Menu

Articles & Blogs

SOC2 Trust Services Criteria (TSC) – A Comprehensive Guide

June 12, 2023 | By Accorian
SOC2 Trust Services Criteria (TSC) A Comprehensive Guide

Written By Om Hazela & Sarthak Makkar ll  

Information security is a major concern for organizations, especially those that rely on third-party vendors such as cloud service providers and SaaS providers. The potential risk of these providers mishandling data might leave firms vulnerable to attacks and data breaches. According to cybersecurity statistics, the average cost of a data breach in the US is $9.44 million, emphasizing the need to prioritize data security and adhere to regulatory standards such as SOC2 compliance. SOC2 is a valuable business tool, enabling operational efficiency, robust reporting capabilities, and compliance with regulatory requirements. The initial step in pursuing SOC2 compliance is selecting the SOC2 Trust Services Criteria (TSC) framework. During a SOC2 audit, the auditor evaluates an organization’s internal controls against the five TSCs to ensure alignment with industry standards.

What are SOC2 Trust Services Criteria (TSC)?

SOC2 reports play a vital role in demonstrating an organization’s compliance with the Trust Services Criteria (TSC) established by the American Institute of Certified Public Accountants (AICPA). These reports provide assurance to clients and stakeholders that the organization has implemented adequate controls to safeguard the Security, Availability, Processing Integrity, Confidentiality, and Privacy of their systems and data. Hence serving as an important tool to showcase the organization’s commitment to protecting sensitive information and meeting regulatory requirements.

The SOC2 Trust Services Criteria (TSC) for information technology provide a comprehensive framework for developing, implementing, and evaluating information system controls. These controls are essential to ensure that your information system can effectively achieve its objectives.

SOC2 Trust Services Criteria (TSC)

THE FIVE TRUST SERVICES CRITERIA (TSC)

1. SECURITY

Security is the fundamental and essential TSC for SOC2, encompassing several vital components of an organization’s control environment. Since many evaluation criteria are applicable across all five Trust Services Criteria (TSCs), the security TSC is also referred to as the “common criteria.” The primary objective of the security TSC is to ensure that the organization effectively protects its systems against intrusion and other risks that could compromise the delivery of services to clients.

Below are the common criteria for Security:

  • Control Environment

This refers to the overall structure and framework of an organization’s control activities. It involves establishing a robust control environment to ensure that management sets clear expectations regarding security and implements appropriate policies and procedures.

  • Communication and Information

This ensures establishing effective communication channels within the organization to facilitate sharing of relevant information about security controls and concerns. It involves implementing mechanisms that enables employees to report security incidents or vulnerabilities.

  • Risk Assessment:

This emphasizes the importance of organizations identifying and assessing risks and vulnerabilities associated with their systems and data. It involves conducting regular risk assessments to stay updated on emerging threats and potential impacts.

  • Monitoring Activities

This highlights the importance of regularly monitoring systems and controls to identify and address any security issues promptly. It involves implementing processes to monitor the effectiveness of security controls and identify any security incidents or breaches.

  • Control Activities

This focuses on implementing a comprehensive set of control activities to mitigate identified risks and safeguard systems and data. It includes implementing logical and physical access controls, encryption mechanisms, intrusion detection systems, and incident response procedures.

  • Logical and Physical Access Control

This emphasizes the need for organizations to implement controls that restrict logical and physical access to their systems and data. It involves employing mechanisms such as authentication, authorization, and physical security measures.

  • System Operation

This focuses on the importance of implementing controls necessary for the ongoing operation of systems to ensure their security. It includes maintaining comprehensive system logs and conducting regular reviews to detect and address any anomalies or suspicious activities.

  • Change Management

This highlights the significance of implementing effective change management processes to manage and control the introduction of new systems and applications or changes to existing ones. It ensures that authorized individuals securely authorize, test, and implement changes.

