RE: SysTrust for Service Organization Controls Seal Program Cessation
After December 31, 2014, the SOC 3 SysTrust for Service Organization seals program is no longer active nor is it supported by or associated with the AICPA and CPA Canada.
Capital Confirmation will continue to contract attestation/assurance services in the area of systems reliability and service organization controls and will continue to maintain the underlying Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy to ensure the effectiveness of these services over time.
You have arrived here from a SOC 3 certified site which has been examined by an independent accountant. The practitioner's report (see below) on management's assertion(s) that the entity's business being relied upon, is in conformity with the applicable Trust Services Principle(s) and Criteria.
Trust services principles represent attributes of a reliable system that help support the achievement of managementís objectives. For each of the principles there are detailed criteria that serve as benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter. The attributes of suitable criteria are as follows:
Objectivity. Criteria should be free from bias.
Measurability. Criteria should permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
Completeness. Criteria should be sufficiently complete so that those relevant factors that would alter a conclusion about subject matter are not omitted.
Relevance. Criteria should be relevant to the subject matter.
By demonstrating compliance with Trust Services criteria through an examination by an independent practitioner, entities respect the Trust Service Principle(s) of:
The security principle refers to the protection of the system resources through logical and physical access control measures in order to support the achievement of managementís commitments and requirements related to security, availability, processing integrity, and confidentiality. Controls over the security of a system prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or unauthorized removal of data or system resources, misuse of software, and improper access to, or use of, alteration, destruction, or disclosure of information.
The availability principle refers to the accessibility of the system, products, or services as committed by contract, service-level agreement, or other agreements. This principle does not, in itself, set a minimum acceptable performance level for system availability. The availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to the performance of specific tasks or problems), but does address whether the system includes controls to support system accessibility for operation, monitoring, and maintenance.
The processing integrity principle refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether the system achieves its aim or the purpose for which it exists, and whether it performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Processing integrity does not automatically imply that the information received and stored by the system is complete, valid, accurate, current, and authorized. The risk that data contains errors introduced prior to its input in the system often cannot be addressed by system controls and detecting such errors is not usually the responsibility of the entity. Similarly, users outside the boundary of the system may be responsible for initiating processing. If such actions are not taken, the data may become invalid, inaccurate, or otherwise inappropriate.
The confidentiality principle addresses the systemís ability to protect information designated as confidential in accordance with the organizationís commitments and requirements through its final disposition and removal from the system. Information is confidential if the custodian of the information, either by law or regulation, commitment, or other agreement, is obligated to limit its access, use, and retention, and restrict its disclosure to a specified set of persons or organizations (including those that may otherwise have authorized access within the boundaries of the system). The need for information to be confidential may arise for many different reasons. For example, the information is proprietary information, information intended only for company personnel, personal information, or merely embarrassing information. Confidentiality is distinguished from privacy in that (i) privacy deals with personal information whereas, confidentiality refers to a broader range of information that is not restricted to personal information; and (ii) privacy addresses requirement for the treatment, processing, and handling of personal information.
The Privacy Principle addresses the systemís collection, use, retention, disclosure, and disposal of personal information in conformity with the commitments in the entityís privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CPA Canada. GAPP is a management framework that includes the measurement criteria for the Trust Services Privacy Principle and consists of 10 sub-principles:
- Management. The entity defines documents, communicates, and assigns accountability for its privacy policies and procedures.
- Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
- Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
- Collection. The entity collects personal information only for the purposes identified in the notice.
- Use and retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal in-formation for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
- Access. The entity provides individuals with access to their personal information for review and update.
- Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
- Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
uality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
- Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.