To become SOC 2 compliant, organizations need to validate that their internal control framework is effective, reliable, and aligned with the SOC 2 trust services criteria. But what are these criteria? In this article, we discuss them in detail.
Before we dive into the criteria, let's first address an important question: 'What are SOC 2 trust service criteria?'
SOC 2 trust services criteria (previously known as SOC 2 trust services principles) are a set of standards introduced by the Assurance Service Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA). Accredited auditors generally use these standards/principles to assess the effectiveness of an organization's internal control framework.
Note: Before undergoing a SOC 2 or SOC 3 audit, you can choose which SOC 2 trust services criteria (specific standards from the TSC) you want the auditors to evaluate your control framework against.
Now that you have gained a basic understanding, let's proceed further and find out which standards are included in the SOC 2 trust services criteria.
The SOC 2 Trust Services Criteria (TSC) encompass five criteria/principles: security, availability, processing integrity, confidentiality, and privacy. Each of these criteria focuses on specific aspects of an organization's control framework and demands fulfillment of unique requirements. To provide you with better clarity, we have explained each trust services criterion in detail.
The security criteria, also known as the common criteria, is the one standard that every auditor assesses without fail when evaluating an organization's internal controls (administrative, technical, and logical). While the auditor's role is to assess, it is your responsibility to prepare your security setup well in advance to meet the security criteria. So how can service organizations ensure they align with the security trust services criteria?
As an organization, you need to focus on protecting customers' sensitive data against unauthorized access and disclosure at every stage, whether it is being collected, used, processed, transmitted, or stored.
For that, you can enforce access controls to restrict unauthorized users from accessing sensitive data, implement firewalls to create a barrier between trusted internal networks and external networks, and use antivirus software to identify and remove malware. You can also set up an intrusion detection system to monitor and respond to suspicious activity. In addition, you have to conduct risk assessments on a periodic basis to address security gaps before they become a threat.
Note: Security is the only SOC 2 trust services criterion that is mandatory for a SOC 2 audit. The rest (availability, processing integrity, confidentiality, and privacy) are optional. Thus, it is entirely up to service organizations whether they want to align their security practices with the optional criteria.
Now, to align with availability trust criteria, you need to fulfill two major requirements:
To fulfill the above requirements, you need to implement network performance monitoring to guard against Distributed Denial-of-Service (DDoS) attacks, in which attackers flood the servers or networks your applications run on with traffic so that legitimate users struggle to access data. You also have to prepare a disaster recovery plan and procedure well in advance to minimize the risk of system downtime in the event of an outage or data breach.
To align with the processing integrity criteria, you need to ensure that your systems or applications process the data provided by users accurately, without tampering with it or allowing unauthorized users to manipulate or omit it while it is being processed.
For that, you need to implement policies around system inputs and system processing and create policies and procedures to ensure the accuracy of data outputs.
However, do not confuse processing integrity with data integrity; they are different things.
Processing integrity is about how your system handles data, such as whether it can process data completely without omitting or missing any information. In contrast, data integrity is about how accurate and reliable the data itself is.
Let's say you run an e-commerce company. If your customer successfully places an order on your site, then you are meeting the processing integrity criteria. This is because your system was able to process the order data accurately: for example, it checked product availability, processed the payment information, and completed the transaction without misinterpreting any of the information.
Now, suppose the customer accidentally enters the wrong shipping address. Will your system still meet processing integrity? Yes, it will, because it processes the order data provided by the user in the usual manner. The fault lies at the customer's end: they compromised their own data integrity (i.e., filled in the wrong address), and it has nothing to do with your organization's system.
To align with confidentiality SOC 2 trust services criteria, you must focus solely on safeguarding confidential data from accidental disclosure.
Note: This confidential data can be intellectual property (IP), protected health information (PHI), financial records, trade secrets, legal documents, or other critical datasets that clients have designated in non-disclosure agreements (NDAs).
To protect confidential information, you need to clearly define who can access and modify the confidential datasets. You also need to implement access privilege and access limitation controls to restrict access permissions strictly to authorized users. Finally, you need to establish a well-defined procedure for disposing of the confidential information entrusted to your organization by customers.
To align with the privacy criteria, you need to focus on protecting customers' personally identifiable information (PII) from being compromised. This PII can be the customer's email address, social security number, phone number, address, or any other personal data.
To keep PII secure, you must follow appropriate protocols for collecting customer data (like obtaining their consent before collecting the data) and ensure that whichever systems and applications access, process, or store PII comply with the AICPA's generally accepted privacy principles.
In addition, you must implement two-factor authentication and encryption to keep the data secure from unauthorized users. You also need to have a proper data disposal process to dispose of PII when it is no longer needed or when a customer requests to delete it.
Note: Do not mix up the confidentiality and privacy criteria. They may sound very similar, but their focus and scope differ. To adhere to the confidentiality criteria, organizations need to protect all sorts of sensitive data (usually the data you agreed to keep confidential) from accidental disclosure. To adhere to the privacy criteria, organizations need to safeguard personally identifiable information (PII) from misuse.
After going through the SOC 2 trust services criteria, you may have a question: 'Which SOC 2 trust services criteria should my organization align with?' Read on to find out the answer.
Well! You can determine which SOC 2 trust services criteria apply to your organization by thoroughly evaluating two main factors: your organization type (the kind of operation your business handles) and, most importantly, your client requirements. For example:
Note: The security criteria is a mandatory standard that must be met by every organization, regardless of its type or size.
Now, if a client requests that you meet a specific TSC, you must align with it to earn their interest and trust, no matter what. Suppose you run a healthcare institution, and your client asks you to meet the availability criteria. In this case, you have to meet the privacy criteria (the standard followed in that industry) and also align with the availability criteria demanded by the client to gain their confidence.
By evaluating these two key factors, you can easily determine which SOC 2 trust services criteria you should focus your effort on.
Regardless of the SOC 2 trust services criteria you choose, you must fulfill certain basic requirements (implementing access controls, conducting reviews of internal controls and user access, managing user access, and a few more) to ultimately get SOC 2 certified.
To do so, you can either opt for a manual approach in which you have to use a spreadsheet and collect data by going through multiple tabs or opt for a more feasible option, such as an automated platform like Zluri. How is Zluri going to help? Let’s quickly find out.
Zluri offers two advanced solutions – ‘access management’ and ‘user access review.’ Each of them offers different functionalities designed to cater to the requirements of the SOC 2 trust services criteria. For example:
Let's say you want only the finance admin to have access to apps like QuickBooks and Datarails (which store critical financial statements). You can detail these actions/rules in Zluri's automated workflow, like:
Automation rule
Once configured, Zluri’s access management will automatically detect users with the finance admin role and grant them access to QuickBooks and Datarails. This way, you can ensure only authorized users gain access to sensitive data like financial statements, which will further help protect them against misuse, accidental disclosure, and breaches.
All your team needs to do is fill out a few specific details regarding which SaaS apps (that store sensitive data) and user types need to be reviewed and what actions you prefer to perform in case any anomalies are identified (like revoking the user access or modifying it).
Based on the specified details, Zluri's access review automatically runs the access review and remediates access permissions when misalignments are detected without any manual intervention. It makes sure authorized personnel have access to sensitive data stored in SaaS apps and no one else.
Finally, it generates a detailed user access review (UAR) report outlining the actions it took. The best part is that you can present these reports directly to your auditor for review. They act as evidence that you have fulfilled certain SOC 2 trust services criteria by conducting reviews and remediating anomalies that could compromise data safety.
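To make the review-and-remediate loop described above concrete, here is a small added example of what a user access review does under the hood. It is illustrative code written for this article, not Zluri's code or an integration with its platform: the app names follow the QuickBooks/Datarails example, while the roles, user names, entitlement export, and the APP_POLICY, USERS and ENTITLEMENTS structures are constructed assumptions. It compares each app entitlement against a role-based policy, treats accounts that are offboarded or unknown to the directory as anomalies, defers apps with no policy to a human instead of auto-revoking, and produces the kind of summary an auditor can be shown.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical policy: which roles may hold access to each SaaS app.
# App names follow the article's example; the roles are assumptions.
APP_POLICY = {
    "QuickBooks": {"finance_admin"},
    "Datarails": {"finance_admin"},
    "Salesforce": {"sales", "sales_admin"},
}

# Constructed identity-directory snapshot: user -> role.
# None marks an offboarded account that still exists in the directory.
USERS = {
    "alice": "finance_admin",
    "bob": "sales",
    "carol": "engineering",
    "dave": None,
}

# Constructed entitlement export pulled from the apps: (user, app) pairs.
ENTITLEMENTS = [
    ("alice", "QuickBooks"),
    ("alice", "Datarails"),
    ("bob", "Salesforce"),
    ("carol", "QuickBooks"),   # engineer holding finance data access
    ("dave", "Salesforce"),    # offboarded user never deprovisioned
    ("bob", "Datarails"),      # sales rep with financial statements
    ("erin", "QuickBooks"),    # account unknown to the directory
    ("alice", "Slack"),        # app with no policy defined yet
]


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    reason: str
    action: str  # "revoke" or "flag_for_manual_review"


def review_access(users, entitlements, policy):
    """Compare every entitlement against the role policy and return the anomalies."""
    findings = []
    for user, app in entitlements:
        allowed_roles = policy.get(app)
        if allowed_roles is None:
            # No policy for this app: do not auto-revoke, a reviewer must decide.
            findings.append(Finding(user, app, "no policy defined for app", "flag_for_manual_review"))
        elif user not in users:
            findings.append(Finding(user, app, "account unknown to identity directory", "revoke"))
        elif users[user] is None:
            findings.append(Finding(user, app, "account offboarded", "revoke"))
        elif users[user] not in allowed_roles:
            findings.append(Finding(user, app, f"role '{users[user]}' not permitted for {app}", "revoke"))
    return findings


def remediate(entitlements, findings):
    """Apply the 'revoke' actions and return the entitlements that remain."""
    revoked = {(f.user, f.app) for f in findings if f.action == "revoke"}
    return [e for e in entitlements if e not in revoked]


def build_report(entitlements, findings):
    """Summarise the review in the shape an auditor would want as evidence."""
    return {
        "entitlements_reviewed": len(entitlements),
        "findings": len(findings),
        "actions": dict(Counter(f.action for f in findings)),
        "details": [f"{f.user} on {f.app}: {f.reason} -> {f.action}" for f in findings],
    }


if __name__ == "__main__":
    found = review_access(USERS, ENTITLEMENTS, APP_POLICY)
    for line in build_report(ENTITLEMENTS, found)["details"]:
        print(line)
    print("remaining:", remediate(ENTITLEMENTS, found))
```

The design choice worth noting is the split between "revoke" and "flag_for_manual_review": access that contradicts a defined policy (wrong role, offboarded or unknown account) is safe to remove automatically, whereas an app the policy does not cover yet is a gap in the control, not proof of misuse, so it is surfaced for a human rather than silently revoked.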
To gain more clarity on how Zluri conducts reviews, check out its access review tour.
https://www.zluri.com/access-reviews/salesforce
In short, by implementing Zluri, you not only seamlessly meet the requirements set forth by SOC 2 trust services criteria but also improve your chances of becoming SOC 2 compliant.
By aligning with SOC 2 trust service criteria, you do more than just clear your way to becoming SOC 2 compliant. You create a bold statement about your commitment to maintaining a well-structured security infrastructure and processing setup that helps maintain data security, confidentiality, and privacy and ensures that data remains available for the intended use.
With such seriousness, you position your organization as a reliable, responsible, and trusted partner. This further helps open doors to new investment opportunities and even strengthens your relationships with existing partners.
Nonetheless, always remember that your dedication to safeguarding data will be your differentiation factor in the competitive market. So, make sure to invest in measures and implement practices that can actually drive results and help build lasting trust.
SOC 2 supplemental criteria are additional guidelines introduced by the AICPA that require organizations to implement logical and physical access controls, change management and risk mitigation controls, and system and operational controls.
Both the SOC 2 trust services criteria and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework were introduced by the AICPA to assess the effectiveness of an organization's internal security controls framework. However, they mandate different requirements: the TSC requires fulfilling the security, availability, processing integrity, confidentiality, and privacy criteria.
Meanwhile, the COSO framework requires fulfilling the control environment, risk assessment, control activities, information and communication, and monitoring activities requirements. Also, meeting all of the TSC criteria (except the security criteria) is not compulsory to become SOC 2 compliant, whereas meeting all the requirements of COSO is compulsory to attain SOC 2 certification.
Trust services criteria points of focus are detailed requirements that organizations must fulfill to adhere to the TSC. While there are approximately 300 points of focus, meeting all of them is not compulsory; organizations are required to meet only the ones relevant to their internal control framework.