  • Risk Mitigation

This emphasizes the importance of organizations implementing controls to mitigate identified risks effectively. It includes developing and implementing security measures to reduce the likelihood and impact of potential threats.

2. AVAILABILITY

The Availability TSC in SOC2 emphasizes the importance of demonstrating that a service organization’s systems are consistently readily accessible. This TSC focuses on ensuring that the organization’s systems are available and accessible to users. It includes components such as system uptime, monitoring, and maintenance to minimize downtime and ensure continuous service availability.

3. PROCESSING INTEGRITY

The Processing Integrity TSC focuses on ensuring that systems process data entirely, accurately, and precisely, aiming to demonstrate the trustworthiness of an organization’s data processing techniques. By including the Processing Integrity TSC in SOC2 reports, organizations showcase their commitment to processing data thoroughly, quickly, and reliably.

4. CONFIDENTIALITY

The Confidentiality TSC focuses on demonstrating that sensitive data is effectively protected and prevented from unauthorized access, disclosure, or use. Its purpose is to showcase the organization’s dedication to safeguarding the privacy of client and user information. Omitting this TSC may indicate that the organization does not prioritize protecting sensitive data which is a significant aspect of its services.

5. PRIVACY

The Privacy TSC is included in SOC2 reports to demonstrate that personally identifiable information (PII) is protected and managed responsibly by the organizations that collect, use, retain, release, and dispose of such information. Including the Privacy TSC in SOC2 reports signify the organization’s commitment to protecting individual privacy and ensuring compliance with relevant privacy laws and regulations. It showcases assurance to clients that the organization handles PII responsibly and respects the individual’s right to privacy and data protection.

Tailoring TSC in SOC2 Assessments

Generally including all the TSC’s in a SOC2 attestation is not mandatory for every organization. The specific TSCs applicable to an organization’s operations depend on the nature of its services and the requirements of its clients. However, there are instances where clients request all TSCs due to uncertainty or lack of understanding about their specific needs. In such a scenario, it is beneficial to clarify the purpose and relevance of each TSC with the client. One can also assess their requirements and concerns regarding their data’s Security, Availability, Process Integrity, and Privacy.

Applicability of TSC for Your Business

The Security TSC is the only mandatory criteria in the SOC2 attestation, providing customers with the assurance they need regarding protecting their information and systems. It encompasses a wide range of security checks, including data usage, creation, utilization, processing, transfer, and preservation. Systems involved in the Security TSC encompass anything that electronically processes, stores, or transmits information relevant to the services provided by the organization. Rigorous controls are tested to prevent and detect security or processing issues. The security criteria, also known as the Common Criteria, are closely aligned with the 17 internal control principles of the COSO framework.

Considerations for Selecting TSC in SOC2

In order to determine the applicable Trust Service Criteria (TSCs) for an organization, it is crucial to assess various aspects, including the business itself, service boundaries, infrastructure, procedures, data, software, and personnel involved. This evaluation plays a key role in defining the scope of the assessment and identifying the trust service criteria that are relevant to the organization’s services. Subsequently, the auditor will evaluate the organization based on these specific requirements. It is important to exclude criteria that are not applicable, as including them would not provide any benefits. Seeking guidance from an experienced firm can be highly advantageous in navigating and selecting the appropriate SOC2 compliance requirements.

It is important to evaluate whether the inclusion of a specific TSC will provide a worthwhile return on investment. Businesses should take into consideration the potential competitive advantages that certain TSCs may offer, as well as the contractual requirements imposed by their clients. By assessing the value proposition of each TSC, organizations can make informed decisions about which criteria to prioritize and include in their SOC2 attestation.

