to see include:

Security

| Principle / Trust Services Criteria | Requirement | Evidence Required |
| --- | --- | --- |
| COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values (Trust Services Criteria CC1.1) | Upon hire, employees must acknowledge a code of conduct describing the responsibilities and expected behaviour with regard to data and information system usage. | Example employee code of conduct acknowledgement |
| | Employees are required to sign a confidentiality agreement upon hire. This agreement prohibits any disclosure of information and other data to which the employee has been granted access. | Example signed employee confidentiality agreement |
| | Managers are required to complete performance appraisals for direct reports at least annually. | Performance appraisals for an example employee (evidence should show performance assessed against the rules of behaviour) |
| | Employees and contractors who violate the code of conduct are subject to disciplinary actions documented in a formalised sanctions policy. | Code of conduct and employee sanctions policy |
| CC6.7: The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. | A Mobile Device Management (MDM) system is in place to centrally manage mobile devices supporting the service. | Evidence of a centrally managed mobile device management system |
| | Portable and removable media devices are encrypted when used. | Evidence of encryption on portable and removable media devices |
| CC6.8: The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. | Anti-malware technology is deployed for environments commonly susceptible to malicious attack and is configured to be updated routinely, logged, and installed on all relevant production servers. | Screenshot of anti-malware configuration (scan schedule, virus definition update schedule, notification configuration, and an example alert notification) |
| | Infrastructure supporting the service is patched as part of routine maintenance and in response to identified vulnerabilities, to help ensure servers supporting the service are hardened against security threats. | Evidence of the most recent security patches applied to the in-scope environment |
| | A File Integrity Monitoring (FIM) tool is used to notify system administrators of potential unauthorized changes to the production system. | File integrity monitoring configuration dashboard, alert configuration, and an example alert |


Confidentiality

| Principle / Trust Services Criteria | Requirement | Evidence Required |
| --- | --- | --- |
| C1.1: The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. | Confidential or sensitive customer data is prohibited, by policy, from being used or stored in non-production systems/environments. | Policy prohibiting the storage of production data in non-production systems |


Processing Integrity

| Principle / Trust Services Criteria | Requirement | Evidence Required |
| --- | --- | --- |
| PI1.2: The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. | System logic is coded into the system that generates on-screen alerts in the event that there are any issues when inputting or processing transactions. | Observation of on-screen error alerts during data entry |
| | For instances when a card number is manually typed into the application, the system is configured with input validation checks to ensure that the necessary information is provided to process the transaction. | Input validation configuration for data entry into the application |
| | Historical transaction data is retained for the life of a customer. No transactional data is purged until the customer account is deleted. | Data retention and disposal policies |


Availability

| Principle / Trust Services Criteria | Requirement | Evidence Required |
| --- | --- | --- |
| A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. | System capacity is evaluated on an [on-going] [annual] basis and system changes are implemented to help ensure processing capacity can meet demand. | Evidence of ongoing system capacity evaluation |


Privacy

| Principle / Trust Services Criteria | Requirement | Evidence Required |
| --- | --- | --- |
| P1.1: The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity's privacy practices, including changes in the use of personal information, to meet the entity's objectives related to privacy. | Privacy policies are formally documented and made readily available to data subjects, internal personnel and third parties who need them. Privacy policies are documented to include the following practices: Notice; Choice and Consent; Collection; Use, Retention; Access; Disclosure; Security for Privacy; Quality; Monitoring and Enforcement. | Privacy policy |