Overview of Privacy Principle and SOC 2 Updates
In order to clarify and eliminate redundancy within the requirements of the trust services criteria for privacy, changes have been made to the SOC 2 privacy principle guidelines. While most of these changes are clarification-based, the addition of privacy to the common criteria and the addition of new confidentiality criteria can have a larger impact on the control framework of many service organizations. These changes are currently available for early adoption and will be required for review periods beginning on, or after, December 15, 2016. Below are the most significant changes to the existing trust services principles and criteria.
Privacy Added to Common Criteria
One of the major changes is the integration of the privacy principle criteria into the common criteria (as was done in the initial release of TSP section 100 with the availability, processing integrity, and confidentiality principles). Existing privacy criteria will be superseded by the common criteria, and the additional criteria for the privacy principle. Additionally, GAPP (Generally Accepted Privacy Principles) will be changed accordingly through the AICPA as a framework for the appropriate protection and management of personal information.
New Confidentiality Criteria
Two new confidentiality criterion were added, C1.7 and C1.8. Both of these changes deal with the appropriate retention and disposal of confidential information in accordance with the entity’s confidentiality commitments and system requirements.
Changes to CC3.1 and CC3.3
Common Criteria CC3.3 was removed, while CC3.1 was clarified. The clarification specifies that potential threats include those that arise from the use of vendors or third-party providers, in addition to threats that arise from customer personnel and others with access to the system.
Illustrative Risks and Controls Related to Privacy
In Appendix B of the Trust Services Principles and Criteria, “Illustrative Risks and Controls” of TSP (Trust Services Principles) section 100 has been modified to include the additional privacy criteria, as well as examples of risks that may prevent the privacy criteria from being met and how to address those risks. Additionally, revisions have been made to the illustrative risks and controls to conform to the addition of the privacy criteria.