Navigating the SOC2 Trust Services Criteria (TSC) Selection Process

The following considerations can guide you in the TSC selection process:

  • The Confidentiality TSC is a crucial component of the SOC2 audit if the organization handles sensitive or confidential data, such as medical records, financial data, or personal information, or if it is subject to regulatory or contractual obligations regarding the protection of confidential information.
  • The Privacy TSC differs from the Confidentiality TSC with respect to the type of data it protects. Privacy focuses on protecting personally identifiable information (PII) such as an individual’s name, address, contact information, gender, race, etc. If your organization includes this TSC, then the controls must be in accordance with the generally accepted privacy principles (GAPP) of AICPA.
  • The Confidentiality TSC may not be necessary to include in the SOC2 audit if an organization offers a service that doesn’t include managing sensitive or private data, such as a general-purpose online marketplace.
  • Similarly, the Privacy TSC may not apply to the organization’s SOC2 audit if it does not handle sensitive or personal data or provide any services requiring privacy protection. Besides, if the organization already has a privacy program subject to another audit or certification, such as GDPR or HIPAA, the Privacy TSC need not be considered in the SOC2 assessment.
  • Security and Availability have a direct relationship within an organization. If your organization has an agreement with customers to ensure a certain level of accessibility to a product or service being evaluated. In that case, both parties will have agreed to a set level of availability, and your auditor will verify that you are honouring your commitment.
  • The Availability TSC may not be relevant to include in the audit if the organization’s service or products do not require high availability.
  • The Processing Integrity TSC can be avoided if an organization provides a product or service that does not entail the processing of sensitive or critical data or if data processing is not a critical component of the product or service.

Get SOC2 Ready with Accorian

Accorian is a leading cybersecurity firm specializing in providing comprehensive services to help companies achieve and maintain SOC2 compliance. Our team of auditors with extensive technical backgrounds and expertise in data security possess the capability to conduct thorough assessments of your organization’s system and controls.

Our audit professionals are skilled in preparing Type 1 and Type 2 reports for SOC2 audits. This includes conducting gap assessments, identifying necessary controls, and implementing them on behalf of your service business.

We can help enhance your marketplace value with effective privacy and security measures, giving you a competitive edge.

Recent Blog

Article

Adobe's Common Controls Framework of Industry-acclaimed security standards

Today’s world is an ever-changing scenario with changes to the technology sector happening more frequently than ever due to emerging technologies. The case is quite similar in the field of Cyber Security. There are a few industry-acclaimed cybersecurity standards for governing the processes and execution of these standards. These standards are usually built upon a framework of control objectives that need to be implemented by the organizations to comply with these standards. Compliance is measured in terms of control objectives meeting the compliance criteria and also other regulatory and statutory criteria. Since most of these Cybersecurity standards speak of similar control objectives or lay emphasis on similar control areas, it is advisable to have the ‘Adobe’s Common Control Framework’, which means that if we are able to comply with a single requirement from a particular framework, in theory, we should be able to use the adherence of that requirement for ALL the similar frameworks. There are several approaches to achieving this Adobe's Common Controls Framework both in theory and in practice and will be discussed in detail later on in this article. The most relevant security and privacy frameworks are ISO 27001, NIST, PCIDSS, GDPR, SOC Type 2. There is a significant overlap of controls contained in these standards as all of these standards primarily deal with one requirement which is the protection of data. Protection of information from unauthorized disclosure, compromise, and theft forms the backbone or the building blocks of an Adobe's Common Control Framework. This leverages the fact that similar controls or that the essence of the controls is the same across standards and can be used to gauge the adherence or compliance of an organization to the standard. In actual execution, while gauging the compliance of an organization, the Adobe's Common Controls Framework is not only holistic but can reduce the effort and cost otherwise required by the organization to comply with individual standards. There are two methods of developing the Adobe's Common Control Framework for an organization and there are very subtle differences between the two methods. They are Controls harmonization and Controls Mapping. Controls Harmonization: Harmonization is the creation of a brand-new control language set from several source languages of standards taking into consideration content & context. In theory, the intent and meaning of the words and sentences remain intact, but the language and actual words of the individual standards have been changed with a new harmonized meaning defined. To achieve the usage of a single language as an industry, globally, it would have significant benefits and it would be the most efficient way to operate not only as security professionals but also as humans. Adobe’s Common Control Framework is an example of this type of construct. The benefits of having a single operating language can truly be amazing in terms of effort reduction and cost reduction. Control Mapping: Today, most brilliant and forward-thinking security professionals are using the control mapping method. The main idea behind this method is to keep the original language intact as much as possible while mapping and matching the intent and meaning of each sentence and word. This is the most practical and realistic approach because this is how humans fundamentally interact with each other globally. One can see this working in real life where two different languages are being spoken by individuals and kept mainly intact, but an interpreter or linguist is translating between the two — the map is developed in the mind of the linguist. Some real-life examples of mapping for cybersecurity frameworks can be seen in HITRUST Framework, Cloud Security Alliance Framework, and even the U.S. Government formally...

