SOC 2 - Trust Services Criteria
AICPA Trust Services Standard for Safeguarding Customer Information
Meet the requirements of the SOC 2 Trust Services Criteria while managing compliance with all of your IT security requirements, regardless of source. Manage cybersecurity risk according to the guidelines set forth in the Trust Services Criteria.
What are the AICPA Trust Services Criteria?
System and Organization Controls (SOC), as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an attestation engagement. It is intended for use by service organizations to issue independently examined reports on their internal controls over information systems to the users of those services. A SOC 2 report focuses on controls grouped into five categories called the Trust Services Criteria. These criteria are used by the practitioner (a Certified Public Accountant, CPA) in attestation or consulting engagements to evaluate and report on the controls of information systems offered as a service.
But if you don't want to get into the weeds of a ton of regulatory lingo, we'll summarize what you need to know and how our software can help you navigate the standard and meet its requirements without having to be a compliance expert.
The Trust Services Criteria Standard for Safeguarding Customer Information
The Trust Services Criteria, authored by the AICPA, set out industry standards for managing customer data based on five principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 report covering these criteria signals to your clients and partners that your organization is committed to maintaining high levels of data security and integrity.
Pick Your Trust Services Criteria
Compliance Manager GRC gives you the option of preparing for all five SOC 2 Trust Services Criteria at once, or using the built-in variants to work on just the criteria you need. Note that Security (the "common criteria") is included in every SOC 2 examination; the other four categories are in scope only if your organization elects them. Here is a summary of the five Trust Services Criteria that make up the SOC 2 standard, and what's covered by Compliance Manager GRC:
Security Criteria Standard Variant – information and systems are protected against unauthorized access, unauthorized disclosure, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems.
- Firewalls
- Intrusion detection
- Multi-factor authentication
This variant comprises 265 controls, specifically designed for the "Security" category of SOC 2. It addresses the need for robust protection against unauthorized access, data breaches, and system threats. Its technical depth lies in its comprehensive coverage of security measures, from firewall management to intrusion detection and multi-factor authentication. The benefit of this focused variant is streamlined assurance that security controls are in place, which is vital for safeguarding sensitive information.
Availability Criteria Standard Variant – information and systems are available for operation and use.
- Performance monitoring
- Disaster recovery
- Incident handling
With 19 controls, this variant focuses on system reliability and uptime, a critical factor for operational continuity. It incorporates technical aspects such as performance monitoring, incident handling, and disaster recovery planning, emphasizing the resilience of systems and services. The key benefit is reinforced assurance of operational availability, crucial for maintaining service dependability and business continuity.
Confidentiality Criteria Standard Variant – information designated as confidential is protected and available only on a legitimate need-to-know basis. Applies to various types of sensitive information, not only personal data.
- Encryption
- Access controls
- Firewalls
This variant, with 7 controls, focuses on the protection of sensitive information, making it accessible only on a legitimate need-to-know basis. Technical measures such as encryption and access controls form the core of this variant, safeguarding confidential data against unauthorized disclosure. The benefit is enhanced protection of sensitive information, crucial for maintaining trust and meeting contractual and regulatory confidentiality obligations.
Processing Integrity Criteria Standard Variant – system processing is complete, valid, accurate, timely and authorized.
- Quality assurance
- Process monitoring
- Adherence to principle
Encompassing 28 controls, this variant ensures that system processing is complete, valid, accurate, timely, and authorized, an essential aspect of data integrity. It includes quality assurance measures and process monitoring controls, providing a framework for maintaining the accuracy and reliability of system processing. The advantage of this variant is in ensuring that all processing activities are performed correctly and as authorized, reducing the risk of errors and data mismanagement.
Privacy Criteria Standard Variant – personal information is collected, used, retained, disclosed, and disposed of according to policy. Privacy applies only to personal information.
- Access control
- Multi-factor authentication
- Encryption
Featuring 84 controls, this variant addresses the management of personal information. It includes technical controls for the collection, use, retention, disclosure, and disposal of personal data in accordance with privacy policies. This variant's benefit is its comprehensive approach to privacy management, ensuring that personal data is handled responsibly and in accordance with legal and ethical standards.
Featured Product Highlights for This Standard
- Rapid Baseline Assessments – Quickly identify gaps according to the Trust Services Criteria.
- Technical Risk Assessments – Full risk assessment (based on five principles—Security, Availability, Processing Integrity, Confidentiality, and Privacy).
- Policies & Procedures Manual – Required documentation.
- Employee Awareness Training Portal – Tracking and reporting.
- Customizable standards and controls – Modify your procedures to match your specific way of complying.
- Role-based access – Helps involve others in complying with AICPA SOC 2.
- Automated Documentation & Reporting – Provides documentation for AICPA SOC 2 audits.
- Vendor Management Portal – Perform vendor assessments against the AICPA SOC 2 standard.
- Auditor’s Checklist – Essential in the event of an audit or breach.
Best of all, you can use this same platform to manage compliance with all your other IT requirements, including other government and industry rules and regulations, the security terms of your cyber insurance policy, and even your own internal IT policies.
Request a Demo today and discover the advantages of Compliance Manager GRC, the purpose-built compliance process management platform for multifunctional IT professionals.
Overcome the Biggest IT Challenges and Responsibilities
- Reduce Risk
- Reduce Complexity
- Save Money