View More

Article

Risk Management Framework – Managing & Measuring what matters

A risk management program allows you to manage overall information security risk.  It is an approach to identify, quantify, mitigate, and monitor risks.  The reason to look at risk in a comprehensive manner is to make sure no one area is getting too much attention or, too little. Frameworks also help you identify the bigger elements of risk that need review and mitigation. Additionally, it help you to prioritize the treatment of certain risks. The adherence to risk frameworks also helps give your customers comfort that a standard risk management is in place and hence, reduce your audit burden.  Typically, a Risk Management program comprises of the following phases: Risk identification Risk analysis Risk evaluation Risk treatment Risk Monitoring A good risk management framework will have the following characteristics: Comprehensive in types of risks it covers Practical for an organization to implement Updated with current real-world risks Based on controls that can be reviewed and audited Reliable so that your vendors and customers can accept it There are many risk management frameworks that one can choose from and it important to understand the advantages of each. Common risk management frameworks include: NIST CSF SOC 2 ISO 27001 HITRUST NIST (National Institute of Standards and Technology) framework is a comprehensive cybersecurity framework (CSF).  It is very widely accepted across different company sizes and business domains. Most cyber-security professionals are well aware of this framework as it is readily available.  Although widely available and very popular there is no certified third-party audit mechanism. Hence, it can only be self-assessed.   SOC 2 Type 2 is an internal controls report based on the scope you define.  It is widely used in the United States to show the maturity of your controls.  A CPA firm that is part of the American Institute of CPAs (AICPA) conducts the audit & issues an assessment report.  The AICPA does not audit/review the assessment for completeness or quality.  HITRUST CSF is a framework that came leverages NIST, SOC, and ISO along with others to create a more comprehensive standard.  It is widely implemented in the United States by organisations in the healthcare space.  Unlike others, although there are external assessors that are involved in the certification process, HITRUST reviews all assessments and issues the certificate. Additionally, among all the frameworks above it tends to be the most expensive to implement.  It is important to choose a framework that matches your long-term security goals & needs.  At Accorian, we work with all of the above frameworks. We help organizations choose the right framework and aid with the implementation. This is done by augmenting our team into your security team to help steer the rollout, aid with query resolution, choosing of the right controls & workaround during mitigation advisory, facilitating the selection of vendors & products and end to end program management. 

View More

Ready to Start?

Security Compliance & Assessment Services

CONSULTING & ASSESSMENT SERVICES

PENETRATION TESTINGRed TEAM ASSESSMENTS
TECHNOLOGY STAFFING

Contact Info

E. info@accorian.com

T. +1-732-443-3468

Contact With Us

Office Address

Accorian Head Office

6,Alvin Ct, East Brunswick, NJ 08816 USA

Accorian Canada

Toronto

Accorian India

Ground Floor,11, Brigade Terraces, Cambridge Rd, Halasuru, Udani Layout, Bengaluru, Karnataka 560008, India

Ready to Start?​

Drop your CVs to joinourteam@accorian.com

Interested Position

Download Case study

Download SOC2 Guide