
Issued by the AICPA Assurance Services

Executive Committee (ASEC)

Trust Services
Principles
and Criteria

19496-349
Copyright 2016 by American Institute of Certified Public Accountants, Inc.
New York, NY 10036-8775
All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please e-mail copyright@aicpa.org with your request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707-8110.


Trust Services Principles and Criteria

Copyright 2016 by American Institute of Certified Public Accountants, Inc. and Chartered Professional Accountants of Canada (CPA Canada).
Permission is granted to make copies of this work provided that such copies are for personal, intraorganizational, or educational use only and are not sold or disseminated and provided further that each copy bears the following credit line: "Copyright 2016 by American Institute of Certified Public Accountants, Inc. and Chartered Professional Accountants of Canada (CPA Canada). Used with permission."
This document is available on AICPA Online at www.aicpa.org.

2016, AICPA TSP


TABLE OF CONTENTS
Section   Paragraph

TSP Section 100: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy . . . . .01-.19
Introduction . . . . .01-.07
Principles, Criteria, Controls, and Risks . . . . .08-.12
Trust Services Principles . . . . .13
Trust Services Criteria . . . . .14
Trust Services Principles and Criteria . . . . .15
Effective Date . . . . .16
Appendix A: Definitions . . . . .17
Appendix B: Illustration of Risks and Controls for a Sample Entity . . . . .18
Appendix C: Mapping of the Trust Services Principles and Criteria to Extant Generally Accepted Privacy Principles . . . . .19

TSP Section 100A: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy . . . . .01-.20
Introduction . . . . .01-.07
Principles, Criteria, Controls, and Risks . . . . .08-.12
Trust Services Principles . . . . .13
Trust Services Criteria . . . . .14
Trust Services Principles and Criteria . . . . .15-.16
Privacy Principles and Criteria . . . . .16
Effective Date . . . . .17
Appendix A: Definitions . . . . .18
Appendix B: Illustrative Risks and Controls . . . . .19
Appendix C: Generally Accepted Privacy Principles . . . . .20

TSP Section 200: Trust Services Principles and Criteria for Certification Authorities Version 2.0 . . . . .01-.65
Introduction . . . . .01-.08
Introduction to Trust Service Principles and Criteria for Certification Authorities Version 2.0 . . . . .01-.05
Importance of PKI . . . . .06-.08
Overview . . . . .09-.41
What Is a Public Key Infrastructure? . . . . .09-.14
What Is a Digital Signature? . . . . .15-.19
What Are the Differences Between Encryption Key Pairs and Signing Key Pairs? . . . . .20-.22
What Is a Certification Authority? . . . . .23-.24
What Is a Registration Authority? . . . . .25-.28
What Is the Impact of an External RA? . . . . .29-.30



What Is an Extended Validation Certificate? . . . . .31-.32
What Is a Certification Practice Statement and a Certificate Policy? . . . . .33
What Are the Hierarchical and Cross-Certified CA Models? . . . . .34-.38
What Is the Impact of Subordinate CAs? . . . . .39
What Are Some of the Business Issues Associated With CAs? . . . . .40-.41
Principles and Criteria for Certification Authorities . . . . .42-.54
CA Principles . . . . .43-.52
CA Business Practices Disclosure . . . . .43-.45
Service Integrity . . . . .46-.49
CA Environmental Controls . . . . .50-.52
Intended Use of the Trust Services Principles and Criteria . . . . .53-.54
Trust Service Principles and Criteria for Certification Authorities . . . . .55-.61
1. CA Business Practices Disclosure . . . . .55
2. CA Business Practices Management . . . . .56
3. CA Environmental Controls . . . . .57
4. CA Key Life Cycle Management Controls . . . . .58
5. Subscriber Key Life Cycle Management Controls . . . . .59
6. Certificate Life Cycle Management Controls . . . . .60
7. Subordinate CA Certificate Life Cycle Management Controls . . . . .61
Appendix A: RFC 3647, RFC 2527, and WebTrust Program for Certification Authorities v1 Business Practices . . . . .62
Appendix B: Illustrative Examples of Practitioner Reports . . . . .63
Appendix C: Illustrative Examples of Management's Assertion . . . . .64
Appendix D: Illustrative Example of Management's Representation . . . . .65



TSP Section 100
Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
(To amend TSP section 100 and supersede appendix C, "Generally Accepted Privacy Principles," of TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The criteria in TSP section 100 are effective for periods ending on or after December 15, 2016, with earlier implementation permitted. TSP section 100A will retain the superseded material until March 31, 2018. The practitioner should identify which set of criteria was used for the report and assertion.)
Introduction
.01 The AICPA Assurance Services Executive Committee (ASEC) has developed a set of principles and criteria (trust services principles and criteria) to be used in evaluating controls relevant to the security, availability, or processing integrity of a system, or the confidentiality or privacy of the information processed by the system. In this document, a system is designed, implemented, and operated to achieve specific business objectives (for example, delivery of services or production of goods) in accordance with management-specified requirements. System components can be classified into the following five categories:
• Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
• Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities).
• People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
• Processes. The automated and manual procedures.
• Data. Transaction streams, files, databases, tables, and output used or processed by a system.
.02 This document presents the trust services principles and criteria for assessing the effectiveness of an entity's controls over a system relevant to the security, availability, processing integrity, confidentiality, or privacy. Management of an entity may use the trust services principles and criteria to evaluate its controls over a system or may engage a CPA to report on or provide consulting services related to those controls.
.03 Attestation services, performed under the AICPA Statements on Standards for Attestation Engagements[1] (commonly known as the attestation standards), include examination, review,[2] and agreed-upon procedures engagements. In the attestation standards, the CPA performing an attest engagement is known as a practitioner. In an examination engagement, the practitioner provides a report that expresses an opinion on subject matter or an assertion about the subject matter in relation to an identified set of criteria. For example, a practitioner may report on whether controls over a system were operating effectively to meet the trust services criteria for processing integrity and confidentiality. In an agreed-upon procedures engagement, the practitioner does not express an opinion but rather performs procedures agreed upon by the specified parties and reports the results of those procedures. Examination engagements are performed in accordance with AT section 101, Attest Engagements, of the attestation standards and agreed-upon procedures engagements are performed in accordance with AT section 201, Agreed-Upon Procedures Engagements (AICPA, Professional Standards).

[1] At the time of publication, the AICPA's Auditing Standards Board (ASB) has completed clarifying Statements on Standards for Attestation Engagements (SSAEs or attestation standards) and will be issuing its clarified attestation standards as SSAE No. 18, Attestation Standards: Clarification and Recodification. The ASB expects SSAE No. 18 to be available in April 2016 and to be effective for practitioners' reports dated on or after May 1, 2017.
.04 The following are the types of subject matter a practitioner may examine and report on using the trust services principles and criteria:
• The fairness of the presentation of a description of a service organization's system relevant to one or more of the trust services principles of security, availability, processing integrity, confidentiality, and privacy using the description criteria in paragraph 1.26 (and paragraph 1.27 for descriptions addressing controls over privacy) of the AICPA Guide Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2), as of July 1, 2015; the suitability of the design of controls included in the description to meet the related trust services criteria; and the operating effectiveness of those controls throughout a specified period to meet those trust services criteria (a type 2 SOC 2 engagement). A type 2 SOC 2 engagement, which includes an opinion on the operating effectiveness of controls, also includes a detailed description of tests of controls performed by the service auditor and results of those tests. A type 1 SOC 2 engagement addresses the same subject matter as a type 2 SOC 2 engagement; however, a type 1 report does not contain an opinion on the operating effectiveness of controls nor a detailed description of tests of controls performed by the service auditor and results of those tests.
• The design and operating effectiveness of a service organization's controls over a system relevant to one or more of the trust services principles of security, availability, processing integrity, confidentiality, and privacy (SOC 3 engagement). A SOC 3 report contains an opinion on the operating effectiveness of controls but does not include a detailed description of tests of controls performed by the service auditor and results of those tests.
• The design and operating effectiveness of the controls of an entity, other than a service organization, over a system relevant to one or more of the trust services principles of security, availability, processing integrity, confidentiality, and privacy.
• The suitability of the design of an entity's controls over a system relevant to one or more of the trust services principles of security, availability, processing integrity, confidentiality, and privacy to meet the related trust services criteria. (Interpretation No. 7, "Reporting on the Design of Internal Control," of AT section 101, Attest Engagements [AICPA, Professional Standards, AT sec. 9101 par. .59-.69], explains the context for this type of engagement, which typically is performed prior to the system's implementation.)

[2] Review engagements generally consist of the performance of inquiries and analytical procedures designed to provide a moderate level of assurance (that is, negative assurance). However, the Assurance Services Executive Committee believes that a practitioner ordinarily could not perform meaningful analytical procedures on an entity's controls or compliance with requirements of specified laws, regulations, rules, contracts, or grants to achieve this level of assurance, and it is uncertain what other procedures could be identified that, when combined with inquiry procedures, could form the basis for a review engagement. Also due to this uncertainty, users of a review report are at greater risk of misunderstanding the nature and extent of the practitioner's procedures. Accordingly, the feasibility of a review engagement related to trust services is uncertain.
.05 Details about the services an entity agrees to provide to its customers (for example, what, how and when they will be provided) generally are included in written contracts, service level agreements, or public statements (for example, a privacy notice). The trust services principles and criteria refer to such agreements as commitments. Some commitments are applicable to all customers (baseline commitments), while others are designed to meet individual customer needs and result in the implementation of processes or controls in addition to those required to meet the baseline commitments. System specifications regarding how the system should function to meet the entity's commitments to customers, and relevant laws, regulations, or guidelines of industry groups, such as trade or business associations, are referred to as system requirements in the trust services principles and criteria. Many of the trust services criteria refer to commitments and system requirements, for example:

    CC1.4. The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

Management is responsible for meeting its commitments and for maintaining and operating the system in a manner that enables it to meet the system requirements.
.06 Trust services engagements do not entail reporting on an entity's compliance, or internal control over compliance, with laws, regulations, rules, contracts, or grant agreements, related to the principles being reported upon. If the practitioner is engaged to report on compliance with laws, regulations, rules, contracts, or grant agreements in conjunction with an engagement to report on the operating effectiveness of an entity's controls (for example, a privacy engagement in accordance with AT section 101), the compliance portion of the engagement would be performed in accordance with AT section 601, Compliance Attestation (AICPA, Professional Standards).
.07 Consulting services include developing findings and recommendations for the consideration and use of management of an entity when making decisions. In a consulting engagement, the practitioner does not express an opinion or form a conclusion about the subject matter. Generally, the work is performed only for the use and benefit of the client. Practitioners providing such services follow CS section 100, Consulting Services: Definitions and Standards (AICPA, Professional Standards).




Principles, Criteria, Controls, and Risks


.08 Trust services principles represent attributes of a system that support the achievement of management's objectives.
.09 For each of the principles there are detailed criteria that serve as benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter. The attributes of suitable criteria are as follows:
• Objectivity. Criteria should be free from bias.
• Measurability. Criteria should permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
• Completeness. Criteria should be sufficiently complete so that those relevant factors that would alter a conclusion about subject matter are not omitted.
• Relevance. Criteria should be relevant to the subject matter.
.10 ASEC has concluded that the trust services criteria for each individual principle, including the common criteria, have all of the attributes of suitable criteria. In addition to being suitable, AT section 101 indicates that the criteria must be available to users of the practitioner's report. The publication of the principles and criteria makes the criteria available to users.
.11 The trust services principles and criteria are designed to be flexible and to meet the business and assurance needs of users and management. Accordingly, a practitioner may be engaged to perform an engagement related to a single principle, multiple principles, or all of the principles.
.12 The environment in which the system operates, commitments made to customers and other third parties, responsibilities entailed in operating and maintaining a system, and the nature of the components of the system result in risks that the criteria will not be met. These risks are addressed through the implementation of suitably designed controls that, if operating effectively, provide reasonable assurance that the criteria are met. Because each system and the environment in which it operates are unique, the combination of risks to meeting the criteria and the controls necessary to address the risks will be unique. As part of the design and operation of the system, management of an entity needs to identify the specific risks that the criteria will not be met and the controls necessary to address those risks. Appendix B, "Illustration of Risks and Controls for a Sample Entity," provides examples of risks that may prevent the criteria from being met, as well as examples of controls that would address those risks. These illustrations are not intended to be applicable to any particular entity or to be all-inclusive of the risks to meeting the criteria or the controls necessary to address those risks.

Trust Services Principles


.13 The following are the trust services principles:
a. Security. The system is protected against unauthorized access, use, or modification to meet the entity's commitments and system requirements.
The security principle refers to the protection of the system resources through logical and physical access control measures in order to enable the entity to meet its commitments and system requirements related to security, availability, processing integrity, confidentiality, and privacy. Controls over the security of a system prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of data or system resources, misuse of software, and improper access to, or use of, alteration, destruction, or disclosure of information.
b. Availability. The system is available for operation and use to meet the entity's commitments and system requirements.
The availability principle refers to the accessibility of the system, products, or services as committed by contract, service-level agreement, or other agreements. This principle does not, in itself, set a minimum acceptable performance level for system availability. The availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to the performance of specific tasks or problems), but does address whether the system includes controls to support system accessibility for operation, monitoring, and maintenance.
c. Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity's commitments and system requirements.
The processing integrity principle refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether the system achieves its aim or the purpose for which it exists and whether it performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Processing integrity does not automatically imply that the information received and stored by the system is complete, valid, accurate, current, and authorized. The risk that data contains errors introduced prior to its input in the system often cannot be addressed by system controls, and detecting such errors is not usually the responsibility of the entity. Similarly, users outside the boundary of the system may be responsible for initiating processing. In these instances, the data may become invalid, inaccurate, or otherwise inappropriate even though the system is processing with integrity.
d. Confidentiality. Information designated as confidential is protected to meet the entity's commitments and system requirements.
The confidentiality principle addresses the system's ability to protect information designated as confidential, including its final disposition and removal from the system in accordance with management's commitments and system requirements. Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention, and restrict its disclosure to defined parties (including those who may otherwise have authorized access within the boundaries of the system). Such requirements may be contained in laws or regulations, or commitments in user contracts. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel. Confidentiality is distinguished from privacy in that privacy applies only to personal information, while the confidentiality principle applies to various types of sensitive information. In addition, the privacy principle addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.
e. Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity's commitments and system requirements.
Although the confidentiality principle applies to various types of sensitive information, the privacy principle applies only to personal information. If the entity is directly responsible for providing services to data subjects covering all of the categories noted as follows, then the privacy principle may be appropriate. If the entity is not directly responsible for significant aspects of the following categories but retains responsibility for protecting personal information, the confidentiality principle may be more applicable.
The privacy criteria are organized into eight categories:
a. Notice and communication of commitments and system requirements. The entity provides notice to data subjects about its privacy practices to meet its privacy commitments and system requirements.
b. Choice and consent. The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects.
c. Collection. The entity collects personal information to meet its privacy commitments and system requirements.
d. Use, retention, and disposal. The entity limits the use, retention, and disposal of personal information to meet its privacy commitments and system requirements.
e. Access. The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its privacy commitments and system requirements.
f. Disclosure and notifications. The entity discloses personal information, with the consent of the data subjects, to meet its privacy commitments and system requirements. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its privacy commitments and system requirements.
g. Quality. The entity collects and maintains accurate, up to date, complete, and relevant personal information to meet its privacy commitments and system requirements.
h. Monitoring and enforcement. The entity monitors compliance to meet its privacy commitments and system requirements including procedures to address privacy-related inquiries, complaints, and disputes.



Trust Services Criteria
.14 Many of the criteria used to evaluate a system are shared amongst all of the principles; for example, the criteria related to risk management apply to the security, availability, processing integrity, confidentiality, and privacy principles. As a result, the trust services criteria consist of (1) criteria common to all five principles (common criteria) and (2) additional principle specific criteria for the availability, processing integrity, confidentiality, and privacy principles. For the security principle, the common criteria constitute the complete set of criteria. For the principles of availability, processing integrity, confidentiality, and privacy, a complete set of criteria consists of the common criteria and the criteria applicable to the principle(s) addressed by the engagement. The criteria for a principle addressed by the engagement are considered to be complete only if all of the criteria associated with that principle are addressed by the engagement. The common criteria are organized into seven categories:
a. Organization and management. The criteria relevant to how the entity is structured and the processes the entity has implemented to manage and support people within its operating units to meet the criteria for the principle(s) addressed by the engagement. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.
b. Communications. The criteria relevant to how the entity communicates its policies, processes, procedures, commitments, and system requirements to authorized users and other parties of the system and the obligations of those parties and users to the effective operation of the system to meet the criteria for the principle(s) addressed by the engagement.
c. Risk management and design and implementation of controls. The criteria relevant to how the entity (i) identifies potential risks that would affect the entity's ability to achieve its objectives, (ii) analyzes those risks, (iii) develops responses to those risks including the design and implementation of controls and other risk mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process to meet the criteria for the principle(s) addressed by the engagement.
d. Monitoring of controls. The criteria relevant to how the entity monitors the system, including the suitability of the design and operating effectiveness of the controls, and takes action to address deficiencies identified to meet the criteria for the principle(s) addressed by the engagement.
e. Logical and physical access controls. The criteria relevant to how the entity restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed by the engagement.
f. System operations. The criteria relevant to how the entity manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the criteria for the principle(s) addressed by the engagement.

g. Change management. The criteria relevant to how the entity identifies the need for changes to the system, makes the changes using a controlled change management process, and prevents unauthorized changes from being made to meet the criteria for the principle(s) addressed by the engagement.
Trust Services Principles and Criteria
.15 For each of the following trust services criteria, the wording presented in brackets needs to be tailored for the specific principle(s) addressed by the engagement. The trust services principles of security, availability, processing integrity, confidentiality, or privacy may be reported on individually or in combination with any or all of the other trust services principles. For each principle addressed by the engagement, all of the criteria for that principle should be addressed. Further, the common criteria should be applied regardless of the trust services principles being addressed by the engagement.

Criteria Common to All [Security, Availability, Processing Integrity, Confidentiality, and Privacy] Principles
CC1.0 Common Criteria Related to Organization and Management
CC1.1 The entity has defined organizational structures, reporting lines,
authorities, and responsibilities for the design, development,
implementation, operation, maintenance, and monitoring of the
system enabling it to meet its commitments and system
requirements as they relate to [insert the principle(s) addressed by
the engagement: security, availability, processing integrity,
confidentiality, or privacy, or any combination thereof].
CC1.2 Responsibility and accountability for designing, developing,
implementing, operating, maintaining, monitoring, and approving
the entity's system controls and other risk mitigation strategies are
assigned to individuals within the entity with authority to ensure
policies and other system requirements are effectively promulgated
and implemented to meet the entity's commitments and system
requirements as they relate to [insert the principle(s) addressed by
the engagement: security, availability, processing integrity,
confidentiality, or privacy or any combination thereof].
CC1.3 The entity has established procedures to evaluate the competency
of personnel responsible for designing, developing, implementing,
operating, maintaining, and monitoring the system affecting [insert
the principle(s) addressed by the engagement: security, availability,
processing integrity, confidentiality, or privacy, or any combination
thereof] and provides resources necessary for personnel to fulfill
their responsibilities.
CC1.4 The entity has established workforce conduct standards,
implemented workforce candidate background screening
procedures, and conducts enforcement procedures to enable it to
meet its commitments and system requirements as they relate to
[insert the principle(s) addressed by the engagement: security,
availability, processing integrity, confidentiality, or privacy, or any
combination thereof].

CC2.0 Common Criteria Related to Communications
CC2.1 Information regarding the design and operation of the system and
its boundaries has been prepared and communicated to authorized
internal and external users of the system to permit users to
understand their role in the system and the results of system
operation.
CC2.2 The entity's [insert the principle(s) addressed by the engagement:
security, availability, processing integrity, confidentiality, or
privacy, or any combination thereof] commitments are
communicated to external users, as appropriate, and those
commitments and the associated system requirements are
communicated to internal users to enable them to carry out their
responsibilities.
CC2.3 The responsibilities of internal and external users and others
whose roles affect system operation are communicated to those
parties.
CC2.4 Information necessary for designing, developing, implementing,
operating, maintaining, and monitoring controls, relevant to the
[insert the principle(s) addressed by the engagement: security,
availability, processing integrity, confidentiality, or privacy, or any
combination thereof] of the system, is provided to personnel to
carry out their responsibilities.
CC2.5 Internal and external users have been provided with information
on how to report [insert the principle(s) addressed by the
engagement: security, availability, processing integrity,
confidentiality, or privacy, or any combination thereof] failures,
incidents, concerns, and other complaints to appropriate personnel.
CC2.6 System changes that affect internal and external users'
responsibilities or the entity's commitments and system
requirements relevant to [insert the principle(s) addressed by the
engagement: security, availability, processing integrity,
confidentiality, or privacy, or any combination thereof] are
communicated to those users in a timely manner.
CC3.0 Common Criteria Related to Risk Management and Design
and Implementation of Controls
CC3.1 The entity (1) identifies potential threats that could impair system
[insert the principle(s) addressed by the engagement: security,
availability, processing integrity, confidentiality, or privacy, or any
combination thereof] commitments and system requirements
(including threats arising from the use of vendors and other third
parties providing goods and services, as well as threats arising
from customer personnel and others with access to the system), (2)
analyzes the significance of risks associated with the identified
threats, (3) determines mitigation strategies for those risks
(including implementation of controls, assessment and monitoring
of vendors and other third parties providing goods or services, as
well as their activities, and other mitigation strategies), (4)
identifies and assesses changes (for example, environmental,
regulatory, and technological changes and results of the
assessment and monitoring of controls) that could significantly
affect the system of internal control, and (5) reassesses, and
revises, as necessary, risk assessments and mitigation strategies
based on the identified changes.
CC3.2 The entity designs, develops, implements, and operates controls,
including policies and procedures, to implement its risk mitigation
strategy; reassesses the suitability of the design and
implementation of control activities based on the operation and
monitoring of those activities; and updates the controls, as
necessary.
CC4.0 Common Criteria Related to Monitoring of Controls
CC4.1 The design and operating effectiveness of controls are periodically
evaluated against the entity's commitments and system
requirements as they relate to [insert the principle(s) addressed by
the engagement: security, availability, processing integrity,
confidentiality, or privacy, or any combination thereof], and
corrections and other necessary actions relating to identified
deficiencies are taken in a timely manner.
CC5.0 Common Criteria Related to Logical and Physical Access
Controls
CC5.1 Logical access security software, infrastructure, and architectures
have been implemented to support (1) identification and
authentication of authorized internal and external users; (2)
restriction of authorized internal and external user access to
system components, or portions thereof, authorized by
management, including hardware, data, software, mobile devices,
output, and offline elements; and (3) prevention and detection of
unauthorized access to meet the entity's commitments and system
requirements as they relate to [insert the principle(s) addressed by
the engagement: security, availability, processing integrity,
confidentiality, or privacy, or any combination thereof].
CC5.2 New internal and external users, whose access is administered by
the entity, are registered and authorized prior to being issued
system credentials and granted the ability to access the system to
meet the entity's commitments and system requirements as they
relate to [insert the principle(s) addressed by the engagement:
security, availability, processing integrity, confidentiality, or
privacy, or any combination thereof]. For those users whose access
is administered by the entity, user system credentials are removed
when user access is no longer authorized.

CC5.3 Internal and external users are identified and authenticated when
accessing the system components (for example, infrastructure,
software, and data) to meet the entity's commitments and system
requirements as they relate to [insert the principle(s) addressed by
the engagement: security, availability, processing integrity,
confidentiality, or privacy, or any combination thereof].
CC5.4 Access to data, software, functions, and other IT resources is
authorized and is modified or removed based on roles,
responsibilities, or the system design and changes to meet the
entity's commitments and system requirements as they relate to
[insert the principle(s) addressed by the engagement: security,
availability, processing integrity, confidentiality, or privacy, or any
combination thereof].
CC5.5 Physical access to facilities housing the system (for example, data
centers, backup media storage, and other sensitive locations, as
well as sensitive system components within those locations) is
restricted to authorized personnel to meet the entity's
commitments and system requirements as they relate to [insert the
principle(s) addressed by the engagement: security, availability,
processing integrity, confidentiality, or privacy, or any combination
thereof].
CC5.6 Logical access security measures have been implemented to protect
against [insert the principle(s) addressed by the engagement:
security, availability, processing integrity, confidentiality, or
privacy, or any combination thereof] threats from sources outside
the boundaries of the system to meet the entity's commitments and
system requirements.
CC5.7 The transmission, movement, and removal of information is
restricted to authorized internal and external users and processes
and is protected during transmission, movement, or removal,
enabling the entity to meet its commitments and system
requirements as they relate to [insert the principle(s) addressed by
the engagement: security, availability, processing integrity,
confidentiality, or privacy, or any combination thereof].
CC5.8 Controls have been implemented to prevent or detect and act upon
the introduction of unauthorized or malicious software to meet the
entity's commitments and system requirements as they relate to
[insert the principle(s) addressed by the engagement: security,
availability, processing integrity, confidentiality, or privacy, or any
combination thereof].

CC6.0 Common Criteria Related to System Operations
CC6.1 Vulnerabilities of system components to [insert the
principle(s) addressed by the engagement: security, availability,
processing integrity, confidentiality, or privacy, or any combination
thereof] breaches and incidents due to malicious acts, natural
disasters, or errors are identified, monitored, and evaluated, and
countermeasures are designed, implemented, and operated to
compensate for known and newly identified vulnerabilities to meet
the entity's commitments and system requirements as they relate
to [insert the principle(s) addressed by the engagement: security,
availability, processing integrity, confidentiality, or privacy, or any
combination thereof].
CC6.2 [Insert the principle(s) addressed by the engagement: security,
availability, processing integrity, confidentiality, or privacy, or any
combination thereof] incidents, including logical and physical
security breaches, failures, and identified vulnerabilities, are
identified and reported to appropriate personnel and acted on in
accordance with established incident response procedures to meet
the entity's commitments and system requirements.
CC7.0 Common Criteria Related to Change Management
CC7.1 The entity's commitments and system requirements, as they relate
to [insert the principle(s) addressed by the engagement: security,
availability, processing integrity, confidentiality, or privacy, or any
combination thereof], are addressed during the system
development lifecycle, including the authorization, design,
acquisition, implementation, configuration, testing, modification,
approval, and maintenance of system components.
CC7.2 Infrastructure, data, software, and policies and procedures are
updated as necessary to remain consistent with the entity's
commitments and system requirements as they relate to [insert the
principle(s) addressed by the engagement: security, availability,
processing integrity, confidentiality, or privacy, or any combination
thereof].
CC7.3 Change management processes are initiated when deficiencies in
the design or operating effectiveness of controls are identified
during system operation and are monitored to meet the entity's
commitments and system requirements as they relate to [insert the
principle(s) addressed by the engagement: security, availability,
processing integrity, confidentiality, or privacy, or any combination
thereof].
CC7.4 Changes to system components are authorized, designed,
developed, configured, documented, tested, approved, and
implemented to meet the entity's [insert the principle(s) addressed
by the engagement: security, availability, processing integrity,
confidentiality, or privacy, or any combination thereof]
commitments and system requirements.

Additional Criteria for Availability
A1.1 Current processing capacity and usage are maintained, monitored,
and evaluated to manage capacity demand and to enable the
implementation of additional capacity to help meet the entity's
availability commitments and system requirements.
A1.2 Environmental protections, software, data backup processes, and
recovery infrastructure are authorized, designed, developed,
implemented, operated, approved, maintained, and monitored to
meet the entity's availability commitments and system
requirements.
A1.3 Recovery plan procedures supporting system recovery are tested to
help meet the entity's availability commitments and system
requirements.
Additional Criteria for Processing Integrity
PI1.1 Procedures exist to prevent, or detect and correct, processing errors
to meet the entity's processing integrity commitments and system
requirements.
PI1.2 System inputs are measured and recorded completely, accurately,
and timely to meet the entity's processing integrity commitments
and system requirements.
PI1.3 Data is processed completely, accurately, and timely as authorized
to meet the entity's processing integrity commitments and system
requirements.
PI1.4 Data is stored and maintained completely, accurately, and in a
timely manner for its specified life span to meet the entity's
processing integrity commitments and system requirements.
PI1.5 System output is complete, accurate, distributed, and retained to
meet the entity's processing integrity commitments and system
requirements.
PI1.6 Modification of data, other than routine transaction processing, is
authorized and processed to meet the entity's processing integrity
commitments and system requirements.
Additional Criteria for Confidentiality
C1.1 Confidential information is protected during the system design,
development, testing, implementation, and change processes to
meet the entity's confidentiality commitments and system
requirements.
C1.2 Confidential information within the boundaries of the system is
protected against unauthorized access, use, and disclosure during
input, processing, retention, output, and disposition to meet the
entity's confidentiality commitments and system requirements.

C1.3 Access to confidential information from outside the boundaries of
the system and disclosure of confidential information is restricted
to authorized parties to meet the entity's confidentiality
commitments and system requirements.
C1.4 The entity obtains confidentiality commitments that are consistent
with the entity's confidentiality system requirements from vendors
and other third parties whose products and services are part of the
system and have access to confidential information.
C1.5 Compliance with the entity's confidentiality commitments and
system requirements by vendors and other third parties whose
products and services are part of the system is assessed on a
periodic and as-needed basis, and corrective action is taken, if
necessary.
C1.6 Changes to the entity's confidentiality commitments and system
requirements are communicated to internal and external users,
vendors, and other third parties whose products and services are
part of the system.
C1.7 The entity retains confidential information to meet the entity's
confidentiality commitments and system requirements.
C1.8 The entity disposes of confidential information to meet the entity's
confidentiality commitments and system requirements.
Additional Criteria for Privacy
P1.0 Privacy Criteria Related to Notice and Communication of
Commitments and System Requirements
P1.1 The entity provides notice to data subjects about its privacy
practices to meet the entity's privacy commitments and system
requirements. The notice is updated and communicated to data
subjects in a timely manner for changes to the entity's privacy
practices, including changes in the use of personal information, to
meet the entity's privacy commitments and system requirements.
P1.2 The entity's privacy commitments are communicated to external
users, as appropriate, and those commitments and the associated
system requirements are communicated to internal users to enable
them to carry out their responsibilities.
P2.0 Privacy Criteria Related to Choice and Consent
P2.1 The entity communicates choices available regarding the collection,
use, retention, disclosure, and disposal of personal information to
the data subjects and the consequences, if any, of each choice.
Explicit consent for the collection, use, retention, disclosure, and
disposal of personal information is obtained from the data subject
or other authorized person, if required, and such consent is
obtained only for the purpose for which the information is intended
consistent with the entity's privacy commitments and system
requirements. The entity's basis for determining implicit consent
for the collection, use, retention, disclosure, and disposal of
personal information is documented.
P3.0 Privacy Criteria Related to Collection
P3.1 Personal information is collected consistent with the entity's
privacy commitments and system requirements.
P3.2 For information requiring explicit consent, the entity
communicates the need for such consent, as well as the
consequences of a failure to provide consent for the request for
personal information, and obtains the consent prior to the
collection of the information consistent with the entity's privacy
commitments and system requirements.
P4.0 Privacy Criteria Related to Use, Retention, and Disposal
P4.1 The entity limits the use of personal information to the purposes
identified in the entity's privacy commitments and system
requirements.
P4.2 The entity retains personal information consistent with the entity's
privacy commitments and system requirements.
P4.3 The entity securely disposes of personal information consistent
with the entity's privacy commitments and system requirements.
P5.0 Privacy Criteria Related to Access
P5.1 The entity grants identified and authenticated data subjects the
ability to access their stored personal information for review and,
upon request, provides physical or electronic copies of that
information to the data subject consistent with the entity's privacy
commitments and system requirements. If access is denied, the
data subject is informed of the denial and reason for such denial, as
required, consistent with the entity's privacy commitments and
system requirements.
P5.2 The entity corrects, amends, or appends personal information based
on information provided by the data subjects and communicates
such information to third parties, as committed or required,
consistent with the entity's privacy commitments and system
requirements. If a request for correction is denied, the data subject
is informed of the denial and reason for such denial consistent with
the entity's privacy commitments and system requirements.

P6.0 Privacy Criteria Related to Disclosure and Notification
P6.1 The entity discloses personal information to third parties with the
explicit consent of the data subject to meet the entity's privacy
commitments and system requirements, and such consent is
obtained prior to disclosure.
P6.2 The entity creates and retains a complete, accurate, and timely
record of authorized disclosures of personal information consistent
with the entity's privacy commitments and system requirements.
P6.3 The entity creates and retains a complete, accurate, and timely
record of detected or reported unauthorized disclosures of personal
information, including breaches, consistent with the entity's
privacy commitments and system requirements.
P6.4 The entity obtains privacy commitments from vendors and other
third parties whose products and services are part of the system
and who have access to personal information processed by the
system that are consistent with the entity's privacy commitments
and system requirements.
P6.5 Compliance with the entity's privacy commitments and system
requirements by vendors and other third parties whose products
and services are part of the system and who have access to personal
information processed by the system is assessed on a periodic and
as-needed basis and corrective action is taken, if necessary.
P6.6 The entity obtains commitments from vendors and other third
parties that may have access to personal information processed by
the system, to notify the entity in the event of actual or suspected
unauthorized disclosures of personal information. Such
notifications are reported to appropriate personnel and acted on to
meet the entity's established incident response procedures, privacy
commitments, and system requirements.
P6.7 The entity provides notification of breaches and incidents to
affected data subjects, regulators, and others consistent with the
entity's privacy commitments and system requirements.
P6.8 The entity provides to the data subjects an accounting of the
personal information held and disclosure of a data subject's
personal information, upon the data subject's request, consistent
with the entity's privacy commitments and system requirements.
P7.0 Privacy Criteria Related to Quality
P7.1 The entity collects and maintains accurate, up-to-date, complete,
and relevant personal information consistent with the entity's
privacy commitments and system requirements.

P8.0 Privacy Criteria Related to Monitoring and Enforcement
P8.1 The entity implements a process for receiving, addressing,
resolving, and communicating the resolution of inquiries,
complaints, and disputes from data subjects and others and
periodically monitors compliance with the entity's privacy
commitments and system requirements; corrections and other
necessary actions related to identified deficiencies are taken in a
timely manner.

Effective Date
.16 The trust services principles and criteria are effective for periods
ending on or after December 15, 2016. Early implementation is permitted.

.17 Appendix A: Definitions
access to personal information. The ability to view personal infor-
mation held by an organization. This ability may be complemented
by an ability to update or correct the information. Access defines
the intersection of identity and data; that is, who can do what to
which data. Access is one of the fair information practice principles.
Individuals must be able to find out what personal information an
entity has on file about them and how the information is being
used. Individuals must be able to correct erroneous information in
such records.
authorized access. Access to system components that (a) has been
approved by a person designated to do so by management and (b)
does not compromise segregation of duties, confidentiality commit-
ments, or otherwise increase risk to the system beyond the levels
approved by management (that is, access is appropriate).
boundary of the system. The specific aspects of an entity's infras-
tructure, software, people, procedures, and data necessary to per-
form a function or provide a service. When the systems for mul-
tiple functions or services share aspects, infrastructure, software,
people, procedures, and data, the systems will overlap, but the
boundaries of each service's system will differ. In an engagement
that addresses the confidentiality and privacy principles, the sys-
tem boundaries cover, at a minimum, all the system components as
they relate to the life cycle of the confidential and personal informa-
tion within well-defined processes and informal ad hoc procedures.
collection. The process of obtaining personal information from either
the individual directly, such as a Web form or a registration form,
or from another party, such as a business partner.
commitments. Declarations made by management to customers re-
garding the performance of a system. Commitments can be com-
municated in written individualized agreements, standardized con-
tracts, service level agreements, or published statements (for ex-
ample, a security practices statement). A commitment may relate
to one or more principles. The practitioner need only consider com-
mitments related to the principles addressed by the engagement.
Commitments may be made on many different aspects of the ser-
vice being provided, including the following:
• Specification of the algorithm used in a calculation
• The hours a system will be available
• Published password standards
• Encryption standards used to encrypt stored customer data
consent. This privacy requirement is one of the fair information
practice principles. Individuals must be able to prevent the collec-
tion of their personal data, unless legally required. If an individual
has a choice about the use or disclosure of his or her information,
consent is the individual's way of giving permission for the use
or disclosure. Consent may be affirmative (for example, opting in)
or implied (for example, not opting out). There are two types of
consent:
• explicit consent. A requirement that an individual "signifies" his or
her agreement with a data controller by some active communication
between the parties. According to the EU Data Protection Directive,
explicit consent is required for processing of sensitive information.
Further, data controllers cannot infer consent from nonresponse to a
communication.
• implied consent. When consent may reasonably be inferred from the
action or inaction of the individual.
data subjects. The individual about whom personal information is
collected.
disclosure. The release, transfer, provision of access to, or divulging
in any other manner of information outside the entity holding
the information. Disclosure is often used interchangeably with the
terms "sharing" and "onward transfer."
disposal. A phase of the data lifecycle that pertains to how an entity
removes or destroys an individual's personal information.
environmental protections. Measures implemented by the entity
to detect, prevent, and manage the risk of casualty damage to the
physical parts of the system (for example, protections from fire,
flood, wind, earthquake, power surge, or power outage).
external users. Individuals that are non-workforce members or per-
sonnel who are authorized by customers, entity management, or
other authorized persons to interact with the system.
internal users. Workforce members or personnel whose job function
causes them to be members of the people component of the system.
personal information. Information that is or can be about or related
to an identifiable individual.
privacy commitments. Declarations made by management regard-
ing the performance of a system processing personal informa-
tion. Privacy commitments can be communicated in written agree-
ments, standardized contracts, service level agreements, or pub-
lished statements (for example, a privacy practices statement). Pri-
vacy commitments may be made on many different aspects of the
service being provided, including the following:
• Types of information processed by the system
• Employees, third parties, and other persons that can access the
information
• Conditions under which information can be processed without consent
Some examples include the following:
• The organization will not process or transfer information without
obtaining the data subject's consent.
• The organization will provide a notice to customers once in 6 months
or when there is a change in the organization's business policies.
• The organization will respond to access requests within 10 working
days of receiving the request from its customers.
privacy notice. A written communication by entities that collect per-
sonal information to the individuals about whom personal informa-
tion is collected about the entity's (a) policies regarding the nature
of the information that they will collect and how that information
will be used, retained, disclosed, and disposed of or anonymized
and (b) commitment to adhere to those policies. A privacy notice
also includes information about such matters as the purpose of col-
lecting the information, the choices that individuals have related
to their personal information, the security of such information, and
how individuals can contact the entity with inquiries, complaints,
and disputes related to their personal information. When a user
entity collects personal information from individuals, it typically
provides a privacy notice to those individuals.
report users. Intended users of the practitioner's report in accor-
dance with AT section 101, Attest Engagements (AICPA, Profes-
sional Standards). Report users may be the general public or may
be restricted to specified parties in accordance with paragraph .78
of AT section 101.
retention. A phase of the data lifecycle that pertains to how an entity
stores information for future use or reference.
system requirements. Specifications regarding how the system
should function to meet the entity's commitments to customers and
relevant laws, regulations, and guidelines of industry groups, such
as business or trade associations. Requirements are often specified
in the entity's system policies and procedures, system design docu-
mentation, contracts with customers, and government regulations.
Examples of system requirements are
• workforce member fingerprinting and background checks established in
government banking regulations.
• system edits that restrict the values accepted for system input, which
are defined in application design documents.
• maximum acceptable intervals between periodic review of workforce
member logical access as documented in the security policy manual.
• data definition and tagging standards, including any associated
metadata requirements, established by industry groups or other bodies,
such as the Simple Object Access Protocol.
• business processing rules and standards established by regulators, for
example, security requirements under the Health Insurance Portability
and Accountability Act (HIPAA).
System requirements may result from the entity's commitments
relating to security, availability, processing integrity, confidential-
ity, or privacy. For example, a commitment to programmatically
enforce segregation of duties between data entry and data approval
creates system requirements regarding user access administration.
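The segregation-of-duties example above is the kind of commitment that becomes a system requirement the application itself must enforce. As an added illustration that is not part of the AICPA text, the following Python models the two checks such a requirement produces: a static check in user access administration that refuses to grant one user both the data-entry and the data-approval roles, and a dynamic check at approval time that refuses an approval by the user who entered the record, so the rule survives even if role data later drifts. The role names, users, and record structure are hypothetical.

```python
"""Added illustration (not AICPA text): programmatic segregation of duties (SoD)
between data entry and data approval, enforced in user access administration
(static SoD) and again at approval time (dynamic SoD). Roles, users, and the
record structure are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    DATA_ENTRY = "data_entry"
    DATA_APPROVAL = "data_approval"
    READ_ONLY = "read_only"


# Role pairs a single user may never hold at the same time (static SoD rule).
CONFLICTING_ROLES = {frozenset({Role.DATA_ENTRY, Role.DATA_APPROVAL})}


class SegregationOfDutiesError(Exception):
    """Raised when an action would violate a segregation-of-duties rule."""


@dataclass
class Record:
    record_id: int
    entered_by: str
    approved_by: Optional[str] = None


@dataclass
class AccessAdministration:
    """User access administration: role grants are checked against CONFLICTING_ROLES."""
    assignments: dict[str, set[Role]] = field(default_factory=dict)

    def grant(self, user: str, role: Role) -> None:
        held = self.assignments.setdefault(user, set())
        for conflict in CONFLICTING_ROLES:
            # Refuse the grant if the user already holds the other half of a conflicting pair.
            if role in conflict and held & (conflict - {role}):
                raise SegregationOfDutiesError(
                    f"{user} already holds a role that conflicts with {role.value}")
        held.add(role)

    def has_role(self, user: str, role: Role) -> bool:
        return role in self.assignments.get(user, set())

    def violations(self) -> list[str]:
        """Periodic access review: users whose accumulated roles conflict."""
        return sorted(user for user, roles in self.assignments.items()
                      if any(conflict <= roles for conflict in CONFLICTING_ROLES))


class Ledger:
    """Records flow from entry to approval; the approver must differ from the enterer."""

    def __init__(self, access: AccessAdministration) -> None:
        self.access = access
        self.records: dict[int, Record] = {}
        self._next_id = 1

    def enter(self, user: str) -> Record:
        if not self.access.has_role(user, Role.DATA_ENTRY):
            raise PermissionError(f"{user} lacks the data-entry role")
        record = Record(self._next_id, entered_by=user)
        self.records[record.record_id] = record
        self._next_id += 1
        return record

    def approve(self, user: str, record_id: int) -> Record:
        if not self.access.has_role(user, Role.DATA_APPROVAL):
            raise PermissionError(f"{user} lacks the data-approval role")
        record = self.records[record_id]
        # Dynamic SoD: holds even if role data drifted past the provisioning check.
        if record.entered_by == user:
            raise SegregationOfDutiesError(
                f"{user} entered record {record_id} and may not approve it")
        record.approved_by = user
        return record


def demo() -> dict[str, object]:
    """Exercise both checks with hypothetical users; returns the outcomes."""
    access = AccessAdministration()
    access.grant("alice", Role.DATA_ENTRY)
    access.grant("bob", Role.DATA_APPROVAL)
    try:                                  # static SoD at provisioning time
        access.grant("alice", Role.DATA_APPROVAL)
        static_blocked = False
    except SegregationOfDutiesError:
        static_blocked = True

    ledger = Ledger(access)
    rec = ledger.enter("alice")
    access.assignments["alice"].add(Role.DATA_APPROVAL)  # simulate role drift
    try:                                  # dynamic SoD at approval time
        ledger.approve("alice", rec.record_id)
        dynamic_blocked = False
    except SegregationOfDutiesError:
        dynamic_blocked = True
    ledger.approve("bob", rec.record_id)
    return {"static_blocked": static_blocked, "dynamic_blocked": dynamic_blocked,
            "approved_by": rec.approved_by, "review_flags": access.violations()}


if __name__ == "__main__":
    print(demo())
```

The point of keeping both checks is that the provisioning-time rule alone is bypassed by any path that writes role data without going through `grant` (a bulk import, a direct database edit), while `violations()` gives the periodic access review described elsewhere in the criteria something concrete to report.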

TSP 100.17 2016, AICPA


SOC 2 engagement. An examination engagement to report on the
fairness of the presentation of management's description of the
service organization's system, the suitability of the design of the
controls included in the description, and, in a type 2 engagement,
the operating effectiveness of those controls. This engagement is
performed in accordance with the attestation standards and the
AICPA Guide Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2).
SOC 3 engagement. An examination engagement to report on the
suitability of design and the operating effectiveness of an entity's
controls over a system relevant to one or more of the trust services
principles.
third party. An entity that is not a party to the contract between the
entity and the contractual user of the system but has an involve-
ment with the system.
trust services. A set of professional attestation and advisory ser-
vices based on a core set of principles and criteria that address the
operation and protection of a system and related data.
workforce member. Employees, contractors, and others (personnel) engaged by the company to perform activities as part of the system.


.18
Appendix B: Illustration of Risks and Controls for a Sample Entity
In evaluating whether controls are suitably designed to meet each of the trust
services criteria, management needs to evaluate the risks that would prevent
the criteria from being met for the system being assessed. In identifying these
risks, management needs to consider the
• products and services provided by the system.
• components of the system used to provide the products and services.
• environment in which the system operates.
• commitments the entity has made to system users and parties affected by the system.
• system requirements that derive from
  - laws and regulations affecting how the system functions and products and services are provided,
  - commitments made to system users and parties affected by the system, and
  - business objectives of the entity.
The illustration that follows is an example of the risks that a hypothetical
midsized entity might identify during its risk evaluation and the controls that
it could implement to address those risks. It is provided to assist practition-
ers with an understanding of the types of risks an entity might identify and
controls to mitigate the risks to meet the criteria. It is not intended to be an
all-inclusive listing of possible risks and controls. Each entity needs to consider
other risks and controls to address those risks to meet the criteria. Also, the
types of controls are presented at a high level and do not include the details
that would be necessary for a suitably designed control, for example, the posi-
tion of the person performing the control, the frequency with which the control
is performed, and how the control is performed, documented, and monitored.

Criteria, Illustrative Risks, and Illustrative Types of Controls

Criteria Common to All [Security, Availability, Processing Integrity, Confidentiality, and Privacy] Principles

CC1.0 Common Criteria Related to Organization and Management

CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: The entity's organizational structure does not provide the necessary structure, resources, and information flow to manage [security, availability, processing integrity, confidentiality, or privacy] activities.
  Illustrative types of controls:
  • The entity evaluates its organizational structure, reporting lines, authorities, and responsibilities as part of its business planning process and as part of its ongoing risk assessment and management process and revises these when necessary to help meet changing commitments and system requirements.

  Illustrative risk: The roles and responsibilities of key managers are not sufficiently defined to permit proper oversight, management, and monitoring of [security, availability, processing integrity, confidentiality, or privacy] activities.
  Illustrative types of controls:
  • Roles and responsibilities are defined in written job descriptions and communicated to managers and their supervisors.
  • Job descriptions are reviewed by entity management on an annual basis for needed changes and, when job duty changes are necessary, corresponding changes to these job descriptions are also made.

  Illustrative risk: Reporting relationships and organizational structure do not permit effective senior management oversight of [security, availability, processing integrity, confidentiality, or privacy] activities.
  Illustrative types of controls:
  • Reporting relationships and organizational structures are reviewed periodically by senior management as part of organizational planning and adjusted as needed based on changing entity commitments and requirements.

  Illustrative risk: Personnel have not been assigned responsibility or have been delegated insufficient authority to meet [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements.
  Illustrative types of controls:
  • Roles and responsibilities are defined in written job descriptions.

  Illustrative risk: Responsibility and accountability for privacy and data protection are not assigned to personnel with sufficient authority within the entity to manage risk and compliance.
  Illustrative types of controls:
  • Roles and responsibilities for privacy and data governance are defined and communicated to personnel as well as to third parties. The entity has assigned a chief privacy officer (CPO) who reports to the general counsel and audit committee. The CPO oversees the privacy staff responsible for implementation and monitoring of privacy controls. In addition, designated privacy advocates are assigned in each business unit and report indirectly to privacy staff.

CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: Personnel have not been assigned responsibility or have been delegated insufficient authority to meet [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements.
  Illustrative types of controls:
  • Roles and responsibilities are defined in written job descriptions.
  • Job descriptions are reviewed on a periodic basis for needed changes and updated if such changes are identified.

  Illustrative risk: Responsibility and accountability for privacy and data protection controls are not assigned to personnel with sufficient authority within the entity to manage risk and compliance.
  Illustrative types of controls:
  • The CPO oversees a privacy staff responsible for the implementation and monitoring of privacy controls. In addition, designated privacy advocates, who indirectly report to the CPO and privacy staff, are assigned in each business unit. Privacy advocates are responsible for helping to ensure the implementation of privacy controls and monitoring activities.
CC1.3 The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] and provides resources necessary for personnel to fulfill their responsibilities.

  Illustrative risk: Newly hired, newly assigned, or transferred personnel do not have sufficient knowledge and experience to perform their responsibilities.
  Illustrative types of controls:
  • Job requirements are documented in the job descriptions, and candidates' abilities to meet these requirements are evaluated as part of the hiring, performance review, and transfer evaluation processes.
  • The experience and training of candidates for employment or assignment are evaluated before they assume the responsibilities of their position.

  Illustrative risk: Personnel do not have sufficient periodic training to perform their responsibilities.
  Illustrative types of controls:
  • Management establishes requisite skillsets for personnel and provides continued training about its commitments and requirements for personnel.
  • Management monitors compliance with training requirements.

  Illustrative risk: Technical tools and knowledge resources are insufficient to perform assigned tasks.
  Illustrative types of controls:
  • During its ongoing and periodic business planning and budgeting process, management evaluates the need for additional tools and resources in order to achieve business objectives.
CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: Personnel did not comply with the entity's requirements for conduct.
  Illustrative types of controls:
  • Management monitors personnel compliance with the code of conduct through monitoring of customer and workforce member complaints and the use of an anonymous, third-party-administered ethics hotline. The entity's code of conduct includes a sanctions policy, which is applied to personnel who violate the code of conduct.
  • Personnel are required to read and accept the code of conduct and the statement of confidentiality and privacy practices upon their hire and to formally reaffirm them annually thereafter.

  Illustrative risk: A candidate with a background considered to be unacceptable by management of the entity is hired by the entity.
  Illustrative types of controls:
  • Senior management develops a list of characteristics that would preclude a candidate from being hired based on sensitivity or skill requirements for the given position. That list is provided to the individuals within the organization who make final hiring decisions, and those characteristics are considered when evaluating all candidates.
  • Before a third party is engaged by the entity, the third-party personnel undergo background screening. A background check includes, at a minimum, credit, criminal, drug, and employment checks.
  • Agreements are established with third parties or subcontractors that include clearly defined terms, conditions, and responsibilities for third parties and subcontractors.
  • Prior to employment, personnel are verified against regulatory screening databases.
  • The entity has established standards and guidelines for personnel ethical behavior.
CC2.0 Common Criteria Related to Communications

CC2.1 Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation.

  Illustrative risk: External users misuse the system due to their failure to understand its scope, purpose, and design.
  Illustrative types of controls:
  • System descriptions are made available to authorized external users that delineate the boundaries of the system and describe relevant system components as well as the purpose and design of the system. Documentation of the system description is made available to authorized external users via the entity's customer-facing website.
  • A description of the system is posted on the entity's intranet and is available to the entity's internal users. This description delineates the boundaries of the system and key aspects of processing.

  Illustrative risk: Internal users are unaware of key organization and system support functions, processes, roles, and responsibilities.
  Illustrative types of controls:
  • A description of the entity organization structure, system support functions, processes, and organizational roles and responsibilities is posted on the entity's intranet and made available to entity internal users. The description delineates the parties responsible for, accountable for, consulted on, and informed of changes in design and operation of key system components.

  Illustrative risk: External users fail to address risks for which they are responsible that arise outside the boundaries of the system.
  Illustrative types of controls:
  • System descriptions are made available to authorized external users that delineate the boundaries of the system and describe significant system components as well as the purpose and design of the system. The system description is made available to external users via ongoing communications with customers or via the customer website.

CC2.2 The entity's [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.

  Illustrative risk: Internal and external users misunderstand the capabilities of the system in providing for [security, availability, processing integrity, confidentiality, or privacy] and take actions based on the misunderstanding.
  Illustrative types of controls:
  • The entity's [security, availability, processing integrity, confidentiality, or privacy] commitments regarding the system are included in the master services agreement and customer-specific service level agreements. In addition, a summary of these commitments is made available on the entity's customer-facing website. A privacy notice is posted on all of the entity's publicly available websites and software. The privacy notice describes the entity's privacy commitments.
  • Policy and procedures documents for significant processes that address system requirements are available on the intranet.

  Illustrative risk: The entity fails to meet its commitments due to lack of understanding on the part of personnel responsible for providing the service.
  Illustrative types of controls:
  • Policy and procedures documents for significant processes are made available on the entity's intranet.
  • Personnel are required to attend annual security, confidentiality, and privacy training.
  • Personnel are required to read and accept the entity's code of conduct and the statement of security, confidentiality, and privacy practices upon hire and annually thereafter.
  • Processes are monitored monthly through service level management procedures that monitor compliance with service level commitments and agreements. Results are shared with applicable personnel and customers, and actions are taken and communicated to relevant parties, including customers, when such commitments and agreements are not met.
CC2.3 The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties.

  Illustrative risk: The system fails to function as designed due to internal users' failure to meet their responsibilities.
  Illustrative types of controls:
  • Policy and procedures documents for significant processes that address system requirements are available on the intranet.
  • Personnel are required to attend annual security, confidentiality, and privacy training.
  • Personnel are required to read and accept the code of conduct and the statement of confidentiality and privacy practices upon hire and annually thereafter.
  • Processes are monitored through service level management procedures that monitor compliance with commitments and requirements. Results are shared with applicable personnel and customers.

  Illustrative risk: The system fails to function as designed due to external users' failure to meet their responsibilities.
  Illustrative types of controls:
  • Customer responsibilities are described on the customer-facing website and in system documentation.
CC2.4 Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] of the system, is provided to personnel to carry out their responsibilities.

  Illustrative risk: Controls fail to function as designed or operate effectively due to misunderstanding on the part of personnel responsible for implementing and performing those controls, resulting in failure to achieve [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements.
  Illustrative types of controls:
  • Policy and procedures documents for significant processes are available on the intranet.
  • Processes are monitored following service level management procedures that monitor compliance with commitments and requirements. Results are shared according to policies.
  • Customer responsibilities are described on the customer-facing website and in system documentation.
CC2.5 Internal and external users have been provided with information on how to report [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] failures, incidents, concerns, and other complaints to appropriate personnel.

  Illustrative risk: System anomalies are detected by internal or external users but the failures are not reported to appropriate personnel, resulting in the system failing to achieve its [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements.
  Illustrative types of controls:
  • Policy and procedures documents for significant processes, which include responsibility for reporting operational failures, incidents, system problems, concerns, and user complaints (and the process for doing so), are published and made available on the intranet.
  • Customer responsibilities, which include responsibility for reporting operational failures, incidents, problems, concerns, and complaints, and the process for doing so, are described on the customer-facing website and in system documentation.
CC2.6 System changes that affect internal and external users' responsibilities or the entity's commitments and system requirements relevant to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] are communicated to those users in a timely manner.

  Illustrative risk: Internal and external users misunderstand changes in system capabilities or their responsibilities in providing for [security, availability, processing integrity, confidentiality, or privacy] due to system changes and take actions based on the misunderstanding.
  Illustrative types of controls:
  • Proposed system changes affecting customers are published on the customer-facing website XX days before their implementation. Internal and external users are given the chance to participate in user acceptance testing for major changes XX days prior to implementation. Changes made to systems are communicated and confirmed with customers through ongoing communications mechanisms such as customer care meetings and via the customer-facing website.
  • Management of the business unit must confirm understanding of changes by authorizing them.

  Illustrative risk: Internal and external users are not aware of system changes.
  Illustrative types of controls:
  • The system change calendar that describes changes to be implemented is posted on the entity intranet.
  • Updated system documentation is published on the customer website and intranet 30 days prior to implementation.
  • System changes that result from incidents are communicated to internal and external users through email as part of the implementation process.

  Illustrative risk: Changes in roles and responsibilities and changes to key personnel are not communicated to internal and external users in a timely manner.
  Illustrative types of controls:
  • Major changes to roles and responsibilities and changes to key personnel are communicated to affected internal and external users via email as part of the change management process.
CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls

CC3.1 The entity (1) identifies potential threats that could impair system [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system); (2) analyzes the significance of risks associated with the identified threats; (3) determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies); (4) identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control; and (5) reassesses, and revises as necessary, risk assessments and mitigation strategies based on the identified changes.

  Illustrative risk: Not all system components are included in the risk management process, resulting in a failure to identify and mitigate or accept risks.
  Illustrative types of controls:
  • A master list of the entity's system components is maintained, accounting for additions and removals, for management's use.

  Illustrative risk: Not all changes that significantly affect the system are identified, resulting in a failure to correctly reassess related risks.
  Illustrative types of controls:
  • During the risk assessment and management process, risk management personnel identify changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and update the potential threats to system objectives. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.

  Illustrative risk: Personnel involved in the risk management process do not have sufficient information to evaluate risks and the tolerance of the entity for those risks.
  Illustrative types of controls:
  • The entity has defined and implemented a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.

  Illustrative risk: One or more significant internal or external risks that threaten the achievement of [security, availability, processing integrity, confidentiality, or privacy] commitments and system requirements, and that can be addressed by security controls, are not identified.
  Illustrative types of controls:
  • During the risk assessment and management process, risk management office personnel identify changes to business objectives, commitments and system requirements, internal operations, and external factors that threaten the achievement of business objectives and update the potential threats to system objectives. Identified risks are rated using a risk evaluation process, and ratings are reviewed by management.
  • The entity performs a privacy impact assessment (PIA) to identify privacy-specific risks or compliance obligations and assesses the likelihood and potential magnitude of those risks. A PIA entails assessing the impact when new processes involving personal information are developed and when changes are made to such processes.
  • The risk and controls group evaluates the effectiveness of controls and mitigation strategies in meeting identified risks and recommends changes based on its evaluation. The risk and controls group's recommendations are reviewed and approved by senior management. An owner is assigned for each remediation plan in risk assessments.
  • The entity uses a configuration management database and related process to capture key system components, as well as technical and installation-specific implementation details, and to support ongoing asset and service management commitments and requirements.

  Illustrative risk: Changes that are not properly identified create risks due to the failure of those changes to undergo the risk management process.
  Illustrative types of controls:
  • During the risk assessment and management process, risk management personnel identify environmental, regulatory, and technological changes that have occurred. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.
CC3.2 The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy, reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities, and updates the controls, as necessary.

  Illustrative risk: Controls and mitigation strategies selected, developed, and deployed do not adequately mitigate risk.
  Illustrative types of controls:
  • Control self-assessments are performed by operating units on a quarterly basis.
  • Internal audits are performed based on the annual risk-based internal audit plan.
  • Business and system recovery plans are tested annually.
  • Internal and external vulnerability scans are performed quarterly and annually, and their frequency is adjusted as required to meet ongoing and changing commitments and requirements. Management takes action based on the results of the scans.
  • Policies and procedures related to risk management are developed, implemented, and communicated to personnel.

  Illustrative risk: Deployed controls and mitigation strategies create new risks that fail to be assessed.
  Illustrative types of controls:
  • See CC3.1 illustrative controls.
CC4.0 Common Criteria Related to Monitoring of Controls

CC4.1 The design and operating effectiveness of controls are periodically evaluated against the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof], and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.

  Illustrative risk: Controls are not suitably designed, configured in accordance with established policies, or operating in an effective manner, resulting in a system that does not meet commitments and system requirements.
  Illustrative types of controls:
  • Internal audit performs control assessments on a quarterly basis and communicates results to the audit committee for monitoring of corrective actions.
  • Management and internal audit periodically receive reports summarizing incidents, root cause of incidents, and corrective action plans. Internal audit monitors for completion of corrective action plans.
  • Control self-assessments (including assessment of controls addressing privacy risks) are performed by operating units on a quarterly basis, and the results of these are reported to management for additional control monitoring purposes.

CC5.0 Common Criteria Related to Logical and Physical Access Controls

CC5.1 Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: Not all system infrastructure or system components are protected by logical access security measures, resulting in unauthorized modification or use.
  Illustrative types of controls:
  • Established entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.
  • Network scans are performed for infrastructure elements to identify variance from entity standards. Static and dynamic code analysis testing is performed on new application systems and on changes made to existing system source code prior to and after such systems are placed into production. Management takes appropriate action based on the results of the scans.
  • Information system assets are assigned owners who are responsible for evaluating access based on job roles. The owners define access rights when assets are acquired or changed and periodically evaluate access for assets under their custody or stewardship.
  • Online applications match each user ID to a single customer account number. Requests for access to system records require the matching of the customer account number against a list of privileges each user possesses when granted access to the system initially.

  Illustrative risk: Logical access security measures do not identify or authenticate internal and external users prior to permitting access to IT components.
  Illustrative types of controls:
  • Infrastructure components and software are configured to use the shared sign-on functionality when available. Systems not using the shared sign-on functionality are required to be implemented with separate user ID and password submission.
  • External access by personnel is permitted only through a two-factor (for example, a swipe card and a password) encrypted virtual private network (VPN) connection.

  Illustrative risk: Logical access security measures do not provide for the segregation of duties required by
  Illustrative types of controls:
  • A role based security process has been defined with an access control system that is required to use roles
the system design. when possible.
Assets are assigned
owners who are
responsible for
evaluating the
appropriateness of
access based on job
roles. Roles are
periodically reviewed
and updated by asset
owners and the risk
and controls group on
an annual basis.
Access change
requests resulting
from the review are
submitted to the
security group via a
change request record.

(continued)

2016, AICPA TSP 100.18


46 Trust Services Principles and Criteria

Illustrative Types
Criteria Illustrative Risks of Controls
For software or
infrastructure that
does not support the
use of role-based
security, a separate
database of roles and
related access
privileges is
maintained. The
security group uses
this database when
specifying and
entering access rules
in these systems.
Logical access Privileged access to
security measures sensitive resources is
do not restrict access restricted to defined
to system user roles, and logical
configurations, access to these roles
privileged must be approved by
functionality, the chief information
master passwords, security officer. This
powerful utilities, access is reviewed by
security devices, and the chief information
other high risk security officer on a
resources. periodic basis.

CC5.2 New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials and granted the ability to access the system to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof]. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

  Illustrative risk: Valid user identities are granted to unauthorized persons.
  Illustrative types of controls:
  - On a daily basis, workforce member user IDs are automatically created in or removed from the active directory and VPN systems as of the date of employment, using an automated feed of new internal and external users collected from workforce member changes in the human resource management system.
  - Workforce access to protected resources is created or modified by the security group based on an authorized change request from the system's asset owner.
  - Contractor and vendor IDs are created by the security group based on an authorized change request from the contractor office. These IDs are valid for the lesser of the expected period of relationship or XX days.
  - Privileged customer accounts are created based on a written authorization request from the designated customer point of contact. These accounts are used by customers to create customer user access accounts and their related privileges.
  - System security is configured to require internal and external users to change their passwords upon their initial system sign-on and thereafter every XX days after their initial sign-on.

  Illustrative risk: A user that is no longer authorized continues to access system resources.
  Illustrative types of controls:
  - On a daily basis, the human resources system sends an automated feed to the active directory and the VPN for removal of access for personnel for whom it is the last day of employment. The list is used by security personnel to remove access. The removal of the access is verified by the security manager.
  - On a weekly basis, the human resources system sends to the security group a list of terminated personnel whose access is to be removed. The list is used by security personnel to remove access. The removal of the access is verified by a security manager.
  - On a weekly basis, the contractor office sends to the security group a list of terminated vendors and contractors whose access is to be removed. The list is used by security personnel to remove access. The removal of the access is verified by a security manager.
  - Entity policies prohibit the reactivation or use of a terminated workforce member's ID without written approval of the chief information security officer. Requests for reactivation are made using the change management record system and must include the purpose and justification of the access (for business need), the systems that are to be reactivated, and the time period for which the account will be active (no more than XX days). The account is reset with a new password and is activated for the time period requested. All use of the account is logged and reviewed by security personnel.
  - Account sharing is prohibited unless a variance from policy is granted by the chief information security officer, as might be provided by the entity using an account and password vaulting software product that provides account sharing under tightly controlled circumstances, the active logging of each use, and the resetting of the account password after each use. Otherwise, shared accounts are permitted for low risk applications (for example, an informational system where access with shared IDs cannot compromise segregation of duties) or when system technical limitations require their use (for example, UNIX root access). The chief information security officer must approve the use of all shared accounts. Mitigating controls are implemented when possible (for example, required use of su when accessing the UNIX root account).
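
The joiner and leaver processing described under CC5.2, as an added example that is not part of the AICPA document: a daily HR feed drives account creation and removal in the directory, contractor IDs expire at the lesser of the expected relationship period or a fixed number of days, and a security manager verifies that scheduled removals actually took effect. The HR records, the directory accounts, and the 90-day contractor cap standing in for the document's "XX days" are all constructed assumptions.

```python
"""Joiner/leaver reconciliation between an HR feed and directory accounts.

Added example; not from the AICPA document. Models the CC5.2 illustrative
controls: the HR feed drives user ID creation and removal, contractor IDs
expire at the lesser of the engagement period or CONTRACTOR_MAX_DAYS, and a
security manager verifies that scheduled removals actually happened.
All records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

CONTRACTOR_MAX_DAYS = 90  # assumed value for the document's "XX days"


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    kind: str                              # "employee" or "contractor"
    start: date                            # first day of employment/engagement
    end: Optional[date] = None             # last day of employment, None while active
    engagement_end: Optional[date] = None  # contractors: expected end of relationship


@dataclass(frozen=True)
class DirectoryAccount:
    user_id: str
    enabled: bool


def contractor_expiry(rec: HrRecord) -> date:
    """Lesser of the expected relationship end and start + CONTRACTOR_MAX_DAYS."""
    cap = rec.start + timedelta(days=CONTRACTOR_MAX_DAYS)
    return cap if rec.engagement_end is None else min(rec.engagement_end, cap)


def hr_active(rec: HrRecord, today: date) -> bool:
    """Access ends on the last day of employment itself, not the day after."""
    return rec.start <= today and (rec.end is None or today < rec.end)


def reconcile(hr: List[HrRecord], directory: List[DirectoryAccount],
              today: date) -> Dict[str, List[str]]:
    """Compute today's provisioning actions from the HR feed and directory state.

    create:  active in HR but no directory account yet
    disable: no longer active in HR but the account is still enabled
    expired: contractor past its computed expiry and still enabled
    orphan:  enabled account with no HR record at all (must be investigated)
    """
    accounts = {a.user_id: a for a in directory}
    actions: Dict[str, List[str]] = {"create": [], "disable": [], "expired": [], "orphan": []}
    for rec in hr:
        acct = accounts.get(rec.user_id)
        if hr_active(rec, today) and acct is None:
            actions["create"].append(rec.user_id)
        elif not hr_active(rec, today) and acct is not None and acct.enabled:
            actions["disable"].append(rec.user_id)
        elif (acct is not None and acct.enabled and rec.kind == "contractor"
              and contractor_expiry(rec) <= today):
            actions["expired"].append(rec.user_id)
    hr_ids = {rec.user_id for rec in hr}
    actions["orphan"] = sorted(a.user_id for a in directory
                               if a.enabled and a.user_id not in hr_ids)
    return actions


def verify_removals(directory_after: List[DirectoryAccount], scheduled: List[str]) -> List[str]:
    """Security-manager check: accounts scheduled for removal that are still enabled."""
    still_enabled = {a.user_id for a in directory_after if a.enabled}
    return sorted(uid for uid in scheduled if uid in still_enabled)


# Constructed sample data as of 2016-03-01.
TODAY = date(2016, 3, 1)
HR_FEED = [
    HrRecord("jdoe", "employee", date(2014, 1, 6)),
    HrRecord("asmith", "employee", date(2016, 3, 1)),                         # starts today
    HrRecord("bjones", "employee", date(2012, 5, 14), end=date(2016, 3, 1)),  # last day today
    HrRecord("cvendor", "contractor", date(2015, 11, 1), engagement_end=date(2016, 6, 30)),
    HrRecord("dvendor", "contractor", date(2016, 2, 1), engagement_end=date(2016, 2, 15)),
]
DIRECTORY = [
    DirectoryAccount("jdoe", True),
    DirectoryAccount("bjones", True),
    DirectoryAccount("cvendor", True),
    DirectoryAccount("dvendor", True),
    DirectoryAccount("oldtemp", True),  # nobody in HR knows this account
]

if __name__ == "__main__":
    for action, ids in reconcile(HR_FEED, DIRECTORY, TODAY).items():
        print(f"{action:8s} {', '.join(ids) or '-'}")
```

The orphan category is the one a reviewer should watch most closely: an enabled account that no current HR record explains is exactly the "user that is no longer authorized" the second risk describes, and a feed-driven process alone never notices it unless the reconciliation runs in both directions.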

CC5.3 Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: Internal and external users are not identified when accessing information system components.
  Illustrative types of controls:
  - Entity standards are established for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.
  - Account sharing is prohibited unless a variance from policy is granted by the chief information security officer, as might be provided by the entity using an account and password vaulting software product that provides account sharing under tightly controlled circumstances, active logging of each use, and the resetting of the account password after each use. Otherwise, shared accounts are permitted for low risk applications (for example, an informational system where access with shared IDs cannot compromise segregation of duties) or when system technical limitations require their use (for example, UNIX root access). The chief information security officer must approve the use of all shared accounts. Mitigating controls are implemented when possible (for example, required use of su when accessing the UNIX root account).

  Illustrative risk: Valid user identities are assumed by an unauthorized person to access the system.
  Illustrative types of controls:
  - The online application authenticates the legitimacy of each customer user's privileges by matching each user's ID upon entry to a single customer account number. Requests for access (for example, user attempts to access) to system records require the matching of the customer account number.
  - Applications provide reporting functionality on user entitlements.
  - Two-factor authentication and use of encrypted VPN channels help to ensure that only valid external users gain remote and local access to IT system components.
  - Infrastructure components and software are configured to use the active directory shared sign-on functionality when available. Systems not using the shared sign-on functionality are configured to require a separate user ID and password.

  Illustrative risk: External user access credentials are compromised, allowing an unauthorized person to perform activities reserved for authorized persons.
  Illustrative types of controls:
  - External users can only access the system remotely through the use of the VPN, secure sockets layer (SSL), or other encrypted communication system.
  - Password complexity standards are established to enforce control over access control software passwords.
  - Administrative accounts are set up, and the user administration function is segregated for managing privileged accounts.
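
The user-ID-to-account binding that the illustrative controls mention under CC5.1 and again under CC5.3 (the online application maps each user ID to a single customer account number and checks the privileges granted at enrollment before serving a record), as an added example that is not part of the AICPA document. The user, account, record and privilege tables are constructed; a real application would hold them in its identity store and database.

```python
"""Object-level authorization: one user ID, one customer account.

Added example; not from the AICPA document. Implements the CC5.1/CC5.3
illustrative control: each user ID is bound to exactly one customer account
number at enrollment, and every request for a record is checked both against
that account and against the privilege list granted when access was set up.
All tables are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# user ID -> the single customer account number bound at enrollment (constructed)
USER_ACCOUNT: Dict[str, str] = {"u-1001": "ACCT-555", "u-1002": "ACCT-777"}
# user ID -> privileges granted when the user was first given access (constructed)
USER_PRIVILEGES: Dict[str, Set[str]] = {"u-1001": {"view", "download"}, "u-1002": {"view"}}
# record ID -> owning customer account (constructed)
RECORDS: Dict[str, str] = {"stmt-1": "ACCT-555", "stmt-2": "ACCT-777", "stmt-3": "ACCT-999"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(user_id: str, record_id: str, action: str) -> Decision:
    """Allow the action only if the record belongs to the user's account and the
    privilege was granted. Checks are ordered so that the account binding is
    evaluated before the privilege list; both must pass."""
    account = USER_ACCOUNT.get(user_id)
    if account is None:
        return Decision(False, "unknown or unenrolled user")
    owner = RECORDS.get(record_id)
    # A record that does not exist and a record belonging to another account get
    # the same answer, so the response does not reveal which record IDs exist.
    if owner is None or owner != account:
        return Decision(False, "record not available to this account")
    if action not in USER_PRIVILEGES.get(user_id, set()):
        return Decision(False, f"privilege {action!r} not granted to this user")
    return Decision(True, "ok")


def entitlement_report() -> List[Tuple[str, str, List[str]]]:
    """The 'reporting functionality on user entitlements' the controls call for:
    every user, the account it is bound to, and the privileges it holds."""
    return sorted((uid, USER_ACCOUNT[uid], sorted(USER_PRIVILEGES.get(uid, ())))
                  for uid in USER_ACCOUNT)


if __name__ == "__main__":
    for uid, rec, act in (("u-1001", "stmt-1", "view"), ("u-1001", "stmt-2", "view"),
                          ("u-1002", "stmt-2", "download")):
        print(uid, rec, act, authorize(uid, rec, act))
    print(entitlement_report())
```

The check is deliberately performed against the record's owning account rather than against the record ID supplied by the user, which is the property that keeps a valid user from reaching another customer's records under the "valid user identities are assumed" risk.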

CC5.4 Access to data, software, functions, and other IT resources is authorized and modified or removed based on roles, responsibilities, or the system design and changes to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: Valid internal or external users obtain unauthorized access to the system, resulting in a breakdown in segregation of duties or an increase in the risk of intentional malicious acts or error.
  Illustrative types of controls:
  - When possible, formal role-based access controls to limit access to the system and infrastructure components are created and enforced by the access control system. When it is not possible, authorized user IDs with two-factor authentication are used.
  - User access requests for a specific role are approved by the user's manager and submitted to the security group via the change management record system. Separation of duties exists between individuals who request access, authorize access, grant access, and review access.

  Illustrative risk: Access granted through the provisioning process compromises segregation of duties or increases the risk of intentional malicious acts or error.
  Illustrative types of controls:
  - When possible, formal role-based access controls to limit access to the system and infrastructure components are created and enforced by the access control system. When it is not possible, authorized user IDs with two-factor authentication are used.
  - Roles are reviewed and updated by both asset owners and the risk and controls group on an annual basis. Access change requests resulting from the review are submitted to the security group via a change request record.
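
The separation-of-duties rule on access requests under CC5.4 (distinct persons request, authorize, grant, and review), as an added example that is not part of the AICPA document. The role catalog, the list of role combinations the entity treats as incompatible, and the three sample requests are constructed; the CISO approval for privileged roles comes from the CC5.1 controls above.

```python
"""Policy checks on role-based access requests.

Added example; not from the AICPA document. Enforces the CC5.4 illustrative
controls: a request for a role carries the user's manager's approval, is
fulfilled by the security group, and the persons who request, authorize,
grant and review the access are all different. It also rejects roles that
are not in the catalog, privileged roles without CISO approval (CC5.1), and
role combinations the entity has declared incompatible. Roles, the conflict
list and the requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Assumed role catalog: role name -> whether it is privileged.
ROLE_CATALOG: Dict[str, bool] = {
    "ap_clerk": False,     # enters vendor invoices
    "ap_approver": False,  # approves vendor payments
    "db_admin": True,      # privileged functionality
}
# Assumed segregation-of-duties matrix: role pairs one person may not hold together.
CONFLICTING_ROLES: Set[FrozenSet[str]] = {frozenset({"ap_clerk", "ap_approver"})}


@dataclass(frozen=True)
class AccessRequest:
    user: str                   # person who will receive the role
    role: str
    requested_by: str           # may be the user themselves
    approved_by: Optional[str]  # the user's manager
    granted_by: Optional[str]   # security group member who fulfils the request
    reviewed_by: Optional[str]  # asset owner or risk and controls reviewer
    ciso_approved: bool = False


def validate_request(req: AccessRequest, held_roles: Dict[str, Set[str]]) -> List[str]:
    """Return every policy violation; an empty list means the request may be fulfilled."""
    problems: List[str] = []
    if req.role not in ROLE_CATALOG:
        problems.append(f"unknown role {req.role!r}")
    if not req.approved_by:
        problems.append("missing manager approval")
    # Separation of duties between the four functions on the request itself.
    actors = [a for a in (req.requested_by, req.approved_by, req.granted_by, req.reviewed_by) if a]
    if len(set(actors)) != len(actors):
        problems.append("one person holds more than one of request/authorize/grant/review")
    if req.user in (req.approved_by, req.granted_by, req.reviewed_by):
        problems.append("subject of the request acts as approver, granter or reviewer")
    if ROLE_CATALOG.get(req.role) and not req.ciso_approved:
        problems.append("privileged role requires chief information security officer approval")
    # Would the new role, combined with roles already held, break segregation of duties?
    held = held_roles.get(req.user, set())
    for pair in CONFLICTING_ROLES:
        if req.role in pair:
            clash = (pair - {req.role}) & held
            if clash:
                problems.append(f"role {req.role!r} conflicts with held role(s) {sorted(clash)}")
    return problems


# Constructed requests.
CURRENT_ROLES: Dict[str, Set[str]] = {"alice": {"ap_clerk"}, "eve": set()}
REQUEST_OK = AccessRequest("bob", "ap_clerk", requested_by="bob", approved_by="mgr_carol",
                           granted_by="sec_dan", reviewed_by="risk_erin")
REQUEST_SOD = AccessRequest("alice", "ap_approver", requested_by="alice", approved_by="mgr_carol",
                            granted_by="mgr_carol", reviewed_by=None)
REQUEST_PRIV = AccessRequest("eve", "db_admin", requested_by="eve", approved_by="mgr_carol",
                             granted_by="sec_dan", reviewed_by="risk_erin")

if __name__ == "__main__":
    for req in (REQUEST_OK, REQUEST_SOD, REQUEST_PRIV):
        print(req.user, req.role, validate_request(req, CURRENT_ROLES) or "OK")
```

The second sample request fails twice: the manager both approved and granted it, and the role would let one person enter and approve the same payments. Checking the combination against roles already held is what turns the annual role review into a preventive control rather than only a detective one.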

CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: Unauthorized persons gain physical access to system components, resulting in damage to components (including threats to personnel), fraudulent or erroneous processing, unauthorized logical access, or compromise of information.
  Illustrative types of controls:
  - An ID card-based physical access control system has been implemented within the perimeter of facilities and at the entry and exit points of sensitive areas within these facilities.
  - ID cards that include a workforce member picture must be worn at all times when accessing or leaving the facility.
  - ID cards are created by the human resources department during the workforce member orientation period and distributed after all required background investigations are completed. ID cards initially provide access only to non-sensitive areas. Access to sensitive areas is added to ID cards by the physical security director based on a request for access approved by the owner of the sensitive area and after required background investigations have been performed and any issues resolved. Requests for access and changes to access are made, approved, and communicated through the change management record system.
  - The contractor office may request ID cards for vendors and contractors. Cards are created by the physical security director upon approval of an authorized manager. Requests are made, approved, and communicated through the change management record system.
  - Visitors must be signed in by an authorized workforce member before a single-day visitor badge that identifies them as an authorized visitor can be issued. Visitor badges are for identification purposes only and do not permit access to any secured areas of the facility. All visitors must be escorted by a workforce member when visiting facilities where sensitive systems and system components are maintained and operated.

  Illustrative risk: Formerly appropriate physical access becomes inappropriate due to changes in user job responsibilities or system changes, resulting in a breakdown in segregation of duties or an increase in the risk of intentional malicious acts or error.
  Illustrative types of controls:
  - Owners of sensitive areas of the facilities review the list of names and roles of those granted physical access to their areas on a semiannual basis to check for continued business need. Requests for changes are made through the change management record system.

  Illustrative risk: A formerly authorized person continues to access system resources after that person is no longer authorized.
  Illustrative types of controls:
  - Owners of sensitive areas of the facilities review access to their areas on a semiannual basis. Requests for changes are made through the change management record system.
  - Vendors are asked to review a list of personnel with ID cards on a semiannual basis, recertify access entitlements, and request any modifications. The contractor office requests changes based on the vendor review.
  - On a daily basis, as of the last day of employment, the human resources system sends to physical security a list of terminated personnel for whom it is the last day of employment and whose access is to be removed and their pass cards to be disabled.

  Illustrative risk: A user obtains the identification credentials and authentication credentials of a formerly authorized person and uses them to gain unauthorized access to the system.
  Illustrative types of controls:
  - On a weekly basis, the contractor office sends to the security group a list of terminated vendors and contractors for whom access is to be removed.
  - On a weekly basis, or immediately upon termination of employment, the human resources system sends to the physical security group a list of terminated personnel for whom access is to be removed.
  - Personnel are required to return their ID cards during exit interviews, and all ID badges are disabled prior to exit interviews. Therefore, personnel must be physically escorted from the entity's facilities at the completion of the exit interview.
  - The sharing of access badges and tailgating are prohibited by policy.
  - Mantraps or other physical devices are used for controlling access to highly sensitive facilities. Doors that bypass mantraps can only be opened by the ID cards of designated members of management.
  - A monitoring process exists to monitor entry and exit points. Measures such as, but not limited to, alarm systems, surveillance cameras, and trained security guards are adopted. The resulting information (for example, logs and tapes) is maintained for an agreed-to period of time for future reference.
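
A review of badge-reader logs for the conditions the CC5.5 controls are meant to prevent (a badge disabled at the exit interview opening a door afterwards, a visitor badge opening a secured area, and re-entry through a secured door without an intervening exit, which is the usual indicator of badge sharing or tailgating), as an added example that is not part of the AICPA document. The door names, badge numbering scheme, disabled-badge list and log lines are constructed.

```python
"""Review of badge-reader logs for physical access anomalies.

Added example; not from the AICPA document. Looks for the conditions the
CC5.5 illustrative controls are meant to prevent: a badge disabled at the
exit interview opening a door afterwards, a visitor badge opening a secured
area, and re-entry through a secured door without an intervening exit, which
is an indicator of badge sharing or tailgating. Door names, badge numbering
and the log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SECURED_DOORS: Set[str] = {"DC-01", "TAPE-VAULT"}  # assumed sensitive-area doors
VISITOR_PREFIX = "V"                               # assumed: visitor badges start with V
DISABLED_BADGES: Set[str] = {"E1042"}              # assumed: disabled at the exit interview

# Constructed log format: timestamp badge door direction result
BADGE_LOG = """\
2016-03-01T08:02:11 E1001 LOBBY IN GRANTED
2016-03-01T08:05:40 E1001 DC-01 IN GRANTED
2016-03-01T08:30:02 E1001 DC-01 IN GRANTED
2016-03-01T09:10:55 V0007 LOBBY IN GRANTED
2016-03-01T09:12:30 V0007 DC-01 IN GRANTED
2016-03-01T10:00:00 E1042 LOBBY IN GRANTED
2016-03-01T10:30:00 E1777 DC-01 IN DENIED
2016-03-01T11:00:00 E1001 DC-01 OUT GRANTED
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (IN|OUT) (GRANTED|DENIED)$")
Event = Dict[str, str]
Finding = Tuple[str, str, str]  # (timestamp, badge, description)


def parse(log_text: str) -> Tuple[List[Event], int]:
    """Parse well-formed lines; count malformed ones so the gap stays visible."""
    events: List[Event] = []
    malformed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        ts, badge, door, direction, result = m.groups()
        events.append({"ts": ts, "badge": badge, "door": door,
                       "direction": direction, "result": result})
    return events, malformed


def review(events: List[Event]) -> List[Finding]:
    """Walk the events in order and report each anomaly as it occurs."""
    findings: List[Finding] = []
    inside: Dict[str, Set[str]] = defaultdict(set)  # door -> badges currently inside
    for e in events:
        if e["result"] != "GRANTED":
            continue  # denied swipes are expected noise; they are trended separately
        if e["badge"] in DISABLED_BADGES:
            findings.append((e["ts"], e["badge"], "disabled badge opened a door"))
        if e["badge"].startswith(VISITOR_PREFIX) and e["door"] in SECURED_DOORS:
            findings.append((e["ts"], e["badge"], f"visitor badge opened secured door {e['door']}"))
        if e["door"] not in SECURED_DOORS:
            continue
        if e["direction"] == "IN":
            if e["badge"] in inside[e["door"]]:
                findings.append((e["ts"], e["badge"],
                                 f"re-entry at {e['door']} without an exit "
                                 "(possible badge sharing or tailgating)"))
            inside[e["door"]].add(e["badge"])
        else:
            inside[e["door"]].discard(e["badge"])
    return findings


if __name__ == "__main__":
    events, bad = parse(BADGE_LOG)
    for ts, badge, what in review(events):
        print(ts, badge, what)
    print(f"{bad} malformed line(s)")
```

The re-entry check only works at doors that log both directions, which is why it is limited to the secured-area readers; a lobby reader that records entries only would flag every returning employee.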

CC5.6 Logical access security measures have been implemented to protect against [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] threats from sources outside the boundaries of the system to meet the entity's commitments and system requirements.

  Illustrative risk: Threats to the system are obtained through external points of connectivity.
  Illustrative types of controls:
  - Defined entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists that define which privileges are attributable to each user or system account.
  - External points of connectivity are protected by a firewall complex, network segmentation, data loss prevention (DLP), and several layers of defense to prevent unauthorized external users from gaining access to the organization's internal systems and devices.
  - Firewall hardening standards are based on relevant applicable technical specifications that are compared against product and industry recommended practices and updated periodically.
  - Security Incident and Event Management (SIEM) software continually collects firewall logs, parses the entries using business rules and known threat signatures, and creates alerts to the security and network operations teams when anomalous traffic or packets are identified, so that firewall rules can be immediately updated to reduce security threat risks in the network, systems, and data stores.
  - External access to nonpublic sites is restricted through the use of user authentication and message encryption systems such as VPN and SSL.

  Illustrative risk: Authorized connections to the system are compromised and used to gain unauthorized access to the system.
  Illustrative types of controls:
  - Firewall rules and the online system limit the times when remote access can be granted and the types of activities and service requests (for example, disable copy/paste or remote print and drive mappings) that can be performed from external connections.

  Illustrative risk: Data stored temporarily outside its normal location (for example, stored during disaster recovery testing) is accessed by unauthorized persons.
  Illustrative types of controls:
  - Data written to the data storage systems within the disaster recovery facility is subject to sanitization procedures at the conclusion of disaster recovery testing, prior to the return of control of storage to the facility vendor.

CC5.7 The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: Nonpublic information is disclosed during transmission over public communication paths.
  Illustrative types of controls:
  - VPN, SSL, secure file transfer program (SFTP), and other encryption technologies are used for defined points of connectivity and to protect communications between the processing center and users connecting to the processing center from within or external to customer networks.
  - Entity policies prohibit the transmission of sensitive information over the Internet or other public communications paths (for example, email) unless it is encrypted.
  - DLP software is used to scan for sensitive information in outgoing transmissions over public communication paths. Information that is restricted (Social Security numbers [SSNs], dates of birth, and so forth) is blocked, stripped, or both from outgoing transmissions.

  Illustrative risk: Removable media (for example, USB drives, DVDs, or tapes) are lost, intercepted, or copied during physical movement between locations.
  Illustrative types of controls:
  - Backup media are encrypted during creation.
  - Storage for workstations and laptops is encrypted. Removable media for workstations and laptops are encrypted automatically by the software. Removable media are readable only by other entity-owned devices.
  - Other removable media are produced by data center operations and are transported via courier.
  - Use of removable media is prohibited by policy except when authorized by management.

  Illustrative risk: Removable media used to make unauthorized copies of software or data are taken beyond the boundaries of the system.
  Illustrative types of controls:
  - Storage for workstations and laptops is encrypted. Removable media for these devices are encrypted automatically by the software. Removable media are readable only by other entity-owned devices.
  - Backup media are encrypted during creation.
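
The outbound DLP control under CC5.7 (restricted items such as SSNs and dates of birth are blocked or stripped from transmissions over public paths, while encrypted channels are permitted by policy), as an added example that is not part of the AICPA document. The detection patterns, the per-class block/strip policy and the sample messages are constructed; the SSN pattern follows the published format rules (area not 000, 666 or 9xx; group not 00; serial not 0000) so that obvious non-SSNs are not flagged.

```python
"""Outbound DLP filter for restricted personal data.

Added example; not from the AICPA document. Implements the CC5.7 illustrative
control in which DLP software scans outgoing transmissions over public paths
and blocks or strips restricted information such as Social Security numbers
(SSNs) and dates of birth. The patterns, the block/strip policy and the
messages are constructed; the SSN pattern follows the published format rules
(area not 000, 666 or 9xx; group not 00; serial not 0000).
"""
import re
from typing import Dict, List, Optional, Tuple

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# A date-of-birth label followed by a date in two common layouts (assumed formats).
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth)\s*[:=]?\s*(\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})",
    re.IGNORECASE,
)
# Assumed entity policy for each restricted data class on a public path.
POLICY: Dict[str, str] = {"ssn": "block", "dob": "strip"}


def classify(text: str) -> Dict[str, List[str]]:
    """Return {data class: [matches]} for every restricted item found in text."""
    found: Dict[str, List[str]] = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        found["ssn"] = ssns
    dobs = DOB_RE.findall(text)
    if dobs:
        found["dob"] = dobs
    return found


def strip_restricted(text: str) -> str:
    """Redact restricted items in place, keeping the surrounding label readable."""
    text = SSN_RE.sub("[SSN REMOVED]", text)
    return DOB_RE.sub(lambda m: m.group(0).replace(m.group(1), "[DOB REMOVED]"), text)


def filter_outbound(message: str, encrypted: bool) -> Tuple[str, Optional[str]]:
    """Decide what may leave the boundary: (action, text delivered or None).

    Encrypted channels are permitted by policy, so the message passes unchanged.
    On a public path any data class whose policy is 'block' stops the message;
    otherwise 'strip' classes are redacted and the rest is delivered.
    """
    if encrypted:
        return "allow", message
    found = classify(message)
    if not found:
        return "allow", message
    if any(POLICY[cls] == "block" for cls in found):
        return "block", None
    return "strip", strip_restricted(message)


# Constructed messages.
MSG_SSN = "Hi, the applicant's SSN is 219-09-9999 and DOB: 04/12/1980."
MSG_DOB = "Reminder: date of birth 1980-04-12 is on file."
MSG_CLEAN = "Order 123-45 shipped."

if __name__ == "__main__":
    for msg in (MSG_SSN, MSG_DOB, MSG_CLEAN):
        print(filter_outbound(msg, encrypted=False))
```

Pattern-based classification is only as good as its patterns: an SSN written without hyphens, or a birth date with no label next to it, passes this filter, which is why the document pairs DLP with a policy that forbids unencrypted transmission in the first place.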

CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: Malicious or otherwise unauthorized code is used to intentionally or unintentionally compromise logical access controls or system functionality through data transmission, removable media, and portable or mobile devices.
  Illustrative types of controls:
  - The ability to install software on workstations and laptops is restricted to IT support personnel.
  - Antivirus software is installed on workstations, laptops, and servers supporting such software. The antivirus program covers any piece of hardware that may be accessing the network, both internally and externally, as well as bring your own device (BYOD) equipment.
  - Antivirus software is configured to receive an updated virus signature at least daily. Network operations receives a report of devices that have not been updated in 30 days and follows up on those devices.

  Illustrative risk: Business owners obtain and install applications without proper authorization.
  Illustrative types of controls:
  - The ability to install applications on systems is restricted to change implementation and system administration personnel.

CC6.0 Common Criteria Related to System Operations

CC6.1 Vulnerabilities of system components to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified system vulnerabilities to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

  Illustrative risk: Vulnerabilities that could lead to a breach or incident are not detected in a timely manner.
  Illustrative types of controls:
  - Logging and monitoring software is used to collect data from system infrastructure components and endpoint systems; to monitor system performance, potential security threats and vulnerabilities, and resource utilization; and to detect unusual system activity or service requests. This software sends a message to the operations center and security organization and automatically opens a priority incident or problem ticket and change management record item.
  - Call center personnel receive telephone and email requests for support, which may include requests to reset user passwords or to notify entity personnel of potential breaches and incidents. Call center personnel follow defined protocols for recording, resolving, and escalating received requests.
  - Vulnerability monitoring scans are performed on a periodic basis. Management takes appropriate action based on the results of the scans.
  - Data loss prevention and detection tools are deployed at system boundaries to identify transmission of personal information.
  - Data center operations personnel implement documented countermeasure strategies when vulnerabilities are detected.

  Illustrative risk: Security or other system configuration information is corrupted or otherwise destroyed, preventing the system from functioning as designed.
  Illustrative types of controls:
  - Weekly full-system and daily incremental backups are performed using an automated system.
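
The SIEM control under CC5.6 (firewall logs parsed against business rules and known threat signatures, with alerts to the security and network operations teams so that firewall rules can be updated) and the monitoring control under CC6.1 (unusual activity automatically opens a priority incident ticket and a change management record), as one added example that is not part of the AICPA document. The log format, the thresholds, the known-bad source list standing in for a threat-signature feed, and the ticket identifiers are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Rule-based review of firewall logs with automatic incident records.

Added example; not from the AICPA document. Models two illustrative controls:
under CC5.6, SIEM software collects firewall logs, applies business rules
and known-threat signatures and alerts the security and network operations
teams; under CC6.1, monitoring software that detects unusual activity
automatically opens a priority incident ticket and a change management
record. The log lines, thresholds, blocklist and ticket format are all
constructed (addresses are from the RFC 5737 documentation ranges).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

KNOWN_BAD_SOURCES = {"203.0.113.9"}  # stands in for a threat-signature feed (assumed)
SCAN_PORT_THRESHOLD = 5              # distinct denied ports from one source -> scan
DENY_BURST_THRESHOLD = 3             # denies from one source against one rule -> burst

# Constructed log format: time action src dst port proto rule
FIREWALL_LOG = """\
2016-03-01T02:00:01 DENY 203.0.113.9 10.0.0.5 22 tcp rule-inbound-default
2016-03-01T02:00:02 DENY 198.51.100.7 10.0.0.5 21 tcp rule-inbound-default
2016-03-01T02:00:02 DENY 198.51.100.7 10.0.0.5 22 tcp rule-inbound-default
2016-03-01T02:00:03 DENY 198.51.100.7 10.0.0.5 23 tcp rule-inbound-default
2016-03-01T02:00:03 DENY 198.51.100.7 10.0.0.5 25 tcp rule-inbound-default
2016-03-01T02:00:04 DENY 198.51.100.7 10.0.0.5 80 tcp rule-inbound-default
2016-03-01T02:00:04 DENY 198.51.100.7 10.0.0.5 443 tcp rule-inbound-default
2016-03-01T02:01:10 ALLOW 192.0.2.44 10.0.0.8 443 tcp rule-web
2016-03-01T02:02:00 DENY 192.0.2.44 10.0.0.8 3389 tcp rule-no-rdp
2016-03-01T02:02:01 DENY 192.0.2.44 10.0.0.8 3389 tcp rule-no-rdp
2016-03-01T02:02:02 DENY 192.0.2.44 10.0.0.8 3389 tcp rule-no-rdp
this line is garbage and must not crash the parser
"""
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+) (\w+) (\S+)$")
Alert = Tuple[str, str, str]  # (severity, source, description)


def parse(text: str) -> Tuple[List[Dict], int]:
    """Parse well-formed lines; malformed input is counted, never silently dropped."""
    entries: List[Dict] = []
    rejected = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rejected += 1
            continue
        ts, action, src, dst, port, proto, rule = m.groups()
        entries.append({"ts": ts, "action": action, "src": src, "dst": dst,
                        "port": int(port), "proto": proto, "rule": rule})
    return entries, rejected


def evaluate(entries: List[Dict]) -> List[Alert]:
    """Apply signature and business rules; return alerts for the security and network teams."""
    alerts: List[Alert] = []
    denied_ports: Dict[str, set] = defaultdict(set)  # src -> distinct ports denied
    denies: Counter = Counter()                       # (src, rule) -> number of denies
    for e in entries:
        if e["src"] in KNOWN_BAD_SOURCES:
            alerts.append(("high", e["src"],
                           f"known-bad source matched signature list ({e['action']} to {e['dst']}:{e['port']})"))
        if e["action"] == "DENY":
            denied_ports[e["src"]].add(e["port"])
            denies[(e["src"], e["rule"])] += 1
    for src, ports in denied_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("medium", src, f"possible port scan: {len(ports)} distinct ports denied"))
    for (src, rule), n in denies.items():
        if n >= DENY_BURST_THRESHOLD:
            alerts.append(("medium", src, f"{n} denied attempts against {rule}"))
    return alerts


def open_tickets(alerts: List[Alert]) -> List[Dict]:
    """One incident record per (source, severity); high severity becomes P1, the rest P2.
    Each ticket carries a companion change record so the firewall rule update is tracked."""
    tickets: Dict[Tuple[str, str], Dict] = {}
    for sev, src, desc in alerts:
        key = (src, sev)
        if key not in tickets:
            n = len(tickets) + 1
            tickets[key] = {"id": f"INC-{n:04d}", "change_record": f"CHG-{n:04d}",
                            "priority": "P1" if sev == "high" else "P2",
                            "source": src, "findings": []}
        tickets[key]["findings"].append(desc)
    return list(tickets.values())


if __name__ == "__main__":
    entries, rejected = parse(FIREWALL_LOG)
    for t in open_tickets(evaluate(entries)):
        print(t["id"], t["priority"], t["source"], "; ".join(t["findings"]))
    print(f"{rejected} malformed line(s) skipped")
```

Grouping alerts by source before opening tickets matters in practice: the scanning host above triggers two rules, and one P2 ticket with two findings is what an analyst wants to see, not two tickets for the same event.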

CC6.2 [Insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] incidents, including logical and physical security breaches, failures, and identified vulnerabilities, are identified and reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity's commitments and system requirements.

  Illustrative risk: Breaches and incidents are not identified, prioritized, or evaluated for effects.
  Illustrative types of controls:
  - Operations personnel follow defined protocols for evaluating reported system events that may indicate a breach or other related incident. Security related events are assigned to the security group for evaluation. Privacy incidents are assigned to appropriate privacy personnel for evaluation.

  Illustrative risk: Corrective measures to address breaches and incidents are not implemented in a timely manner.
  Illustrative types of controls:
  - Operations and security personnel follow defined protocols for resolving and escalating reported events. This includes root cause analysis that is escalated to management as required.
  - Resolution of security events (incidents or problems) is reviewed at the daily and weekly operations and security group meetings.
  - Internal and external users are informed of incidents in a timely manner and advised of corrective measures to be taken on their part.

  Illustrative risk: Corrective measures are not effective or sufficient.
  Illustrative types of controls:
  - Resolution of events is reviewed at the weekly operations and security group meetings.
  - Change management requests are opened for events that require permanent fixes.

  Illustrative risk: Lack of compliance with policies and procedures is not addressed through sanctions or remedial actions, resulting in increased noncompliance in the future.
  Illustrative types of controls:
  - The resolution of events is reviewed at the weekly operations and security group meetings. Relevant events with effects on internal and external users or customers are referred to user and customer care management to be addressed.
  - Entity policies include probation, suspension, and termination as potential sanctions for workforce member misconduct.

  Illustrative risk: Breaches and incidents recur because preventive measures are not implemented after a previous event.
  Illustrative types of controls:
  - Change management requests are opened for events that require permanent fixes.

TSP 100.18 2016, AICPA


Security, Availability, Processing Integrity, Confidentiality, and Privacy 69
Criteria / Illustrative Risks / Illustrative Types of Controls

CC7.0 Common Criteria Related to Change Management

CC7.1 The entity's commitments and system requirements, as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof], are addressed during the system development lifecycle, including the authorization, design, acquisition, implementation, configuration, testing, modification, approval, and maintenance of system components.

Illustrative risk: Commitments and system requirements are not addressed at one or more points during the system development lifecycle, resulting in a system that does not meet commitments and system requirements.

Illustrative types of controls:
- System change requests are evaluated to determine the potential effect of the change on security, availability, processing integrity, confidentiality commitments, and system requirements throughout the change management process.
- System changes, other than those classified as minor, require the approval of the chief information security officer and operations manager prior to implementation.

CC7.2 Infrastructure, data, software, and policies and procedures are updated as necessary to remain consistent with the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

Illustrative risk: System components are not updated for changes in the requirements, resulting in a system that does not meet commitments and system requirements.

Illustrative types of controls:
- During the ongoing risk assessment process and periodic planning and budgeting processes, infrastructure, data, software, and procedures are evaluated for needed changes. Change requests are created based on the identified needs.

- For high severity incidents, a root cause analysis is prepared and reviewed by operations management. Based on the root cause analysis, change requests are prepared and the entity's risk management process and relevant risk management data is updated to reflect the planned incident and problem resolution.

CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity's commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof].

Illustrative risk: Identified breaches, incidents, and other system impairments are not considered during the change management lifecycle.

Illustrative types of controls:
- For high severity incidents, a root cause analysis is prepared and reviewed by operations management. Based on the root cause analysis, change requests are prepared and the entity's risk management process and relevant risk management data is updated to reflect the planned incident and problem resolution.

- A process exists to manage emergency changes.

CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity's [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] commitments and system requirements.

Illustrative risk: System changes are not authorized by those responsible for the design and operation of the system, resulting in changes to the system that impair its ability to meet commitments and system requirements.

Illustrative types of controls:
- System change requests must be reviewed and approved by the owner of the infrastructure or software and the change advisory board prior to work commencing on the requested change. Separate personnel are responsible to authorize changes and to implement the changes.

Illustrative risk: System changes do not function as intended, resulting in a system that does not meet commitments and system requirements.

Illustrative types of controls:
- Functional and detailed designs are prepared for other than minor changes (more than XX hours). Functional designs are reviewed and approved by the application or infrastructure and software owner, and detailed designs are approved by the director of development for the application and the change advisory board prior to work commencing on the requested change or development project.

- Test plans and test data are created and used in required system and regression testing. Test plans and test data are reviewed and approved by the testing manager prior to and at the completion of testing, and they are reviewed by the change advisory board prior to newly developed or changed software being authorized for migration to production. Security vulnerability testing is included in the types of tests performed on relevant application, database, network, and operating system changes.
- System and regression testing is prepared by the testing department using approved test plans and test data. Deviations from planned results are analyzed and submitted to the developer.
- Security vulnerability scans on developed source and object code libraries using Static Code Analysis tools are performed. Management remediates significant security vulnerabilities and coding defects prior to compiling computer programs and integrating them into the production environment.
- Code review or walkthrough is required for high impact changes that meet established criteria (that mandate code reviews and walkthroughs). These are performed by a peer programmer who does not have responsibility for the change.

- Changes are reviewed and approved by the change advisory board prior to implementation.
- Established entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.
- Changes to hardening standards are reviewed and approved by the director in infrastructure management.

Illustrative risk: Unauthorized changes are made to the system, resulting in a system that does not meet commitments and system requirements.

Illustrative types of controls:
- Separate environments are used for development, testing, and production. Developers do not have the ability to make changes to software in testing or production.
- Logical access controls and change management tools restrict the ability to migrate from development, test, and production to change deployment personnel.
- Changes are reviewed and approved by the change advisory board prior to implementation.

Illustrative risk: Unforeseen system implementation problems impair system operation, resulting in a system that does not function as designed.

Illustrative types of controls:
- A turnover process that includes verification of operation and back out steps is used for every migration.
- Postimplementation procedures that are designed to verify the operation of system changes are performed for a defined period, as determined during project planning, after the implementation for other than minor changes, and results are shared with internal and external users and customers as required to meet commitments and system requirements.

Illustrative risk: Incompatible duties exist within the change management process, particularly between approvers, designers, implementers, testers, and owners, resulting in the implemented system not functioning as intended.

Illustrative types of controls:
- The change management process has defined the following roles and assignments:
  - Authorization of change requests: owner or business unit manager
  - Development: application design and support department
  - Testing: quality assurance department
  - Implementation: software change management group

Additional Criteria for Availability

A1.1 Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity's availability commitments and system requirements.

Illustrative risk: Current processing capacity is not sufficient to meet availability commitments and system requirements in the event of the loss of individual elements within the system components.

Illustrative types of controls:
- Processing capacity is monitored on an ongoing basis in accordance with SLAs, key performance indicators (KPIs), and other performance related parameters.
- Critical infrastructure components have been reviewed for criticality classification and assignment of a minimum level of redundancy.

Illustrative risk: Processing capacity is not monitored, planned, and expanded or modified, as necessary, to provide for the continued availability of the system to meet the entity's commitments and system requirements.

Illustrative types of controls:
- Processing capacity is monitored on a daily basis.
- Future processing demand is forecasted and compared to scheduled capacity on an ongoing basis. Forecasts are reviewed and approved by senior operations management. Change requests are initiated as needed based on approved forecasts.

A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity's availability commitments and system requirements.

Illustrative risk: Environmental vulnerabilities and changing environmental conditions are not identified or addressed through the use of environmental protections, resulting in a loss of system availability.

Illustrative types of controls:
- Environmental protections have been installed including the following:
  - Cooling systems
  - Battery and natural gas generator backup in the event of power failure
  - Redundant communications lines
  - Smoke detectors
  - Dry pipe sprinklers
  - Vermin and pest control

Illustrative risk: Environmental vulnerabilities are not monitored or acted upon, increasing the severity of an environmental event.

Illustrative types of controls:
- Operations personnel monitor the status of environmental protections during each shift. Alert mechanisms have been installed to communicate any discrepancies in environmental thresholds.
- Environmental protections receive maintenance on at least an annual basis.

Illustrative risk: Software or data are lost or not available due to processing error, intentional act, or environmental event.

Illustrative types of controls:
- Weekly full-system and daily incremental backups are performed using an automated system.

- Backups are monitored for failure using an automated system, and the incident management process is automatically invoked.
- Backups are transported and stored offsite by a third-party storage provider in an environmentally controlled setting, transported by authorized courier (if stored offsite), and when encryption is not present, accompanied by chaperon.

Illustrative risk: Availability commitments and system requirements are not met due to a lack of recovery infrastructure.

Illustrative types of controls:
- Business continuity and disaster recovery plans have been developed, updated, and tested annually.
- The entity has contracted with a third-party recovery facility to permit the resumption of IT operations in the event of a disaster at the IT data center.
- The entity uses a multilocation strategy for its facilities to permit the resumption of operations at other entity facilities in the event of loss of a facility.

A1.3 Recovery plan procedures supporting system recovery are tested to help meet the entity's availability commitments and system requirements.

Illustrative risk: Recovery plans are not suitably designed and backups are not sufficient to permit recovery of system operation to meet the entity's commitments and system requirements.

Illustrative types of controls:
- Business continuity and disaster recovery plans, including restoration of backups, and emergency notification systems are tested annually.
- Test results are reviewed and the contingency plan is adjusted.

Additional Criteria for Processing Integrity

PI1.1 Procedures exist to prevent, or detect and correct, processing errors to meet the entity's processing integrity commitments and system requirements.

Illustrative risk: Software or data are lost or not available due to processing error, intentional act, or environmental event.

Illustrative types of controls:
- Weekly full-system and daily incremental backups are performed using an automated system.
- Backups are monitored for failure using an automated system, and the incident management process is automatically invoked.
- Backups are transported and stored offsite by a third-party storage provider.

Illustrative risk: Environmental vulnerabilities are not addressed through the use of environmental protections, resulting in a loss of system availability.

Illustrative types of controls:
- Environmental protections have been installed including the following:
  - Cooling systems
  - Battery and natural gas generator backup in the event of power failure
  - Redundant communications lines
  - Smoke detectors
  - Dry pipe sprinklers

Illustrative risk: Environmental vulnerabilities are not monitored or acted upon, increasing the severity of an environmental event.

Illustrative types of controls:
- Operations personnel monitor the status of environmental protections during each shift.
- Environmental protections receive maintenance on at least an annual basis.

Illustrative risk: Current processing capacity is not sufficient to meet processing requirements, resulting in processing errors.

Illustrative types of controls:
- Processing capacity is monitored on a daily basis.
- Critical infrastructure components have a defined level of redundancy based on risk assessment.

PI1.2 System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements.

Illustrative risk: Inputs are captured incorrectly.

Illustrative types of controls:
- Application edits limit input to acceptable value ranges.
- The data preparation clerk batches documents by date received and enters the date and number of sheets on the batch ticket. Batched forms are scanned by a purchased imaging system. Upon completion of the scanning process, the scanned sheets are compared to the count per the batch ticket by the scanning operator.
- Scanned images are processed through the optical character recognition (OCR) system. Key fields including customer identifier, customer name, and record type are validated by the system against records in the master data file.
- Text from free-form sections from scan sheets is manually entered. This information is input twice by two separate clerks. The input information is compared, and records with differences are sent to a third clerk for resolution.

Illustrative risk: Inputs are not captured or are not captured completely.

Illustrative types of controls:
- System edits require mandatory fields to be complete before record entry is accepted.

- The data preparation clerk batches documents by date received and enters the date and number of sheets on the batch ticket. Batched forms are scanned by a purchased imaging system. Upon completion of the scanning process, the sheets scanned are compared to the count per the batch ticket by the scanning operator.
- Scanned images are processed through the OCR system. Key fields, including customer identifier, customer name, and record type, are validated by the system against records in the master data file.
- Text from free-form sections from scan sheets is manually entered. This information is input twice by two separate clerks. The input information is compared, and records with differences are sent to a third clerk for resolution.
- Electronic files received contain batch control totals. During the load processing, data captured is reconciled to batch totals automatically by the application.

Illustrative risk: Inputs are not captured in a timely manner.

Illustrative types of controls:
- Electronic files are processed when received. The application monitors files that fail to process completely and generates an incident management error record.
- Manual forms for data entry are batched upon receipt. Batches are traced to batches entered for processing daily by the data entry supervisor, and differences are investigated.

Illustrative risk: The final disposition of input cannot be traced to its source to validate that it was processed correctly, and the results of processing cannot be traced to initial input to validate completeness and accuracy.

Illustrative types of controls:
- Inputs are coded with identification numbers, registration numbers, registration information, or time stamps to enable them to be traced from initial input to output and final disposition and from output to source inputs.

PI1.3 Data is processed completely, accurately, and timely as authorized to meet the entity's processing integrity commitments and system requirements.

Illustrative risk: Data is lost during processing.

Illustrative types of controls:
- Input record counts are traced from entry to final processing. Any differences are investigated.

Illustrative risk: Data is inaccurately modified during processing.

Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.

- Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
- Daily, weekly, and monthly trend reports are reviewed by the operations manager for unusual trends.

Illustrative risk: Newly created data is inaccurate.

Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.
- The system compares generated data to allowable values. Values outside the allowable values are written to the value exception report. Items on the value exception report are reviewed by the output clerk on a daily basis.

Illustrative risk: Processing is not completed within required timeframes.

Illustrative types of controls:
- Scheduling software is used to control the submission and monitoring of job execution. An incident management record is generated automatically in the service management system when processing errors are identified.
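As an added example that is not part of the AICPA text, the following Python sketches the automated edits the PI1.2 and PI1.3 control types above describe: reconciliation of an electronic file to its batch control totals, mandatory-field, master-data and value-range edits on each record, and comparison of output values against prior cycle values with an X percent variance threshold. The file layout, master data, value range, threshold and sample records are constructed assumptions.

```python
"""Added example, not from the AICPA text: automated input and processing edits of
the kind the PI1.2 and PI1.3 control types above describe, run over a constructed
batch file. File layout, master data, value range and threshold are assumptions."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional

# Constructed sample: header, detail records, and a trailer carrying the sender's
# batch control totals (record count and amount total).
SAMPLE_BATCH = """\
H|BATCH-0042|2016-02-25
D|C1001|ACME Corp|INV|125.50
D|C1002|Beta LLC|INV|80.00
D|C1003||INV|60.00
D|C1004|Delta Inc|CRD|-40.25
D|C1005|Echo GmbH|INV|9999.99
D|C9999|Ghost Co|INV|10.00
T|6|10235.24
"""
MASTER_CUSTOMERS = {"C1001", "C1002", "C1003", "C1004", "C1005"}  # constructed master data
RECORD_TYPES = {"INV", "CRD"}
AMOUNT_RANGE = (Decimal("-5000.00"), Decimal("5000.00"))  # acceptable value range

@dataclass
class Incident:                 # incident-management record written when a control fires
    control: str                # "batch-total", "input-edit" or "variance"
    detail: str

@dataclass
class LoadResult:
    batch_id: str = ""
    accepted: List[dict] = field(default_factory=list)
    incidents: List[Incident] = field(default_factory=list)

def _to_decimal(text: str) -> Optional[Decimal]:
    try:
        return Decimal(text)
    except InvalidOperation:
        return None

def _edit_detail(fields: List[str], line_no: int) -> dict:
    """Application edits for one detail record; ValueError names the failed edit."""
    if len(fields) != 5:
        raise ValueError(f"line {line_no}: expected 5 fields, got {len(fields)}")
    _, cust_id, cust_name, rec_type, amount_text = fields
    # Mandatory fields must be complete before the record is accepted.
    if not cust_id.strip() or not cust_name.strip():
        raise ValueError(f"line {line_no}: mandatory field is empty")
    # Key fields are validated against the master data file.
    if cust_id not in MASTER_CUSTOMERS:
        raise ValueError(f"line {line_no}: customer {cust_id} not in master data")
    if rec_type not in RECORD_TYPES:
        raise ValueError(f"line {line_no}: unknown record type {rec_type}")
    amount = _to_decimal(amount_text)
    if amount is None:
        raise ValueError(f"line {line_no}: amount {amount_text!r} is not numeric")
    # Application edits limit input to acceptable value ranges.
    if not AMOUNT_RANGE[0] <= amount <= AMOUNT_RANGE[1]:
        raise ValueError(f"line {line_no}: amount {amount} outside allowed range")
    return {"line": line_no, "customer": cust_id, "type": rec_type, "amount": amount}

def load_batch(text: str) -> LoadResult:
    """Reconcile the file to its batch control totals, then edit each record."""
    result, details, trailer = LoadResult(), [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("|")
        if fields[0] == "H":
            result.batch_id = fields[1]
        elif fields[0] == "D":
            details.append((line_no, fields))
        elif fields[0] == "T":
            trailer = (int(fields[1]), Decimal(fields[2]))
    # Control totals count every detail record as received, before any edit rejects
    # it: they prove the file arrived complete, not that each record is valid.
    count = len(details)
    total = sum((_to_decimal(f[4]) or Decimal(0) for _, f in details if len(f) > 4), Decimal(0))
    if trailer is None or (count, total) != trailer:
        result.incidents.append(Incident("batch-total",
            f"file has {count} records totalling {total}, trailer says {trailer}"))
        return result  # the file failed to process completely; nothing is loaded
    for line_no, fields in details:
        try:
            result.accepted.append(_edit_detail(fields, line_no))
        except ValueError as err:
            result.incidents.append(Incident("input-edit", str(err)))
    return result

def totals_by_type(records: List[dict]) -> Dict[str, Decimal]:
    out: Dict[str, Decimal] = {}
    for rec in records:
        out[rec["type"]] = out.get(rec["type"], Decimal(0)) + rec["amount"]
    return out

def variance_check(current: dict, prior: dict, threshold_pct) -> List[Incident]:
    """Flag output values whose change from the prior cycle exceeds X percent."""
    threshold, flagged = Decimal(str(threshold_pct)), []
    for key in sorted(set(current) | set(prior)):
        cur, prev = Decimal(str(current.get(key, 0))), Decimal(str(prior.get(key, 0)))
        if prev == 0:
            pct = None if cur == 0 else Decimal("Infinity")  # no baseline: review it
        else:
            pct = abs((cur - prev) / prev) * 100
        if pct is not None and pct > threshold:
            flagged.append(Incident("variance", f"{key}: prior {prev}, current {cur}"))
    return flagged
```

Running `load_batch(SAMPLE_BATCH)` reconciles the six records to the trailer, then rejects three of them (empty name, amount out of range, customer not in master data) as input-edit incidents; a trailer that does not match rejects the whole file instead.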

PI1.4 Data is stored and maintained completely, accurately, and in a timely manner for its specified life span to meet the entity's processing integrity commitments and system requirements.

Illustrative risk: Data is not available for use as committed or agreed.

Illustrative types of controls:
- A mirror image of application data files is created nightly and stored on a second system for use in recovery and restoration in the event of a system disruption or outage.

Illustrative risk: Stored data is inaccurate.

Illustrative types of controls:
- Logical access to stored data is restricted to the application and database administrators.

Illustrative risk: Stored data is incomplete.

Illustrative types of controls:
- Data is reconciled on a monthly basis by rolling forward prior period balances with monthly activity and comparing results to the stored data balances.

PI1.5 System output is complete, accurate, and distributed to meet the entity's processing integrity commitments and system requirements.

Illustrative risk: System output is not complete.

Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.
- Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.

- On a monthly basis, total records processed are compared with total records received via electronic submission, manual entry, and sheets scanned by the OCR system.

Illustrative risk: System output is not accurate.

Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.
- Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
- Daily, weekly, and monthly trend reports are reviewed by the operations manager for unusual trends.

Illustrative risk: System output is provided to unauthorized recipients.

Illustrative types of controls:
- Application security restricts output to approved user IDs.

Illustrative risk: System output is not available to authorized recipients.

Illustrative types of controls:
- Output is generated by the system based on a master schedule. Changes to the master schedule are managed through the change management process and are approved by the customer service executive. On a daily basis, an automated routine scans output files to validate that all required output has been generated. The routine generates an incident record for any missing output. Incident tickets are managed through the incident management process.

PI1.6 Modification of data, other than routine transaction processing, is authorized and processed to meet the entity's processing integrity commitments and system requirements.

Illustrative risk: Data is modified by an unauthorized process or procedure, resulting in inaccurate or incomplete data.

Illustrative types of controls:
- Application regression testing validates key processing for the application during the change management process.
- Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process.

- Application level security restricts the ability to access, modify, and delete data to authenticated internal and external users who have been granted access through a record in the access control list. Creation and modification of access control records occurs through the access provisioning process.

Illustrative risk: Data is modified without authorization.

Illustrative types of controls:
- Logical access to stored data is restricted to the application and database administrators.

Illustrative risk: Data is lost or destroyed.

Illustrative types of controls:
- Logical access to stored data is restricted to the application and database administrators.
- A mirror image of application data files is created nightly and stored on a second secure system for use in recovery and restoration in the event of a system disruption or outage.

Additional Criteria for Confidentiality

C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity's confidentiality commitments and system requirements.

Illustrative risk: Data used in nonproduction environments is not protected from unauthorized access as committed.

Illustrative types of controls:
- The entity creates test data using data masking software that replaces confidential information with test information prior to the creation of test databases.

- Data owners approve any storage or use of production information in nonproduction environments.
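One way to implement the data masking control described under C1.1, as an added example that is neither the AICPA's text nor any vendor's masking software: a keyed, deterministic pass that replaces name, e-mail and SSN fields with format-compatible test values before a test database is built, tokenizes the customer identifier the same way in every table so the test data keeps its joins, and checks that no production value survives. The key, table layouts, field classification and sample rows are constructed assumptions.

```python
"""Added example, not from the AICPA text: deterministic masking of confidential
fields before production data is copied into a test database (the C1.1 control
above). The key, field lists and sample rows are constructed for this example."""
import hashlib
import hmac
from typing import Dict, Iterable, List, Set

# Constructed production extract. Never copied into a test database as-is.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "balance": "125.50"},
    {"customer_id": "C1002", "name": "Bob Example", "email": "bob@example.org",
     "ssn": "987-65-4321", "balance": "80.00"},
]
ORDERS = [
    {"order_id": "O-1", "customer_id": "C1001", "amount": "60.00"},
    {"order_id": "O-2", "customer_id": "C1001", "amount": "40.25"},
    {"order_id": "O-3", "customer_id": "C1002", "amount": "10.00"},
]
CONFIDENTIAL: Set[str] = {"name", "email", "ssn"}  # replaced with test values
LINKING: Set[str] = {"customer_id"}                # tokenized consistently in every table
# Any other column (balance, amount, order_id) is not confidential and is copied unchanged.

def _token(key: bytes, column: str, value: str) -> int:
    """Keyed, deterministic token. HMAC rather than a bare hash, so the original cannot
    be recovered by hashing guesses without the key; the column name is mixed in so the
    same value in two columns yields two unrelated tokens."""
    mac = hmac.new(key, f"{column}\x00{value}".encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")

def mask_value(key: bytes, column: str, value: str) -> str:
    """Replace one confidential value with a format-compatible test value."""
    tok = _token(key, column, value)
    if column == "email":
        return f"user{tok % 10**8:08d}@test.invalid"  # .invalid is reserved, never routable
    if column == "ssn":
        digits = f"{tok % 10**9:09d}"                  # nine digits derived from the MAC
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    if column in LINKING:
        return f"{value[:1]}{tok % 10**6:06d}"          # keep the prefix, replace the number
    return f"Test {column.title()} {tok % 10**4:04d}"   # names and other free text

def mask_rows(rows: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Mask every row: confidential and linking columns are tokenized, others copied."""
    return [
        {col: mask_value(key, col, val) if col in CONFIDENTIAL | LINKING else val
         for col, val in row.items()}
        for row in rows
    ]

def leaked_values(original: Iterable[Dict[str, str]], masked: Iterable[Dict[str, str]]) -> Set[str]:
    """Check run before the test database is built: every confidential or linking value
    from the production extract must be absent from every masked row."""
    secrets = {row[c] for row in original for c in CONFIDENTIAL | LINKING if c in row}
    present = {v for row in masked for v in row.values()}
    return secrets & present

if __name__ == "__main__":
    key = b"constructed-masking-key-rotate-per-run"  # assumption: held only by the masking job
    test_rows = mask_rows(CUSTOMERS, key) + mask_rows(ORDERS, key)
    for row in test_rows:
        print(row)
    print("leaked:", leaked_values(CUSTOMERS + ORDERS, test_rows))
```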
C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition to meet the entity's confidentiality commitments and system requirements.

Illustrative risk: Unauthorized access to confidential information is obtained during processing.

Illustrative types of controls:
- Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process.
- Logical access other than through authorized application is restricted to administrators through database management system native security. Creation and modification of access control records for the database management systems occurs through the access provisioning process.
- Application level security restricts the ability to access, modify, and delete data to authenticated internal and external users who have been granted access through a record in the access control list. Creation and modification of access control records occurs through the access provisioning process.

Illustrative risk: Unauthorized access to confidential information in output is obtained after processing.

Illustrative types of controls:
- Application security restricts output to approved roles or user IDs.
- Output containing sensitive information is printed at the secure print facility and is marked with the legend "Confidential."
- Paper forms are physically secured after data entry. Physical access is restricted to storage clerks.
- Personal information (both public and sensitive information) involved in business processes, systems, and third-party involvement is clearly identified and classified based on severity and risk within data management policies and procedures. The quantities of personal and sensitive information are identified.
- Awareness training is provided to personnel around the policy and usage of personal information.

C1.3 Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties to meet the entity's confidentiality commitments and system requirements.

Illustrative risk: Confidential information transmitted beyond the boundaries of the system is provided to unauthorized entity personnel.

Illustrative types of controls:
- Application security restricts output to approved user IDs.
- Transmission of digital output beyond the boundary of the system occurs through the use of authorized software supporting the advanced encryption standard (AES).
- Logical access to stored data is restricted to application and database administrators.
- Data is stored in encrypted format using software supporting the AES.
- Use of removable media is prohibited by policy except when authorized by management.

Illustrative risk: Confidential information is transmitted to related parties, vendors, or other approved parties contravening confidentiality commitments.

Illustrative types of controls:
- Application security restricts output to approved user IDs.
- Transmission of digital output beyond the boundary of the system occurs through the use of authorized software supporting the AES.

- Confidential paper records are stored in locked containers in accordance with the retention schedule.
- The entity has the capability to identify, capture, preserve, and transfer client data, in the event of a legal preservation request, without impacting other client data.
- A nondisclosure or confidentiality agreement is signed by all personnel with access to confidential information.

C1.4 The entity obtains confidentiality commitments that are consistent with the entity's confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information.

Illustrative risk: Related party and vendor personnel are unaware of the entity's confidentiality commitments.

Illustrative types of controls:
- Formal information sharing agreements are in place with related parties and vendors. These agreements include confidentiality commitments applicable to that entity. Agreement terms include requirements for marking and identifying data as confidential, handling standards for confidential data in the custody of related parties and vendors, and returning and disposing of confidential information when no longer required.

Illustrative risk: Requirements for handling of confidential information are not communicated to and agreed to by related parties and vendors.

Illustrative types of controls:
- Formal information sharing agreements are in place with related parties and vendors. These agreements include confidentiality commitments applicable to that entity.

C1.5 Compliance with the entity's confidentiality commitments and system requirements by vendors and other third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary.

Illustrative risk: Related party and vendor systems are not suitably designed or operating effectively to comply with confidentiality commitments.

Illustrative types of controls:
- Related party and vendor systems are subject to review as part of the vendor risk management process. Attestation reports (SOC 2 reports) are obtained and evaluated when available. Site visits and other procedures are performed based on the entity's vendor management guidelines.

C1.6 Changes to the entity's confidentiality commitments and system requirements are communicated to internal and external users, vendors, and other third parties whose products and services are part of the system.

Illustrative risk: Confidentiality practices and commitments are changed without the knowledge or consent of internal and external users.

Illustrative types of controls:
- The chief information security officer is responsible for changes to confidentiality practices and commitments. A formal process is used to communicate these changes to internal and external users, related parties, and vendors.

Illustrative risk: Confidentiality practices and commitments are changed without the knowledge of related parties or vendors, resulting in their systems not complying with the required practices and not meeting the commitments.

Illustrative types of controls:
- The chief information security officer is responsible for changes to confidentiality practices and commitments. A formal process is used to communicate these changes to internal and external users, related parties, and vendors.

- Related party and vendor agreements are modified to reflect changes in confidentiality practices and commitments.
- Related party and vendor systems are subject to review as part of the vendor risk management process. Attestation reports (SOC 2 reports) are obtained and evaluated when available. Site visits and other procedures are performed based on the entity's vendor management guidelines.

C1.7 The entity retains confidential information to meet the entity's confidentiality commitments and system requirements.

Illustrative risk: Confidential information is retained in excess of that associated with the stated purpose, longer than necessary to fulfill the stated purpose, or longer than allowed by the entity's confidentiality commitments and system requirements.

Illustrative types of controls:
- The entity establishes written policies related to retention periods for the confidential information it maintains. The entity
  - has automated system processes in place to delete confidential information in accordance with specific retention requirements.
  - deletes backup information in accordance with a defined schedule.
  - requires approval for confidential information to be retained beyond its retention period and specifically marks such information for retention.
  - reviews annually information marked for retention.

C1.8 The entity disposes of confidential information to meet the entity's confidentiality commitments and system requirements.

Illustrative risk: Confidential information is not destroyed in accordance with confidentiality commitments and system requirements.

Illustrative types of controls:
- The entity
  - locates and removes or redacts specified confidential information as required.
  - regularly and systematically destroys, erases, or makes anonymous confidential information that is no longer required for the purposes identified in its confidentiality commitments or system requirements.
  - erases or destroys records in accordance with the retention policies, regardless of the method of storage (for example, electronic, optical media, or paper based).
  - disposes of original, archived, backup, and ad hoc or personal copies of records in accordance with its destruction policies.
  - documents the disposal of confidential information.

Additional Criteria for Privacy

P1.0 Privacy Criteria Related to Notice and Communication of Commitments and System Requirements

P1.1 The entity provides notice to data subjects about its privacy practices to meet the entity's privacy commitments and system requirements. The notice is updated and communicated to data subjects in a timely manner for changes to the entity's privacy practices, including changes in the use of personal information, to meet the entity's privacy commitments and system requirements.

  Illustrative risk: Data subjects are not notified of the purpose for the collection, use, and retention of their personal information, thereby creating the potential for regulatory compliance violation (for example, with respect to Fair Information Practice Principles [FIPPs], the Health Insurance Portability and Accountability Act [HIPAA], or the Federal Trade Commission) or diminishment of the entity's reputation.

  Illustrative types of controls: The entity provides notice of its privacy practices to data subjects of the system (upon data collection, from each mode of collection, and when any changes are made to the entity's privacy practices). The notice is
    - readily accessible and made available when personal information is first collected from the data subject.
    - provided in a timely manner (that is, at or before the time personal information is collected, or as soon as practical thereafter) to enable data subjects to decide whether or not to submit personal information to the entity.
    - clearly dated to allow data subjects to determine whether the notice has changed since the last time they read it or since the last time they submitted personal information to the entity.
  In addition, the entity
    - tracks previous iterations of the entity's privacy notices.
    - informs data subjects of a change to a previously communicated privacy notice (for example, by posting the notification on the entity's website, by sending written notice via postal mail, or by sending an email).
    - documents the changes to privacy practices that were communicated to data subjects.
  On a quarterly basis, the CPO and privacy staff meet to discuss the new types of personal information that are collected and the effect on privacy practices, including detailed use, ability to opt-out, enhancement (enrichment) or inference, sharing, disclosure, access, security, retention, and disposal of personal information items. For any new personal information that is collected, systems and processes are updated to provide notice to the data subjects.

  Illustrative risk: Data subjects are not notified of one or more of the following:
    - The collection of their personal information or the choice and consent mechanisms in place to opt-out of the collection
    - The retention, sharing, disclosure, and disposal of their personal information
    - Processes in place to obtain access to, make changes to, or make contact or inquiries regarding personal information
    - Additional sources of the personal information collected other than provided by the data subject

  Illustrative types of controls: The entity provides notice of its privacy practices to data subjects of the system (upon data collection, from each mode of collection, and when any changes are made to the entity's privacy practices). The CPO reviews the notice and documents his or her approval that the notice includes the following disclosures:
    - Notification of a mechanism to opt-out of the collection and use of their personal information upon collection and upon changes to the purpose and use of personal information
    - Policies regarding retention, sharing, disclosure, and disposal of their personal information
    - The mechanism(s) to access, make changes to, or make inquiries regarding their personal information
    - Additional sources of personal information used to enhance, enrich, or infer (through cross-reference) personal information already provided by the data subject upon collection

P1.2 The entity's privacy commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.

  Illustrative risk: Internal and external users are not notified or aware of personal information collected through both active and passive means.

  Illustrative types of controls: The entity provides notice of its privacy practices to data subjects of the system (upon data collection, from each mode of collection, and when any changes are made to the entity's privacy practices, through email and surface mail).

  Illustrative risk: The privacy commitments and system requirements are not communicated to internal and external users before personal information is collected, or as soon as practical thereafter.

  Illustrative types of controls: Before personal information is collected, the entity communicates to the internal and external users the purpose and use of the collection of personal information, including detailed use, ability to opt-out, enhancement (enrichment) or inference, sharing, disclosure, access, security, retention, and disposal of personal information.

  Illustrative risk: Internal and external users are not notified of changes to the privacy commitments or system requirements for use of information in a timely manner to opt-out of the collection or use of personal information.

  Illustrative types of controls: Before changes are made, the entity communicates to internal and external users changes to the purpose and use of personal information, including changes to the detailed use, ability to opt-out, enhancement (enrichment) or inference, sharing, disclosure, access, security, retention, and disposal of personal information.

  Illustrative risk: Internal and external users are not given sufficient information regarding the nature and extent of the entity's use of personal information.

  Illustrative types of controls: Before personal information is collected, the entity communicates to internal and external users the purpose and use of the collection of personal information, including detailed use, ability to opt-out, enhancement (enrichment) or inference, sharing, disclosure, access, security, retention, and disposal of personal information.
P2.0 Privacy Criteria Related to Choice and Consent

P2.1 The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from the data subject or other authorized person, if required, and such consent is obtained only for the purpose for which the information is intended consistent with the entity's privacy commitments and system requirements. The entity's basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.

  Illustrative risk: Consent policies and procedures do not address the choice and consent options. A data subject does not "signify" their agreement indicating that there is active communication.

  Illustrative types of controls: Policies and procedures containing information about choice and consent options include the following:
    - Consent is obtained before the personal information is processed or handled.
    - To ensure that consent is freely given, requests for consent are designed not to be deceptive or intimidating or to imply that failure to provide consent will result in significant negative consequences.
    - When authorization is required (explicit consent), the authorization is obtained in writing.
    - Implicit consent has clear actions on how a data subject opts out.
    - Action by a data subject to constitute valid consent.
    - Requests for consent are designed to be appropriate to the age and capacity of the data subject and to the particular circumstances.

  Illustrative risk: Processes are not in place to determine whether implicit or explicit consent is appropriate for the collection of personal information.

  Illustrative types of controls: On an annual basis, the privacy staff reviews collection processes to determine whether the consents obtained are appropriate (specifically, whether implicit or explicit consent is appropriately collected depending on the collection process).

  Illustrative risk: Data subjects are not notified of choices available related to collection, use, or disclosure of personal information.

  Illustrative types of controls: Annually, the privacy staff checks that notice is provided to internal and external users; that the notice is clear, comprehensive, and visible to users; and that it includes the purpose and intended use of the collected personal information, encompassing detailed use, consent, ability to opt-out, authorization, sharing, disclosure, access, security, retention, and disposal of personal information.

  Illustrative risk: Lack of understanding of when consent is required due to specific law or regulations.

  Illustrative types of controls: The privacy staff reviews quarterly relevant privacy laws and regulations to determine whether they require the entity to obtain consent and reviews and updates the entity's policies for conformity to the requirements.

  Illustrative risk: Denial or withdrawal of consent is not recognized or administered.

  Illustrative types of controls: On an annual basis, the entity sends written notification informing data subjects of their current choice and offers them the option of either confirming or withdrawing their previously given consents. Denial or withdrawal of consents is tracked by privacy staff for further processing.

  Illustrative risk: Implicit consent is relied upon when explicit or opt-out consent is required.

  Illustrative types of controls: The privacy staff obtains and evaluates requirements to determine whether implicit or explicit consent applies and compares such requirement to consents used.

  Illustrative risk: Opt-out consent is used without communicating the impact of that choice to the user.

  Illustrative types of controls: Explanatory information is provided when data subjects are given the choice to opt out.

  Illustrative risk: Sensitive personal information is collected without legal grounds and without obtaining explicit consent.

  Illustrative types of controls: The privacy staff reviews procedures to assess the nature of the information collected to determine whether personal information received requires an explicit consent. The privacy staff reviews quarterly relevant privacy laws and regulations to determine whether they require the entity to obtain consent, or whether the entity possesses other legal ground to process the data. It also reviews and updates the entity's policies for conformity to the requirement.

  Illustrative risk: There is a lack of clear definition at the entity related to what personal information is considered "sensitive" personal information.

  Illustrative types of controls: On an annual basis, the CPO reviews its policies to ensure the definition of "sensitive" personal information is properly delineated and communicated to personnel. The entity provides updated training and awareness to personnel that includes defining what constitutes personal information and what personal information is considered sensitive.

  Illustrative risk: Consent is not obtained for new purposes or uses when required.

  Illustrative types of controls: The privacy office establishes procedures to assess the need for obtaining and recording consents with respect to new products, software, relationships, and transactions.

P3.0 Privacy Criteria Related to Collection

P3.1 Personal information is collected consistent with the entity's privacy commitments and system requirements.

  Illustrative risk: Personal information is collected in a manner that is inconsistent with privacy commitments and system requirements and thereby
    - causes the entity to be subject to regulatory claims for unfair or deceptive trade practices.
    - subjects the entity to data subject or class action legal proceedings.
    - creates damage to the entity's reputation due to negative publicity.
    - enables competitors to leverage this situation to gain market share.

  Illustrative types of controls: Members of the privacy staff verify that the entity has legal ground to collect data from the data subjects and that such legal grounds are documented prior to collection. Additionally, members of the privacy staff verify, on a test basis, that the entity has requested and received explicit written consent from the data subjects, when such consent is required. Privacy related complaints are investigated monthly to identify whether there were incidents of unfair or unlawful practices.

  Illustrative risk: The entity does not have explicit or implicit consent to collect the information necessary for the provision of services.

  Illustrative types of controls: Members of the privacy staff verify that the entity has legal ground to collect data from the data subjects and that such legal grounds are documented prior to collection. Additionally, members of the privacy staff verify, on a test basis, that the entity has requested and received explicit written consent from the data subjects, when such consent is required. Privacy related complaints are investigated upon receipt to identify whether there were incidents of unfair or unlawful practices.

  Illustrative risk: Personal information is collected in excess of the minimum necessary information needed to provide services in accordance with privacy commitments and system requirements.

  Illustrative types of controls: Members of the privacy staff determine whether personal information is collected only for the purposes identified in the privacy notice and only the minimum necessary personal information is collected to fulfill the business purpose by
    - reviewing and approving system change requests, when changes involve use of personal information or collection of new personal information.
    - reviewing the privacy policies and personal information collection methods of third parties prior to contract execution.
    - reviewing contracts to determine whether they include provisions requiring that personal information be collected fairly, without intimidation or deception, and lawfully, adhering to all relevant laws and regulations.
  Privacy related complaints are investigated on a bi-weekly basis to identify whether there were incidents of unfair or unlawful practices.

  Illustrative risk: System changes result in the collection of personal information in excess of, or inconsistent with, privacy commitments and system requirements.

  Illustrative types of controls: PIAs are conducted so that system changes are assessed for privacy implications. Personnel who are authorized to make system changes are properly trained so that they execute the PIA appropriately. Legal counsel reviews system changes that have privacy implications.

  Illustrative risk: Management is unaware that the entity collects personal information from third parties and is unaware of the types of personal information, as well as the means and methods by which the personal information was collected.

  Illustrative types of controls: For each new third-party contract or agreement, members of the privacy staff determine whether personal information is collected only for the purposes identified in the privacy notice and only the minimum necessary personal information is collected to fulfill the business purpose by
    - reviewing and approving system change requests, when changes involve use of personal information or collection of new personal information.
    - reviewing the privacy policies and personal information collection methods of third parties prior to contract execution.
    - reviewing the contract to determine whether it includes provisions requiring that personal information be collected fairly, without intimidation or deception, and lawfully, adhering to all relevant laws and regulations.

  Illustrative risk: The entity does not inform data subjects that it has acquired or is collecting additional personal information; therefore, data subjects are unaware that the entity has personal information beyond what is stated in the entity's privacy notice.

  Illustrative types of controls: The entity provides notice of its privacy practices to data subjects of the system (upon data collection, from each mode of collection, and when any changes are made to the entity's privacy practices). The notice is
    - readily accessible and made available when personal information is first collected from the data subject.
    - provided in a timely manner (that is, at or before the time personal information is collected, or as soon as practical thereafter) to enable data subjects to decide whether or not to submit personal information to the entity.
    - clearly dated to allow data subjects to determine whether the notice has changed since the last time they read it or since the last time they submitted personal information to the entity.

P3.2 For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information consistent with the entity's privacy commitments and system requirements.

  Illustrative risk: The entity does not obtain explicit consent directly from the data subject when sensitive personal information is collected, used, or disclosed.

  Illustrative types of controls: The entity's change management policies require system processes to obtain explicit consent when required. CPO staff review and approve all system changes for compliance with the policy prior to implementation.

  Illustrative risk: Consent for online data transfers to or from a data subject's computer or other similar electronic device is not obtained.

  Illustrative types of controls: The entity's application(s) provide for user interface (UI) screens that have a click button that captures and records a data subject's consent before the data subject submits the information.
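As an added illustration of the P3.1 and P3.2 control types above (reviewing system change requests that add personal information against the privacy notice, the minimum-necessary principle, and the explicit-consent requirement for sensitive information), here is a pre-collection review check in Python. It is not AICPA material; the notice contents, element names, sensitive-element list and the criterion labels attached to findings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Elements the entity treats as sensitive and therefore subject to explicit
# consent (P3.2). Constructed list for this example.
SENSITIVE_ELEMENTS: Set[str] = {"health_condition", "government_id", "biometric_template"}

@dataclass
class Element:
    """One personal information element a system change proposes to collect."""
    name: str
    purpose: str                    # business purpose the element serves
    consent: Optional[str] = None   # "explicit", "implicit", or None

@dataclass
class Finding:
    element: str
    issue: str
    criterion: str                  # criterion the finding relates to (assumed labels)

def review_collection_change(notice: Dict[str, Set[str]],
                             proposed: List[Element]) -> List[Finding]:
    """Review a proposed collection schema against the privacy notice.

    `notice` maps each purpose disclosed in the notice to the elements the
    notice says are collected for it. An empty result means the change can
    be approved as-is; otherwise the notice, the consent mechanism, or the
    schema must change before collection begins.
    """
    findings: List[Finding] = []
    for el in proposed:
        disclosed = notice.get(el.purpose)
        if disclosed is None:
            findings.append(Finding(
                el.name, f"purpose {el.purpose!r} is not disclosed in the privacy notice", "P3.1"))
        elif el.name not in disclosed:
            findings.append(Finding(
                el.name, f"element is not disclosed for purpose {el.purpose!r}; "
                "exceeds the minimum necessary or the notice needs updating", "P3.1"))
        if el.name in SENSITIVE_ELEMENTS and el.consent != "explicit":
            findings.append(Finding(
                el.name, "sensitive element collected without explicit consent", "P3.2"))
    return findings

# Constructed notice contents and change request.
SAMPLE_NOTICE: Dict[str, Set[str]] = {
    "order_fulfillment": {"name", "shipping_address", "email"},
    "fraud_prevention": {"email", "ip_address"},
}
SAMPLE_PROPOSED = [
    Element("name", "order_fulfillment", "implicit"),
    Element("shipping_address", "order_fulfillment", "implicit"),
    Element("ip_address", "fraud_prevention", "implicit"),
    Element("date_of_birth", "fraud_prevention", "implicit"),       # not in the notice for this purpose
    Element("government_id", "identity_verification", "implicit"),  # purpose not in notice; sensitive
    Element("health_condition", "order_fulfillment", "explicit"),   # sensitive, consent ok, not disclosed
]

if __name__ == "__main__":
    for f in review_collection_change(SAMPLE_NOTICE, SAMPLE_PROPOSED):
        print(f"{f.criterion}: {f.element}: {f.issue}")
```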
P4.0 Privacy Criteria Related to Use, Retention, and Disposal

P4.1 The entity limits the use of personal information to the purposes identified in the entity's privacy commitments and system requirements.

  Illustrative risk: Personal information is used for purposes not identified in privacy commitments and system requirements for which consents have not been obtained and for purposes not permitted or in accordance with applicable laws and regulations.

  Illustrative types of controls: The entity maintains policies and procedures that define allowable use and disclosure scenarios. Management personnel responsible for the entity's operations that involve the potential use and disclosure of personal information formally acknowledge their receipt and understanding of these policies. On an annual basis the entity reviews privacy policies and procedures to ensure that personal information is used in
    - conformity with the purposes identified in the entity's privacy notice.
    - conformity with the consent received from the data subject.
    - compliance with applicable laws and regulations.

P4.2 The entity retains personal information consistent with the entity's privacy commitments and system requirements.

  Illustrative risk: Personal information is retained in excess of that associated with the stated purpose, longer than necessary to fulfill the stated purpose, or longer than allowed by law or regulations, thereby creating potential for compliance violations and increased data breach exposure.

  Illustrative types of controls: The entity establishes written policies related to retention periods for each type of information it maintains. The entity
    - has automated system processes in place to delete information in accordance with specific retention requirements.
    - deletes backup information in accordance with a defined schedule.
    - requires approval by the CPO for information to be retained beyond its retention period and specifically marks such information for retention.
    - reviews annually information marked for retention.

  Illustrative risk: Storage locations of personal information are not identified and tracked, thereby increasing risks of data breaches.

  Illustrative types of controls: An annual review of the organization's data inventory is performed to verify that the documentation is kept current and includes the location of the data, a description of the data, and identified data owners.

  Illustrative risk: Personal information is retained in a manner that violates applicable laws and regulations.

  Illustrative types of controls: The entity has documented its personal information retention policies and procedures, which are reviewed on at least an annual basis by legal counsel for consistency with applicable laws and regulations. Personal information retention laws and regulations are reviewed on at least an annual basis by members of the privacy staff and legal counsel for any new or revised applicable laws or regulations. Entity retention policies and procedures are reviewed for consistency with applicable laws and regulations. Any personal information retention policies and procedures that are not aligned with the current applicable laws and regulations are escalated to management for corrective action (for example, updating of the entity's policies and procedures as necessary).

P4.3 The entity securely disposes of personal information consistent with the entity's privacy commitments and system requirements.

  Illustrative risk: Personal information is not destroyed to meet the entity's privacy commitments and system requirements and applicable laws and regulations, thereby creating the potential for compliance violations and increased data breach exposure.

  Illustrative types of controls: On a weekly basis, data center personnel complete a checklist that documents that the entity
    - erased or destroyed records in accordance with its retention policies, regardless of the method of storage (for example, electronic, optical media, or paper based).
    - disposed of original, archived, backup, and ad hoc or personal copies of records in accordance with its destruction policies.
    - documented the disposal of personal information.
    - located and removed or redacted specified personal information about a data subject as required within the limits of technology (for example, removing credit card numbers after the transaction is complete).
    - destroyed, erased, or made anonymous personal information that is no longer required for the purposes identified in its privacy commitments or as required by law or regulation.
  Data center personnel complete the preceding items in accordance with destruction procedures and attach documentation of the performance of those procedures to the checklist. CPO staff perform a quarterly compliance assessment for a sample of business units to verify compliance with privacy and security policies by reviewing the checklists and associated documentation.
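The automated retention and disposal controls listed for C1.7, C1.8, P4.2 and P4.3 (deletion once the retention period ends, approved and specifically marked holds, annual review of marked items, and a documented disposal record) as an added Python example. This is not AICPA code; the information categories, retention periods, approver role and sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention period per information category. Constructed values; an entity
# would take these from its written retention policy (C1.7 / P4.2).
RETENTION_DAYS: Dict[str, int] = {
    "support_ticket": 365,
    "payment_card": 30,
    "marketing_profile": 730,
}
HOLD_REVIEW_DAYS = 365                 # marked items are reviewed annually
AUTHORIZED_HOLD_APPROVERS = {"CPO"}    # roles that may approve a hold (assumed)

@dataclass
class RetentionHold:
    """Approval to keep a record beyond its retention period; a record is
    specifically marked for retention by carrying this object."""
    approved_by: str       # role of the approver
    approved_on: date
    reason: str

@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    hold: Optional[RetentionHold] = None

@dataclass
class DisposalEntry:
    """One line of the disposal record (C1.8 / P4.3: document the disposal)."""
    record_id: str
    category: str
    disposed_on: date
    method: str
    basis: str

@dataclass
class RetentionResult:
    kept: List[str] = field(default_factory=list)
    disposed: List[DisposalEntry] = field(default_factory=list)
    review: List[str] = field(default_factory=list)   # items needing attention

def retention_deadline(rec: Record) -> date:
    """Last day the record may be held under policy. Every category must have
    a defined period, so an unknown category is an error, not a default."""
    if rec.category not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for {rec.category!r}")
    return rec.collected_on + timedelta(days=RETENTION_DAYS[rec.category])

def enforce_retention(records: List[Record], today: date,
                      method: str = "secure-erase") -> RetentionResult:
    """Apply the retention policy to a batch of records.

    Expired records are disposed of and logged unless a hold approved by an
    authorized role exists. A hold from an unauthorized approver is neither
    honored nor silently overridden: the record is held back and escalated.
    Honored holds older than HOLD_REVIEW_DAYS are flagged for annual review.
    """
    result = RetentionResult()
    for rec in records:
        deadline = retention_deadline(rec)
        if today <= deadline:
            result.kept.append(rec.record_id)
        elif rec.hold is None:
            result.disposed.append(DisposalEntry(
                rec.record_id, rec.category, today, method,
                f"retention period ended {deadline.isoformat()}"))
        elif rec.hold.approved_by not in AUTHORIZED_HOLD_APPROVERS:
            result.review.append(
                f"{rec.record_id}: hold approved by {rec.hold.approved_by!r}, "
                "which is not an authorized approver")
        else:
            result.kept.append(rec.record_id)
            if (today - rec.hold.approved_on).days >= HOLD_REVIEW_DAYS:
                result.review.append(
                    f"{rec.record_id}: hold older than one year; review due")
    return result

# Constructed sample batch and run date.
SAMPLE_TODAY = date(2016, 2, 1)
SAMPLE_RECORDS = [
    Record("t-1", "support_ticket", date(2015, 1, 10)),
    Record("pc-7", "payment_card", date(2016, 1, 5)),
    Record("mp-2", "marketing_profile", date(2013, 6, 1),
           hold=RetentionHold("CPO", date(2015, 9, 1), "litigation hold")),
    Record("mp-3", "marketing_profile", date(2013, 6, 1),
           hold=RetentionHold("sales_manager", date(2016, 1, 1), "customer history")),
    Record("mp-4", "marketing_profile", date(2013, 6, 1),
           hold=RetentionHold("CPO", date(2014, 1, 15), "audit request")),
]
```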
P5.0 Privacy Criteria Related to Access

P5.1 The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to the data subject consistent with the entity's privacy commitments and system requirements. If access is denied, the data subject is informed of the denial and reason for such denial, as required, consistent with the entity's privacy commitments and system requirements.

  Illustrative risk: Data subjects are not aware of the process for requesting access to or a copy of their personal information, creating the potential for compliance violations or data integrity issues.

  Illustrative types of controls: Privacy staff annually review processes that involve direct communication with data subjects, online notices, privacy statements, mailings, and training and awareness programs for staff to determine whether they address the process for providing data subjects with access to their personal information and updating their information. The CPO establishes written procedures to update communications to data subjects when changes occur to access policies, procedures, and practices. The entity's privacy notice is made available to data subjects at the time an agreement for services is entered into as well as on the entity's website, which explains the process for providing data subjects with access to their personal information and updating their information. The CPO establishes written privacy policies and procedures that define how entity personnel are to respond to requests by data subjects to access their information.

  Illustrative risk: Access is provided to unauthorized individuals who are not authenticated prior to providing them with access.

  Illustrative types of controls: The CPO establishes written procedures to track and monitor the authentication of data subjects before they are granted access to personal information.

  Illustrative risk: Information provided to the data subject is incomplete, inaccurate, or not received in a timely manner.

  Illustrative types of controls: Annually, the CPO reviews reports that summarize the response times in providing personal information, the associated costs incurred by the entity, and any charges to the data subjects. Annual assessments of the understandability of the format for information provided to data subjects are conducted by privacy staff.

  Illustrative risk: When data subjects are denied access, the data subjects are not informed of the reason for the denial in accordance with the entity's privacy commitments and system requirements.

  Illustrative types of controls: Annually, the CPO reviews reports that summarize the response time to data subjects whose access request has been denied and reasons for such denials, as well as any communications regarding challenges.
P5.2 The entity corrects, amends, or appends personal information based on information provided by the data subjects and communicates such information to third parties, as committed or required, consistent with the entity's privacy commitments and system requirements. If a request for correction is denied, the data subject is informed of the denial and reason for such denial consistent with the entity's privacy commitments and system requirements.

  Illustrative risk: Requests received for corrections, amendments, or additions are not processed correctly, timely, or by an authorized data subject in accordance with the entity's privacy commitments and system requirements.

  Illustrative types of controls: The CPO establishes written policies and procedures to consistently and uniformly inform data subjects of how to update or correct personal information held by the entity. The CPO establishes written procedures to track data update and correction requests and to validate the accuracy and completeness of such data. Annually, the CPO reviews reports of updates and correction requests and response time to update records. Authorized data subjects are designated with the responsibility of making updates or amendments to personal information when self-service functionality is available to the data subject.

  Illustrative risk: Corrected, amended, or appended personal information is not communicated to vendors or other third parties that previously received that personal information in accordance with the entity's privacy commitments and system requirements.

  Illustrative types of controls: The CPO establishes written procedures to consistently and uniformly provide updated information to vendors or other third parties that previously received the data subject's personal information. Documentation or justification is kept for not providing information updates to relevant vendors and other third parties.

  Illustrative risk: Data subjects are not informed that their request to correct, amend, or add to personal information has been denied or the reason for the denial in accordance with the entity's privacy commitments and system requirements.

  Illustrative types of controls: The CPO establishes written policies and procedures that cover relevant aspects related to informing data subjects in writing about the reason a request for correction of personal information was denied and how they may appeal. The CPO annually reviews denials to verify that the justifications for denying requests for correction of personal information were appropriately documented and supported. The CPO annually reviews cases that involve disagreements over the accuracy and completeness of personal information to validate that the appropriate justifications and supporting documentation are retained.
P6.0 Privacy Criteria Related to Disclosure and Notification

P6.1 The entity discloses personal information to third parties with the explicit consent of the data subject to meet the entity's privacy commitments and system requirements, and such consent is obtained prior to disclosure.

  Illustrative risk: Authorized use and disclosure scenarios are not defined and documented.

  Illustrative types of controls: Business unit leaders identify and document authorized uses and disclosures of personal information relevant to their area. On an annual basis, the uses and disclosures are reviewed and approved by the privacy staff. A PIA is completed for new types of disclosures of personal information and disclosures to new third-party recipients. As part of the assessment, the privacy staff determines whether the disclosure is consistent with notice, consent, and privacy commitments and system requirements. As part of the change management process, the CPO reviews and approves new automated disclosures and transmissions to third parties and changes to existing automated disclosures and transmissions.

  Illustrative risk: Personal information is disclosed to vendors and other third parties without obtaining explicit consent of the data subject and does not meet the entity's privacy commitments and system requirements.

  Illustrative types of controls: When explicit consent is required, business unit personnel implement a process for obtaining explicit consent. Updates to the consent process are reviewed and approved by the CPO. Requests for disclosure are recorded by business unit personnel and compared to preapproved types of disclosures before processing. When required, consent of the data subject is obtained prior to processing. Approved data subject and ad hoc requests requiring explicit consent are rejected if consent is not received. Rejections are recorded in a repository.

TSP 100.18 2016, AICPA


Security, Availability, Processing Integrity, Confidentiality, and Privacy 117

Illustrative Types
Criteria Illustrative Risks of Controls
P6.2 The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information consistent with the entity's privacy commitments and system requirements.

Illustrative risk: Unauthorized disclosures are made, thereby creating the potential for a data breach.
Illustrative controls:
When the disclosure of personal information requires explicit consent, the information to be disclosed through automated processes is compared to the consent records to confirm consent prior to disclosure.

Illustrative risk: The entity does not maintain records of the disclosures made for tracking purposes.
Illustrative controls:
Automated disclosures are recorded in a database of disclosures that is retained in accordance with the entity's privacy commitments and requirements.
Authorized disclosures are recorded and retained in accordance with the entity's privacy commitments and system requirements.
Requests for disclosure are recorded by business unit personnel and compared to preapproved types of disclosures before processing. Requests not in accordance with preapproved disclosure types are evaluated for appropriateness in consultation with the privacy officer. When required, explicit consent of the data subject is obtained prior to processing.

Illustrative risk: Disclosure requests made by data subjects are not recorded.
Illustrative controls:
Requests for disclosure are recorded by business unit personnel, including the date received and specific details regarding the request (for example, information requested, requestor name, or period of time requested). The privacy staff reviews a report of data subject and ad hoc disclosure requests on a weekly basis for unprocessed requests and unusual activity. Unprocessed requests are investigated, and unusual requests are recorded in the incident management system for formal investigation and resolution.
P6.3 The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures of personal information, including breaches, consistent with the entity's privacy commitments and system requirements.

Illustrative risk: Disclosures identified as part of incident management or reported by data subjects and other external parties are not identified as privacy incidents.
Illustrative controls:
An automated message is sent to the privacy office informing them of unauthorized disclosures and potential disclosures detected as part of the incident management process. Resolution of all incidents flagged as privacy issues must be approved by privacy staff before the record is closed.
Incident management procedures include detailed instructions on how to escalate a suspected incident to the Information Security Team and, when necessary, to the Privacy or Legal department. The entity has a standard incident report template that must be completed for each incident. The incident management procedures and templates are communicated to personnel who handle personal information.
P6.4 The entity obtains privacy commitments from vendors and other third parties whose products and services are part of the system and who have access to personal information processed by the system that are consistent with the entity's privacy commitments and system requirements.

Illustrative risk: Contractual agreements are not in place between the entity and vendors or other third parties involved in the processing of personal information.
Illustrative controls:
Contracts with vendors or other third parties are required in order to set up a vendor or other third party in the accounts payable system. On an annual basis, the privacy staff obtains a list of paid vendors or other third parties and identifies those that process personal information. The privacy staff also reviews the contracts with those vendors or other third parties to determine whether the contracts contain privacy and security commitments and system requirements that are consistent with the entity's own commitments for privacy and security.

Illustrative risk: The vendor or other third party does not implement its practices in accordance with the entity's privacy commitments and system requirements.
Illustrative controls:
Vendors or other third parties are required to undergo a privacy and security assessment supplied by the entity before the entity enters into a contract with those parties, and [annually or biannually] thereafter, to confirm that administrative, technical, and physical safeguards are consistent with the entity's commitments and system requirements and are in place. Alternatively, vendors or other third parties can provide a privacy SOC 2 report. If a SOC 2 report is provided, the privacy staff reviews the report to verify that the appropriate regulatory requirements are included and met.
The privacy staff reviews the results of the submitted assessment or SOC 2 report to determine whether there are privacy or security risks that require remediation. The privacy office monitors whether any needed remediation is completed timely.
The entity periodically reviews contracts to confirm ongoing alignment with the entity's revised privacy and security policies and procedures.

Illustrative risk: Contracts between the entity and the vendor or other third party do not provide instructions, requirements, or commitments for handling personal information.
Illustrative controls:
Standard contractual templates are used for contracts involving personal information. The contracts contain instructions for approved handling of personal information. Deviations from standard templates require approval from the CPO. Contract templates are reviewed on a periodic basis to determine whether changes are required as a result of changes to system requirements (for example, regulatory requirements or commitments for handling personal information).
P6.5 Compliance with the entity's privacy commitments and system requirements by vendors and other third parties whose products and services are part of the system and who have access to personal information processed by the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary.

Illustrative risk: The vendor or other third party does not have the appropriate privacy and security capabilities to comply with contractual commitments.
Illustrative controls:
Standard contractual templates are used for contracts involving personal information containing the requirement for an independent third-party assessment or the right to audit the vendor or third party. Deviations from standard templates require approval from the CPO.
Vendors and other third parties are required to undergo a privacy and security assessment prior to entering into a contract with the entity, and annually thereafter, to confirm that administrative, technical, and physical safeguards that are consistent with those of the entity are in place. Alternatively, vendors and other third parties can provide a privacy SOC 2 report. The privacy staff reviews the results of the assessment or SOC 2 report to determine whether there are privacy or security risks that require remediation.

Illustrative risk: Changes in the vendor's or other third party's privacy procedures or controls have a detrimental impact on the processing of personal information by the vendor or other third party.
Illustrative controls:
Standard contractual templates are used for contracts involving personal information that contain the requirement for vendors or other third parties to inform the entity of changes to the vendor's or other third party's privacy procedures or controls that impact the processing of personal information. Deviations from standard templates require approval from the CPO.
The entity meets with the third party on a quarterly basis to discuss any changes in the vendor's or other third party's privacy procedures or controls that impact the processing of personal information.

Illustrative risk: Upon termination of a contract, assurances are not obtained from the vendor or other third party to confirm the return or destruction of personal information.
Illustrative controls:
Standard contractual templates are used for contracts involving personal information that contain requirements for vendors or other third parties to provide documentation that confirms that personal information has been appropriately returned or destroyed in accordance with the contractual requirements. Deviations from standard templates require approval from the CPO.
Vendor or other third party relationship managers are required by policy to obtain such assurances and provide the supporting documentation to the privacy staff. Upon determination that a contract is to be terminated, the entity provides the vendor or third party with a checklist of procedures to be performed regarding the return or destruction of the information and a template for written certification of the completion of procedures.
P6.6 The entity obtains commitments from vendors and other third parties that may have access to personal information processed by the system to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on to meet the entity's established incident response procedures, privacy commitments, and system requirements.

Illustrative risk: Vendors and other third parties are not obligated by commitment or requirement to notify the entity of a breach or unauthorized disclosure of personal information in a timely manner.
Illustrative controls:
Standard contractual templates are used for contracts involving personal information containing requirements to notify the entity of a breach or unauthorized disclosure of personal information. Deviations from standard templates require approval from the CPO.

Illustrative risk: The vendor's or other third party's incident response procedures do not exist.
Illustrative controls:
Prior to contracting with vendors and other third parties, vendors and other third parties are required to provide a copy of their incident response procedures. Vendors and other third parties are provided with specific instructions on who should be contacted in the event of a privacy or security incident as well as the timeframe in which the notification must occur.
P6.7 The entity provides notification of breaches and incidents to affected data subjects, regulators, and others consistent with the entity's privacy commitments and system requirements.

Illustrative risk: Unauthorized uses and disclosures are not assessed to determine whether they constitute breaches.
Illustrative controls:
Privacy-related disclosures and potential disclosures identified during the incident management process are assessed by privacy staff using predetermined assessment guidelines. Assessments are documented in the incident management system.
Unauthorized uses and disclosures that constitute a breach based on the type, sensitivity, value, and amount of personal information that is used or disclosed inappropriately are recorded in a separate repository.

Illustrative risk: Unauthorized uses and disclosures are not properly identified as breaches.
Illustrative controls:
A comprehensive incident identification and breach response procedure is documented that provides examples of unauthorized uses and disclosures, as well as guidelines to determine whether an incident constitutes a breach. The procedure is communicated to personnel who handle personal information.

Illustrative risk: Identified breaches and incidents are not recorded in accordance with the entity's privacy commitments and system requirements.
Illustrative controls:
Unauthorized uses and disclosures that constitute a breach based on the type, sensitivity, value, and amount of personal information that is used or disclosed inappropriately are recorded in a separate repository. Breaches and incidents are reviewed by the CPO.

Illustrative risk: Notification of breaches and incidents is not completed in accordance with commitments and system requirements.
Illustrative controls:
Breach notification procedures are reviewed on a regular basis to determine whether the procedures are aligned with commitments and system requirements.
Breach notification activities are reviewed against breach notification procedures, and notifications are approved by the CPO.
P6.8 The entity provides, to the data subjects, an accounting of the personal information held and disclosure of a data subject's personal information, upon the data subject's request, consistent with the entity's privacy commitments and system requirements.

Illustrative risk: Requests for an accounting of disclosures are not processed.
Illustrative controls:
Requests for an accounting of disclosures are recorded in a repository. The date of completion of the processing of the requests and the person generating the accounting are documented in the repository.

Illustrative risk: The accounting of disclosures is provided to an unauthorized person.
Illustrative controls:
Requestor identification procedures are defined in the procedures for processing requests. The type of identification obtained is documented in the repository.

Illustrative risk: The accounting of disclosures is incomplete or inaccurate.
Illustrative controls:
Predefined queries have been developed for each record of disclosures. The request repository contains a checklist of each system application to be queried. Queries are automatically returned to the processor's workstation in a predefined report format. The processor stores the results of each query to the repository. Upon completion, the processor requests generation of the disclosure report from the repository.

Illustrative risk: The accounting of disclosures contains personal information for other data subjects.
Illustrative controls:
All queries are based on the specific requesting data subject's unique identification number. Only one identification number can be processed at a time.
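The consent check before an automated disclosure (P6.1, P6.2), the retained record of authorized disclosures and of rejected requests (P6.2), and an accounting-of-disclosures query that can only be keyed on a single data subject's identification number (P6.8), as an added Python illustration. This is not AICPA text and not any entity's actual system; the class names, vendor names, subject identifiers, record layout and sample requests are constructed for the example.

```python
"""Consent-gated disclosure with a retained disclosure record and a
single-subject accounting query (illustration added to the TSP text; the
identifiers, vendor names, record layout and sample data are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Consent:
    subject_id: str   # data subject's unique identification number
    recipient: str    # third party the consent covers
    purpose: str      # purpose the consent covers
    withdrawn: bool = False


@dataclass(frozen=True)
class DisclosureRequest:
    subject_id: str
    recipient: str
    purpose: str
    fields: tuple     # personal-information fields to be released


@dataclass
class DisclosureLedger:
    """Retained records: preapproved disclosure types, consents on file,
    authorized disclosures made, and rejected requests."""
    preapproved: set = field(default_factory=set)   # {(recipient, purpose)}
    consents: list = field(default_factory=list)
    disclosures: list = field(default_factory=list)
    rejections: list = field(default_factory=list)

    def has_consent(self, req: DisclosureRequest) -> bool:
        """Explicit, non-withdrawn consent for this subject, recipient and purpose."""
        return any(c.subject_id == req.subject_id and c.recipient == req.recipient
                   and c.purpose == req.purpose and not c.withdrawn
                   for c in self.consents)

    def disclose(self, req: DisclosureRequest, now: datetime = None) -> dict:
        """Compare the request to the preapproved disclosure types and then to
        the consent records before anything is released; record the outcome
        in the disclosure record or the rejection repository either way."""
        now = now or datetime.now(timezone.utc)
        entry = {"ts": now.isoformat(), "subject_id": req.subject_id,
                 "recipient": req.recipient, "purpose": req.purpose,
                 "fields": list(req.fields)}
        if (req.recipient, req.purpose) not in self.preapproved:
            entry["reason"] = "disclosure type not preapproved; refer to privacy officer"
            self.rejections.append(entry)
            return {"released": False, **entry}
        if not self.has_consent(req):
            entry["reason"] = "no explicit consent on record"
            self.rejections.append(entry)
            return {"released": False, **entry}
        self.disclosures.append(entry)
        return {"released": True, **entry}

    def accounting_for(self, subject_id: str) -> list:
        """Accounting of disclosures for exactly one data subject: the query is
        keyed on a single identification number, and the result is re-checked
        so that no other subject's records can leak into the report."""
        if not isinstance(subject_id, str) or not subject_id or "," in subject_id:
            raise ValueError("exactly one data-subject identification number is required")
        rows = [d for d in self.disclosures if d["subject_id"] == subject_id]
        assert all(r["subject_id"] == subject_id for r in rows)
        return rows


def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample data: two preapproved disclosure types, three consents."""
    ledger = DisclosureLedger(preapproved={("payroll-vendor", "payroll"),
                                           ("mail-house", "marketing")})
    ledger.consents += [
        Consent("DS-1001", "payroll-vendor", "payroll"),
        Consent("DS-1002", "payroll-vendor", "payroll"),
        Consent("DS-1002", "mail-house", "marketing", withdrawn=True),
    ]
    return ledger


def run_example() -> dict:
    """Four constructed requests: two authorized, one whose consent was
    withdrawn, one for a disclosure type that was never preapproved."""
    ledger = build_sample_ledger()
    outcomes = [
        ledger.disclose(DisclosureRequest("DS-1001", "payroll-vendor", "payroll", ("name", "bank_account"))),
        ledger.disclose(DisclosureRequest("DS-1002", "payroll-vendor", "payroll", ("name", "bank_account"))),
        ledger.disclose(DisclosureRequest("DS-1002", "mail-house", "marketing", ("name", "postal_address"))),
        ledger.disclose(DisclosureRequest("DS-1001", "analytics-broker", "profiling", ("name", "email"))),
    ]
    return {
        "released": [o["released"] for o in outcomes],
        "accounting_1001": ledger.accounting_for("DS-1001"),
        "accounting_1002": ledger.accounting_for("DS-1002"),
        "rejection_reasons": [r["reason"] for r in ledger.rejections],
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The point to notice when running it is that the request for a disclosure type that was never preapproved and the request whose consent was withdrawn both land in the rejection repository with a recorded reason rather than silently failing, and that the accounting query refuses a comma-joined list of identifiers instead of returning records for more than one data subject.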

P7.0 Privacy Criteria Related to Quality

P7.1 The entity collects and maintains accurate, up-to-date, complete, and relevant personal information consistent with the entity's privacy commitments and system requirements.

Illustrative risk: Personal information that is collected is inaccurate or incomplete.
Illustrative controls:
As personal information is collected, automated edit checks and balances help ensure that data entry fields are completed properly (for example, only 9 digits are allowed when SSNs are entered).
As personal information is collected, users are asked to confirm that their information is correct prior to submitting the information to the entity.

Illustrative risk: The personal information that is collected is modified inaccurately.
Illustrative controls:
Automated controls exist to identify and provide notification within the entity when personal information within the IT systems is altered. Such alterations must be reviewed and approved by operations personnel prior to finalization of the records.
When personal information within the IT systems is altered, notification is sent to the data subject. The entity requests that the data subject communicate any inaccuracies within 30 days.

Illustrative risk: The personal information is altered within the entity, whether intentionally or unintentionally, such that it is no longer accurate and complete.
Illustrative controls:
Automated controls exist to provide notification within the entity when personal information within the IT application systems is altered. Such alterations must be reviewed and approved by operations personnel prior to finalization of the records.

Illustrative risk: Information that is not relevant to the purpose is collected. Information is collected and used for a purpose that is not disclosed to the data subject.
Illustrative controls:
Personal information collected and the intended purpose of collection are compared to the privacy notice for completeness and accuracy.
The entity maintains an up-to-date inventory of data for which business units are required to supply regular updates. The CPO reviews the inventory on a regular basis.
Changes to the way that personal information is collected and the purposes for which the information is used are communicated to the appropriate individuals responsible for governance within the entity. These individuals assess the changes, determine their appropriateness, and alter the privacy notice as needed.

P8.0 Privacy Criteria Related to Monitoring and Enforcement

P8.1 The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance with the entity's privacy commitments and system requirements; corrections and other necessary actions related to identified deficiencies are taken in a timely manner.

Illustrative risk: Data subjects are not informed about how to contact the entity with inquiries, complaints, and disputes.
Illustrative controls:
The entity monitors the status of privacy controls and the entity's adherence to its commitments to customers and data subjects related to the protection of the privacy of customer personal information, and provides customers and data subjects with information on how to contact the entity with inquiries, complaints, and disputes.

Illustrative risk: Complaints cannot be submitted, which makes it necessary for data subjects to report complaints to regulatory agencies.
Illustrative controls:
The entity provides an automated, confidential customer privacy complaint system for capturing and tracking customer privacy concerns and issues.
Customer privacy concerns captured by the complaint tracking system are shared with the entity's board of directors and relevant oversight bodies or regulatory authorities as may be required by law or regulation.

Illustrative risk: Complaints are not assessed to determine whether a breach or inappropriate access requires action, such as formal reporting or a corrective action plan.
Illustrative controls:
The entity implements a Data Privacy Task Force comprising senior service entity team leads who are responsible for monitoring adherence to the entity's privacy policies and procedures. The Data Privacy Task Force is responsible for evaluating customer privacy concerns and complaints, determining whether urgent reporting or remediation actions are required, and directly responding to customers on actions taken to address such concerns and complaints.

Illustrative risk: Corrective action plans are not developed or monitored to ensure that an issue does not recur.
Illustrative controls:
The privacy staff monitors the development and execution of corrective action plans that were developed to address identified or suspected privacy incidents and related data processing issues that could affect privacy controls.

Illustrative risk: Policies and procedures are out of date and do not support current regulations, agreements, or contracts.
Illustrative controls:
The privacy staff monitors the continued relevance and applicability of the entity's policies and procedures related to privacy regulations, agreements, and contracts.

Illustrative risk: A lack of documented monitoring or auditing activity may render the program ineffective.
Illustrative controls:
The CPO establishes written policies and procedures to monitor the entity's privacy controls and compliance with the entity's privacy policies and procedures, laws, regulations, and other requirements. Selection of the controls to be monitored and the frequency with which they are monitored are based on a risk assessment.
Annually, compliance monitoring results and remediation activities are analyzed by the privacy office and provided to management.

Illustrative risk: A lack of written action plans may render the program ineffective.
Illustrative controls:
Written action plans are used by management to help ensure that the entity's privacy program is operating effectively in identifying, monitoring, and addressing privacy-related concerns.

.19
Appendix C: Mapping of the Trust Services Principles and Criteria to Extant Generally Accepted Privacy Principles

Mapping of the Trust Services Principles and Criteria (TSPC) to Extant Generally Accepted Privacy Principles (GAPP)

The mapping table has four columns: TSPC, Ref, Title, and Extant GAPP Criterion. Each entry below gives the extant GAPP reference and title, the TSPC criteria it maps to in parentheses, and the text of the extant GAPP criterion.
GAPP 1, Management Principle and Criteria (maps to CC1.1)
Management Principle: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

GAPP 1.1.0, Privacy Policies (maps to CC1.1)
The entity defines and documents its privacy policies with respect to the following:
a. Notice (See 2.1.0)
b. Choice and consent (See 3.1.0)
c. Collection (See 4.1.0)
d. Use, retention, and disposal (See 5.1.0)
e. Access (See 6.1.0)
f. Disclosure to third parties (See 7.1.0)
g. Security for privacy (See 8.1.0)
h. Quality (See 9.1.0)
i. Monitoring and enforcement (See 10.1.0)

GAPP 1.1.1, Communication to Internal Personnel (maps to CC2.2, CC1.4, CC2.6)
Privacy policies and the consequences of noncompliance with such policies are communicated, at least annually, to the entity's internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved.

GAPP 1.1.2, Responsibility and Accountability for Policies (maps to CC1.1, CC1.2, CC3.2, CC4.1)
Responsibility and accountability are assigned to a person or group for developing, documenting, implementing, enforcing, monitoring, and updating the entity's privacy policies. The names of such person or group and their responsibilities are communicated to internal personnel.

GAPP 1.2.1, Review and Approval (maps to CC1.2)
Privacy policies and procedures, and changes thereto, are reviewed and approved by management.

GAPP 1.2.2, Consistency of Privacy Policies and Procedures With Laws and Regulations (maps to CC1.1, CC1.2)
Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.

GAPP 1.2.3, Personal Information Identification and Classification (maps to CC3.1)
The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Such information is covered by the entity's privacy and related security policies and procedures.

GAPP 1.2.4, Risk Assessment (maps to CC3.1)
A risk assessment process is used to establish a risk baseline and to, at least annually, identify new or changed risks to personal information and to develop and update responses to such risks.

GAPP 1.2.5, Consistency of Commitments With Privacy Policies and Procedures (maps to CC1.1, CC1.2, CC3.1)
Internal personnel or advisers review contracts for consistency with privacy policies and procedures and address any inconsistencies.

GAPP 1.2.6, Infrastructure and Systems Management (maps to CC7.1, CC7.4, C1.1)
The potential privacy impact is assessed when new processes involving personal information are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification, and management of the following:
- Infrastructure
- Systems
- Applications
- Websites
- Procedures
- Products and services
- Databases and information repositories
- Mobile computing and other similar electronic devices

GAPP 1.2.7, Privacy Incident and Breach Management (maps to CC2.5, CC6.2, P6.6)
A documented privacy incident and breach management program has been implemented that includes, but is not limited to, the following:
- Procedures for the identification, management, and resolution of privacy incidents and breaches
- Defined responsibilities
- A process to identify incident severity and determine required actions and escalation procedures
- A process for complying with breach laws and regulations, including stakeholders breach notification, if required
- An accountability process for employees or third parties responsible for incidents or breaches with remediation, penalties, or discipline as appropriate
- A process for periodic review (at least on an annual basis) of actual incidents to identify necessary program updates based on the following:
  - Incident patterns and root cause
  - Changes in the internal control environment or external requirements (regulation or legislation)
- Periodic testing or walkthrough process (at least on an annual basis) and associated program remediation as needed

GAPP 1.2.8, Supporting Resources (maps to CC1.3)
Resources are provided by the entity to implement and support its privacy policies.

GAPP 1.2.9, Qualifications of Internal Personnel (maps to CC1.3, CC1.4)
The entity establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received needed training.

GAPP 1.2.10, Privacy Awareness and Training (maps to CC2.3)
A privacy awareness program about the entity's privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.

GAPP 1.2.11, Changes in Regulatory and Business Requirements (maps to CC1.1, CC1.2, CC3.1)
For each jurisdiction in which the entity operates, the effect on privacy requirements from changes in the following factors is identified and addressed:
- Legal and regulatory
- Contracts, including service-level agreements
- Industry requirements
- Business operations and processes
- People, roles, and responsibilities
- Technology
Privacy policies and procedures are updated to reflect changes in requirements.

GAPP 2, Notice Principle and Criteria (no TSPC reference)
Notice Principle: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

GAPP 2.1.0, Privacy Policies (maps to CC1.1, CC1.2, P1.2)
The entity's privacy policies address providing notice to individuals.

GAPP 2.1.1, Communication to Individuals (maps to P1.1, P1.2)
Notice is provided to individuals regarding the following privacy policies:
a. Purpose for collecting personal information
b. Choice and consent (See 3.1.1)
c. Collection (See 4.1.1)
d. Use, retention, and disposal (See 5.1.1)
e. Access (See 6.1.1)
f. Disclosure to third parties (See 7.1.1)
g. Security for privacy (See 8.1.1)
h. Quality (See 9.1.1)
i. Monitoring and enforcement (See 10.1.1)
If personal information is collected from sources other than the individual, such sources are described in the notice.

GAPP 2.2.1, Provision of Notice (maps to P1.1)
Notice is provided to the individual about the entity's privacy policies and procedures (a) at or before the time personal information is collected, or as soon as practical thereafter, (b) at or before the entity changes its privacy policies and procedures, or as soon as practical thereafter, or (c) before personal information is used for new purposes not previously identified.

GAPP 2.2.2, Entities and Activities Covered (maps to P1.1, P1.2)
An objective description of the entities and activities covered by the privacy policies and procedures is included in the entity's privacy notice.

GAPP 2.2.3, Clear and Conspicuous (maps to P1.1, P1.2, P2.2)
The entity's privacy notice is conspicuous and uses clear language.

GAPP 3, Choice and Consent Principle and Criteria (maps to P2.1)
Choice and Consent Principle: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

GAPP 3.1.0, Privacy Policies (maps to CC1.1, CC1.2, P1.1, P1.2)
The entity's privacy policies address the choices available to individuals and the consent to be obtained.

GAPP 3.1.1, Communication to Individuals (maps to P1.1)
Individuals are informed about (a) the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.

GAPP 3.1.2, Consequences of Denying or Withdrawing Consent (maps to P2.1)
When personal information is collected, individuals are informed of the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information for purposes identified in the notice.

GAPP 3.2.1, Implicit or Explicit Consent (maps to P2.1)
Implicit or explicit consent is obtained from the individual at or before the time personal information is collected or soon thereafter. The individual's preferences expressed in his or her consent are confirmed and implemented.

(continued)

2016, AICPA TSP 100.19


138 Trust Services Principles and Criteria

Mapping of the Trust Services Principles and Criteria (TSPC) to


Extant Generally Accepted Privacy Principles (GAPP)
TSPC Ref Title Extant GAPP Criterion
P2.1 | 3.2.2 | Consent for New Purposes and Uses | If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the individual is notified, and implicit or explicit consent is obtained prior to such new use or purpose.
P2.1 | 3.2.3 | Explicit Consent for Sensitive Information | Explicit consent is obtained directly from the individual when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
P2.1 | 3.2.4 | Consent for Online Data Transfers To or From an Individual's Computer or Other Similar Electronic Devices | Consent is obtained before personal information is transferred to or from an individual's computer or other similar device.
(none) | 4 | Collection Principle and Criteria | Collection Principle: The entity collects personal information only for the purposes identified in the notice.
CC1.1, CC1.2, P1.2 | 4.1.0 | Privacy Policies | The entity's privacy policies address the collection of personal information.
P1.1, P2.1 | 4.1.1 | Communication to Individuals | Individuals are informed that personal information is collected only for the purposes identified in the notice.
P1.1, P1.2, P2.1 | 4.1.2 | Types of Personal Information Collected and Methods of Collection | The types of personal information collected and the methods of collection, including the use of cookies or other tracking techniques, are documented and described in the privacy notice.
P3.1 | 4.2.1 | Collection Limited to Identified Purpose | The collection of personal information is limited to that necessary for the purposes identified in the notice.
CC3.1, CC3.2, CC4.1, P8.1, P3.1 | 4.2.2 | Collection by Fair and Lawful Means | Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.
CC1.0, P1.1, P3.1 | 4.2.3 | Collection From Third Parties | Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.
P1.1, P2.1 | 4.2.4 | Information Developed About Individuals | Individuals are informed if the entity develops or acquires additional information about them for its use.
(none) | 5 | Use, Retention, and Disposal Principle and Criteria | Use, Retention, and Disposal Principle: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
CC1.1, CC1.2, CC2.1, CC2.2, CC2.4, P1.2 | 5.1.0 | Privacy Policies | The entity's privacy policies address the use, retention, and disposal of personal information.
P1.1 | 5.1.1 | Communication to Individuals | Individuals are informed that personal information is (a) used only for the purposes identified in the notice and only if the individual has provided implicit or explicit consent, unless a law or regulation specifically requires otherwise, (b) retained for no longer than necessary to fulfill the stated purposes, or for a period specifically required by law or regulation, and (c) disposed of in a manner that prevents loss, theft, misuse, or unauthorized access.
P4.1 | 5.2.1 | Use of Personal Information | Personal information is used only for the purposes identified in the notice and only if the individual has provided implicit or explicit consent, unless a law or regulation specifically requires otherwise.
P4.2 | 5.2.2 | Retention of Personal Information | Personal information is retained for no longer than necessary to fulfill the stated purposes unless a law or regulation specifically requires otherwise.
P4.2, P4.3 | 5.2.3 | Disposal, Destruction, and Redaction of Personal Information | Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.
(none) | 6 | Access Principle and Criteria | Access Principle: The entity provides individuals with access to their personal information for review and update.
(none) | 6.1.0 | Privacy Policies | The entity's privacy policies address providing individuals with access to their personal information.
CC1.1, CC1.2, P1.2, P5.1 | 6.1.1 | Communication to Individuals | Individuals are informed about how they may obtain access to their personal information to review, update, and correct that information.
P2.1, P5.1 | 6.2.1 | Access by Individuals to Their Personal Information | Individuals are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information.
P5.1, P6.2 | 6.2.2 | Confirmation of an Individual's Identity | The identity of individuals who request access to their personal information is authenticated before they are given access to that information.
P5.1 | 6.2.3 | Understandable Personal Information, Time Frame, and Cost | Personal information is provided to the individual in an understandable form, in a reasonable timeframe, and at a reasonable cost, if any.
P5.1, P5.2 | 6.2.4 | Denial of Access | Individuals are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity's legal right to deny such access, if applicable, and the individual's right, if any, to challenge such denial, as specifically permitted or required by law or regulation.
P5.2 | 6.2.5 | Updating or Correcting Personal Information | Individuals are able to update or correct personal information held by the entity. If practical and economically feasible to do so, the entity provides such updated or corrected information to third parties that previously were provided with the individual's personal information.
P5.2 | 6.2.6 | Statement of Disagreement | Individuals are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal.
(none) | 7 | Disclosure to Third Parties Principle and Criteria | Disclosure to Third Parties Principle: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
CC1.1, CC1.2, P1.2 | 7.1.0 | Privacy Policies | The entity's privacy policies address the disclosure of personal information to third parties.
P1.1, P6.1, P6.2 | 7.1.1 | Communication to Individuals | Individuals are informed that personal information is disclosed to third parties only for the purposes identified in the notice and for which the individual has provided implicit or explicit consent unless a law or regulation specifically allows or requires otherwise.
P1.2 | 7.1.2 | Communication to Third Parties | Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.
P1.1, P6.1 | 7.2.1 | Disclosure of Personal Information | Personal information is disclosed to third parties only for the purposes described in the notice, and for which the individual has provided implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise.
P6.4, P6.5 | 7.2.2 | Protection of Personal Information | Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity's privacy policies or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.
P3.1, P6.1, P6.4 | 7.2.3 | New Purposes and Uses | Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of the individual.
P6.7, P6.8 | 7.2.4 | Misuse of Personal Information by a Third Party | The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
(none) | 8 | Security for Privacy Principle and Criteria | Security for Privacy Principle: The entity protects personal information against unauthorized access (both physical and logical).
CC1.1, CC1.2, P1.2, CC5.1, CC5.8 | 8.1.0 | Privacy Policies | The entity's privacy policies (including any relevant security policies) address the security of personal information.
P1.1 | 8.1.1 | Communication to Individuals | Individuals are informed that precautions are taken to protect personal information.
CC3.1, CC3.2, CC5.1, CC5.8, P6.5, P8.1 | 8.2.1 | Information Security Program | A security program has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas, insofar as they relate to the security of personal information:
    a. Risk assessment and treatment (See 1.2.4)
    b. Security policy (See 8.1.0)
    c. Organization of information security (See 1, 7, and 10)
    d. Asset management (See 1)
    e. Human resources security (See 1)
    f. Physical and environmental security (See 8.2.3 and 8.2.4)
    g. Communications and operations management (See 1, 7, and 10)
    h. Access control (See 1, 8.2, and 10)
    i. Information systems acquisition, development, and maintenance (See 1.2.6)
    j. Information security incident management (See 1.2.7)
    k. Business continuity management (See 8.2)
    l. Compliance (See 1 and 10)
CC5.0, CC5.2, CC5.4, CC5.6, CC5.8 | 8.2.2 | Logical Access Controls | Logical access to personal information is restricted by procedures that address the following matters:
    a. Authorizing and registering internal personnel and individuals
    b. Identifying and authenticating internal personnel and individuals
    c. Making changes and updating access profiles
    d. Granting privileges and permissions for access to IT infrastructure components and personal information
    e. Preventing individuals from accessing anything other than their own personal or sensitive information
    f. Limiting access to personal information to only authorized internal personnel based upon their assigned roles and responsibilities
    g. Distributing output only to authorized internal personnel
    h. Restricting logical access to offline storage, backup data, systems, and media
    i. Restricting access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls)
    j. Preventing the introduction of viruses, malicious code, and unauthorized software
CC5.5 | 8.2.3 | Physical Access Controls | Physical access is restricted to personal information in any form (including the components of the entity's system(s) that contain or protect personal information).
CC6.1 | 8.2.4 | Environmental Safeguards | Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards.
CC5.7 | 8.2.5 | Transmitted Personal Information | Personal information is protected when transmitted by mail or other physical means. Personal information collected and transmitted over the Internet, over public and other nonsecure networks, and wireless networks is protected by deploying industry standard encryption technology for transferring and receiving personal information.
CC5.1, CC5.4 | 8.2.6 | Personal Information on Portable Media | Personal information stored on portable media or devices is protected from unauthorized access.
CC4.1, P8.1 | 8.2.7 | Testing Security Safeguards | Tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information are conducted at least annually.
(none) | 9 | Quality Principle and Criteria | Quality Principle: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
CC1.1, CC1.2, P1.2 | 9.1.0 | Privacy Policies | The entity's privacy policies address the quality of personal information.
P1.1 | 9.1.1 | Communication to Individuals | Individuals are informed that they are responsible for providing the entity with accurate and complete personal information and for contacting the entity if correction of such information is required.
P5.2, P7.1, P8.1 | 9.2.1 | Accuracy and Completeness of Personal Information | Personal information is accurate and complete for the purposes for which it is to be used.
P4.1 | 9.2.2 | Relevance of Personal Information | Personal information is relevant to the purposes for which it is to be used.
(none) | 10 | Monitoring and Enforcement Principle and Criteria | Monitoring and Enforcement Principle: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related inquiries, complaints, and disputes.
CC1.1, CC1.2, P1.2 | 10.1.0 | Privacy Policies | The entity's privacy policies address the monitoring and enforcement of privacy policies and procedures.
P1.1, P5.1, P5.2 | 10.1.1 | Communication to Individuals | Individuals are informed about how to contact the entity with inquiries, complaints, and disputes.
CC6.1, CC6.2, CC5.1, CC5.2, P8.1 | 10.2.1 | Inquiry, Complaint, and Dispute Process | A process is in place to address inquiries, complaints, and disputes.
CC6.1, CC6.2, CC5.1, CC5.2, P8.1 | 10.2.2 | Dispute Resolution and Recourse | Each complaint is addressed, and the resolution is documented and communicated to the individual.
C3.2, CC4.1, P8.1 | 10.2.3 | Compliance Review | Compliance with privacy policies and procedures, commitments and applicable laws, regulations, service-level agreements, and other contracts is reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented.
CC6.2, P8.1 | 10.2.4 | Instances of Noncompliance | Instances of noncompliance with privacy policies and procedures are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis.
CC4.1, P8.1 | 10.2.5 | Ongoing Monitoring | Ongoing procedures are performed for monitoring the effectiveness of controls over personal information, based on a risk assessment [1.2.4], and for taking timely corrective actions where necessary.


TSP Section 100A
Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
(To supersede the 2009 version of Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The privacy criteria are presented in appendix C.)

Introduction

.01 The AICPA Assurance Services Executive Committee (ASEC) has developed a set of principles and criteria (trust services principles and criteria) to be used in evaluating controls relevant to the security, availability, and processing integrity of a system, and the confidentiality and privacy of the information processed by the system. In this document, a system is designed, implemented, and operated to achieve specific business objectives (for example, delivery of services, production of goods) in accordance with management-specified requirements. System components can be classified into the following five categories:
• Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
• Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities).
• People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
• Processes. The automated and manual procedures.
• Data. Transaction streams, files, databases, tables, and output used or processed by a system.

.02 This document presents the trust services principles and criteria for assessing the effectiveness of an entity's controls over a system relevant to the security, availability, or processing integrity of the system, or the confidentiality or privacy of the information processed by the system. Management of an entity may use the principles and criteria to evaluate its controls over a system or may engage a CPA to report on or provide consulting services related to those controls.
.03 Attestation services, performed under the AICPA's Statements on Standards for Attestation Engagements (commonly known as the attestation standards), include examination, review,¹ and agreed-upon procedures engagements. In the attestation standards, the CPA performing an attest engagement is known as a practitioner. In an examination engagement, the practitioner provides a report that expresses an opinion about subject matter or an assertion about subject matter in relation to an identified set of criteria. For example, a practitioner may report on whether controls over a system were operating effectively to meet the trust services criteria for processing integrity and confidentiality. In an agreed-upon procedures engagement, the practitioner does not express an opinion but rather performs procedures agreed upon by specified parties and reports the results of those procedures. Examination engagements are performed in accordance with AT section 101, Attest Engagements, of the attestation standards and agreed-upon procedures engagements are performed in accordance with AT section 201, Agreed-Upon Procedures Engagements (AICPA, Professional Standards).

¹ Review engagements generally consist of the performance of inquiries and analytical procedures designed to provide a moderate level of assurance (that is, negative assurance). However, the Assurance Services Executive Committee believes that a practitioner ordinarily could not perform meaningful analytical procedures on an entity's controls or compliance with requirements of specified laws, regulations, rules, contracts, or grants to achieve this level of assurance, and it is uncertain what other procedures could be identified that, when combined with inquiry procedures, could form the basis for a review engagement. Also due to this uncertainty, users of a review report are at greater risk of misunderstanding the nature and extent of the practitioner's procedures. Accordingly, the feasibility of a review engagement related to trust services is uncertain.

.04 The following are the types of subject matter a practitioner may examine and report on using the trust services principles and criteria:
• The design and operating effectiveness of a service organization's controls over a system relevant to one or more of the trust services principles of security, availability, processing integrity, confidentiality, and privacy (SOC 3℠ engagement).
• The fairness of the presentation of a description of a service organization's system relevant to one or more of the trust services principles of security, availability, processing integrity, confidentiality, and privacy using the description criteria in paragraph 1.34 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2℠), and additionally in paragraph 1.35 for the privacy principle; for a type 1 report, the suitability of the design of controls to meet the related trust services criteria; and, for a type 2 report, the operating effectiveness of those controls throughout a specified period to meet those trust services criteria (SOC 2 engagement).
• The suitability of the design of an entity's controls over a system relevant to one or more of the trust services principles of security, availability, processing integrity, confidentiality, and privacy to meet the related trust services criteria. (This engagement would typically be performed prior to the system's implementation.)

.05 The nature and extent of the services that an organization provides to each user entity may vary significantly depending on the user entity's needs. For example, a social organization that uses a website for a monthly newsletter would have a much more limited need for data center hosting service availability than would a securities trading firm. The social organization is likely to be only slightly inconvenienced if its newsletter is unavailable for one day, whereas the securities trading firm could experience a significant financial loss if the system is unavailable for 15 minutes. Such user needs generally are addressed by management declarations in written contracts, service level agreements, or public statements (for example, a privacy notice). These management declarations are referred to in the trust services principles and criteria as commitments. Specifications regarding how the system should function to enable management to meet its business objectives, commitments, and obligations (for example, legal and regulatory) are referred to as requirements in the trust services principles and criteria. For example, security requirements may result from management's commitments relating to security, availability, processing integrity, confidentiality, or privacy.

Commitments and requirements are the objectives for which the entity implements controls, and, consequently, the objectives of the trust services criteria. Accordingly, many of the trust services criteria refer to commitments and requirements. For example, "The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on; for example, security, availability, processing integrity, and confidentiality]." In an engagement in which the practitioner expresses an opinion on compliance with or achievement of the commitments and requirements, they serve as the engagement criteria.
.06 Management is responsible for maintaining a record of and complying with its commitments and requirements. In identifying its commitments and requirements, management should specify in its assertion what its commitments and requirements consist of for the particular engagement, for example:
• Obligations included in written customer contracts
• Baseline obligations that are applicable to all customers but which exclude special commitments made to particular customers when those commitments result in the implementation of additional processes or controls outside the services provided to a broad range of users
In addition, trust services engagements do not require the practitioner to report on the entity's compliance, or internal control over compliance, with laws, regulations, rules, contracts, or grant agreements, related to the principles being reported upon. If the practitioner is engaged to report on compliance with laws, regulations, rules, contracts, or grant agreements in conjunction with an engagement to report on the operating effectiveness of an entity's controls (for example, a SOC 3 privacy engagement), such an engagement would be performed in accordance with AT section 601, Compliance Attestation (AICPA, Professional Standards).

.07 Consulting services include developing findings and recommendations for the consideration and use of management of an entity when making decisions. The practitioner does not express an opinion or form a conclusion about the subject matter in these engagements. Generally, the work is performed only for the use and benefit of the client. Practitioners providing such services follow CS section 100, Consulting Services: Definitions and Standards (AICPA, Professional Standards).

Principles, Criteria, Controls, and Risks

.08 Trust services principles represent attributes of a system that support the achievement of management's objectives.


.09 For each of the principles there are detailed criteria that serve as benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter. The attributes of suitable criteria are as follows:
• Objectivity. Criteria should be free from bias.
• Measurability. Criteria should permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
• Completeness. Criteria should be sufficiently complete so that those relevant factors that would alter a conclusion about subject matter are not omitted.
• Relevance. Criteria should be relevant to the subject matter.

.10 ASEC has concluded that the trust services criteria for each individual principle that include the common criteria have all of the attributes of suitable criteria. In addition to being suitable, AT section 101 indicates that the criteria must be available to users of the practitioner's report. The publication of the principles and criteria makes the criteria available to users.

.11 The trust services principles and criteria are designed to be flexible and enable the achievement of the objectives of users and management. Accordingly, a practitioner may be engaged to perform an engagement related to a single principle, multiple principles, or all of the principles.

.12 The environment in which the system operates; the commitments, agreements, and responsibilities of the entity operating the system; as well as the nature of the components of the system result in risks that the criteria will not be met. These risks are addressed through the implementation of suitably designed controls that, if operating effectively, provide reasonable assurance that the criteria are met. Because each system and the environment in which it operates are unique, the combination of risks to meeting the criteria and the controls necessary to address the risks will be unique. As part of the design and operation of the system, management of an entity needs to identify the specific risks that the criteria will not be met and the controls necessary to address those risks. Appendix B provides examples of risks that may prevent the criteria from being met as well as examples of controls that would address those risks. These illustrations are not intended to be applicable to any particular entity or all-inclusive of the risks to meeting the criteria or the controls necessary to address those risks.

Trust Services Principles


.13 The following are the trust services principles:2
a. Security. The system is protected against unauthorized access, use,
or modification.
The security principle refers to the protection of the system re-
sources through logical and physical access control measures in
order to support the achievement of management's commitments

2
SysTrustSM , SysTrust for Service OrganizationsSM , and WebTrustSM are specific branded as-
surance services offerings developed by the AICPA and Canadian Institute of Chartered Accountants
(CICA) that are based on the trust services principles and criteria. Practitioners must be licensed by
CICA to use these registered service marks. Service marks can only be issued for engagements that re-
sult in an unqualified examination opinion. For more information on licensure, see www.webtrust.org.

TSP 100A.09 2016, AICPA


Security, Availability, Processing Integrity, Confidentiality, and Privacy 151
and requirements related to security, availability, processing in-
tegrity, and confidentiality. Controls over the security of a system
prevent or detect the breakdown and circumvention of segregation
of duties, system failure, incorrect processing, theft or other unau-
thorized removal of data or system resources, misuse of software,
and improper access to, or use of, alteration, destruction, or disclo-
sure of information.
b. Availability. The system is available for operation and use as com-
mitted or agreed.
The availability principle refers to the accessibility of the system,
products, or services as committed by contract, service-level agree-
ment, or other agreements. This principle does not, in itself, set
a minimum acceptable performance level for system availability.
The availability principle does not address system functionality
(the specific functions a system performs) and system usability
(the ability of users to apply system functions to the performance
of specific tasks or problems), but does address whether the sys-
tem includes controls to support system accessibility for operation,
monitoring, and maintenance.
c. Processing integrity. System processing is complete, valid, accurate,
timely, and authorized.
The processing integrity principle refers to the completeness, valid-
ity, accuracy, timeliness, and authorization of system processing.
Processing integrity addresses whether the system achieves its aim
or the purpose for which it exists, and whether it performs its in-
tended function in an unimpaired manner, free from unauthorized
or inadvertent manipulation. Processing integrity does not auto-
matically imply that the information received and stored by the
system is complete, valid, accurate, current, and authorized. The
risk that data contains errors introduced prior to its input in the
system often cannot be addressed by system controls and detecting
such errors is not usually the responsibility of the entity. Simi-
larly, users outside the boundary of the system may be responsible
for initiating processing. In these instances, the data may become
invalid, inaccurate, or otherwise inappropriate even though the
system is processing with integrity.
d. Confidentiality. Information designated as confidential is protected
as committed or agreed.
The confidentiality principle addresses the system's ability to pro-
tect information designated as confidential in accordance with the
organization's commitments and requirements through its final
disposition and removal from the system. Information is confiden-
tial if the custodian of the information, either by law or regulation,
the custodian's own assertion, commitment, or other agreement,
is obligated to limit its access, use, and retention, and restrict its
disclosure to a specified set of persons or organizations (includ-
ing those that may otherwise have authorized access within the
boundaries of the system). The need for information to be confidential
may arise for many different reasons. For example, the information may
be proprietary information, information intended only for company
personnel, personal information, or merely embarrassing information.
Confidentiality is distinguished from privacy in that (i) privacy deals
with personal information whereas confidentiality refers to a broader
range of information that is not restricted to personal information;
and (ii) privacy addresses requirements for the treatment, processing,
and handling of personal information.
e. Privacy.
The privacy principle addresses the system's collection, use, retention,
disclosure, and disposal of personal information[3] in conformity with
the commitments in the entity's privacy notice and with criteria set
forth in generally accepted privacy principles (GAPP) issued by the
AICPA and Canadian Institute of Chartered Accountants (see appendix C,
"Generally Accepted Privacy Principles"). GAPP is a management
framework that includes the measurement criteria for the trust services
privacy principle. GAPP consists of 10 sub-principles:
i. Management. The entity defines, documents, communicates, and
assigns accountability for its privacy policies and procedures.
ii. Notice. The entity provides notice about its privacy poli-
cies and procedures and identifies the purposes for which
personal information is collected, used, retained, and dis-
closed.
iii. Choice and consent. The entity describes the choices avail-
able to the individual and obtains implicit or explicit con-
sent with respect to the collection, use, and disclosure of
personal information.
iv. Collection. The entity collects personal information only
for the purposes identified in the notice.
v. Use and retention. The entity limits the use of personal
information to the purposes identified in the notice and
for which the individual has provided implicit or explicit
consent. The entity retains personal information for only
as long as necessary to fulfill the stated purposes or as re-
quired by law or regulations and thereafter appropriately
disposes of such information.
vi. Access. The entity provides individuals with access to their
personal information for review and update.
vii. Disclosure to third parties. The entity discloses personal
information to third parties only for the purposes identi-
fied in the notice and with the implicit or explicit consent
of the individual.
viii. Security for privacy. The entity protects personal infor-
mation against unauthorized access (both physical and
logical).
ix. Quality. The entity maintains accurate, complete, and rel-
evant personal information for the purposes identified in
the notice.

x. Monitoring and enforcement. The entity monitors compliance with
its privacy policies and procedures and has procedures to address
privacy-related complaints and disputes.

[3] Personal information is information that is about or can be related
to an identifiable individual. It may include information about
customers, employees, and other individuals.

Trust Services Criteria


.14 Many of the criteria used to evaluate a system are shared amongst all
of the principles; for example, the criteria related to risk management apply to
the security, availability, processing integrity, and confidentiality principles.
As a result, the criteria for the security, availability, processing integrity, and
confidentiality principles are organized into (a) the criteria that are applicable
to all four principles (common criteria) and (b) criteria applicable only to a
single principle. The common criteria constitute the complete set of criteria for
the security principle. For the principles of availability, processing integrity,
and confidentiality, a complete set of criteria is comprised of all of the common
criteria and all of the criteria applicable to the principle(s) being reported on.
The common criteria are organized into seven categories:
a. Organization and management. The criteria relevant to how the
organization is structured and the processes the organization has
implemented to manage and support people within its operating
units. This includes criteria addressing accountability, integrity,
ethical values and qualifications of personnel, and the environment
in which they function.
b. Communications. The criteria relevant to how the organization
communicates its policies, processes, procedures, commitments,
and requirements to authorized users and other parties of the sys-
tem and the obligations of those parties and users to the effective
operation of the system.
c. Risk management and design and implementation of controls. The
criteria relevant to how the entity (i) identifies potential risks that
would affect the entity's ability to achieve its objectives, (ii) ana-
lyzes those risks, (iii) develops responses to those risks including
the design and implementation of controls and other risk mitigat-
ing actions, and (iv) conducts ongoing monitoring of risks and the
risk management process.
d. Monitoring of controls. The criteria relevant to how the entity
monitors the system, including the suitability of the design and the
operating effectiveness of the controls, and takes action to address
deficiencies identified.
e. Logical and physical access controls. The criteria relevant to how
the organization restricts logical and physical access to the sys-
tem, provides and removes that access, and prevents unauthorized
access to meet the criteria for the principle(s) addressed in the
engagement.
f. System operations. The criteria relevant to how the organization
manages the execution of system procedures and detects and miti-
gates processing deviations, including logical and physical security
deviations, to meet the objective(s) of the principle(s) addressed in
the engagement.

g. Change management. The criteria relevant to how the organization
identifies the need for changes to the system, makes the changes
following a controlled change management process, and prevents
unauthorized changes from being made to meet the criteria for the
principle(s) addressed in the engagement.
The GAPP management framework does not use the common criteria structure
for organizing the criteria. See appendix C for GAPP criteria.

Trust Services Principles and Criteria

.15
Criteria Common to All [Security, Availability, Processing Integrity,
and Confidentiality] Principles
CC1.0 Common Criteria Related to Organization and Management
CC1.1 The entity has defined organizational structures, reporting lines,
authorities, and responsibilities for the design, development,
implementation, operation, maintenance and monitoring of the
system enabling it to meet its commitments and requirements as
they relate to [insert the principle(s) being reported on: security,
availability, processing integrity, or confidentiality or any
combination thereof ].
CC1.2 Responsibility and accountability for designing, developing,
implementing, operating, maintaining, monitoring, and approving
the entity's system controls are assigned to individuals within the
entity with authority to ensure policies and other system
requirements are effectively promulgated and placed in operation.
CC1.3 Personnel responsible for designing, developing, implementing,
operating, maintaining and monitoring the system affecting [insert
the principle(s) being reported on: security, availability, processing
integrity, or confidentiality or any combination thereof ] have the
qualifications and resources to fulfill their responsibilities.
CC1.4 The entity has established workforce conduct standards,
implemented workforce candidate background screening
procedures, and conducts enforcement procedures to enable it to
meet its commitments and requirements as they relate to [insert
the principle(s) being reported on: security, availability, processing
integrity, or confidentiality or any combination thereof ].
CC2.0 Common Criteria Related to Communications
CC2.1 Information regarding the design and operation of the system and
its boundaries has been prepared and communicated to authorized
internal and external system users to permit users to understand
their role in the system and the results of system operation.

CC2.2 The entity's [insert the principle(s) being reported on: security,
availability, processing integrity, or confidentiality or any
combination thereof ] commitments are communicated to external
users, as appropriate, and those commitments and the associated
system requirements are communicated to internal system users to
enable them to carry out their responsibilities.
CC2.3 The entity communicates the responsibilities of internal and
external users and others whose roles affect system operation.
CC2.4 Internal and external personnel with responsibility for designing,
developing, implementing, operating, maintaining, and monitoring
controls, relevant to the [insert the principle(s) being reported on:
security, availability, processing integrity, or confidentiality or any
combination thereof ] of the system, have the information necessary
to carry out those responsibilities.
CC2.5 Internal and external system users have been provided with
information on how to report [insert the principle(s) being reported
on: security, availability, processing integrity, or confidentiality or
any combination thereof ] failures, incidents, concerns, and other
complaints to appropriate personnel.
CC2.6 System changes that affect internal and external system user
responsibilities or the entity's commitments and requirements
relevant to [insert the principle(s) being reported on: security,
availability, processing integrity, or confidentiality or any
combination thereof ] are communicated to those users in a timely
manner.
CC3.0 Common Criteria Related to Risk Management and Design
and Implementation of Controls
CC3.1 The entity (1) identifies potential threats that would impair system
[insert the principle(s) being reported on: security, availability,
processing integrity, or confidentiality or any combination thereof ]
commitments and requirements, (2) analyzes the significance of
risks associated with the identified threats, and (3) determines
mitigation strategies for those risks (including controls and other
mitigation strategies).
CC3.2 The entity designs, develops, and implements controls, including
policies and procedures, to implement its risk mitigation strategy.
CC3.3 The entity (1) identifies and assesses changes (for example,
environmental, regulatory, and technological changes) that could
significantly affect the system of internal control for [insert the
principle(s) being reported on: security, availability, processing
integrity, or confidentiality or any combination thereof ] and
reassesses risks and mitigation strategies based on the changes
and (2) reassesses the suitability of the design and deployment of
control activities based on the operation and monitoring of those
activities, and updates them as necessary.
CC4.0 Common Criteria Related to Monitoring of Controls
CC4.1 The design and operating effectiveness of controls are periodically
evaluated against [insert the principle(s) being reported on:
security, availability, processing integrity, or confidentiality or any
combination thereof ] commitments and requirements, corrections
and other necessary actions relating to identified deficiencies are
taken in a timely manner.
CC5.0 Common Criteria Related to Logical and Physical Access
Controls
CC5.1 Logical access security software, infrastructure, and architectures
have been implemented to support (1) identification and
authentication of authorized users; (2) restriction of authorized
user access to system components, or portions thereof, authorized
by management, including hardware, data, software, mobile
devices, output, and offline elements; and (3) prevention and
detection of unauthorized access.
CC5.2 New internal and external system users are registered and
authorized prior to being issued system credentials, and granted
the ability to access the system. User system credentials are
removed when user access is no longer authorized.
CC5.3 Internal and external system users are identified and
authenticated when accessing the system components (for example,
infrastructure, software, and data).
CC5.4 Access to data, software, functions, and other IT resources is
authorized and is modified or removed based on roles,
responsibilities, or the system design and changes to them.
CC5.5 Physical access to facilities housing the system (for example, data
centers, backup media storage, and other sensitive locations as well
as sensitive system components within those locations) is restricted
to authorized personnel.
CC5.6 Logical access security measures have been implemented to protect
against [insert the principle(s) being reported on: security,
availability, processing integrity, or confidentiality or any
combination thereof ] threats from sources outside the boundaries
of the system.
CC5.7 The transmission, movement, and removal of information is
restricted to authorized users and processes, and is protected
during transmission, movement, or removal enabling the entity to
meet its commitments and requirements as they relate to [insert
the principle(s) being reported on: security, availability, processing
integrity, or confidentiality or any combination thereof ].
CC5.8 Controls have been implemented to prevent or detect and act upon
the introduction of unauthorized or malicious software.

CC6.0 Common Criteria Related to System Operations
CC6.1 Vulnerabilities of system components to [insert the principle(s)
being reported on: security, availability, processing integrity, or
confidentiality or any combination thereof ] breaches and incidents
due to malicious acts, natural disasters, or errors are monitored
and evaluated and countermeasures are implemented to
compensate for known and new vulnerabilities.
CC6.2 [Insert the principle(s) being reported on: security, availability,
processing integrity, or confidentiality or any combination thereof ]
incidents, including logical and physical security breaches, failures,
concerns, and other complaints, are identified, reported to
appropriate personnel, and acted on in accordance with established
incident response procedures.
CC7.0 Common Criteria Related to Change Management
CC7.1 [Insert the principle(s) being reported on: security, availability,
processing integrity, or confidentiality or any combination thereof ]
commitments and requirements, are addressed, during the system
development lifecycle including design, acquisition,
implementation, configuration, testing, modification, and
maintenance of system components.
CC7.2 Infrastructure, data, software, and procedures are updated as
necessary to remain consistent with the system commitments and
requirements as they relate to [insert the principle(s) being reported
on: security, availability, processing integrity, or confidentiality or
any combination thereof ].
CC7.3 Change management processes are initiated when deficiencies in
the design or operating effectiveness of controls are identified
during system operation and monitoring.
CC7.4 Changes to system components are authorized, designed,
developed, configured, documented, tested, approved, and
implemented in accordance with [insert the principle(s) being
reported on: security, availability, processing integrity, or
confidentiality or any combination thereof ] commitments and
requirements.
Additional Criteria for Availability
A1.1 Current processing capacity and usage are maintained, monitored,
and evaluated to manage capacity demand and to enable the
implementation of additional capacity to help meet availability
commitments and requirements.
A1.2 Environmental protections, software, data backup processes, and
recovery infrastructure are designed, developed, implemented,
operated, maintained, and monitored to meet availability
commitments and requirements.
A1.3 Procedures supporting system recovery in accordance with
recovery plans are periodically tested to help meet availability
commitments and requirements.
Additional Criteria for Processing Integrity
PI1.1 Procedures exist to prevent, detect, and correct processing errors to
meet processing integrity commitments and requirements.
PI1.2 System inputs are measured and recorded completely, accurately,
and timely in accordance with processing integrity commitments
and requirements.
PI1.3 Data is processed completely, accurately, and timely as authorized
in accordance with processing integrity commitments and
requirements.
PI1.4 Data is stored and maintained completely and accurately for its
specified life span in accordance with processing integrity
commitments and requirements.
PI1.5 System output is complete, accurate, distributed, and retained in
accordance with processing integrity commitments and
requirements.
PI1.6 Modification of data is authorized, using authorized procedures in
accordance with processing integrity commitments and
requirements.
Additional Criteria for Confidentiality
C1.1 Confidential information is protected during the system design,
development, testing, implementation, and change processes in
accordance with confidentiality commitments and requirements.
C1.2 Confidential information within the boundaries of the system is
protected against unauthorized access, use, and disclosure during
input, processing, retention, output, and disposition in accordance
with confidentiality commitments and requirements.
C1.3 Access to confidential information from outside the boundaries of
the system and disclosure of confidential information is restricted
to authorized parties in accordance with confidentiality
commitments and requirements.
C1.4 The entity obtains confidentiality commitments that are consistent
with the entity's confidentiality requirements from vendors and
other third parties whose products and services comprise part of
the system and have access to confidential information.
C1.5 Compliance with confidentiality commitments and requirements by
vendors and other third parties whose products and services
comprise part of the system is assessed on a periodic and as-needed
basis and corrective action is taken, if necessary.

C1.6 Changes to confidentiality commitments and requirements are
communicated to internal and external users, vendors, and other
third parties whose products and services are included in the
system.

Privacy Principles and Criteria


.16 These criteria are set forth in appendix C.

Effective Date
.17 The trust services principles and criteria are effective for periods
ending on or after December 15, 2014. Early implementation is permitted.


.18
Appendix A: Definitions
accuracy. The key information associated with the submitted trans-
action remains accurate throughout the processing of the transac-
tion and that the transaction or service is processed or performed
as intended.
authorization. The processing is performed in accordance with and
subject to the required approvals and privileges defined by policies
governing system processing.
authorized access. Access is authorized only if (a) the access has
been approved by a person designated to do so by management,
and (b) the access does not compromise segregation of duties, con-
fidentiality commitments, or otherwise increase risk to the system
beyond the levels approved by management (that is, access is ap-
propriate).
boundary of the system. The physical and logical perimeter of
that portion of an entity's operations that is used to achieve man-
agement's specific business objectives of a system. The boundary
includes all components of the system for which the entity is respon-
sible, including those provided by vendors and other third parties.
For a privacy or confidentiality engagement, the boundary of the
system includes the components starting with the capture of the
information through its disclosure and final disposition (often re-
ferred to as the information life cycle). The boundary of the system
includes (a) the collection, use, retention, disclosure and de-
identification, or anonymization of the information until its de-
struction and (b) all business segments and locations for the entire
entity or only certain identified segments of the business (for ex-
ample, retail operations but not manufacturing operations or only
operations originating on the entity's website or specified Web do-
mains) or geographic locations (for example, only Canadian opera-
tions).
commitments. Declarations made by management to customers re-
garding the performance of a system. Commitments can be com-
municated through individual agreements, standardized contracts,
service level agreements, or published statements (for example,
security practices statement). An individual commitment may re-
late to one or more principles. The practitioner need only consider
commitments related to the principles on which he or she is en-
gaged to report. Commitments may take many forms including the
following:
• Specification of the algorithm used in a calculation
• Contractual agreement that states the hours a system will be
available
• Published password standards
• Encryption standards used to encrypt stored customer data
completeness. Transactions are processed or all services are per-
formed without omission.

environmental protections. Measures implemented by the entity
to detect, prevent, and manage the risk of casualty damage to the
physical parts of the system (for example, protections from fire,
flood, wind, earthquake, power surge, or power outage).
external users. Individuals outside the boundary of the system who
are authorized by customers, entity management, or other autho-
rized persons to interact with the system.
internal users. Entity and entity vendor personnel whose job func-
tion causes them to be members of the people component of the
system.
report users. Intended users of the practitioner's report in accor-
dance with AT section 101, Attest Engagements (AICPA, Profes-
sional Standards). Report users may be the general public or may
be restricted to specified parties in accordance with AT section 101
paragraph .78.
requirements. Specifications regarding how the system should func-
tion to meet management's business objectives, commitments to
customers, and obligations (for example, legal and regulatory). Re-
quirements are often specified in the system policies, system design
documentation, contracts with customers, and government regula-
tions. Examples of requirements are
• employee fingerprinting and background checks established in
government banking regulations.
• input edits defined in application design documents.
• maximum acceptable intervals between periodic review of employee
logical access as documented in the security policy manual.
• data definition and tagging standards, including any associated
metadata requirements, established by industry groups or other
bodies, such as the Simple Object Access Protocol.
• business processing rules and standards established by regulators;
for example, security requirements under the Health Insurance
Portability and Accountability Act (HIPAA).

Security requirements may result from management commitments
relating to security, availability, processing integrity, or confiden-
tiality. For example, a commitment to programmatically enforce
segregation of duties between data entry and data approval cre-
ates system requirements regarding user access administration.
SOC 2 engagement. An examination engagement to report on the
suitability of design (type 1) or suitability of design and operating
effectiveness (type 2) of controls at a service organization using the
Guide Reporting on Controls at a Service Organization Relevant
to Security, Availability, Processing Integrity, Confidentiality, or
Privacy (SOC 2).
SOC 3 engagement. An examination engagement to report on the
suitability of design and the operating effectiveness of an entity's
controls over a system relevant to one or more trust services
principles.
timeliness. The provision of services or the delivery of goods ad-
dressed in the context of commitments made for such delivery.
trust services. A set of professional attestation and advisory ser-
vices based on a core set of principles and criteria that address the
operation and protection of a system and related data.
workforce. Employees, contractors, and others engaged by the company
to perform activities as part of the system.

.19
Appendix B: Illustrative Risks and Controls
The illustrative risks and controls presented in this appendix are for illustra-
tive purposes only. They are based on a hypothetical entity in a hypothetical
industry. They are not intended to be a comprehensive set of risks and controls
or applicable to any particular entity. Accordingly, they should not be used as
a checklist of risks and controls for the criteria. Practitioners should
consider using other frameworks, such as NIST 800-53 or the Cloud
Controls Matrix (CCM), for such guidance.

Illustrative
Criteria Risks Controls
Criteria Common to All [Security, Availability, Processing Integrity, and
Confidentiality] Principles
CC1.0 Common Criteria Related to Organization and Management
CC1.1 The entity has The entity's The entity evaluates
defined organizational its organizational
organizational structure does not structure, reporting
structures, reporting provide the necessary lines, authorities, and
lines, authorities, and information flow to responsibilities as part
responsibilities for manage [security, of its business
the design, availability, planning process and
development, processing integrity, as part of its ongoing
implementation, or confidentiality] risk assessment and
operation, activities. management process
maintenance, and and revises these
monitoring of the when necessary to
system enabling it to help meet changing
meet its commitments commitments and
and requirements as requirements.
they relate to [insert
the principle(s) being
reported on: security,
availability,
processing integrity,
or confidentiality or
any combination
thereof ].
The roles and Roles and
responsibilities of key responsibilities are
managers are not defined in written job
sufficiently defined to descriptions and
permit proper communicated to
oversight, managers and their
management, and supervisors.
monitoring of
[security, availability,
processing integrity,
or confidentiality]
activities.

(continued)

2016, AICPA TSP 100A.19


164 Trust Services Principles and Criteria

Illustrative
Criteria Risks Controls
Job descriptions are
reviewed by entity
management on an
annual basis for
needed changes and
where job duty
changes are required
necessary changes to
these job descriptions
are also made.
Reporting Reporting
relationships and relationships and
organizational organizational
structure do not structures are
permit effective reviewed periodically
senior management by senior management
oversight of as part of
[security, organizational
availability, planning and adjusted
processing integrity, as needed based on
or confidentiality] changing entity
activities. commitments and
requirements.
Personnel have not Roles and
been assigned responsibilities are
responsibility or defined in written job
delegated descriptions.
insufficient
authority to meet
[security,
availability,
processing integrity,
or confidentiality]
commitments and
requirements.
CC1.2 Responsibility and Personnel have not Roles and
accountability for been assigned responsibilities are
designing, responsibility or defined in written job
developing, delegated descriptions.
implementing, insufficient
operating, authority to meet
maintaining, [security,
monitoring, and availability,
approving the processing integrity,
entity's system or confidentiality]
controls are commitments and
assigned to requirements.
individuals within

TSP 100A.19 2016, AICPA


Security, Availability, Processing Integrity, Confidentiality, and Privacy 165

Illustrative
Criteria Risks Controls
the entity with
authority to
ensure policies,
and other system
requirements are
effectively
promulgated and
placed in
operation.
Job descriptions are
reviewed on a periodic
basis for needed
changes and updated if
such changes are
identified.
CC1.3  Personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring of the system affecting [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] have the qualifications and resources to fulfill their responsibilities.
    Risk: Newly hired or transferred personnel do not have sufficient knowledge and experience to perform their responsibilities.
    Illustrative controls:
      - Job requirements are documented in the job descriptions, and candidates' abilities to meet these requirements are evaluated as part of the hiring or transfer evaluation process.
      - The experience and training of candidates for employment or transfer are evaluated before they assume the responsibilities of their position.
    Risk: Personnel do not have sufficient continuing training to perform their responsibilities.
    Illustrative controls:
      - Management establishes skill and continuing-training requirements for employees that are consistent with its commitments and requirements.
      - Management monitors compliance with training requirements.
    Risk: Tools and knowledge resources are insufficient to perform assigned tasks.
    Illustrative controls:
      - Management evaluates the need for additional tools and resources in order to achieve business objectives during its ongoing and periodic business planning and budgeting process and as part of its ongoing risk assessment and management process.

CC1.4  The entity has established workplace conduct standards, implemented workplace candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].
    Risk: Personnel do not adhere to the code of conduct.
    Illustrative controls:
      - Management monitors employees' compliance with the code of conduct through monitoring of customer and employee complaints and the use of an anonymous, third-party-administered ethics hotline.
      - Personnel are required to read and accept the code of conduct and the statement of confidentiality and privacy practices upon their hire and to formally re-affirm them annually thereafter.
    Risk: A candidate has a background considered to be unacceptable by management of the entity.
    Illustrative controls:
      - Senior management develops a list of characteristics that would preclude an employee candidate from being hired, based on the sensitivity or skill requirements of the given position.
      - Personnel must pass a criminal and financial trust background check before they may be hired by the entity or by third-party vendors hired by the entity.

CC2.0 Common Criteria Related to Communications

CC2.1  Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external system users to permit users to understand their role in the system and the results of system operation.
    Risk: Users misuse the system due to their failure to understand its scope, purpose, and design.
    Illustrative controls:
      - System descriptions are available to authorized external users that delineate the boundaries of the system and describe relevant system components as well as the purpose and design of the system. Documentation of the system description is available to authorized users via the entity's customer-facing website.
      - A description of the system is posted on the entity's intranet and is available to the entity's internal users. This description delineates the boundaries of the system and key aspects of processing.
    Risk: Users are unaware of key organization and system support functions, processes, and roles and responsibilities.
    Illustrative controls:
      - A description of the entity's organization structure, system support functions, processes, and organizational roles and responsibilities is posted on the entity's intranet and available to entity internal users. The description delineates the parties responsible, accountable, consulted, and informed for changes in the design and operation of key system components.
    Risk: External users fail to address risks for which they are responsible that arise outside the boundaries of the system.
    Illustrative controls:
      - System descriptions are available to authorized external users that delineate the boundaries of the system and describe significant system components as well as the purpose and design of the system. The system description is available to users via ongoing communications with customers or via the customer website.

CC2.2  The entity's [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal system users to enable them to carry out their responsibilities.
    Risk: Users misunderstand the capabilities of the system in providing for [security, availability, processing integrity, or confidentiality] and take actions based on the misunderstanding.
    Illustrative controls:
      - The entity's [security, availability, processing integrity, or confidentiality] commitments regarding the system are included in the master services agreement and customer-specific service level agreements. In addition, a summary of these commitments is available on the entity's customer-facing website.
    Risk: The entity fails to meet its commitments due to lack of understanding on the part of personnel responsible for providing the service.
    Illustrative controls:
      - Policy and procedures documents for significant processes are available on the entity's intranet.
      - Personnel are required to attend annual security, confidentiality, and privacy training.
      - Personnel are required to read and accept the entity's code of conduct and the statement of security, confidentiality, and privacy practices upon hire and annually thereafter.
      - Processes are monitored through service level management procedures that monitor compliance with service level commitments and agreements. Results are shared with applicable personnel and customers, and actions are taken and communicated to relevant parties, including customers, when such commitments and agreements are not met.

CC2.3  The entity communicates the responsibilities of internal and external users and others whose roles affect system operation.
    Risk: The system fails to function as designed due to internal users' failure to comply with their responsibilities.
    Illustrative controls:
      - Policy and procedures documents for significant processes that address system requirements are available on the intranet.
      - Personnel are required to attend annual security, confidentiality, and privacy training.
      - Personnel are required to read and accept the code of conduct and the statement of confidentiality and privacy practices upon hire and annually thereafter.
      - Processes are monitored through service level management procedures that monitor compliance with commitments and requirements. Results are shared with applicable personnel and customers.
    Risk: The system fails to function as designed due to external users' failure to meet their responsibilities.
    Illustrative controls:
      - Customer responsibilities are described on the customer website and in system documentation.

CC2.4  Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls relevant to the [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] of the system have the information necessary to carry out those responsibilities.
    Risk: Controls fail to function as designed or operate effectively due to misunderstanding on the part of personnel responsible for implementing and performing those controls, resulting in failure to achieve [security, availability, processing integrity, or confidentiality] commitments and requirements.
    Illustrative controls:
      - Policy and procedures documents for significant processes are available on the intranet.
      - Processes are monitored following service level management procedures that monitor compliance with commitments and requirements. Results are shared according to policies.
      - Customer responsibilities are described on the customer website and in system documentation.

CC2.5  Internal and external system users have been provided with information on how to report [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] failures, incidents, concerns, and other complaints to appropriate personnel.
    Risk: System anomalies are detected by internal or external users but the failures are not reported to appropriate personnel, resulting in the system failing to achieve its [security, availability, processing integrity, or confidentiality] commitments and requirements.
    Illustrative controls:
      - Policy and procedures documents for significant processes, which include responsibility for reporting operational failures, incidents, system problems, concerns, and user complaints (and the process for doing so), are published and available on the intranet.
      - Customer responsibilities, which include responsibility for reporting operational failures, incidents, problems, concerns, and complaints, and the process for doing so, are described on the customer website and in system documentation.

CC2.6  System changes that affect internal and external system user responsibilities or the entity's commitments and requirements relevant to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] are communicated to those users in a timely manner.
    Risk: Users misunderstand changes in system capabilities or their responsibilities in providing for [security, availability, processing integrity, or confidentiality] due to system changes and take actions based on the misunderstanding.
    Illustrative controls:
      - Proposed system changes affecting customers are published on the customer website XX days before their implementation. Users are given the chance to participate in user acceptance testing for major changes XX days prior to implementation.
      - Changes made to systems are communicated and confirmed with customers through ongoing communications mechanisms such as customer care meetings and via the customer website.
      - Management of the business unit must confirm understanding of changes by authorizing them.
      - The system change calendar that describes changes to be implemented is posted on the entity intranet.
      - Updated system documentation is published on the customer website and intranet 30 days prior to implementation.
      - System changes that result from incidents are communicated to internal and external users through e-mail as part of the implementation process.
    Risk: Changes in roles and responsibilities and changes to key personnel are not communicated to internal and external users in a timely manner.
    Illustrative controls:
      - Major changes to roles and responsibilities and changes to key personnel are communicated to affected internal and external users via e-mail as part of the change management process.

CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls

CC3.1  The entity (1) identifies potential threats that would impair system [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements, (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks (including controls and other mitigation strategies).
    Risk: Not all system components are included in the risk management process, resulting in a failure to identify and mitigate or accept risks.
    Illustrative controls:
      - A master list of the entity's system components is maintained, accounting for additions and removals, for management's use.
    Risk: Personnel involved in the risk management process do not have sufficient information to evaluate risks and the tolerance of the entity for those risks.
    Illustrative controls:
      - The entity has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.
    Risk: One or more significant internal or external risks that threaten the achievement of [security, availability, processing integrity, or confidentiality] commitments and requirements, and that could be addressed by security controls, are not identified.
    Illustrative controls:
      - During the risk assessment and management process, risk management office personnel identify changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives, and update the potential threats to system objectives.
      - Identified risks are rated using a risk evaluation process, and ratings are reviewed by management.
      - The risk and controls group evaluates the effectiveness of controls and mitigation strategies in meeting identified risks and recommends changes based on its evaluation.
      - The risk and controls group's recommendations are reviewed and approved by senior management.
      - The entity uses a configuration management database and related process to capture key system components and technical and installation-specific implementation details, and to support ongoing asset and service management commitments and requirements.

CC3.2  The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.
    Risk: Controls and mitigation strategies selected, developed, and deployed do not adequately mitigate risk.
    Illustrative controls:
      - Control self-assessments are performed by operating units on a quarterly basis.
      - Internal audits are performed based on the annual risk-based internal audit plan.
      - Business recovery plans are tested annually.
      - Internal and external vulnerability scans are performed quarterly and annually, and their frequency is adjusted as required to meet ongoing and changing commitments and requirements.
    Risk: Deployed controls and mitigation strategies create new risks that fail to be assessed.
    Illustrative controls:
      - See CC3.1 illustrative controls.

CC3.3  The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technological) that could significantly affect the system of internal control for [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] and reassesses risks and mitigation strategies based on the changes, and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.
    Risk: Not all changes that significantly affect the system are identified, resulting in a failure to reassess related risks.
    Illustrative controls:
      - During the risk assessment and management process, risk management personnel identify changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives, and update the potential threats to system objectives.
    Risk: Changes that are not properly identified create risks, because those changes do not undergo the risk management process.
    Illustrative controls:
      - During the risk assessment and management process, risk management office personnel identify environmental, regulatory, and technological changes that have occurred.

CC4.0 Common Criteria Related to Monitoring of Controls

CC4.1  The design and operating effectiveness of controls are periodically evaluated against [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.
    Risk: Controls are not suitably designed, configured in accordance with established policies, or operating in an effective manner, resulting in a system that does not meet system commitments and requirements.
    Illustrative controls:
      - Monitoring software is used to identify and evaluate ongoing system performance, security threats, changing resource utilization needs, and unusual system activity. This software sends a message to the operations center and automatically opens an incident, problem, or change management "ticket" record when specific predefined thresholds are met.
      - Operations and security personnel follow defined protocols for resolving and escalating reported events.

CC5.0 Common Criteria Related to Logical and Physical Access Controls

CC5.1  Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized users; (2) restriction of authorized user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access.
    Risk: Not all system infrastructure or system components are protected by logical access security measures, resulting in unauthorized modification or use.
    Illustrative controls:
      - Established entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.
      - Network scans are performed for infrastructure elements to identify variance from entity standards.
      - Assets are assigned owners who are responsible for evaluating access based on job roles. The owners define access rights when assets are acquired or changed and periodically evaluate access for assets under their custody or stewardship.
      - Online applications match each user ID to a single customer account number. Requests for access to system records require the matching of the customer account number against the list of privileges each user was granted when initially given access to the system.
    Risk: Logical access security measures do not identify or authenticate users prior to permitting access to IT components.
    Illustrative controls:
      - Infrastructure components and software are configured to use the shared sign-on functionality when available. Systems not using the shared sign-on functionality are required to be implemented with separate user ID and password submission.
      - External access by employees is permitted only through a two-factor (for example, a swipe card and a password) encrypted virtual private network (VPN) connection.
    Risk: Logical access security measures do not provide for the segregation of duties required by the system design.
    Illustrative controls:
      - A role-based security process has been defined, with an access control system that is required to use roles when possible.
      - Assets are assigned owners who are responsible for evaluating the appropriateness of access based on job roles. Roles are reviewed and updated by asset owners and the risk and controls group on an annual basis. Access change requests resulting from the review are submitted to the security group via a change request record.
      - For software or infrastructure that does not support the use of role-based security, a separate database of roles and related access is maintained. The security group uses this database when entering access rules in these systems.
    Risk: Logical access security measures do not restrict access to system configurations, privileged functionality, master passwords, powerful utilities, security devices, and other high-risk resources.
    Illustrative controls:
      - Privileged access to sensitive resources is restricted to defined user roles, and access to these roles must be approved by the chief information security officer. This access is reviewed by the chief information security officer on a periodic basis that the chief information security officer establishes.

CC5.2  New internal and external system users are registered and authorized prior to being issued system credentials and granted the ability to access the system. User system credentials are removed when user access is no longer authorized.
    Risk: Valid user identities are granted to unauthorized persons.
    Illustrative controls:
      - On a daily basis, employee user IDs are automatically created in or removed from the active directory and the VPN systems as of the date of employment, using an automated feed of new users collected from employee changes in the human resource management system.
      - Employee access to protected resources is created or modified by the security group based on an authorized change request from the system's asset owner.
      - Contractor and vendor IDs are created by the security group based on an authorized change request from the contractor office. These IDs are valid for the lesser of the expected period of the relationship or XX days.
      - Privileged customer accounts are created based on a written authorization request from the designated customer point of contact. These accounts are used by customers to create customer user access.
      - System security is configured to require users to change their password upon initial sign-on and every XX days thereafter.
    Risk: A user that is no longer authorized continues to access system resources.
    Illustrative controls:
      - On a daily basis, the human resources system sends an automated feed to the active directory and the VPN for removal of access for employees for whom it is the last day of employment. The list is used by security personnel to remove access. The removal of the access is verified by the security manager.
      - On a weekly basis, the human resources system sends to the security group a list of terminated employees whose access is to be removed. The list is used by security personnel to remove access. The removal of the access is verified by a security manager.
      - On a weekly basis, the contractor office sends to the security group a list of terminated vendors and contractors whose access is to be removed. The list is used by security personnel to remove access. The removal of the access is verified by a security manager.
      - Entity policies prohibit the reactivation or use of a terminated employee's ID without written approval of the chief information security officer. Requests for reactivation are made using the change management record system and must include the purpose and justification of the access (the business need), the systems on which the ID is to be reactivated, and the time period for which the account will be active (no more than XX days). The account is reset with a new password and is activated for the time period requested. All use of the account is logged and reviewed by security personnel.
      - Account sharing is prohibited unless a variance from policy is granted by the chief information security officer; such a variance might be supported by an account and password vaulting product that permits sharing only under controlled circumstances with active logging of each use. Shared accounts are otherwise permitted only for low-risk applications (for example, an informational system where access with shared IDs cannot compromise segregation of duties) or where system technical limitations require their use (for example, UNIX root access). The chief information security officer must approve the use of all shared accounts. Mitigating controls are implemented when possible (for example, required use of su when accessing the UNIX root account).

CC5.3  Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data).
    Risk: Users are not identified when accessing information system components.
    Illustrative controls:
      - Entity standards are established for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.
      - Account sharing is prohibited unless a variance from policy is granted by the chief information security officer; such a variance might be supported by an account and password vaulting product that permits sharing only under controlled circumstances with active logging of each use. Shared accounts are otherwise permitted only for low-risk applications (for example, an informational system where access with shared IDs cannot compromise segregation of duties) or where system technical limitations require their use (for example, UNIX root access). The chief information security officer must approve the use of all shared accounts. Mitigating controls are implemented when possible (for example, required use of su when accessing the UNIX root account).
    Risk: Valid user identities are assumed by an unauthorized person to access the system.
    Illustrative controls:
      - The online application matches each user ID to a single customer account number. Requests for access to system records require the matching of the customer account number.
      - Two-factor authentication and the use of encrypted VPN channels help to ensure that only valid users gain access to IT components.
      - Infrastructure components and software are configured to use the active directory shared sign-on functionality when available. Systems not using the shared sign-on functionality are configured to require a separate user ID and password.
    Risk: User access credentials are compromised, allowing an unauthorized person to perform activities reserved for authorized persons.
    Illustrative controls:
      - Users can only access the system remotely through the use of the VPN, secure sockets layer (SSL), or another encrypted communication system.
      - Password complexity standards are established to enforce control over access control software passwords.

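The "one user ID, one customer account number" control that appears under both CC5.1 and CC5.3 is an object-level authorization check, and the usual way it fails is an application that trusts the account number in the request. The following is an added example, not the AICPA text's or any entity's code: a weak lookup that trusts the requested account number beside the hardened lookup that derives the account number from the authenticated user's directory entry and checks the requested operation against the privileges granted at initial access. The user directory, privilege lists, and records are constructed.

```python
"""Record-access check for the CC5.1/CC5.3 control that ties each user ID to
a single customer account number. Added example; the user directory,
privilege lists, and records below are constructed, not from the AICPA text.
"""

# User ID -> (customer account number, privileges granted at initial access).
USERS = {
    "jsmith": ("ACCT-1001", frozenset({"view_statements"})),
    "mlee": ("ACCT-2002", frozenset({"view_statements", "export_records"})),
}

# Customer records keyed by account number.
RECORDS = {
    "ACCT-1001": {"statements": ["2016-01", "2016-02"]},
    "ACCT-2002": {"statements": ["2016-02"]},
}

AUDIT_LOG = []  # (user_id, requested_account, privilege, outcome)


class AccessDenied(Exception):
    pass


def fetch_records_unchecked(requested_account):
    """Weak form: trusts the account number supplied in the request, so any
    authenticated user can read any customer's records by changing the
    parameter (an insecure direct object reference)."""
    return RECORDS[requested_account]


def fetch_records(user_id, requested_account, privilege):
    """Hardened form: the account number comes from the authenticated user's
    directory entry, must equal the one requested, and the operation must be
    among the privileges granted when the user was first given access."""
    entry = USERS.get(user_id)
    if entry is None:
        AUDIT_LOG.append((user_id, requested_account, privilege, "unknown user"))
        raise AccessDenied("unknown user")
    account, privileges = entry
    if requested_account != account:
        AUDIT_LOG.append((user_id, requested_account, privilege, "account mismatch"))
        raise AccessDenied("account number does not match user")
    if privilege not in privileges:
        AUDIT_LOG.append((user_id, requested_account, privilege, "privilege not granted"))
        raise AccessDenied("privilege not granted")
    AUDIT_LOG.append((user_id, requested_account, privilege, "allowed"))
    return RECORDS[account]


def can_access(user_id, requested_account, privilege):
    """Boolean wrapper around fetch_records for callers that only need a decision."""
    try:
        fetch_records(user_id, requested_account, privilege)
    except AccessDenied:
        return False
    return True


if __name__ == "__main__":
    # jsmith tampers with the account parameter: the weak lookup leaks mlee's
    # records, the hardened one refuses and logs the attempt.
    print(fetch_records_unchecked("ACCT-2002"))
    print(can_access("jsmith", "ACCT-2002", "view_statements"))  # False
    print(can_access("jsmith", "ACCT-1001", "export_records"))  # False
    print(can_access("mlee", "ACCT-2002", "export_records"))    # True
    print(AUDIT_LOG)
```

The denied entries in AUDIT_LOG are what the CC5.3 "valid identities assumed by an unauthorized person" risk asks you to be able to see: a user repeatedly requesting account numbers other than their own is a tampering signal, not noise.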
CC5.4  Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them.
    Risk: Valid users obtain unauthorized access to the system, resulting in a breakdown in segregation of duties or an increase in the risk of intentional malicious acts or error.
    Illustrative controls:
      - When possible, formal role-based access controls that limit access to system and infrastructure components are created, and these are enforced by the access control system. When it is not possible, authorized user IDs with two-factor authentication are used.
      - User access requests for a specific role are approved by the user's manager and are submitted to the security group via the change management record system.
    Risk: Access granted through the provisioning process compromises segregation of duties or increases the risk of intentional malicious acts or error.
    Illustrative controls:
      - When possible, formal role-based access controls limit access to system and infrastructure components, and these are enforced by the access control system. When it is not possible, authorized user IDs with two-factor authentication are used.
      - Roles are reviewed and updated by asset owners and the risk and controls group on an annual basis. Access change requests resulting from the review are submitted to the security group via a change request record.

CC5.5 Physical access to Unauthorized persons An ID card-based
facilities housing gain physical access physical access control
the system (for to system components system has been
example, data resulting in damage implemented within the
centers, backup to components perimeter of facilities
media storage, and (including threats to and at the entry and exit
other sensitive personnel), points of sensitive areas
locations as well as fraudulent or within these facilities.
sensitive system erroneous processing,
components within unauthorized logical
those locations) is access, or compromise
restricted to of information.
authorized
personnel.
ID cards that include an
employee picture must
be worn at all times
when accessing or
leaving the facility.
ID cards are created by
the human resources
department during the
employee orientation
period and distributed
after all required
background
investigations are
completed. ID cards
initially provide access
only to nonsensitive
areas.
Access to sensitive areas
is added to ID cards by
the physical security
director based on a
request for access
approved by the owner
of the sensitive area and
after required
background
investigations have been
performed and any
issues resolved.
Requests for access and
changes to access are
made, approved, and
communicated through
the change management
record system.

TSP 100A.19 2016, AICPA


Security, Availability, Processing Integrity, Confidentiality, and Privacy 187

Illustrative
Criteria Risks Controls
The contractor office
may request ID cards
for vendors and
contractors. Cards are
created by the physical
security director.
Requests are made,
approved, and
communicated through
the change
management record
system.
Visitors must be
signed in by an
employee before a
single-day visitor
badge that identifies
them as an authorized
visitor can be issued.
Visitor badges are for
identification purposes
only and do not permit
access to any secured
areas of the facility.
All visitors must be
escorted by an entity
employee when
visiting facilities where
sensitive system and
system components are
maintained and
operated.
Formerly Owners of sensitive
appropriate physical areas of the facilities
access becomes review the list of
inappropriate due to names and roles of
changes in user job those granted physical
responsibilities or access to their areas on
system changes a semi-annual basis to
resulting in a check for continued
breakdown in business need.
segregation of duties Requests for changes
or an increase in the are made through the
risk of intentional change management
malicious acts or record system.
error.

(continued)

2016, AICPA TSP 100A.19


188 Trust Services Principles and Criteria

Illustrative
Criteria Risks Controls
A formerly authorized Owners of sensitive
person continues to areas of the facilities
access system review access to their
resources after that areas on a semi-annual
person is no longer basis. Requests for
authorized. changes are made
through the change
management record
system.
Vendors are asked to
review a list of
employees with ID cards
on a semi-annual basis
and request any
modifications. The
contractor office
requests changes based
on the vendor review.
On a daily basis, as of
the last day of
employment, the human
resources system sends
to physical security a
list of terminated
employees for whom it is
the last day of
employment and whose
access is to be removed
and their pass cards to
be disabled.
Risk: A user obtains the identification credentials and authentication credentials of a formerly authorized person and uses them to gain unauthorized access to the system.
Illustrative controls:
- On a weekly basis, the contractor office sends to the security group a list of terminated vendors and contractors for whom access is to be removed.
- On a weekly basis, the human resources system sends to the physical security group a list of terminated employees for whom access is to be removed.
- Employees and contractors are required to return their ID cards during exit interviews, and all ID badges are disabled prior to exit interviews; therefore, employees and contractors must be physically escorted from the entity's facilities at the completion of the exit interview.
- The sharing of access badges and tailgating are prohibited by policy.
- Mantraps or other physical devices are used for controlling access to highly sensitive facilities. Doors that bypass mantraps can only be opened by the ID cards of designated members of management.
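As an added illustration (not part of the AICPA text), the following Python script automates two of the physical access controls listed above: disabling the pass cards of employees named in the daily HR termination feed, and producing the semi-annual access review list for an area owner with a flag on every holder whose continued business need cannot be confirmed. All records, names and field layouts are constructed assumptions.

```python
"""Added example (not part of the AICPA text): automating two of the
physical access controls listed above, the daily HR feed that disables the
pass cards of employees on their last day and the semi-annual review list an
area owner uses to confirm continued business need. Every record, name and
field layout below is a constructed assumption."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Badge:
    badge_id: str
    holder_id: str
    holder_name: str
    role: str
    areas: list          # sensitive areas this pass card opens
    enabled: bool = True


# Constructed HR feed: employee id -> (name, last day of employment or None).
HR_FEED = {
    "E100": ("Alice Ng", None),
    "E101": ("Bob Ruiz", date(2016, 3, 31)),
    "E102": ("Cara Lee", date(2016, 4, 15)),
}

# Constructed extract from the badge system; E999 has no HR record at all.
BADGES = [
    Badge("B1", "E100", "Alice Ng", "network engineer", ["data hall"]),
    Badge("B2", "E101", "Bob Ruiz", "facilities", ["data hall", "tape vault"]),
    Badge("B3", "E102", "Cara Lee", "developer", []),
    Badge("B4", "E999", "Dan Ortiz", "contractor", ["tape vault"]),
]


def terminations_as_of(hr_feed, today):
    """The daily list sent to physical security: employees whose last day of
    employment is today."""
    return sorted(eid for eid, (_, last_day) in hr_feed.items() if last_day == today)


def disable_badges(badges, employee_ids):
    """Disable every enabled pass card held by the listed employees and
    return the badge ids that were disabled (idempotent on a second run)."""
    disabled = []
    for badge in badges:
        if badge.holder_id in employee_ids and badge.enabled:
            badge.enabled = False
            disabled.append(badge.badge_id)
    return disabled


def area_review_list(badges, hr_feed, area, as_of):
    """Semi-annual review list for one sensitive area: the name and role of
    each enabled badge holder, flagged when continued business need cannot
    be confirmed (no HR record, or last day already past) so that the owner
    can raise a change request to remove the access."""
    rows = []
    for badge in badges:
        if area not in badge.areas or not badge.enabled:
            continue
        record = hr_feed.get(badge.holder_id)
        still_employed = record is not None and (record[1] is None or record[1] >= as_of)
        rows.append({"badge": badge.badge_id, "name": badge.holder_name,
                     "role": badge.role, "needs_change_request": not still_employed})
    return rows


if __name__ == "__main__":
    today = date(2016, 3, 31)
    print("disabled today:", disable_badges(BADGES, terminations_as_of(HR_FEED, today)))
    for row in area_review_list(BADGES, HR_FEED, "tape vault", today):
        print(row)
```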
CC5.6 Logical access security measures have been implemented to protect against [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] threats from sources outside the boundaries of the system.

Risk: Threats to the system are obtained through external points of connectivity.
Illustrative controls:
- Defined entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists that define which privileges are attributable to each user or system account.
- External points of connectivity are protected by a firewall complex.
- Firewall hardening standards are based on relevant applicable technical specifications, and these are compared against product and industry recommended practices and updated periodically.
- External access to nonpublic sites is restricted through the use of user authentication and message encryption systems such as VPN and SSL.
Risk: Authorized connections to the system are compromised and used to gain unauthorized access to the system.
Illustrative controls:
- Firewall rules and the online system limit the times when remote access can be granted and the types of activities and service requests that can be performed from external connections.
CC5.7 The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

Risk: Nonpublic information is disclosed during transmission over public communication paths.
Illustrative controls:
- VPN, SSL, secure file transfer program (SFTP), and other encryption technologies are used for defined points of connectivity and to protect communications between the processing center and users connecting to the processing center from within or external to customer networks.
- Entity policies prohibit the transmission of sensitive information over the Internet or other public communications paths (for example, e-mail) unless it is encrypted.

- Data loss prevention software is used to scan for sensitive information in outgoing transmissions over public communication paths.
Risk: Removable media (for example, USB drives, DVDs, or tapes) are lost, intercepted, or copied during physical movement between locations.
Illustrative controls:
- Backup media are encrypted during creation.
- Storage for workstations and laptops is encrypted. Removable media for workstations and laptops are encrypted automatically by the software. Removable media is readable only by other entity-owned devices.
- Other removable media are produced by data center operations and are transported via courier.
Risk: Removable media used to make unauthorized copies of software or data are taken beyond the boundaries of the system.
Illustrative controls:
- Storage for workstations and laptops is encrypted. Removable media for these devices are encrypted automatically by the software. Removable media is readable only by other entity-owned devices.
- Backup media are encrypted during creation.
CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software.

Risk: Malicious or otherwise unauthorized code is used to intentionally or unintentionally compromise logical access controls or system functionality through data transmission, removable media, and portable or mobile devices.
Illustrative controls:
- The ability to install software on workstations and laptops is restricted to IT support personnel.

- Antivirus software is installed on workstations, laptops, and servers supporting such software.
- Antivirus software is configured to receive an updated virus signature at least daily. A network operation receives a report of devices that have not been updated in 30 days and follows up on the devices.
- The ability to install applications on systems is restricted to change implementation and system administration personnel.
CC6.0 Common Criteria Related to System Operations
CC6.1 Vulnerabilities of system components to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are implemented to compensate for known and new vulnerabilities.

Risk: Vulnerabilities that could lead to a breach or incident are not detected in a timely manner.
Illustrative controls:
- Logging and monitoring software is used to collect data from system infrastructure components and endpoint systems and used to monitor system performance, potential security threats and vulnerabilities, resource utilization, and to detect unusual system activity or service requests. This software sends a message to the operations center and security organization and automatically opens a priority incident or problem ticket and change management system record item.

- Call center personnel receive telephone and e-mail requests for support, which may include requests to reset user passwords or notify entity personnel of potential breaches and incidents. Call center personnel follow defined protocols for recording, resolving, and escalating received requests.

Risk: Security or other system configuration information is corrupted or otherwise destroyed, preventing the system from functioning as designed.
Illustrative controls:
- Weekly full-system and daily incremental backups are performed using an automated system.
CC6.2 [Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] incidents, including logical and physical security breaches, failures, concerns, and other complaints are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.

Risk: Breaches and incidents are not identified, prioritized, or evaluated for effects.
Illustrative controls:
- Operations personnel follow defined protocols for evaluating reported events. Security-related events are assigned to the security group for evaluation.

Risk: Corrective measures to address breaches and incidents are not implemented in a timely manner.
Illustrative controls:
- Operations and security personnel follow defined protocols for resolving and escalating reported events.
- Resolution of security events (incidents or problems) is reviewed at the daily and weekly operations and security group meetings.
- Internal and external users are informed of incidents in a timely manner and advised of corrective measures to be taken on their part.

Risk: Corrective measures are not effective or sufficient.
Illustrative controls:
- Resolution of events is reviewed at the weekly operations and security group meetings.
- Change management requests are opened for events that require permanent fixes.

Risk: Lack of compliance with policies and procedures is not addressed through sanctions or remedial actions, resulting in increased noncompliance in the future.
Illustrative controls:
- The resolution of events is reviewed at the weekly operations and security group meetings. Relevant events with effects on users or customers are referred to user and customer care management to be addressed.
- Entity policies include probation, suspension, and termination as potential sanctions for employee misconduct.

Risk: Breaches and incidents recur because preventive measures are not implemented after a previous event.
Illustrative controls:
- Change management requests are opened for events that require permanent fixes.

CC7.0 Common Criteria Related to Change Management
CC7.1 [Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] system commitments and requirements are addressed during the system development lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.

Risk: Commitments and requirements are not addressed at one or more points during the system development lifecycle, resulting in a system that does not meet system commitments and requirements.
Illustrative controls:
- System change requests are evaluated to determine the potential effect of the change on security, availability, processing integrity, and confidentiality commitments and requirements throughout the change management process.
- System changes other than those classified as minor require the approval of the chief information security officer and operations manager prior to implementation.
CC7.2 Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].

Risk: System components are not updated for changes in the requirements, resulting in a system that does not meet system commitments and requirements.
Illustrative controls:
- During the ongoing risk assessment process and periodic planning and budgeting processes, infrastructure, data, software, and procedures are evaluated for needed changes. Change requests are created based on the identified needs.
- For high severity incidents, a root cause analysis is prepared and reviewed by operations management. Based on the root cause analysis, change requests are prepared and the entity's risk management process and relevant risk management data are updated to reflect the planned incident and problem resolution.
CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring.

Risk: Identified breaches, incidents, and other system impairments are not considered during the change management lifecycle.
Illustrative controls:
- For high severity incidents, a root cause analysis is prepared and reviewed by operations management. Based on the root cause analysis, change requests are prepared and the entity's risk management process and relevant risk management data are updated to reflect the planned incident and problem resolution.
CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements.

Risk: System changes are not authorized by those responsible for the design and operation of the system, resulting in changes to the system that impair its ability to meet system commitments and requirements.
Illustrative controls:
- System change requests must be reviewed and approved by the owner of the infrastructure or software and the change advisory board prior to work commencing on the requested change.

Risk: System changes do not function as intended, resulting in a system that does not meet system commitments and requirements.
Illustrative controls:
- Functional and detailed designs are prepared for other than minor changes (more than XX hours). Functional designs are reviewed and approved by the application or infrastructure and software owner, and detailed designs are approved by the director of development for the application and the change advisory board prior to work commencing on the requested change or development project.
- Test plans and test data are created and used in required system and regression testing. Test plans and test data are reviewed and approved by the testing manager prior to and at the completion of testing, and reviewed by the change advisory board prior to newly developed or changed software being authorized for migration to production. Security vulnerability testing is included in the types of tests performed on relevant application, database, network, and operating system changes.

- System and regression testing is prepared by the testing department using approved test plans and test data. Deviations from planned results are analyzed and submitted to the developer.
- Code review or walkthrough is required for high impact changes that meet established criteria (that mandate code reviews and walkthroughs), and these are performed by a peer programmer who does not have responsibility for the change.
- Changes are reviewed and approved by the change advisory board prior to implementation.
- Established entity standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, entity configuration standards, and standardized access control lists.
- Changes to hardening standards are reviewed and approved by the director of infrastructure management.

Risk: Unauthorized changes are made to the system, resulting in a system that does not meet system commitments and requirements.
Illustrative controls:
- Separate environments are used for development, testing, and production. Developers do not have the ability to make changes to software in testing or production.
- Logical access controls and change management tools restrict the ability to migrate between development, test, and production to change deployment personnel.
- Changes are reviewed and approved by the change advisory board prior to implementation.

Risk: Unforeseen system implementation problems impair system operation, resulting in a system that does not function as designed.
Illustrative controls:
- A turnover process that includes verification of operation and back-out steps is used for every migration.
- Post-implementation procedures that are designed to verify the operation of system changes are performed for one week after the implementation for other than minor changes, and results are shared with users and customers as required to meet commitments and requirements.

Risk: Incompatible duties exist within the change management process, particularly between approvers, designers, implementers, testers, and owners, resulting in the implemented system not functioning as intended.
Illustrative controls:
- The change management process has defined the following roles and assignments:
    Authorization of change requests: owner or business unit manager
    Development: application design and support department
    Testing: quality assurance department
    Implementation: software change management group
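As an added example (not the AICPA's code), the following Python script tests the segregation-of-duties control just described against constructed change-management records: a change passes only when each duty was performed by the department assigned to it and no individual performed more than one of the incompatible duties. The staff directory, departments and change records are all constructed assumptions.

```python
"""Added example (not the AICPA's): a test of the segregation-of-duties
control described above, run over constructed change-management records. A
change passes when each duty is performed by the department assigned to it
and no individual performs more than one of the incompatible duties."""

# Duty -> department, as assigned in the illustrative control.
DUTY_DEPARTMENT = {
    "authorization": "business unit",
    "development": "application design and support",
    "testing": "quality assurance",
    "implementation": "software change management",
}

# Constructed staff directory: person -> department.
STAFF = {
    "owner1": "business unit",
    "dev1": "application design and support",
    "dev2": "application design and support",
    "qa1": "quality assurance",
    "deploy1": "software change management",
}

# Constructed change records: who performed each duty on each change.
CHANGES = [
    {"id": "CHG-1", "authorization": "owner1", "development": "dev1",
     "testing": "qa1", "implementation": "deploy1"},        # compliant
    {"id": "CHG-2", "authorization": "owner1", "development": "dev2",
     "testing": "dev2", "implementation": "deploy1"},       # developer tested own change
    {"id": "CHG-3", "authorization": "owner1", "development": "dev1",
     "testing": "qa1", "implementation": "dev1"},           # developer migrated own change
    {"id": "CHG-4", "authorization": "dev1", "development": "dev2",
     "testing": "qa1"},                                     # wrong approver, no implementer
]


def sod_findings(change, staff=STAFF, duties=DUTY_DEPARTMENT):
    """Return the findings for one change record; an empty list means the
    change satisfies the control."""
    findings = []
    performed = {}  # person -> duties that person performed on this change
    for duty, dept in duties.items():
        person = change.get(duty)
        if person is None:
            findings.append(f"{duty}: no performer recorded")
            continue
        actual = staff.get(person)
        if actual != dept:
            findings.append(f"{duty}: {person} is in '{actual}', expected '{dept}'")
        performed.setdefault(person, []).append(duty)
    for person, held in performed.items():
        if len(held) > 1:
            findings.append(f"{person} performed incompatible duties: {', '.join(held)}")
    return findings


def review_changes(changes):
    """Map change id -> findings for every change that fails the control."""
    failed = {}
    for change in changes:
        findings = sod_findings(change)
        if findings:
            failed[change["id"]] = findings
    return failed


if __name__ == "__main__":
    for change_id, findings in review_changes(CHANGES).items():
        print(change_id)
        for finding in findings:
            print("  -", finding)
```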
Additional Criteria for Availability
A1.1 Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.

Risk: Current processing capacity is not sufficient to meet availability commitments and requirements in the event of the loss of individual elements within the system components.
Illustrative controls:
- Processing capacity is monitored on an ongoing basis.
- Critical infrastructure components have been reviewed for criticality classification and assignment of a minimum level of redundancy.

Risk: Processing capacity is not monitored, planned, and expanded or modified, as necessary, to provide for the continued availability of the system in accordance with system commitments and requirements.
Illustrative controls:
- Processing capacity is monitored on a daily basis.

- Future processing demand is forecasted and compared to scheduled capacity on an ongoing basis. Forecasts are reviewed and approved by senior operations management. Change requests are initiated as needed based on approved forecasts.
A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.

Risk: Environmental vulnerabilities and changing environmental conditions are not identified or addressed through the use of environmental protections, resulting in a loss of system availability.
Illustrative controls:
- Environmental protections have been installed, including the following:
    Cooling systems
    Battery and natural gas generator backup in the event of power failure
    Redundant communications lines
    Smoke detectors
    Dry pipe sprinklers

Risk: Environmental vulnerabilities are not monitored or acted upon, increasing the severity of an environmental event.
Illustrative controls:
- Operations personnel monitor the status of environmental protections during each shift.
- Environmental protections receive maintenance on at least an annual basis.

Risk: Software or data are lost or not available due to processing error, intentional act, or environmental event.
Illustrative controls:
- Weekly full-system and daily incremental backups are performed using an automated system.
- Backups are monitored for failure using an automated system, and the incident management process is automatically invoked.

- Backups are transported and stored offsite by a third-party storage provider.

Risk: System availability commitments and requirements are not met due to a lack of recovery infrastructure.
Illustrative controls:
- Business continuity and disaster recovery plans have been developed and are updated annually.
- The entity has contracted with a third-party recovery facility to permit the resumption of IT operations in the event of a disaster at its data center.
- The entity uses a multi-location strategy for its facilities to permit the resumption of operations at other entity facilities in the event of loss of a facility.
A1.3 Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.

Risk: Recovery plans are not suitably designed and backups are not sufficient to permit recovery of system operation in accordance with commitments and requirements.
Illustrative controls:
- Business continuity and disaster recovery plans, including restoration of backups, are tested annually.
- Test results are reviewed and the contingency plan is adjusted.
Additional Criteria for Processing Integrity
PI1.1 Procedures exist to prevent and detect and correct processing errors to meet processing integrity commitments and requirements.

Risk: Software or data are lost or not available due to processing error, intentional act, or environmental event.
Illustrative controls:
- Weekly full-system and daily incremental backups are performed using an automated system.

- Backups are monitored for failure using an automated system, and the incident management process is automatically invoked.
- Backups are transported and stored offsite by a third-party storage provider.

Risk: Environmental vulnerabilities are not addressed through the use of environmental protections, resulting in a loss of system availability.
Illustrative controls:
- Environmental protections have been installed, including the following:
    Cooling systems
    Battery and natural gas generator backup in the event of power failure
    Redundant communications lines
    Smoke detectors
    Dry pipe sprinklers

Risk: Environmental vulnerabilities are not monitored or acted upon, increasing the severity of an environmental event.
Illustrative controls:
- Operations personnel monitor the status of environmental protections during each shift.
- Environmental protections receive maintenance on at least an annual basis.

Risk: Current processing capacity is not sufficient to meet processing requirements, resulting in processing errors.
Illustrative controls:
- Processing capacity is monitored on a daily basis.
- Critical infrastructure components have a minimum level of redundancy.

PI1.2 System inputs are measured and recorded completely, accurately, and timely in accordance with processing integrity commitments and requirements.

Risk: Inputs are captured incorrectly.
Illustrative controls:
- Application edits limit input to acceptable value ranges.
- The data preparation clerk batches documents by date received and enters the date and number of sheets on the batch ticket. Batched forms are scanned by a purchased imaging system. Upon completion of the scanning process, the scanned sheets are compared to the count per the batch ticket by the scanning operator. Scanned images are processed through the optical character recognition (OCR) system. Key fields, including customer identifier, customer name, and record type, are validated by the system against records in the master data file. Text from free-form sections of scan sheets is manually entered. This information is input twice by two separate clerks. The input information is compared, and records with differences are sent to a third clerk for resolution.

Risk: Inputs are not captured, or are not captured completely.
Illustrative controls:
- System edits require mandatory fields to be complete before record entry is accepted.
- The data preparation clerk batches documents by date received and enters the date and number of sheets on the batch ticket. Batched forms are scanned by a purchased imaging system. Upon completion of the scanning process, the sheets scanned are compared to the count per the batch ticket by the scanning operator. Scanned images are processed through the OCR system. Key fields, including customer identifier, customer name, and record type, are validated by the system against records in the master data file. Text from free-form sections of scan sheets is manually entered. This information is input twice by two separate clerks. The input information is compared, and records with differences are sent to a third clerk for resolution.
- Electronic files received contain batch control totals. During load processing, the data captured is reconciled to the batch totals automatically by the application.

Risk: Inputs are not captured in a timely manner.
Illustrative controls:
- Electronic files received are processed as received. The application monitors files that fail to process completely and generates an incident management error record.
- Manual forms for data entry are batched upon receipt. Batches are traced to batches entered for processing daily by the data entry supervisor, and differences are investigated.

Risk: The final disposition of input cannot be traced to its source to validate that it was processed correctly, and the results of processing cannot be traced to initial input to validate completeness and accuracy.
Illustrative controls:
- Inputs are coded with identification numbers, registration numbers, registration information, or time stamps to enable them to be traced from initial input to output and final disposition and from output to source inputs.
PI1.3 Data is processed completely, accurately, and timely as authorized in accordance with processing integrity commitments and requirements.

Risk: Data is lost during processing.
Illustrative controls:
- Input record counts are traced from entry to final processing. Any differences are investigated.

Risk: Data is inaccurately modified during processing.
Illustrative controls:
- Application regression testing validates key processing for the application during the change management process.

- Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
- Daily, weekly, and monthly trend reports are reviewed by the operations manager for unusual trends.

Risk: Newly created data is inaccurate.
Illustrative controls:
- Application regression testing validates key processing for the application during the change management process.
- The system compares generated data to allowable values. Values outside the allowable values are written to the value exception report. Items on the value exception report are reviewed by the output clerk on a daily basis.

Risk: Processing is not completed within required timeframes.
Illustrative controls:
- Scheduling software is used to control the submission and monitoring of job execution. An incident management record is generated automatically when processing errors are identified.

PI1.4 Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.

Risk: Data is not available for use as committed or agreed.
Illustrative controls:
- A mirror image of application data files is created nightly and stored on a second system for use in recovery and restoration in the event of a system disruption or outage.

Risk: Stored data is inaccurate.
Illustrative controls:
- Logical access to stored data is restricted to the application and database administrators.

Risk: Stored data is incomplete.
Illustrative controls:
- Data is reconciled on a monthly basis to help meet customer commitments and requirements.

PI1.5 System output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements.

Risk: System output is not complete.
Illustrative controls:
- Application regression testing validates key processing for the application during the change management process.
- Output values are compared against prior cycle values. Variances greater than five percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.

- On a monthly basis, total records processed are compared with total records received via electronic submission, manual entry, and sheets scanned by the OCR system.

Risk: System output is not accurate.
Illustrative controls:
- Application regression testing validates key processing for the application during the change management process.
- Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
- Daily, weekly, and monthly trend reports are reviewed by the operations manager for unusual trends.

Risk: System output is provided to unauthorized recipients.
Illustrative controls:
- Application security restricts output to approved user IDs.

Risk: System output is not available to authorized recipients.
Illustrative controls:
- Application regression testing validates key processing for the application during the change management process.

- Output is generated by the system based on a master schedule. Changes to the master schedule are managed through the change management process and are approved by the customer service executive. On a daily basis, an automated routine scans output files to validate that all required output has been generated. The routine generates an incident record for any missing output. Incident tickets are managed through the incident management process.
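As an added example (not part of the AICPA text), the following Python script gives automated forms of three of the processing integrity controls illustrated under PI1.2, PI1.3 and PI1.5 above: reconciling a received file to its batch control totals, tracing input record counts from entry to final processing, and the prior-cycle variance report that opens an incident record for each variance above the threshold. The file layout, record counts, output values and the threshold are constructed assumptions.

```python
"""Added example (not part of the AICPA text): automated forms of three of
the processing integrity controls illustrated above: reconciling a received
file to its batch control totals (PI1.2), tracing input record counts from
entry to final processing (PI1.3), and the prior-cycle variance report that
opens an incident record for every variance above the threshold (PI1.3,
PI1.5). All file layouts, values and thresholds are constructed."""
from decimal import Decimal

# Constructed batch header as received with an electronic file.
CONTROL = {"record_count": 3, "amount_total": "150.00"}
# Constructed records as loaded by the application.
RECORDS = [
    {"id": "R1", "amount": "50.00"},
    {"id": "R2", "amount": "50.00"},
    {"id": "R3", "amount": "50.00"},
]
# Constructed record counts observed at each processing stage, in order.
STAGE_COUNTS = [("entered", 1000), ("validated", 1000), ("posted", 998)]
# Constructed prior-cycle and current-cycle output values.
PRIOR = {"claims_paid": 1000, "refunds": 200}
CURRENT = {"claims_paid": 1040, "refunds": 260, "adjustments": 5}


def reconcile_batch(control, records):
    """Compare the batch control totals (record count and hash total of the
    amount field) with what was actually loaded. Decimal avoids float
    rounding making a correct batch look wrong. Empty list = reconciles."""
    issues = []
    loaded_count = len(records)
    loaded_total = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    if loaded_count != control["record_count"]:
        issues.append(f"record count {loaded_count} != control {control['record_count']}")
    if loaded_total != Decimal(control["amount_total"]):
        issues.append(f"amount total {loaded_total} != control {control['amount_total']}")
    return issues


def trace_record_counts(stage_counts):
    """Report every stage at which the record count changed between entry
    and final processing; each entry is a difference to be investigated."""
    diffs = []
    for (prev_stage, prev), (stage, cur) in zip(stage_counts, stage_counts[1:]):
        if cur != prev:
            diffs.append(f"{prev_stage} -> {stage}: {prev} -> {cur}")
    return diffs


def variance_report(prior, current, threshold_pct):
    """Flag outputs whose change from the prior cycle exceeds threshold_pct
    and return an open incident record for each. Outputs with no usable
    prior value are flagged as well, because they cannot be compared."""
    incidents = []
    for key, value in current.items():
        base = prior.get(key)
        if not base:  # missing or zero prior value
            incidents.append({"key": key, "reason": "no comparable prior value",
                              "status": "open"})
            continue
        pct = abs(value - base) / abs(base) * 100
        if pct > threshold_pct:
            incidents.append({"key": key, "reason": f"variance {pct:.1f}% > {threshold_pct}%",
                              "status": "open"})
    return incidents


if __name__ == "__main__":
    print("batch:", reconcile_batch(CONTROL, RECORDS) or "reconciles")
    print("short batch:", reconcile_batch(CONTROL, RECORDS[:2]))
    print("count trace:", trace_record_counts(STAGE_COUNTS))
    for incident in variance_report(PRIOR, CURRENT, 5):
        print("incident:", incident)
```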
PI1.6 Modification of data is authorized, using authorized procedures in accordance with processing integrity commitments and requirements.

Risk: Data is modified by an unauthorized process or procedure, resulting in inaccurate or incomplete data.
Illustrative controls:
- Application regression testing validates key processing for the application during the change management process.
- Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process.
- Application-level security restricts the ability to access, modify, and delete data to authenticated users who have been granted access through a record in the access control list. Creation and modification of access control records occurs through the access provisioning process.
Risk: Data is modified without authorization.
Illustrative controls:
- Logical access to stored data is restricted to the application and database administrators.

Risk: Data is lost or destroyed.
Illustrative controls:
- Logical access to stored data is restricted to the application and database administrators.
- A mirror image of application data files is created nightly and stored on a second secure system for use in recovery and restoration in the event of a system disruption or outage.
Additional Criteria for Confidentiality
C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.

Risk: Data used in nonproduction environments is not protected from unauthorized access as committed.
Illustrative controls:
- The entity creates test data using data masking software that replaces confidential information with test information prior to the creation of test databases.

C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.

Risk: Unauthorized access to confidential information is obtained during processing.
Illustrative controls:
- Access to data is restricted to authorized applications through access control software. Access rules are created and maintained by information security personnel during the application development process.
- Logical access other than through the authorized application is restricted to administrators through database management system native security. Creation and modification of access control records for the database management systems occurs through the access provisioning process.
- Application-level security restricts the ability to access, modify, and delete data to authenticated users who have been granted access through a record in the access control list. Creation and modification of access control records occurs through the access provisioning process.

Risk: Unauthorized access to confidential information in output is obtained after processing.
Illustrative controls:
- Application security restricts output to approved roles or user IDs.

TSP 100A.19 2016, AICPA


Security, Availability, Processing Integrity, Confidentiality, and Privacy 213

Illustrative
Criteria Risks Controls
Output containing
sensitive information
is printed at the secure
print facility and is
marked with the
legend "Confidential."
Paper forms are
physically secured
after data entry.
Physical access is
restricted to storage
clerks.
C1.3 Access to Confidential Application security
confidential information restricts output to
information from transmitted beyond approved user IDs.
outside the the boundaries of
boundaries of the the system is
system and provided to
disclosure of unauthorized user
confidential entity personnel.
information is
restricted to
authorized parties
in accordance with
confidentiality
commitments and
requirements.
Transmission of digital
output beyond the
boundary of the system
occurs through the use
of authorized software
supporting the
advanced encryption
standard (AES).
Logical access to stored
data is restricted to
application and
database
administrators.
Data is stored in
encrypted format using
software supporting
the AES.

(continued)

2016, AICPA TSP 100A.19


214 Trust Services Principles and Criteria

Illustrative
Criteria Risks Controls
Confidential Application security
information is restricts output to
transmitted to approved user IDs.
related parties,
vendors, or other
approved parties
contravening
confidentiality
commitments.
Transmission of digital
output beyond the
boundary of the system
occurs through the use
authorized software
supporting the
advanced encryption
standard.
C1.4 The entity obtains Related party and Formal information
confidentiality vendor personnel sharing agreements
commitments that are unaware of the are in place with
are consistent with entity's related parties and
the entity's confidentiality vendors. These
confidentiality commitments. agreements include
requirements, confidentiality
from vendors and commitments
other third parties applicable to that
whose products entity. Agreement
and services terms include
comprise part of requirements for
the system and marking and
have access to identifying data as
confidential confidential, handling
information. standards for
confidential data in the
custody of related
parties and vendors,
and return and
disposal of confidential
information when no
longer required.
Requirements for Formal information
handling of sharing agreements
confidential are in place with
information are not related parties and
communicated to vendors. These
and agreed to by agreements include
related parties and confidentiality
vendors. commitments
applicable to that
entity.

TSP 100A.19 2016, AICPA


Security, Availability, Processing Integrity, Confidentiality, and Privacy 215

Illustrative
Criteria Risks Controls
C1.5 Compliance with Related party and Related party and
confidentiality vendor systems are vendor systems are
commitments and not suitably subject to review as
requirements by designed or part of the vendor risk
vendors and others operating effectively management process.
third parties to comply with Attestation reports
whose products confidentiality (SOC 2 reports) are
and services commitments. obtained and
comprise part of evaluated when
the system is available. Site visits
assessed on a and other procedures
periodic and are performed based
as-needed basis on the entity's vendor
and corrective management criteria.
action is taken, if
necessary.
C1.6 Changes to Confidentiality The chief information
confidentiality practices and security officer is
commitments and commitments are responsible for changes
requirements are changed without the to confidentiality
communicated to knowledge or ascent practices and
internal and of user entities. commitments. A
external users, formal process is used
vendors, and other to communicate these
third parties changes to users,
whose products related parties, and
and services are vendors.
included in the
system.
Confidentiality The chief information
practices and security officer is
commitments are responsible for changes
changed without the to confidentiality
knowledge of related practices and
parties or vendors commitments. A
resulting in their formal process is used
systems not to communicate these
complying with the changes to users,
required practices related parties, and
and not meeting the vendors.
commitments.
Related party and
vendor agreements are
modified to reflect
changes in
confidentiality
practices and
commitments.

(continued)

2016, AICPA TSP 100A.19


216 Trust Services Principles and Criteria

Illustrative
Criteria Risks Controls
Related party and
vendor systems are
subject to review as
part of the vendor risk
management process.
Attestation reports
(SOC 2 reports) are
obtained and
evaluated when
available. Site visits
and other procedures
are performed based
on the entity's vendor
management criteria.
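The C1.1 illustrative control depends on masking software that replaces confidential values before a test database is built. The following Python script is an added example of such a masking step and is not part of the AICPA criteria or any vendor's product; it pseudonymizes confidential columns with a keyed HMAC so the masked copy stays consistent across rows and tables, preserves field layouts, and ends with a check that no source value survived. The column names, masking policy and sample rows are constructed for the illustration.

```python
"""Deterministic data masking for nonproduction databases.

Added illustration of the C1.1 control (test data created by masking
confidential values before test databases are built); not AICPA code.
Column names, policy and sample rows are constructed for this example.
"""
import hashlib
import hmac
import re
import secrets
from typing import Callable, Dict, List

# Constructed sample "production" rows (no real people).  Row 3 repeats the
# customer from row 1 so that consistency of the masking can be checked.
PRODUCTION_ROWS: List[dict] = [
    {"customer_id": 1001, "name": "Ada Example", "email": "ada@corp-example.test",
     "ssn": "123-45-6789", "balance": 2500.00},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@corp-example.test",
     "ssn": "987-65-4321", "balance": 10.50},
    {"customer_id": 1003, "name": "Ada Example", "email": "ada@corp-example.test",
     "ssn": "123-45-6789", "balance": 75.25},
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _prf(key: bytes, field: str, value: str) -> bytes:
    """Keyed, field-separated pseudo-random function (HMAC-SHA256).

    The same (key, field, value) always yields the same digest, so joins
    between masked tables still work, while someone holding only the test
    database cannot invert the digest to recover the source value.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def mask_ssn(key: bytes, ssn: str) -> str:
    """Replace an SSN with a synthetic one in the same NNN-NN-NNNN layout."""
    digits = "".join(str(b % 10) for b in _prf(key, "ssn", ssn)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_email(key: bytes, email: str) -> str:
    """Replace an address with an opaque local part on a reserved domain."""
    token = _prf(key, "email", email.strip().lower())[:8].hex()
    return f"user-{token}@example.com"


def mask_name(key: bytes, name: str) -> str:
    """Replace a person's name with a clearly synthetic placeholder."""
    return "Test Person " + _prf(key, "name", name)[:4].hex()


# A masking policy maps each confidential column to the function that masks
# it; columns not in the policy (ids, amounts) are copied unchanged so the
# test data still exercises the application's logic.
MaskPolicy = Dict[str, Callable[[bytes, str], str]]
DEFAULT_POLICY: MaskPolicy = {"name": mask_name, "email": mask_email, "ssn": mask_ssn}


def mask_row(key: bytes, row: dict, policy: MaskPolicy = DEFAULT_POLICY) -> dict:
    """Return a copy of one row with every policy column masked."""
    masked = dict(row)
    for field, masker in policy.items():
        if masked.get(field) is not None:
            masked[field] = masker(key, str(masked[field]))
    return masked


def mask_dataset(key: bytes, rows: List[dict],
                 policy: MaskPolicy = DEFAULT_POLICY) -> List[dict]:
    """Mask every row; the source rows are left untouched."""
    return [mask_row(key, row, policy) for row in rows]


def leaked_values(source_rows: List[dict], masked_rows: List[dict],
                  policy: MaskPolicy = DEFAULT_POLICY) -> set:
    """Verification step before the test database is handed over: return any
    confidential source value that still appears anywhere in the masked rows."""
    originals = {str(r[f]) for r in source_rows for f in policy if r.get(f) is not None}
    return {str(v) for r in masked_rows for v in r.values() if str(v) in originals}


if __name__ == "__main__":
    # The key stays on the production side and is never shipped with the
    # test database; with the key, the mapping could be rebuilt by guessing.
    key = secrets.token_bytes(32)
    test_rows = mask_dataset(key, PRODUCTION_ROWS)
    for row in test_rows:
        print(row)
    assert leaked_values(PRODUCTION_ROWS, test_rows) == set()
```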

.20

Appendix C: Generally Accepted Privacy Principles

[Notice to Readers: The criteria for the trust services privacy principle are currently under revision. These criteria are being revised separately from the trust services principles and criteria for security, availability, processing integrity, and confidentiality. Accordingly, until the criteria for the trust service privacy principle are finalized, the 2009 version of the generally accepted privacy principles contained in this appendix should be used.]

Generally Accepted Privacy Principles
August 2009

Foreword
The AICPA and the Canadian Institute of Chartered Accountants (CICA) strongly believe that privacy is a business issue. Considering what organizations face when trying to address privacy issues, we quickly concluded that businesses did not have a comprehensive framework to manage their privacy risks effectively. The institutes decided that they could provide a significant contribution by developing a privacy framework that would address the needs of all of the parties affected by privacy requirements or expectations. Therefore, the institutes developed a privacy framework called AICPA and CICA Generally Accepted Privacy Principles. The institutes are making these principles and criteria widely available to all parties interested in addressing privacy issues.
These principles and criteria were developed and updated by volunteers who considered both current international privacy regulatory requirements and best practices. These principles and criteria were issued following the due process procedures of both institutes, which included exposure for public comment. The adoption of these principles and criteria is voluntary.
An underlying premise to these principles is that good privacy is good business. Good privacy practices are a key component of corporate governance and accountability. One of today's key business imperatives is maintaining the privacy of personal information collected and held by an organization. As business systems and processes become increasingly complex and sophisticated, growing amounts of personal information are being collected. Because more data is being collected and held, most often in electronic format, personal information may be at risk to a variety of vulnerabilities, including loss, misuse, unauthorized access, and unauthorized disclosure. Those vulnerabilities raise concerns for organizations, governments, individuals, and the public in general.
For organizations operating in a multijurisdictional environment, managing privacy risk can be an even more significant challenge. Adherence to generally accepted privacy principles does not guarantee compliance with all laws and regulations to which an organization is subject. Organizations need to be aware of the significant privacy requirements in all of the jurisdictions in which they do business. Although this framework provides guidance on privacy in general, organizations should consult their own legal counsel to obtain advice and guidance on particular laws and regulations governing an organization's specific situation.
With these issues in mind, the AICPA and CICA developed Generally Accepted Privacy Principles to be used as an operational framework to help management address privacy in a manner that takes into consideration many local, national, or international requirements. The primary objective is to facilitate privacy compliance and effective privacy management. The secondary objective is to provide suitable criteria against which a privacy attestation engagement (usually referred to as a privacy audit) can be performed.
Generally Accepted Privacy Principles represents the AICPA and CICA contribution to aid organizations in maintaining the effective management of privacy risk, recognizing the needs of organizations, and reflecting the public interest. Additional history about the development and additional privacy resources can be found online at www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/PRIVACY/Pages/default.aspx and www.cica.ca/privacy. Generally Accepted Privacy Principles can be downloaded from the AICPA and the CICA websites, at www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/PRIVACY/Pages/default.aspx and www.cica.ca/privacy, respectively.
Because the privacy environment is constantly changing, Generally Accepted Privacy Principles will need to be revised from time to time; accordingly, please forward any comments about this document by e-mail to the AICPA (GAPP@aicpa.org) or the CICA (privacy@cica.ca).
AICPA
CICA

Privacy: An Introduction to Generally Accepted Privacy Principles

Introduction
Many organizations find challenges in managing privacy¹ on local, national, or international bases. Most are faced with a number of differing privacy laws and regulations whose requirements need to be operationalized.
Generally Accepted Privacy Principles (GAPP) has been developed from a business perspective, referencing some, but by no means all, significant local, national, and international privacy regulations. GAPP operationalizes complex privacy requirements into a single privacy objective that is supported by 10 privacy principles. Each principle is supported by objective, measurable criteria that form the basis for effective management of privacy risk and compliance in an organization. Illustrative policy requirements, communications, and controls, including monitoring controls, are provided as support for the criteria.
GAPP can be used by any organization as part of its privacy program. GAPP has been developed to help management create an effective privacy program that addresses privacy risks and obligations, and business opportunities. It can also be a useful tool to boards and others charged with governance and providing oversight. This introduction includes a definition of privacy and an explanation of why privacy is a business issue and not solely a compliance issue. Also illustrated is how these principles can be applied to outsourcing scenarios and the potential types of privacy initiatives that can be undertaken for the benefit of organizations and their customers.
This introduction and the set of privacy principles and related criteria that follow will be useful to those who
• oversee and monitor privacy and security programs.
• implement and manage privacy in an organization.
• implement and manage security in an organization.
• oversee and manage risks and compliance in an organization.
• assess compliance and audit privacy and security programs.
• regulate privacy.

¹ The first occurrence of each word contained in the glossary is linked to the top of the glossary.
Why Privacy Is a Business Issue
Good privacy is good business. Good privacy practices are a key part of corporate governance and accountability. One of today's key business imperatives is maintaining the privacy of personal information. As business systems and processes become increasingly complex and sophisticated, organizations are collecting growing amounts of personal information. As a result, personal information is vulnerable to a variety of risks, including loss, misuse, unauthorized access, and unauthorized disclosure. Those vulnerabilities raise concerns for organizations, governments, and the public in general.
Organizations are trying to strike a balance between the proper collection and use of their customers' personal information. Governments are trying to protect the public interest and, at the same time, manage their cache of personal information gathered from citizens. Consumers are very concerned about their personal information, and many believe they have lost control of it. Furthermore, the public has a significant concern about identity theft and inappropriate access to personal information, especially financial and medical records, and information about children.
Individuals expect their privacy to be respected and their personal information to be protected by the organizations with which they do business. They are no longer willing to overlook an organization's failure to protect their privacy. Therefore, all businesses need to effectively address privacy as a risk management issue. The following are specific risks of having inadequate privacy policies and procedures:
• Damage to the organization's reputation, brand, or business relationships
• Legal liability and industry or regulatory sanctions
• Charges of deceptive business practices
• Customer or employee distrust
• Denial of consent by individuals to have their personal information used for business purposes
• Lost business and consequential reduction in revenue and market share
• Disruption of international business operations
• Liability resulting from identity theft

International Privacy Considerations
For organizations operating in more than one country, the management of their privacy risk can be a significant challenge.
For example, the global nature of the Internet and business means regulatory actions in one country may affect the rights and obligations of individual users and customers around the world. Many countries have laws regulating transborder data flow, including the European Union's (EU) directives on data protection and privacy, with which an organization must comply if it wants to do business in those countries. Therefore, organizations need to comply with changing privacy requirements around the world. Further, different jurisdictions have different privacy philosophies, making international compliance a complex task. To illustrate this, some countries view personal information as belonging to the individual and take the position that the enterprise has a fiduciary-like relationship when collecting and maintaining such information. Alternatively, other countries view personal information as belonging to the enterprise that collects it.
In addition, organizations are challenged to try and stay up to date with the requirements for each country in which they do business. By adhering to a high global standard, such as those set out in this document, compliance with many regulations will be facilitated.
Even organizations with limited international exposure often face issues of compliance with privacy requirements in other countries. Many of these organizations are unsure how to address often stricter overseas regulations. This increases the risk that an organization inadvertently could commit a breach that becomes an example to be publicized by the offended host country.
Furthermore, many local jurisdictions (such as states or provinces) and certain industries, such as healthcare or banking, have specific requirements related to privacy.

Outsourcing and Privacy
Outsourcing increases the complexity of dealing with privacy. An organization may outsource a part of its business process and, with it, some responsibility for privacy; however, the organization cannot outsource its ultimate responsibility for privacy for its business processes. Complexity increases when the entity that performs the outsourced service is in a different country and may be subject to different privacy laws or perhaps no privacy requirements at all. In such circumstances, the organization that outsources a business process will need to ensure it manages its privacy responsibilities appropriately.
GAPP and its supporting criteria can assist an organization in completing assessments (including independent examinations) about the privacy policies, procedures, and practices of the third party providing the outsourced services. The fact that these principles and criteria have global application can provide comfort to an outsourcer that privacy assessments can be undertaken using a consistent measurement based on internationally known fair information practices.
What Is Privacy?
Privacy Definition

Privacy is defined in Generally Accepted Privacy Principles as "the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information."

Personal Information
Personal information (sometimes referred to as personally identifiable information) is information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Individuals, for this purpose, include prospective, current, and former customers, employees, and others with whom the entity has a relationship. Most information collected by an organization about an individual is likely to be considered personal information if it can be attributed to an identified individual. Some examples of personal information are as follows:
• Name
• Home or e-mail address
• Identification number (for example, a Social Security or Social Insurance Number)
• Physical characteristics
• Consumer purchase history
Some personal information is considered sensitive. Some laws and regulations define the following to be sensitive personal information:
• Information on medical or health conditions
• Financial information
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Sexual preferences
• Information related to offenses or criminal convictions
Sensitive personal information generally requires an extra level of protection and a higher duty of care. For example, some jurisdictions may require explicit consent rather than implicit consent for the collection and use of sensitive information.
Some information about or related to people cannot be associated with specific individuals. Such information is referred to as nonpersonal information. This includes statistical or summarized personal information for which the identity of the individual is unknown or linkage to the individual has been removed. In such cases, the individual's identity cannot be determined from the information that remains because the information is deidentified or anonymized. Nonpersonal information ordinarily is not subject to privacy protection because it cannot be linked to an individual. However, some organizations may still have obligations over nonpersonal information due to other regulations and agreements (for example, clinical research and market research).

Privacy or Confidentiality?
Unlike personal information, which is often defined by law or regulation, no single definition of confidential information exists that is widely recognized. In the course of communicating and transacting business, partners often exchange information or data that one or the other party requires be maintained on a "need to know" basis. Examples of the kinds of information that may be subject to a confidentiality requirement include the following:
• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Revenue by client and industry
Also, unlike personal information, rights of access to confidential information to ensure its accuracy and completeness are not clearly defined. As a result, interpretations of what is considered to be confidential information can vary significantly from organization to organization and, in most cases, are driven by contractual arrangements. For additional information on criteria for confidentiality, refer to the AICPA and CICA Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (see www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/TRUSTSERVICES/Pages/default.aspx or www.webtrust.org).
Introducing Generally Accepted Privacy Principles
GAPP is designed to assist management in creating an effective privacy program that addresses their privacy obligations, risks, and business opportunities.
The privacy principles and criteria are founded on key concepts from significant local, national, and international privacy laws, regulations, guidelines,² and good business practices. By using GAPP, organizations can proactively address the significant challenges that they face in establishing and managing their privacy programs and risks from a business perspective. GAPP also facilitates the management of privacy risk on a multijurisdictional basis.

Overall Privacy Objective
The privacy principles and criteria are founded on the following privacy objective.

Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.

Generally Accepted Privacy Principles
The privacy principles are essential to the proper protection and management of personal information. They are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and recognized good privacy practices.

² For example, the Organisation for Economic Co-operation and Development has issued Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the European Union has issued Directive on Data Privacy (Directive 95/46/EC). In addition, the United States has enacted the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act. Canada has enacted the Personal Information Protection and Electronic Documents Act and Australia has enacted the Australian Privacy Act of 1988, as amended in 2001. A chart comparing these international privacy concepts with generally accepted privacy principles can be found online at www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/PRIVACY/Pages/default.aspx. Compliance with this set of generally accepted privacy principles and criteria may not necessarily result in compliance with applicable privacy laws and regulations, and entities should seek appropriate legal advice regarding compliance with any laws and regulations.
The following are the 10 generally accepted privacy principles:
1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related complaints and disputes.
For each of the 10 privacy principles, relevant, objective, complete, and measurable criteria have been specified to guide the development and evaluation of an entity's privacy policies, communications, and procedures and controls. Privacy policies are written statements that convey management's intent, objectives, requirements, responsibilities, and standards. Communications refers to the organization's communication to individuals, internal personnel, and third parties about its privacy notice and its commitments therein and other relevant information. Procedures and controls are the other actions the organization takes to achieve the criteria.

Using GAPP
GAPP can be used by organizations for the following:
• Designing, implementing, and communicating privacy policy
• Establishing and managing privacy programs
• Monitoring and auditing privacy programs
• Measuring performance and benchmarking
Establishing and managing a privacy program involves the following activities:
• Strategizing. Performing privacy strategic and business planning.
• Diagnosing. Performing privacy gap and risk analyses.
• Implementing. Developing, documenting, introducing, and institutionalizing the program's action plan, including establishing controls over personal information.
• Sustaining and managing. Monitoring activities of a privacy program.
• Auditing. Internal or external auditors evaluating the organization's privacy program.
The following table summarizes and illustrates how GAPP can be used by an organization to address these business activities.

Activity; General Discussion; Potential Use of Generally Accepted Privacy Principles

Strategizing
General Discussion:
Vision. An entity's strategy is concerned with its long-term direction and prosperity. The vision identifies the entity's culture and helps shape and determine how the entity will interact with its external environment, including customers, competitors, and legal, social, and ethical issues.
Strategic Planning. This is an entity's overall master plan, encompassing its strategic direction. Its objective is to ensure that the entity's efforts are all headed in a common direction. The strategic plan identifies the entity's long-term goals and major issues for becoming privacy compliant.
Resource Allocation. This step identifies the human, financial, and other resources allocated to achieve the goals and objectives set forth in the strategic plan or business plan.
Potential Use of Generally Accepted Privacy Principles:
Vision. Within an entity's privacy effort, establishing the vision helps the entity integrate preferences and prioritize goals.
Strategic Planning. Within an entity's privacy effort, Generally Accepted Privacy Principles (GAPP) can be used to assist the organization in identifying significant components that need to be addressed.
Resource Allocation. Using GAPP, the entity would identify the people working with and responsible for areas that might include systems management, privacy and security concerns, and stipulate the resourcing for their activities.
Overall Strategy. A strategic document describes expected or intended future development. GAPP can assist an entity in clarifying plans for the systems under consideration or for the business's privacy objectives. The plan identifies the process to achieve goals and milestones. It also provides a mechanism to communicate critical implementation elements, including details on services, budgets, development costs, promotion, and privacy advertising.

Diagnosing
General Discussion: This stage, often referred to as the assessment phase, encompasses a thorough analysis of the entity's environment, identifying opportunities where weaknesses, vulnerability, and threats exist. The most common initial project for an organization is a diagnostic assessment. The purpose of such an assessment is to evaluate the entity against its privacy goals and objectives and determine to what extent the organization is achieving those goals and objectives.
Potential Use of Generally Accepted Privacy Principles: GAPP can assist the entity in understanding its high-level risks, opportunities, needs, privacy policy and practices, competitive pressures, and the requirements of the relevant laws and regulations to which the entity is subject. GAPP provides a legislative neutral benchmark to allow the entity to assess the current state of privacy against the desired state.

Implementing
General Discussion: At this point, an action plan is mobilized or a diagnostic recommendation is put into effect, or both. Implementing involves developing and documenting a privacy program and action plan and the execution of all planned and other tasks necessary to make the action plan operational. It includes defining who will perform what tasks, assigning responsibilities, and establishing schedules and milestones. This involves the planning and implementation of a series of planned projects to provide guidance, direction, methodology, and tools to the organization in developing its initiatives.
Potential Use of Generally Accepted Privacy Principles: GAPP can assist the entity in meeting its implementation goals. At the completion of the implementation phase, the entity should have developed the following deliverables:
• Systems, procedures, and processes to address the privacy requirements
• Updated privacy compliant forms, brochures, and contracts
• Internal and external privacy awareness programs

Sustaining and managing
General Discussion: Sustaining and managing involves monitoring the work to identify how progress differs from the action plan in time to initiate corrective action. Monitoring refers to the management policies, processes, and supporting technology to ensure compliance with organizational privacy policies and procedures and the ability to exhibit due diligence.
Potential Use of Generally Accepted Privacy Principles: The entity can use GAPP to develop appropriate reporting criteria for monitoring requests for information, the sources used to compile the information and the information actually disclosed. It can also be used for determining validation procedures to ensure that the parties to whom the information was disclosed are entitled to receive that information.

Internal privacy audit
General Discussion: Internal auditors provide objective assurance and consulting services designed to add value and improve an entity's operations. They help an entity accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Potential Use of Generally Accepted Privacy Principles: Internal auditors can evaluate an entity's privacy program and controls using GAPP as a benchmark and provide useful information and reporting to management.

External privacy audit
General Discussion: External auditors, notably certified public accountants (CPAs) and chartered accountants (CAs), can perform attestation and assurance services. Generally, these services, whether performed on financial and nonfinancial information, build trust and confidence for individuals, management, customers, business partners, and other users.
Potential Use of Generally Accepted Privacy Principles: An external auditor can evaluate an entity's privacy program and controls in accordance with GAPP and provide reports useful to individuals, management, customers, business partners, and other users.

Presentation of Generally Accepted Privacy Principles and Criteria

Under each principle, the criteria are presented in a three column format. The first column contains the measurement criteria. The second column contains illustrative controls and procedures, which are designed to provide examples and enhance the understanding of how the criteria might be applied. The illustrations are not intended to be comprehensive, nor are any of the illustrations required for an entity to have met the criteria. The third column contains additional considerations, including supplemental information such as good privacy practices and selected requirements of specific laws and regulations that may pertain to a certain industry or country.

Some of the criteria may not be directly applicable to some organizations or some processes. When a criterion is considered not applicable, the entity should consider justifying that decision to support future evaluation.

These principles and criteria provide a basis for designing, implementing, maintaining, evaluating, and auditing a privacy program to meet an entity's needs.
Generally Accepted Privacy Principles and Criteria

Management

(Columns: Ref. / Management Criteria / Illustrative Controls and Procedures / Additional Considerations)

1.0 The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

1.1 Policies and Communications

1.1.0 Privacy Policies
Criteria: The entity defines and documents its privacy policies with respect to the following:
a. Notice (See 2.1.0)
b. Choice and consent (See 3.1.0)
c. Collection (See 4.1.0)
d. Use, retention, and disposal (See 5.1.0)
e. Access (See 6.1.0)
f. Disclosure to third parties (See 7.1.0)
g. Security for privacy (See 8.1.0)
h. Quality (See 9.1.0)
i. Monitoring and enforcement (See 10.1.0)
Illustrative Controls and Procedures: Privacy policies are documented in writing and made readily available to internal personnel and third parties who need them.

1.1.1 Communication to Internal Personnel
Criteria: Privacy policies and the consequences of noncompliance with such policies are communicated, at least annually, to the entity's internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved.
Illustrative Controls and Procedures: The entity
- periodically communicates to internal personnel (for example, on a network or a website) relevant information about the entity's privacy policies. Changes to its privacy policies are communicated shortly after approval.
- requires internal personnel to confirm (initially and periodically) their understanding of the entity's privacy policies and their agreement to comply with them.
Additional Considerations: Privacy policies (as used herein) include security policies relevant to the protection of personal information.

1.1.2 Responsibility and Accountability for Policies
Criteria: Responsibility and accountability are assigned to a person or group for developing, documenting, implementing, enforcing, monitoring, and updating the entity's privacy policies. The names of such person or group and their responsibilities are communicated to internal personnel.
Illustrative Controls and Procedures: The entity assigns responsibility for privacy policies to a designated person, such as a corporate privacy officer. (Those assigned responsibility for privacy policies may be different from those assigned for other policies, such as security.) The responsibility, authority, and accountability of the designated person or group are clearly documented. Responsibilities include the following:
- Establishing with management the standards used to classify the sensitivity of personal information and to determine the level of protection required
- Formulating and maintaining the entity's privacy policies
- Monitoring and updating the entity's privacy policies
- Delegating authority for enforcing the entity's privacy policies
- Monitoring the degree of compliance and initiating action to improve the training or clarification of policies and practices
A committee of the board of directors includes privacy periodically in its regular review of overall corporate governance.
Additional Considerations: The individual identified as being accountable for privacy should be from within the entity.
1.2 Procedures and Controls

1.2.1 Review and Approval
Criteria: Privacy policies and procedures, and changes thereto, are reviewed and approved by management.
Illustrative Controls and Procedures: Privacy policies and procedures are
- reviewed and approved by senior management or a management committee.
- reviewed at least annually and updated as needed.
1.2.2 Consistency of Privacy Policies and Procedures With Laws and Regulations
Criteria: Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.
Illustrative Controls and Procedures: Corporate counsel or the legal department
- determines which privacy laws and regulations are applicable in the jurisdictions in which the entity operates.
- identifies other standards applicable to the entity.
- reviews the entity's privacy policies and procedures to ensure they are consistent with the applicable laws, regulations, and appropriate standards.
Additional Considerations: In addition to legal and regulatory requirements, some entities may elect to comply with certain standards, such as those published by the International Organization for Standardization (ISO), or may be required to comply with certain standards, such as those published by the payment card industry, as a condition of doing business. Entities may include such standards as part of this process.

1.2.3 Personal Information Identification and Classification
Criteria: The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Such information is covered by the entity's privacy and related security policies and procedures.
Illustrative Controls and Procedures: The entity has both an information classification policy and process, which include the following:
- A classification process, which identifies and classifies information into one or more of the following categories:
  - Business confidential
  - Personal information (sensitive and other personal information)
  - Business general
  - Public
- Identifying processes, systems, and third parties that handle personal information
- Specific security and privacy policies and procedures that apply to each category of information
1.2.4 Risk Assessment
Criteria: A risk assessment process is used to establish a risk baseline and to, at least annually, identify new or changed risks to personal information and to develop and update responses to such risks.
Illustrative Controls and Procedures: A process is in place to periodically identify the risks to the entity's personal information. Such risks may be external (such as loss of information by vendors or failure to comply with regulatory requirements) or internal (such as e-mailing unprotected sensitive information). When new or changed risks are identified, the privacy risk assessment and the response strategies are updated. The process considers factors such as experience with privacy incident management, the complaint and dispute resolution process, and monitoring activities.
Additional Considerations: Ideally, the privacy risk assessment should be integrated with the security risk assessment and be a part of the entity's overall enterprise risk management program. The board or a committee of the board should provide oversight and review of the privacy risk assessment.

1.2.5 Consistency of Commitments With Privacy Policies and Procedures
Criteria: Internal personnel or advisers review contracts for consistency with privacy policies and procedures and address any inconsistencies.
Illustrative Controls and Procedures: Both management and the legal department review all contracts and service-level agreements for consistency with the entity's privacy policies and procedures.
1.2.6 Infrastructure and Systems Management
Criteria: The potential privacy impact is assessed when new processes involving personal information are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification, and management of the following:
- Infrastructure
- Systems
- Applications
- Websites
- Procedures
- Products and services
- Databases and information repositories
- Mobile computing and other similar electronic devices
The use of personal information in process and system test and development is prohibited unless such information is anonymized or otherwise protected in accordance with the entity's privacy policies and procedures.
Illustrative Controls and Procedures: The following are used for addressing privacy impact:
- Management assesses the privacy impact of new and significantly changed products, services, business processes, and infrastructure.
- The entity uses a documented systems development and change management process for all information systems and related technology (including manual procedures, application programs, technology infrastructure, organizational structure, and the responsibilities of users and systems personnel) used to collect, use, retain, disclose, and destroy personal information.
- The entity assesses planned new systems and changes for their potential effect on privacy.
- Changes to system components are tested to minimize the risk of any adverse effect on the protection of personal information. All test data are anonymized. A controlled test database is maintained for full regression testing to ensure that changes to one program do not adversely affect other programs that process personal information.
- Procedures ensure the maintenance of integrity and protection of personal information during migration from old to new or changed systems.
- Documentation and approval by the privacy officer, security officer, business unit manager, and IT management are required before implementing the changes to systems and procedures that handle personal information, including those that may affect security. Emergency changes are required to maintain the same level of protection of personal information; however, they may be documented and approved on an after-the-fact basis.
- The IT function maintains a listing of all software that processes personal information and the respective level, version, and patches that have been applied.
- Procedures exist to provide that only authorized, tested, and documented changes are made to the system. Where computerized systems are involved, appropriate procedures are followed, such as the use of separate development, test, and production libraries to ensure that access to personal information is appropriately restricted.
- Personnel responsible for initiating or implementing new systems and changes, and users of new or revised processes and applications, are provided training and awareness sessions related to privacy.
- Specific roles and responsibilities are assigned related to privacy.
Additional Considerations: Some jurisdictions prohibit the use of personal information for test and development purposes unless it has been anonymized or otherwise protected to the same level required in its policies for production information.
1.2.7 Privacy Incident and Breach Management
Criteria: A documented privacy incident and breach management program has been implemented that includes, but is not limited to, the following:
- Procedures for the identification, management, and resolution of privacy incidents and breaches
- Defined responsibilities
- A process to identify incident severity and determine required actions and escalation procedures
- A process for complying with breach laws and regulations, including stakeholders breach notification, if required
- An accountability process for employees or third parties responsible for incidents or breaches with remediation, penalties, or discipline as appropriate
- A process for periodic review (at least on an annual basis) of actual incidents to identify necessary program updates based on the following:
  - Incident patterns and root cause
  - Changes in the internal control environment or external requirements (regulation or legislation)
- Periodic testing or walkthrough process (at least on an annual basis) and associated program remediation as needed
Illustrative Controls and Procedures: A formal, comprehensive privacy incident and breach management program has been implemented, which specifies the following:
- Incidents and breaches are reported to a member of the breach team, who assesses if it is privacy or security related, or both, classifies the severity of the incident, initiates required actions, and determines the required involvement by individuals who are responsible for privacy and security.
- The chief privacy officer (CPO) has the overall accountability for the program and is supported by the privacy and security steering committees and assisted by the breach team. Incidents and breaches that do not involve personal information are the responsibility of the chief security officer.
- The entity has a privacy breach notification policy, supported by (a) a process for identifying the notification and related requirements of other applicable jurisdictions relating to the data subjects affected by the breach, (b) a process for assessing the need for stakeholders breach notification, if required by law, regulation, or policy, and (c) a process for delivering the notice in a timely manner. The entity has agreements in place with a third party to manage the notification process and provide credit monitoring services for individuals, if needed.
- The program includes a clear escalation path, based on the type or severity, or both, of the incident, up to executive management, legal counsel, and the board. The program sets forth a process for contacting law enforcement, regulatory, or other authorities when necessary.
- Program training for new hires and team members, and awareness training for general staff, is conducted annually, when a significant change in the program is implemented, and after any major incident.
The privacy incident and breach management program also specifies the following:
- After any major privacy incident, a formal incident evaluation is conducted by internal audit or outside consultants.
- A quarterly review of actual incidents is conducted and required program updates are identified based on the following:
  - Incident root cause
  - Incident patterns
  - Changes in the internal control environment and legislation
- Results of the quarterly review are reported to the privacy steering committee and annually to the audit committee.
- Key metrics are defined, tracked, and reported to senior management on a quarterly basis.
- The program is tested at least every six months and shortly after the implementation of significant system or procedural changes.
Additional Considerations: Some entities may adopt a breach notification policy for consistent use across all jurisdictions in which they operate. By necessity, such a policy would, at a minimum, be based on the most comprehensive legal requirements in any such jurisdiction.

1.2.8 Supporting Resources
Criteria: Resources are provided by the entity to implement and support its privacy policies.
Illustrative Controls and Procedures: Management annually reviews the assignment of personnel, budgets, and allocation of other resources to its privacy program.
1.2.9 Qualifications of Internal Personnel
Criteria: The entity establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received needed training.
Illustrative Controls and Procedures: The qualifications of internal personnel responsible for protecting the privacy and security of personal information are ensured by procedures such as the following:
- Formal job descriptions (including responsibilities, educational and professional requirements, and organizational reporting for key privacy management positions)
- Hiring procedures (including the comprehensive screening of credentials, background checks, and reference checking) and formal employment and confidentiality agreements
- Performance appraisals (performed by supervisors, including assessments of professional development activities)

1.2.10 Privacy Awareness and Training
Criteria: A privacy awareness program about the entity's privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.
Illustrative Controls and Procedures: An interactive online privacy and security awareness course is required annually for all employees. New employees, contractors, and others are required to complete this course within the first month following employment in order to retain their access privileges.
In-depth training is provided which covers privacy and relevant security policies and procedures, legal and regulatory considerations, incident response, and related topics. Such training is
- required annually for all employees who have access to personal information or are responsible for protection of personal information.
- tailored to the employee's job responsibilities.
- supplemented by external training and conferences.
Attendance at the entity's privacy training and awareness courses is monitored. Training and awareness courses are reviewed and updated to reflect current legislative, regulatory, industry, and entity policy and procedure requirements.

1.2.11 Changes in Regulatory and Business Requirements
Criteria: For each jurisdiction in which the entity operates, the effect on privacy requirements from changes in the following factors is identified and addressed:
- Legal and regulatory
- Contracts, including service-level agreements
- Industry requirements
- Business operations and processes
- People, roles, and responsibilities
- Technology
Privacy policies and procedures are updated to reflect changes in requirements.
Illustrative Controls and Procedures: The entity has an ongoing process in place to monitor, assess, and address the effect on privacy requirements from changes in the following:
- Legal and regulatory environments
- Industry requirements (such as those for the Direct Marketing Association)
- Contracts, including service-level agreements with third parties (changes that alter the privacy and security related clauses in contracts are reviewed and approved by the privacy officer or legal counsel before they are executed)
- Business operations and processes
- People assigned responsibility for privacy and security matters
- Technology (prior to implementation)
Additional Considerations: Ideally, these procedures would be coordinated with the risk assessment process. The entity also should consider emerging and good practices, such as breach notification in jurisdictions where none is required.

Notice

(Columns: Ref. / Notice Criteria / Illustrative Controls and Procedures / Additional Considerations)

2.0 The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

2.1 Policies and Communications

2.1.0 Privacy Policies
Criteria: The entity's privacy policies address providing notice to individuals.
2.1.1 Communication to Individuals
Criteria: Notice is provided to individuals regarding the following privacy policies:
a. Purpose for collecting personal information
b. Choice and consent (See 3.1.1)
c. Collection (See 4.1.1)
d. Use, retention, and disposal (See 5.1.1)
e. Access (See 6.1.1)
f. Disclosure to third parties (See 7.1.1)
g. Security for privacy (See 8.1.1)
h. Quality (See 9.1.1)
i. Monitoring and enforcement (See 10.1.1)
If personal information is collected from sources other than the individual, such sources are described in the notice.
Illustrative Controls and Procedures: The entity's privacy notice
- describes the personal information collected, the sources of such information, and purposes for which it is collected.
- indicates the purpose for collecting sensitive personal information and whether such purpose is part of a legal requirement.
- describes the consequences, if any, of not providing the requested information.
- indicates that certain information may be developed about individuals, such as buying patterns.
- may be provided in various ways (for example, in a face-to-face conversation, on a telephone interview, on an application form or questionnaire, or electronically). However, written notice is the preferred method.
Additional Considerations: Notice also may describe situations in which personal information will be disclosed, such as the following:
- Certain processing for purposes of public security or defense
- Certain processing for purposes of public health or safety
- When allowed or required by law
The purpose described in the notice should be stated in such a manner that the individual can reasonably understand the purpose and how the personal information is to be used. Such purpose should be consistent with the business purpose of the entity and not overly broad. Consideration should be given to providing a summary level notice with links to more detailed sections of the policy.

2.2 Procedures and Controls

2.2.1 Provision of Notice
Criteria: Notice is provided to the individual about the entity's privacy policies and procedures (a) at or before the time personal information is collected, or as soon as practical thereafter, (b) at or before the entity changes its privacy policies and procedures, or as soon as practical thereafter, or (c) before personal information is used for new purposes not previously identified.
Illustrative Controls and Procedures: The privacy notice is
- readily accessible and available when personal information is first collected from the individual.
- provided in a timely manner (that is, at or before the time personal information is collected, or as soon as practical thereafter) to enable individuals to decide whether or not to submit personal information to the entity.
- clearly dated to allow individuals to determine whether the notice has changed since the last time they read it or since the last time they submitted personal information to the entity.
In addition, the entity
- tracks previous iterations of the entity's privacy policies and procedures.
- informs individuals of a change to a previously communicated privacy notice, for example, by posting the notification on the entity's website, by sending written notice via postal mail, or by sending an e-mail.
- documents that changes to privacy policies and procedures were communicated to individuals.
Additional Considerations: See 3.2.2, "Consent for New Purposes and Uses." Some regulatory requirements indicate that a privacy notice is to be provided on a periodic basis, for example, annually in the Gramm-Leach-Bliley Act (GLBA).

2.2.2 Entities and Activities Covered
Criteria: An objective description of the entities and activities covered by the privacy policies and procedures is included in the entity's privacy notice.
Illustrative Controls and Procedures: The privacy notice describes the particular entities, business segments, locations, and types of information covered, such as:
- Operating jurisdictions (legal and political)
- Business segments and affiliates
- Lines of business
- Types of third parties (for example, delivery companies and other types of service providers)
- Types of information (for example, information about customers and potential customers)
- Sources of information (for example, mail order or online)
The entity informs individuals when they might assume they are covered by the entity's privacy policies but, in fact, are no longer covered (for example, linking to another website that is similar to the entity's, or using services on the entity's premises provided by third parties).
2.2.3 Clear and Conspicuous
Criteria: The entity's privacy notice is conspicuous and uses clear language.
Illustrative Controls and Procedures: The privacy notice is
- in plain and simple language.
- appropriately labeled, easy to see, and not in unusually small print.
- linked to or displayed on the website at points of data collection.
- available in the national languages used on the site or in languages required by law.
Additional Considerations: If multiple notices are used for different subsidiaries or segments of an entity, similar formats are encouraged to avoid consumer confusion and allow consumers to identify any differences. Some regulations may contain specific information that a notice must contain. Illustrative notices are often available for certain industries and types of collection, use, retention, and disclosure.


Choice and Consent

(Columns: Ref. / Choice and Consent Criteria / Illustrative Controls and Procedures / Additional Considerations)

3.0 The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

3.1 Policies and Communications

3.1.0 Privacy Policies
Criteria: The entity's privacy policies address the choices available to individuals and the consent to be obtained.
3.1.1 Communication to Individuals
Criteria: Individuals are informed about (a) the choices available to them with respect to the collection, use, and disclosure of personal information, and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.
Illustrative Controls and Procedures: The entity's privacy notice describes, in a clear and concise manner, the following:
- The choices available to the individual regarding the collection, use, and disclosure of personal information
- The process an individual should follow to exercise these choices (for example, checking an opt out box to decline receiving marketing materials)
- The ability of, and process for, an individual to change contact preferences
- The consequences of failing to provide personal information required for a transaction or service
Individuals are advised of the following:
- Personal information not essential to the purposes identified in the privacy notice need not be provided.
- Preferences may be changed, and consent may be withdrawn at a later time, subject to legal or contractual restrictions and reasonable notice.
The type of consent required depends on the nature of the personal information and the method of collection (for example, an individual subscribing to a newsletter gives implied consent to receive communications from the entity).
Additional Considerations: Some laws and regulations (such as Principle 11, "Limits on disclosure of personal information," section 1 of the Australian Privacy Act of 1988) provide specific exemptions for the entity not to obtain the individual's consent. Examples of such situations include the following:
- The record keeper believes, on reasonable grounds, that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
- Use of the information for that other purpose is required or authorized by or under law.
3.1.2 Consequences of Denying or Withdrawing Consent
Criteria: When personal information is collected, individuals are informed of the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information for purposes identified in the notice.
Illustrative Controls and Procedures: At the time of collection, the entity informs individuals of the following:
- The consequences of refusing to provide personal information (for example, transactions may not be processed)
- The consequences of denying or withdrawing consent (for example, opting out of receiving information about products and services may result in not being made aware of sales promotions)
- How they will or will not be affected by failing to provide more than the minimum required personal information (for example, services or products will still be provided)
3.2 Procedures and
Controls
3.2.1 Implicit or Explicit Consent
Criteria: Implicit or explicit consent is obtained from the individual at or before the time personal information is collected or soon after. The individual's preferences expressed in his or her consent are confirmed and implemented.
Illustrative controls and procedures: The entity
- obtains and documents an individual's consent in a timely manner (that is, at or before the time personal information is collected or soon after).
- confirms an individual's preferences (in writing or electronically).
- documents and manages changes to an individual's preferences.
- ensures that an individual's preferences are implemented in a timely fashion.
- addresses conflicts in the records about an individual's preferences by providing a process for users to notify and challenge a vendor's interpretation of their contact preferences.
- ensures that the use of personal information, throughout the entity and by third parties, is in accordance with an individual's preferences.

3.2.2 Consent for New Purposes and Uses
Criteria: If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the individual is notified, and implicit or explicit consent is obtained prior to such new use or purpose.
Illustrative controls and procedures: When personal information is to be used for a purpose not previously specified, the entity
- notifies the individual and documents the new purpose.
- obtains and documents consent or withdrawal of consent to use the personal information for the new purpose.
- ensures that personal information is being used in accordance with the new purpose or, if consent was withdrawn, not so used.
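Criteria 3.2.1 through 3.2.3 describe a record of consent that is append-only, reflects withdrawals and changed preferences, flags conflicting records for resolution with the individual, refuses use for purposes the notice never identified, and accepts only explicit consent for sensitive purposes. The following consent ledger is an added example of how such a record can be implemented and queried; it is not part of the AICPA criteria and not any entity's actual system. The purposes, the notion of a "sensitive" purpose, the individual identifiers, and the events are constructed for illustration.

```python
"""Consent ledger: records consent events per individual and purpose and
answers "may this personal information be used for this purpose?" from the
latest recorded decision. Added example; the purposes, identifiers and
events below are constructed, not drawn from the AICPA text."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes named in a hypothetical privacy notice; any other purpose is "new"
# and needs notice plus fresh consent before use (criterion 3.2.2).
NOTICE_PURPOSES = {"order_fulfilment", "marketing_email", "health_survey"}
# Purposes that involve sensitive information and so need explicit, opt-in
# consent rather than implied consent (criterion 3.2.3).
SENSITIVE_PURPOSES = {"health_survey"}


@dataclass(frozen=True)
class ConsentEvent:
    individual_id: str
    purpose: str
    granted: bool      # True = consent given, False = consent withdrawn
    kind: str          # "explicit" (checked a box, signed) or "implicit"
    at: datetime       # when the event was recorded (UTC)
    source: str        # evidence/channel, e.g. "web_form", "signed_form"


@dataclass
class ConsentLedger:
    events: list[ConsentEvent] = field(default_factory=list)

    def record(self, event: ConsentEvent) -> None:
        """Append-only: a change of preference is a new event, never an edit."""
        self.events.append(event)

    def history(self, individual_id: str, purpose: str) -> list[ConsentEvent]:
        return sorted(
            (e for e in self.events
             if e.individual_id == individual_id and e.purpose == purpose),
            key=lambda e: e.at,
        )

    def conflicts(self, individual_id: str, purpose: str) -> list[tuple[ConsentEvent, ConsentEvent]]:
        """Pairs of records at the same instant that disagree; these are
        resolved with the individual rather than by guessing (3.2.1)."""
        hist = self.history(individual_id, purpose)
        return [(a, b) for a, b in zip(hist, hist[1:])
                if a.at == b.at and a.granted != b.granted]

    def decision(self, individual_id: str, purpose: str) -> tuple[str, str]:
        """Return ("allowed" | "denied" | "conflict", reason)."""
        if purpose not in NOTICE_PURPOSES:
            return "denied", "purpose not in the privacy notice; notify the individual and obtain consent first"
        if self.conflicts(individual_id, purpose):
            return "conflict", "contradictory consent records; resolve with the individual"
        hist = self.history(individual_id, purpose)
        if not hist:
            return "denied", "no consent on record"
        latest = hist[-1]
        if not latest.granted:
            return "denied", f"consent withdrawn on {latest.at.date().isoformat()}"
        if purpose in SENSITIVE_PURPOSES and latest.kind != "explicit":
            return "denied", "sensitive purpose requires explicit (opt-in) consent"
        return "allowed", f"{latest.kind} consent on {latest.at.date().isoformat()} via {latest.source}"


def _ts(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample events for hypothetical individuals."""
    ledger = ConsentLedger()
    for ev in [
        # alice: subscribed via a web form (implied consent), later opted out of marketing
        ConsentEvent("alice", "order_fulfilment", True, "implicit", _ts(2016, 1, 5), "web_form"),
        ConsentEvent("alice", "marketing_email", True, "implicit", _ts(2016, 1, 5), "web_form"),
        ConsentEvent("alice", "marketing_email", False, "implicit", _ts(2016, 2, 10), "web_form"),
        # bob: only implied consent for a sensitive purpose, which is not enough
        ConsentEvent("bob", "health_survey", True, "implicit", _ts(2016, 3, 1), "web_form"),
        # carol: signed an opt-in form for the sensitive purpose
        ConsentEvent("carol", "health_survey", True, "explicit", _ts(2016, 3, 1), "signed_form"),
        # dave: call centre and web form recorded opposite answers at the same instant
        ConsentEvent("dave", "marketing_email", True, "implicit", _ts(2016, 4, 2), "call_center"),
        ConsentEvent("dave", "marketing_email", False, "implicit", _ts(2016, 4, 2), "web_form"),
    ]:
        ledger.record(ev)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for who, purpose in [("alice", "order_fulfilment"), ("alice", "marketing_email"),
                         ("alice", "credit_scoring"), ("bob", "health_survey"),
                         ("carol", "health_survey"), ("dave", "marketing_email")]:
        print(who, purpose, *ledger.decision(who, purpose))
```

Every use of personal information goes through `decision()`, so the check that use matches the individual's preference is made in one place rather than in each consuming system; the `conflict` outcome is deliberately not resolved by the code, because the criterion calls for a process in which the individual can challenge the entity's interpretation.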
3.2.3 Explicit Consent for Sensitive Information
Criteria: Explicit consent is obtained directly from the individual when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
Illustrative controls and procedures: The entity collects sensitive information only if the individual provides explicit consent. Explicit consent requires that the individual affirmatively agree, through some action, to the use or disclosure of the sensitive information. Explicit consent is obtained directly from the individual and documented, for example, by requiring the individual to check a box or sign a form. This is sometimes referred to as opt in.
Additional considerations: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Schedule 1, clause 4.3.6, states that an organization should generally seek explicit consent when the information is likely to be considered sensitive. Many jurisdictions prohibit the collection of sensitive data, unless specifically allowed. For example, in the EU member state of Greece, Article 7 of Greece's "Law on the protection of individuals with regard to the processing of personal data" states, "The collection and processing of sensitive data is forbidden." However, a permit to collect and process sensitive data may be obtained.
Some jurisdictions consider government-issued personal identifiers, for example, Social Security numbers or Social Insurance numbers, to be sensitive information.
3.2.4 Consent for Online Data Transfers To or From an Individual's Computer or Other Similar Electronic Devices
Criteria: Consent is obtained before personal information is transferred to or from an individual's computer or other similar device.
Illustrative controls and procedures: The entity requests customer permission to store, alter, or copy personal information (other than cookies) in the customer's computer or other similar electronic device. If the customer has indicated to the entity that it does not want cookies, the entity has controls to ensure that cookies are not stored on the customer's computer or other similar electronic device. Entities will not download software that will transfer personal information without obtaining permission.
Additional considerations: Consideration should be given to prevent or detect the introduction of software that is designed to mine or extract information from a computer or other similar electronic device and therefore may be used to extract personal information, for example, spyware.

Collection

4.0 The entity collects personal information only for the purposes
identified in the notice.
4.1 Policies and
Communications
4.1.0 Privacy Policies
Criteria: The entity's privacy policies address the collection of personal information.
Additional considerations: Some jurisdictions, such as some countries in Europe, require entities that collect personal information to register with their regulatory body.

4.1.1 Communication to Individuals
Criteria: Individuals are informed that personal information is collected only for the purposes identified in the notice.
Illustrative controls and procedures: The entity's privacy notice discloses the types of personal information collected, the sources and methods used to collect personal information, and whether information is developed or acquired about individuals, such as buying patterns.
4.1.2 Types of Personal Information Collected and Methods of Collection
Criteria: The types of personal information collected and the methods of collection, including the use of cookies or other tracking techniques, are documented and described in the privacy notice.
Illustrative controls and procedures: Types of personal information collected include the following:
- Financial (for example, financial account information)
- Health (for example, information about physical or mental status or history)
- Demographic (for example, age, income range, social geocodes)
Methods of collecting and third-party sources of personal information include the following:
- Credit reporting agencies
- Over the telephone
- Via the Internet using forms, cookies, or Web beacons
The entity's privacy notice discloses whether it uses cookies and Web beacons and how they are used. The notice also describes the consequences if the cookie is refused.
Additional considerations: Some jurisdictions, such as those in the EU, require that individuals have the opportunity to decline the use of cookies.

4.2 Procedures and
Controls
4.2.1 Collection Limited to Identified Purpose
Criteria: The collection of personal information is limited to that necessary for the purposes identified in the notice.
Illustrative controls and procedures: Systems and procedures are in place to
- specify the personal information essential for the purposes identified in the notice and differentiate it from optional personal information.
- periodically review the entity's program or service needs for personal information (for example, once every five years or when changes to the program or service are made).
- obtain explicit consent when sensitive personal information is collected (see 3.2.3, "Explicit Consent for Sensitive Information").
- monitor that the collection of personal information is limited to that necessary for the purposes identified in the privacy notice and that all optional data is identified as such.
4.2.2 Collection by Fair and Lawful Means
Criteria: Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.
Illustrative controls and procedures: The entity's management, privacy officer, and legal counsel review the methods of collection and any changes thereto.
Additional considerations: The following may be considered deceptive practices:
- To use tools, such as cookies and Web beacons, on the entity's website to collect personal information without providing notice to the individual
- To link information collected during an individual's visit to a website with personal information from other sources without providing notice to the individual
- To use a third party to collect information in order to avoid providing notice to individuals
Entities should consider legal and regulatory requirements in jurisdictions other than the one in which they operate (for example, an entity in Canada collecting personal information about Europeans may be subject to certain European legal requirements).
A review of complaints may help to identify whether unfair or unlawful practices exist.
4.2.3 Collection From Third Parties
Criteria: Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.
Illustrative controls and procedures: The entity
- performs due diligence before establishing a relationship with a third-party data provider.
- reviews the privacy policies, collection methods, and types of consents of third parties before accepting personal information from third-party data sources.
Additional considerations: Contracts include provisions requiring personal information to be collected fairly and lawfully and from reliable sources.
4.2.4 Information Developed about Individuals
Criteria: Individuals are informed if the entity develops or acquires additional information about them for its use.
Illustrative controls and procedures: The entity's privacy notice indicates that, if applicable, it may develop and acquire information about the individual using third-party sources, browsing, credit and purchasing history, and so on.

Use, Retention, and Disposal
5.0 The entity limits the use of personal information to the purposes
identified in the notice and for which the individual has provided
implicit or explicit consent. The entity retains personal
information for only as long as necessary to fulfill the stated
purposes or as required by law or regulations and thereafter
appropriately disposes of such information.
5.1 Policies and
Communications
5.1.0 Privacy Policies
Criteria: The entity's privacy policies address the use, retention, and disposal of personal information.
5.1.1 Communication to Individuals
Criteria: Individuals are informed that personal information is (a) used only for the purposes identified in the notice and only if the individual has provided implicit or explicit consent, unless a law or regulation specifically requires otherwise, (b) retained for no longer than necessary to fulfill the stated purposes, or for a period specifically required by law or regulation, and (c) disposed of in a manner that prevents loss, theft, misuse, or unauthorized access.
Illustrative controls and procedures: The entity's privacy notice describes the following uses of personal information, for example:
- Processing business transactions such as claims and warranties, payroll, taxes, benefits, stock options, bonuses, or other compensation schemes
- Addressing inquiries or complaints about products or services, or interacting during the promotion of products or services
- Product design and development, or purchasing of products or services
- Participation in scientific or medical research activities, marketing, surveys, or market analysis
- Personalization of websites or downloading software
- Legal requirements
- Direct marketing
The entity's privacy notice explains that personal information will be retained only as long as necessary to fulfill the stated purposes, or for a period specifically required by law or regulation, and thereafter will be disposed of securely or made anonymous so that it cannot be identified to any individual.
5.2 Procedures and
Controls
5.2.1 Use of Personal Information
Criteria: Personal information is used only for the purposes identified in the notice and only if the individual has provided implicit or explicit consent, unless a law or regulation specifically requires otherwise.
Illustrative controls and procedures: Systems and procedures are in place to ensure that personal information is used
- in conformity with the purposes identified in the entity's privacy notice.
- in agreement with the consent received from the individual.
- in compliance with applicable laws and regulations.
Additional considerations: Some regulations have specific provisions concerning the use of personal information. Examples are the GLBA, the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA).

5.2.2 Retention of Personal Information
Criteria: Personal information is retained for no longer than necessary to fulfill the stated purposes unless a law or regulation specifically requires otherwise.
Illustrative controls and procedures: The entity
- documents its retention policies and disposal procedures.
- retains, stores, and disposes of archived and backup copies of records in accordance with its retention policies.
- ensures personal information is not kept beyond the standard retention time unless a justified business or legal reason for doing so exists.
Contractual requirements are considered when establishing retention practices when they may be exceptions to normal policies.
Additional considerations: Some laws specify the retention period for personal information. For example, HIPAA has retention requirements on accounting for disclosures of personal health information: three years for electronic health records, and six years for nonelectronic health records. Other statutory record retention requirements may exist; for example, certain data may need to be retained for tax purposes or in accordance with employment laws.
5.2.3 Disposal, Destruction and Redaction of Personal Information
Criteria: Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.
Illustrative controls and procedures: The entity
- erases or destroys records in accordance with the retention policies, regardless of the method of storage (for example, electronic, optical media, or paper based).
- disposes of original, archived, backup and ad hoc or personal copies of records in accordance with its destruction policies.
- documents the disposal of personal information.
- within the limits of technology, locates and removes or redacts specified personal information about an individual as required, for example, removing credit card numbers after the transaction is complete.
- regularly and systematically destroys, erases, or makes anonymous personal information no longer required to fulfill the identified purposes or as required by laws and regulations.
Contractual requirements are considered when establishing disposal, destruction, and redaction practices if they may result in exception to the entity's normal policies.
Additional considerations: Consideration should be given to using the services of companies that provide secure destruction services for personal information. Certain of these companies will provide a certificate of destruction where needed.
Certain archiving techniques, such as DVDs, CDs, microfilm, or microfiche may not permit the removal of individual records without destruction of the entire database contained on such media.
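Criteria 5.2.2 and 5.2.3 together describe a scheduled pass over stored records that redacts data no longer needed (the card-number example), anonymizes or destroys records past their retention period, leaves alone records with a justified legal reason for retention, and documents each disposal. The following is an added example of such a pass, not part of the AICPA criteria and not any entity's actual procedure. The purposes, retention periods, the legal-hold list, the record layout and the sample records are all constructed assumptions.

```python
"""Retention and disposal pass over a record store: redacts card numbers once a
transaction is complete, anonymizes records past their retention period, keeps
records under legal hold, and writes a disposal log. Added example; the
purposes, retention periods, hold list and records are constructed."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Retention period per purpose, in days (hypothetical policy values).
RETENTION_DAYS = {"order": 365, "support_ticket": 180}
# Records that must be kept regardless of age (hypothetical litigation hold).
LEGAL_HOLD_IDS = {"order-1003"}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    created: date
    completed: bool                  # transaction or service finished?
    name: Optional[str]
    email: Optional[str]
    card_number: Optional[str]
    anonymized: bool = False


def redact_card(card: str) -> str:
    """Keep only the last four digits; every other digit becomes '*'."""
    digits = "".join(ch for ch in card if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def apply_retention(records: list[Record], today: date):
    """Return (updated records, disposal log). Each log entry is
    (date, record_id, action, reason) so that disposal is documented."""
    kept: list[Record] = []
    log: list[tuple[date, str, str, str]] = []
    for r in records:
        if r.anonymized:
            kept.append(r)  # nothing identifying left to dispose of
            continue
        if r.record_id in LEGAL_HOLD_IDS:
            kept.append(r)
            log.append((today, r.record_id, "retained", "legal hold overrides retention policy"))
            continue
        age = (today - r.created).days
        limit = RETENTION_DAYS[r.purpose]
        if age > limit:
            # Past retention: strip direct identifiers so the record can no
            # longer be linked to an individual, while aggregate data survives.
            kept.append(replace(r, name=None, email=None, card_number=None, anonymized=True))
            log.append((today, r.record_id, "anonymized", f"age {age}d exceeds {limit}d retention for {r.purpose}"))
            continue
        if r.completed and r.card_number and not r.card_number.startswith("*"):
            # Within retention, but the full card number is no longer needed.
            kept.append(replace(r, card_number=redact_card(r.card_number)))
            log.append((today, r.record_id, "redacted", "card number not needed after completed transaction"))
            continue
        kept.append(r)
    return kept, log


def sample_records() -> list[Record]:
    """Constructed sample store (hypothetical individuals and test card numbers)."""
    return [
        Record("order-1001", "order", date(2016, 6, 1), True, "A. Example", "a@example.com", "4111 1111 1111 1111"),
        Record("order-1002", "order", date(2015, 3, 1), True, "B. Example", "b@example.com", "5500 0000 0000 0004"),
        Record("order-1003", "order", date(2015, 1, 15), True, "C. Example", "c@example.com", "3400 0000 0000 009"),
        Record("ticket-2001", "support_ticket", date(2016, 5, 1), False, "D. Example", "d@example.com", None),
        Record("ticket-2002", "support_ticket", date(2015, 12, 1), True, "E. Example", "e@example.com", None),
    ]


def run_sample(today: date = date(2016, 6, 30)):
    """Run the pass over the sample store as of a fixed date."""
    kept, log = apply_retention(sample_records(), today)
    return {r.record_id: r for r in kept}, log


if __name__ == "__main__":
    by_id, log = run_sample()
    for entry in log:
        print(*entry)
```

The pass is idempotent (already-anonymized records and already-redacted card numbers are skipped), which matters because the criteria call for it to run regularly and systematically; the same logic has to be applied to archived and backup copies, which is the step most often missed in practice.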

Access
6.0 The entity provides individuals with access to their personal
information for review and update.
6.1 Policies and
Communications
6.1.0 Privacy Policies
Criteria: The entity's privacy policies address providing individuals with access to their personal information.
6.1.1 Communication to Individuals
Criteria: Individuals are informed about how they may obtain access to their personal information to review, update, and correct that information.
Illustrative controls and procedures: The entity's privacy notice
- explains how individuals may gain access to their personal information and any costs associated with obtaining such access.
- outlines the means by which individuals may update and correct their personal information (for example, in writing, by phone, by e-mail, or by using the entity's website).
- explains how disagreements related to personal information may be resolved.
6.2 Procedures and
Controls
6.2.1 Access by Individuals to Their Personal Information
Criteria: Individuals are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information.
Illustrative controls and procedures: Procedures are in place to
- determine whether the entity holds or controls personal information about an individual.
- communicate the steps to be taken to gain access to the personal information.
- respond to an individual's request on a timely basis.
- provide a copy of personal information, upon request, in printed or electronic form that is convenient to both the individual and the entity.
- record requests for access and actions taken, including denial of access and unresolved complaints and disputes.
Additional considerations: Some laws and regulations specify the following:
- Provisions and requirements for providing access to personal information (for example, HIPAA)
- Requirements that requests for access to personal information be submitted in writing
6.2.2 Confirmation of an Individual's Identity
Criteria: The identity of individuals who request access to their personal information is authenticated before they are given access to that information.
Illustrative controls and procedures: Employees are adequately trained to authenticate the identity of individuals before granting the following:
- Access to their personal information
- Requests to change sensitive or other personal information (for example, to update information such as address or bank details)
The entity
- does not use government-issued identifiers (for example, Social Security numbers or Social Insurance numbers) for authentication.
- mails information about a change request only to the address of record or, in the case of a change of address, to both the old and new addresses.
- requires that a unique user identification and password (or equivalent) be used to access user account information online.
Additional considerations: The extent of authentication depends on the type and sensitivity of personal information that is made available. Different techniques may be considered for the different channels, such as the following:
- Web
- Interactive voice response system
- Call center
- In person

6.2.3 Understandable Personal Information, Time Frame, and Cost
Criteria: Personal information is provided to the individual in an understandable form, in a reasonable timeframe, and at a reasonable cost, if any.
Illustrative controls and procedures: The entity
- provides personal information to the individual in a format that is understandable (for example, not in code, not in a series of numbers, not in overly technical language or other jargon), and in a form convenient to both the individual and the entity.
- makes a reasonable effort to locate the personal information requested and, if personal information cannot be found, keeps sufficient records to demonstrate that a reasonable search was made.
- takes reasonable precautions to ensure that personal information released does not identify another person, directly or indirectly.
- provides access to personal information in a timeframe that is similar to the entity's normal response times for other business transactions, or as permitted or required by law.
- provides access to personal information in archived or backup systems and media.
- informs individuals of the cost of access at the time the access request is made or as soon as practicable thereafter.
- charges the individual for access to personal information at an amount, if any, which is not excessive in relation to the entity's cost of providing access.
- provides an appropriate physical space to inspect personal information.
Additional considerations: Entities may provide individuals with access to their personal information at no cost or at a minimal cost because of the potential business and customer-relationship benefits, as well as the opportunity to enhance the quality of the information.

6.2.4 Denial of Access
Criteria: Individuals are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity's legal right to deny such access, if applicable, and the individual's right, if any, to challenge such denial, as specifically permitted or required by law or regulation.
Illustrative controls and procedures: The entity
- outlines the reasons why access to personal information may be denied.
- records all denials of access and unresolved complaints and disputes.
- provides the individual with partial access in situations in which access to some of his or her personal information is justifiably denied.
- provides the individual with a written explanation about why access to personal information is denied.
- provides a formal escalation (appeal) process if access to personal information is denied.
- conveys the entity's legal rights and the individual's right to challenge, if applicable.
Additional considerations: Some laws and regulations (for example, Principle 5, "Information relating to records kept by record-keeper," point 2 of the Australian Privacy Act of 1988, and PIPEDA, Sections 8.(4), 8.(5), 8.(7), 9, 10, and 28) specify the situations in which access can be denied, the process to be followed (such as notifying the customer of the denial in writing within 30 days), and potential penalties or sanctions for lack of compliance.
6.2.5 Updating or Correcting Personal Information
Criteria: Individuals are able to update or correct personal information held by the entity. If practical and economically feasible to do so, the entity provides such updated or corrected information to third parties that previously were provided with the individual's personal information.
Illustrative controls and procedures: The entity
- describes the process an individual must follow to update or correct personal information records (for example, in writing, by phone, by e-mail, or by using the entity's website).
- verifies the accuracy and completeness of personal information that an individual updates or changes (for example, by edit and validation controls, and forced completion of mandatory fields).
- records the date, time, and identification of the person making the change if the entity's employee is making a change on behalf of an individual.
- notifies third parties to whom personal information has been disclosed of amendments, erasures, or blocking of personal information, if it is possible and reasonable to do so.
Additional considerations: In some jurisdictions (for example, PIPEDA, Schedule 1, clauses 4.5.2 and 4.5.3), personal information cannot be erased, but an entity is bound to cease further processing.
6.2.6 Statement of Disagreement
Criteria: Individuals are informed, in writing, about the reason a request for correction of personal information was denied, and how they may appeal.
Illustrative controls and procedures: If an individual and an entity disagree about whether personal information is complete and accurate, the individual may ask the entity to accept a statement claiming that the personal information is not complete and accurate. The entity
- documents instances where an individual and the entity disagree about whether personal information is complete and accurate.
- informs the individual, in writing, of the reason a request for correction of personal information is denied, citing the individual's right to appeal.
- informs the individual, when access to personal information is requested or when access is actually provided, that the statement of disagreement may include information about the nature of the change sought by the individual and the reason for its refusal by the entity.
- if appropriate, notifies third parties who have previously been provided with personal information that there is a disagreement and the nature of the disagreement.
Additional considerations: See 10.1.1, "Communications to Individuals," 10.2.1, "Inquiry, Complaint, and Dispute Process," and 10.2.2, "Dispute Resolution and Recourse."
Some regulations (for example, HIPAA) have specific requirements for denial of requests and handling of disagreements from individuals.
If a challenge is not resolved to the satisfaction of the individual, when appropriate, the existence of such challenge is communicated to third parties having access to the information in question.

Disclosure to Third Parties
7.0 The entity discloses personal information to third parties only for the
purposes identified in the notice and with the implicit or explicit
consent of the individual.
7.1 Policies and
Communications
7.1.0 Privacy Policies
Criteria: The entity's privacy policies address the disclosure of personal information to third parties.
7.1.1 Communication to Individuals
Criteria: Individuals are informed that personal information is disclosed to third parties only for the purposes identified in the notice and for which the individual has provided implicit or explicit consent unless a law or regulation specifically allows or requires otherwise.
Illustrative controls and procedures: The entity's privacy notice
- describes the practices related to the sharing of personal information (if any) with third parties and the reasons for information sharing.
- identifies third parties or classes of third parties to whom personal information is disclosed.
- informs individuals that personal information is disclosed to third parties only for the purposes (a) identified in the notice, and (b) for which the individual has provided implicit or explicit consent, or as specifically allowed or required by law or regulation.
Additional considerations: The entity's privacy notice may disclose the following:
- The process used to assure the privacy and security of personal information that has been disclosed to a third party
- How personal information shared with a third party will be kept up to date, so that outdated or incorrect information shared with a third party will be changed if the individual has changed his or her information
7.1.2 Communication to Third Parties
Criteria: Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.
Illustrative controls and procedures: Prior to sharing personal information with a third party, the entity communicates its privacy policies or other specific instructions or requirements for handling personal information to the third party, and obtains a written agreement from the third party that its privacy practices over the disclosed personal information adhere to those policies or requirements.

7.2 Procedures and
Controls
7.2.1 Disclosure of Personal Information
Criteria: Personal information is disclosed to third parties only for the purposes described in the notice, and for which the individual has provided implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise.
Illustrative controls and procedures: Systems and procedures are in place to
- prevent the disclosure of personal information to third parties unless an individual has given implicit or explicit consent for the disclosure.
- document the nature and extent of personal information disclosed to third parties.
- test whether disclosure to third parties is in compliance with the entity's privacy policies and procedures, or as specifically allowed or required by law or regulation.
- document any third-party disclosures for legal reasons.
Additional considerations: Personal information may be disclosed through various legal processes to law enforcement or regulatory agencies.
Some laws and regulations have specific provisions for the disclosure of personal information. Some permit disclosure of personal information without consent, whereas others require verifiable consent.
7.2.2 Protection of Personal Information
Criteria: Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity's privacy policies or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.
Illustrative controls and procedures: When providing personal information to third parties, the entity enters into contracts that require a level of protection of personal information equivalent to that of the entity's. In doing so, the entity
- limits the third party's use of personal information to purposes necessary to fulfill the contract.
- communicates the individual's preferences to the third party.
- refers any requests for access or complaints about the personal information transferred by the entity to a designated privacy executive, such as a corporate privacy officer.
- specifies how and when third parties are to dispose of or return any personal information provided by the entity.
The entity evaluates compliance with such contract using one or more of the following approaches to obtain an increasing level of assurance depending on its risk assessment:
- The third party responds to a questionnaire about their practices.
- The third party self-certifies that its practices meet the entity's requirements based on internal audit reports or other procedures.
- The entity performs an onsite evaluation of the third party.
- The entity receives an audit or similar report provided by an independent auditor.
Additional considerations: The entity is responsible for personal information in its possession or custody, including information that has been transferred to a third party.
Some regulations (for example, from the U.S. federal financial regulatory agencies) require that an entity take reasonable steps to oversee appropriate service providers by exercising appropriate due diligence in the selection of service providers.
Some jurisdictions, including some countries in Europe, require entities that transfer personal information to register with their regulatory body prior to transfer.
PIPEDA requires a comparable level of protection while the personal information is being processed by a third party.
Article 25 of the EU's Directive requires that such transfers take place only where the third party ensures an adequate level of protection.
7.2.3 New Purposes and Uses

Criteria: Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of the individual.

Illustrative Controls and Procedures: Systems and procedures are in place to
  - notify individuals and obtain their consent prior to disclosing personal information to a third party for purposes not identified in the privacy notice.
  - document whether the entity has notified the individual and received the individual's consent.
  - monitor that personal information is being provided to third parties only for uses specified in the privacy notice.

Additional Considerations: Other types of onward transfers include transfers to third parties who are
  - subsidiaries or affiliates.
  - providing a service requested by the individual.
  - law enforcement or regulatory agencies.
  - in another country and may be subject to other requirements.

7.2.4 Misuse of Personal Information by a Third Party

Criteria: The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.

Illustrative Controls and Procedures: The entity
  - reviews complaints to identify indications of any misuse of personal information by third parties.
  - responds to any knowledge of a third party using or disclosing personal information in variance with the entity's privacy policies and procedures or contractual arrangements.
  - mitigates, to the extent practicable, any harm caused by the use or disclosure of personal information by the third party in violation of the entity's privacy policies and procedures (for example, notify individuals affected, attempt to recover information disclosed to others, void affected numbers and reissue new numbers).
  - takes remedial action in the event that a third party misuses personal information (for example, contractual clauses address the ramification of misuse of personal information).

Security for Privacy

(Table columns: Ref. | Security for Privacy Criteria | Illustrative Controls and Procedures | Additional Considerations)

8.0 The entity protects personal information against unauthorized access (both physical and logical).

8.1 Policies and Communications

8.1.0 Privacy Policies

Criteria: The entity's privacy policies (including any relevant security policies) address the security of personal information.

Illustrative Controls and Procedures: Privacy policies adequately address security measures to safeguard the privacy of personal information whether in electronic, paper, or other forms. Security measures are consistent with the sensitivity of the personal information.

Additional Considerations: Personal information in any location under control of the entity or deemed to be under control of the entity must be protected.

8.1.1 Communication to Individuals

Criteria: Individuals are informed that precautions are taken to protect personal information.

Illustrative Controls and Procedures: The entity's privacy notice describes the general types of security measures used to protect the individual's personal information, for example:
  - Employees are authorized to access personal information based on job responsibilities.
  - Authentication is used to prevent unauthorized access to personal information stored electronically.
  - Physical security is maintained over personal information stored in hard copy form, and encryption is used to prevent unauthorized access to personal information sent over the Internet.
  - Additional security safeguards are applied to sensitive information.

Additional Considerations: Users, management, providers, and other parties should strive to develop and adopt good privacy practices and to promote conduct that recognizes security needs and respects the legitimate interests of others. Consideration should be given to disclosing in the privacy notice the security obligations of individuals, such as keeping user IDs and passwords confidential and reporting security compromises. Consideration should be given to limiting the disclosure of detailed security procedures so as not to compromise internal security.

8.2 Procedures and Controls

8.2.1 Information Security Program

Criteria: A security program has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas[3] insofar as they relate to the security of personal information:
  a. Risk assessment and treatment [1.2.4]
  b. Security policy [8.1.0]
  c. Organization of information security [sections 1, 7, and 10]
  d. Asset management [section 1]
  e. Human resources security [section 1]
  f. Physical and environmental security [8.2.3 and 8.2.4]
  g. Communications and operations management [sections 1, 7, and 10]
  h. Access control [sections 1, 8.2, and 10]
  i. Information systems acquisition, development, and maintenance [1.2.6]
  j. Information security incident management [1.2.7]
  k. Business continuity management [section 8.2]
  l. Compliance [sections 1 and 10]

Illustrative Controls and Procedures: The entity's security program addresses the following matters related to protection of personal information:
  - Periodic risk assessments
  - Identification of all types of personal information and the related processes, systems, and third parties that are involved in the handling of such information
  - Identification and documentation of the security requirements of authorized users
  - Allowing access, the nature of that access, and who authorizes such access
  - Preventing unauthorized access by using effective physical and logical access controls
  - The procedures to add new users, modify the access levels of existing users, and remove users who no longer need access
  - Assignment of responsibility and accountability for security
  - Assignment of responsibility and accountability for system changes and maintenance
  - Protecting operating system and network software and system files
  - Protecting cryptographic tools and information
  - Implementing system software upgrades and patches
  - Testing, evaluating, and authorizing system components before implementation
  - Addressing how complaints and requests relating to security issues are resolved
  - Handling errors and omissions, security breaches, and other incidents
  - Procedures to detect actual and attempted attacks or intrusions into systems and to proactively test security procedures (for example, penetration testing)
  - Allocating training and other resources to support its security policies
  - Provision for the handling of exceptions and situations not specifically addressed in its system processing integrity and related system security policies
  - Business continuity management and disaster recovery plans and related testing
  - Provision for the identification of, and consistency with, applicable laws and regulations, defined commitments, service-level agreements, and other contracts
  - A requirement that users, management, and third parties confirm (initially and annually) their understanding of an agreement to comply with the entity's privacy policies and procedures related to the security of personal information
  - Procedures to cancel access privileges and ensure return of computers and other devices used to access or store personal information when personnel are terminated
The entity's security program prevents access to personal information in computers, media, and paper based information that are no longer in active use by the organization (for example, computers, media, and paper-based information in storage, sold, or otherwise disposed of).

Additional Considerations: Safeguards employed may consider the nature and sensitivity of the data, as well as the size and complexity of the entity's operations. For example, the entity may protect personal information and other sensitive information to a level greater than it applies for other information. Some regulations (for example, HIPAA) provide a greater level of detail and guidance on specific security measures to be considered and implemented. Some security rules (for example, GLBA-related rules for safeguarding information) require the following:
  - Board (or committee or individual appointed by the board) approval and oversight of the entity's information security program.
  - That an entity take reasonable steps to oversee appropriate service providers by
      - exercising appropriate due diligence in the selection of service providers.
      - requiring service providers by contract to implement and maintain appropriate safeguards for the personal information at issue.
The payment card industry has established specific security and privacy requirements for cardholder information from certain brands.

[3] These areas are drawn from ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management. Permission is granted by the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). Copies of ISO/IEC 27002 can be purchased from ANSI in the United States at http://webstore.ansi.org/ and in Canada from the Standards Council of Canada at www.standardsstore.ca/eSpecs/index.jsp. It is not necessary to meet all of the criteria of ISO/IEC 27002:2005 to satisfy Generally Accepted Privacy Principles' criterion 8.2.1. The references associated with each area indicate the most relevant Generally Accepted Privacy Principles' criteria for this purpose.

8.2.2 Logical Access Controls

Criteria: Logical access to personal information is restricted by procedures that address the following matters:
  a. Authorizing and registering internal personnel and individuals
  b. Identifying and authenticating internal personnel and individuals
  c. Making changes and updating access profiles
  d. Granting privileges and permissions for access to IT infrastructure components and personal information
  e. Preventing individuals from accessing anything other than their own personal or sensitive information
  f. Limiting access to personal information to only authorized internal personnel based upon their assigned roles and responsibilities
  g. Distributing output only to authorized internal personnel
  h. Restricting logical access to offline storage, backup data, systems, and media
  i. Restricting access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls)
  j. Preventing the introduction of viruses, malicious code, and unauthorized software

Illustrative Controls and Procedures: Systems and procedures are in place to
  - establish the level and nature of access that will be provided to users based on the sensitivity of the data and the user's legitimate business need to access the personal information.
  - authenticate users, for example, by user name and password, certificate, external token, or biometrics before access is granted to systems handling personal information.
  - require stored data (at rest) to be encrypted or otherwise obfuscated.
  - implement intrusion detection and monitoring systems.

Additional Considerations: User authorization processes consider the following:
  - How the data is accessed (internal or external network), as well as the media and technology platform of storage
  - Access to paper and backup media containing personal information
  - Denial of access to joint accounts without other methods to authenticate the actual individuals
Some jurisdictions require enhanced security measures for remote access, such as additional or dynamic passwords, callback procedures, digital certificates, secure ID cards, virtual private network (VPN), or properly configured firewalls.
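The following is an added example, not part of the AICPA criteria or any entity's documented controls, showing what items (b), (e) and (f) of 8.2.2 look like when enforced in application code: a read of personal information is refused until the caller has been authenticated, a data subject can read only their own record (checked on the server, never from a client-supplied flag), internal personnel see only the fields their assigned roles allow, and every decision is logged so that it can be monitored as 8.2.3 asks. The record store, roles, field names and identifiers are constructed for illustration.

```python
"""Added example (not AICPA text): server-side authorization for reads of
personal information covering 8.2.2 items (b), (e) and (f).  Records,
roles and identifiers are constructed."""
from dataclasses import dataclass, field

# Constructed store of personal information, keyed by data-subject id.
RECORDS = {
    "subj-100": {"name": "A. Example", "email": "a@example.test", "ssn_last4": "1234"},
    "subj-200": {"name": "B. Example", "email": "b@example.test", "ssn_last4": "5678"},
}

# Item (f): each internal role is granted only the fields its duties require.
ROLE_FIELDS = {
    "support": {"name", "email"},
    "privacy_officer": {"name", "email", "ssn_last4"},
}

ACCESS_LOG = []   # every allow/deny decision is appended here for monitoring (8.2.3)


@dataclass
class Principal:
    principal_id: str
    authenticated: bool                  # item (b): set only after credential verification
    kind: str                            # "individual" (data subject) or "internal" (staff)
    roles: set = field(default_factory=set)


class AccessDenied(Exception):
    pass


def _log(principal, subject_id, decision, detail):
    ACCESS_LOG.append({"principal": principal.principal_id, "subject": subject_id,
                       "decision": decision, "detail": detail})


def read_personal_info(principal: Principal, subject_id: str) -> dict:
    """Return the fields of subject_id that principal may see, or raise AccessDenied."""
    if not principal.authenticated:                      # (b) authenticate before any access
        _log(principal, subject_id, "deny", "unauthenticated")
        raise AccessDenied("authentication required")
    record = RECORDS.get(subject_id)
    if principal.kind == "individual":
        # (e) a data subject may read only their own record.  A wrong id gets the
        # same answer as a missing one, so the response does not reveal which ids exist.
        if record is None or principal.principal_id != subject_id:
            _log(principal, subject_id, "deny", "not own record")
            raise AccessDenied("not permitted")
        allowed = set(record)                            # full view of one's own record
    else:
        # (f) staff see the union of the field sets granted to their assigned roles
        allowed = set().union(*(ROLE_FIELDS.get(r, set()) for r in principal.roles))
        if record is None or not allowed:
            _log(principal, subject_id, "deny", "no role grants access")
            raise AccessDenied("not permitted")
    view = {k: v for k, v in record.items() if k in allowed}
    _log(principal, subject_id, "allow", ",".join(sorted(view)))
    return view


def access_allowed(principal: Principal, subject_id: str) -> bool:
    """True if read_personal_info would succeed for this principal and subject."""
    try:
        read_personal_info(principal, subject_id)
        return True
    except AccessDenied:
        return False
```

The ownership check in the "individual" branch is the control behind item (e): the decision rests on the authenticated identity held by the server, not on anything in the request body, and the access log gives the monthly monitoring in 10.2.5 a record to review.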
8.2.3 Physical Access Controls

Criteria: Physical access is restricted to personal information in any form (including the components of the entity's system(s) that contain or protect personal information).

Illustrative Controls and Procedures: Systems and procedures are in place to
  - manage logical and physical access to personal information, including hard copy, archival, and backup copies.
  - log and monitor access to personal information.
  - prevent the unauthorized or accidental destruction or loss of personal information.
  - investigate breaches and attempts to gain unauthorized access.
  - communicate investigation results to the appropriate designated privacy executive.
  - maintain physical control over the distribution of reports containing personal information.
  - securely dispose of waste containing confidential information (for example, shredding).

Additional Considerations: Physical safeguards may include the use of locked file cabinets, card access systems, physical keys, sign in logs, and other techniques to control access to offices, data centers, and other locations in which personal information is processed or stored.

8.2.4 Environmental Safeguards

Criteria: Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards.

Illustrative Controls and Procedures: Management maintains measures to protect against environmental factors (for example, fire, flood, dust, power failure, and excessive heat and humidity) based on its risk assessment. The entity's controlled areas are protected against fire using both smoke detectors and a fire suppression system. In addition, the entity maintains physical and other safeguards to prevent accidental disclosure of personal information in the event of an environmental incident.

Additional Considerations: Some regulations, such as those in the EU Directive, also require that personal information is protected against unlawful destruction, accidental loss, natural disasters, and environmental hazards, in addition to accidental disclosure.
8.2.5 Transmitted Personal Information

Criteria: Personal information is protected when transmitted by mail or other physical means. Personal information collected and transmitted over the Internet, over public and other nonsecure networks, and wireless networks is protected by deploying industry standard encryption technology for transferring and receiving personal information.

Illustrative Controls and Procedures: Systems and procedures are in place to
  - define minimum levels of encryption and controls.
  - employ industry standard encryption technology, for example, 128-bit Transport Layer Security (TLS), over VPNs, for transferring and receiving personal information.
  - approve external network connections.
  - protect personal information in both hardcopy and electronic forms sent by mail, courier, or other physical means.
  - encrypt personal information collected and transmitted wirelessly and protect wireless networks from unauthorized access.

Additional Considerations: Some regulations (for example, HIPAA) have specific provisions for the electronic transmission and authentication of signatures with respect to health information records (that is, associated with the standard transactions). Some credit card vendors have issued minimum requirements for protecting cardholder data, including the requirement to use encryption techniques for credit card and transaction related data in transmission and in storage. As technology, market, and regulatory conditions evolve, new measures may become necessary to meet acceptable levels of protection (for example, 128-bit secure TLS, including user IDs and passwords). Voice transmission from wireless devices (for example, cell phones) of personal information may not be encrypted.
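As an added example that is not from the AICPA text, the first three bullets of 8.2.5 ("define minimum levels of encryption", "employ industry standard encryption technology" and "approve external network connections") expressed as a client-side policy using Python's standard ssl module: a context that requires TLS 1.2 or later with certificate and hostname verification, a checker that reports deviations from that minimum, and an allowlist of management-approved destinations. The endpoint names are constructed and nothing here opens a network connection. The criteria's "128-bit TLS" speaks of cipher strength; the example constrains protocol version and certificate verification, which are the settings the ssl module exposes directly.

```python
"""Added example (not AICPA text): a minimum TLS policy for transfers of
personal information over public networks (8.2.5).  Endpoint names are
constructed; no connection is made."""
import ssl
from typing import Optional

# "Approve external network connections": only destinations approved by
# management may receive personal information.  Constructed entries.
APPROVED_ENDPOINTS = {("partner.example.test", 443), ("sftp.example.test", 22)}


def endpoint_approved(host: str, port: int) -> bool:
    """True only for a destination on the approved list (case-insensitive host)."""
    return (host.lower(), port) in APPROVED_ENDPOINTS


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context meeting the assumed minimum: TLS 1.2+, certificate required, hostname checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_context_for_comparison() -> ssl.SSLContext:
    """The settings the policy is meant to catch: any protocol version, no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_findings(ctx: ssl.SSLContext) -> list:
    """Deviations from the minimum policy; an empty list means the context is acceptable."""
    findings = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}; "
                        "policy requires TLS 1.2 or later")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required to verify")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


if __name__ == "__main__":
    print("hardened:", context_findings(hardened_client_context()) or "meets policy")
    print("weak:", context_findings(weak_context_for_comparison()))
    print("partner.example.test:443 approved:", endpoint_approved("partner.example.test", 443))
```

A connection that carries personal information would be opened only when endpoint_approved is true and context_findings on the context to be used is empty; the checker can equally be run during a periodic review over the contexts an application builds.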

8.2.6 Personal Information on Portable Media

Criteria: Personal information stored on portable media or devices is protected from unauthorized access.

Illustrative Controls and Procedures: Policies and procedures prohibit the storage of personal information on portable media or devices unless a business need exists and such storage is approved by management.
Policies, systems, and procedures are in place to protect personal information accessed or stored in manners such as using the following:
  - Laptop computers, PDAs, smart-phones and similar devices
  - Computers and other devices used by employees while, for example, traveling and working at home
  - USB drives, CDs and DVDs, magnetic tape, or other portable media
Such information is encrypted, password protected, physically protected, and subject to the entity's access, retention, and destruction policies.
Controls exist over creation, transfer, storage, and disposal of media containing personal information used for backup and recovery.
Procedures exist to report loss or potential misuse of media containing personal information.
Upon termination of employees or contractors, procedures provide for the return or destruction of portable media and devices used to access and store personal information, and of printed and other copies of such information.

Additional Considerations: Consideration should be given to the protection needed for any personal information provided to, for example, regulators and auditors.

8.2.7 Testing Security Safeguards

Criteria: Tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information are conducted at least annually.

Illustrative Controls and Procedures: Systems and procedures are in place to
  - regularly test the effectiveness of the key administrative, technical, and physical safeguards protecting personal information.
  - periodically undertake independent audits of security controls using either internal or external auditors.
  - test card access systems and other physical security devices at least annually.
  - document and test disaster recovery and contingency plans at least annually to ensure their viability.
  - periodically undertake threat and vulnerability testing, including security penetration and Web vulnerability and resilience.
  - make appropriate modifications to security policies and procedures on a periodic basis, taking into consideration the results of tests performed and new and changing threats and vulnerabilities.
  - periodically report the results of security testing to management.

Additional Considerations: The frequency and nature of the testing of safeguards will vary with the entity's size and complexity, the nature and scope of its activities, and the sensitivity of personal information. Some security regulations (for example, GLBA-related rules for safeguarding information) require an entity to
  - conduct regular tests of key controls, systems, and procedures by independent third parties or by staff independent of those that develop or maintain security (or at least have these independent parties review results of testing).
  - assess and possibly adjust its information security at least annually.

Quality

(Table columns: Ref. | Quality Criteria | Illustrative Controls and Procedures | Additional Considerations)

9.0 The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

9.1 Policies and Communications

9.1.0 Privacy Policies

Criteria: The entity's privacy policies address the quality of personal information.

9.1.1 Communication to Individuals

Criteria: Individuals are informed that they are responsible for providing the entity with accurate and complete personal information, and for contacting the entity if correction of such information is required.

Illustrative Controls and Procedures: The entity's privacy notice explains that personal information needs to be kept accurate and complete only when the individual has an ongoing relationship with the entity.

9.2 Procedures and Controls

9.2.1 Accuracy and Completeness of Personal Information

Criteria: Personal information is accurate and complete for the purposes for which it is to be used.

Illustrative Controls and Procedures: Systems and procedures are in place to
  - edit and validate personal information as it is collected, created, maintained, and updated.
  - record the date when the personal information is obtained or updated.
  - specify when the personal information is no longer valid.
  - specify when and how the personal information is to be updated and the source for the update (for example, annual reconfirmation of information held and methods for individuals to proactively update personal information).
  - indicate how to verify the accuracy and completeness of personal information obtained directly from an individual, received from a third party (see 4.2.3, "Collection From Third Parties"), or disclosed to a third party (see 7.2.2, "Protection of Personal Information").
  - ensure personal information used on an ongoing basis is sufficiently accurate and complete to make decisions, unless clear limits exist for the need for accuracy.
  - ensure personal information is not routinely updated unless such a process is necessary to fulfill the purposes for which it is to be used.
The entity undertakes periodic assessments to check the accuracy of personal information records and to correct them, as necessary, to fulfill the stated purpose.
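An added example (not the AICPA's own) of the first four 9.2.1 controls and the periodic assessment as code: edit checks run whenever a record is collected or updated, each update is stamped with its date and source, a record can carry the date after which it is no longer valid, and a periodic assessment flags records that are expired or due for annual reconfirmation. The field names, the 365-day reconfirmation interval and the sample records are assumptions for illustration.

```python
"""Added example (not AICPA text): the 9.2.1 controls as code: edit checks on
collection and update, date and source stamping of updates, a validity date,
and a periodic accuracy assessment.  Field names, the 365-day reconfirmation
interval and the sample records are assumptions."""
import re
from datetime import date, timedelta

RECONFIRM_AFTER = timedelta(days=365)   # assumed policy: annual reconfirmation of information held
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
REQUIRED = ("name", "email", "obtained_on")
TODAY = date(2016, 3, 31)               # constructed assessment date

# Constructed records.  obtained_on is the date the information was obtained,
# updated_on/update_source the last update, valid_until the date it is no longer valid.
SAMPLE = [
    {"id": "r1", "name": "A. Example", "email": "a@example.test", "obtained_on": date(2016, 1, 15)},
    {"id": "r2", "name": "B. Example", "email": "b@example.test", "obtained_on": date(2014, 6, 1)},
    {"id": "r3", "name": "C. Example", "email": "c@example.test", "obtained_on": date(2015, 2, 1),
     "updated_on": date(2015, 9, 1), "update_source": "individual self-service"},
    {"id": "r4", "name": "D. Example", "email": "d@example.test", "obtained_on": date(2015, 12, 1),
     "valid_until": date(2016, 3, 1)},
]


def validate(record: dict, today: date) -> list:
    """Edit checks applied when a record is collected, created, maintained or updated."""
    errors = []
    for f in REQUIRED:
        if not record.get(f):
            errors.append(f"missing {f}")
    if record.get("email") and not EMAIL_RE.match(record["email"]):
        errors.append("email is not well formed")
    obtained = record.get("obtained_on")
    if obtained and obtained > today:
        errors.append("obtained_on is in the future")
    if obtained and record.get("valid_until") and record["valid_until"] < obtained:
        errors.append("valid_until precedes obtained_on")
    return errors


def update_record(record: dict, changes: dict, source: str, today: date) -> dict:
    """Apply changes, record the update date and its source, and re-validate.

    Returns a new record; the original is left unchanged."""
    candidate = {**record, **changes, "updated_on": today, "update_source": source}
    errors = validate(candidate, today)
    if errors:
        raise ValueError("; ".join(errors))
    return candidate


def quality_status(record: dict, today: date) -> str:
    """'expired' past valid_until, 'reconfirm' if not confirmed within the interval, else 'current'."""
    if record.get("valid_until") and today > record["valid_until"]:
        return "expired"
    last_confirmed = record.get("updated_on") or record["obtained_on"]
    if today - last_confirmed > RECONFIRM_AFTER:
        return "reconfirm"
    return "current"


def periodic_assessment(records=SAMPLE, today=TODAY) -> dict:
    """Periodic assessment: status per record id, so stale records can be corrected."""
    return {r["id"]: quality_status(r, today) for r in records}
```

Records reported as "reconfirm" are the input to the annual reconfirmation the control mentions; when the individual confirms or corrects their details, update_record stamps the confirmation date and source so the next assessment treats the record as current.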
9.2.2 Relevance of Personal Information

Criteria: Personal information is relevant to the purposes for which it is to be used.

Illustrative Controls and Procedures: Systems and procedures are in place to
  - ensure personal information is sufficiently relevant for the purposes for which it is to be used and to minimize the possibility that inappropriate information is used to make business decisions about the individual.
  - periodically assess the relevance of personal information records and to correct them, as necessary, to minimize the use of inappropriate data for decision making.

Monitoring and Enforcement

(Table columns: Ref. | Monitoring and Enforcement Criteria | Illustrative Controls and Procedures | Additional Considerations)

10.0 The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related inquiries, complaints and disputes.

10.1 Policies and Communications

10.1.0 Privacy Policies

Criteria: The entity's privacy policies address the monitoring and enforcement of privacy policies and procedures.

10.1.1 Communication to Individuals

Criteria: Individuals are informed about how to contact the entity with inquiries, complaints and disputes.

Illustrative Controls and Procedures: The entity's privacy notice
  - describes how individuals can contact the entity with complaints (for example, via an e-mail link to the entity's website or a telephone number).
  - provides relevant contact information to which the individual can direct complaints (for example, name, telephone number, mailing address, and e-mail address of the individual or office responsible for handling complaints).

10.2 Procedures and Controls

10.2.1 Inquiry, Complaint, and Dispute Process

Criteria: A process is in place to address inquiries, complaints, and disputes.

Illustrative Controls and Procedures: The corporate privacy officer or other designated individual is authorized to address privacy related complaints, disputes, and other problems.
Systems and procedures are in place that allow for
  - procedures to be followed in communicating and resolving complaints about the entity.
  - action that will be taken with respect to the disputed information until the complaint is satisfactorily resolved.
  - remedies to be available in case of a breach of personal information and how to communicate this information to an individual.
  - recourse and a formal escalation process to be in place to review and approve any recourse offered to individuals.
  - contact information and procedures to be followed with any designated third party dispute resolution or similar service (if offered).

10.2.2 Dispute Resolution and Recourse

Criteria: Each complaint is addressed, and the resolution is documented and communicated to the individual.

Illustrative Controls and Procedures: The entity has a formally documented process in place to
  - train employees responsible for handling individuals' complaints and disputes about the resolution and escalation processes.
  - document and respond to all complaints in a timely manner.
  - periodically review unresolved disputes and complaints to ensure they are resolved in a timely manner.
  - escalate unresolved complaints and disputes for review by management.
  - identify trends and the potential need to change the entity's privacy policies and procedures.
  - use specified independent third-party dispute resolution services or other processes mandated by regulatory bodies in the event the individual is not satisfied with the entity's proposed resolution, together with a commitment from such third parties to handle such recourses.
If the entity offers a third-party dispute resolution process for complaints that cannot be resolved directly with the entity, an explanation is provided about how an individual can use that process.

Additional Considerations: Some regulations (for example, HIPAA and COPPA) have specific procedures and requirements. Some laws (for example, PIPEDA) permit escalation through the court system up to the most senior court.
10.2.3 Compliance Review

Criteria: Compliance with privacy policies and procedures, commitments and applicable laws, regulations, service-level agreements, and other contracts is reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented.

Illustrative Controls and Procedures: Systems and procedures are in place to
  - annually review compliance with privacy policies and procedures, commitments and applicable laws, regulations, service-level agreements, standards adopted by the entity, and other contracts.
  - document periodic reviews, for example, internal audit plans, audit reports, compliance checklists, and management sign offs.
  - report the results of the compliance review and recommendations for improvement to management, and implement a remediation plan.
  - monitor the resolution of issues and vulnerabilities noted in the compliance review to ensure that appropriate corrective action is taken on a timely basis (that is, privacy policies and procedures are revised, as necessary).

Additional Considerations: In addition to legal, regulatory and contractual requirements, some entities may elect to comply with certain standards, such as those published by ISO, or may be required to comply with certain standards, such as those published by the payment card industry, as a condition of doing business.

10.2.4 Instances of Noncompliance

Criteria: Instances of noncompliance with privacy policies and procedures are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis.

Illustrative Controls and Procedures: Systems and procedures are in place to
  - notify employees of the need to report privacy breaches and security vulnerabilities in a timely manner.
  - inform employees of the appropriate channels to report security vulnerabilities and privacy breaches.
  - document instances of noncompliance with privacy policies and procedures.
  - monitor the resolution of security vulnerabilities and privacy breaches to ensure appropriate corrective measures are taken on a timely basis.
  - discipline employees and others, as appropriate, who cause privacy incidents or breaches.
  - mitigate, to the extent practicable, any harm caused by the use or disclosure of personal information by the third party in violation of the entity's privacy policies and procedures (for example, notify individuals affected, attempt to recover information disclosed to others, void affected account numbers and reissue new numbers).
  - identify trends that may require revisions to privacy policies and procedures.

TSP 100A.20 2016, AICPA


Security, Availability, Processing Integrity, Confidentiality, and Privacy 277
Monitoring and Illustrative Controls Additional
Ref. Enforcement Criteria and Procedures Considerations
10.2.5 Ongoing Monitoring The entity uses the Guidance on
Ongoing procedures are following: Monitoring Internal
performed for Control Systems,
Control reports
published by COSO
monitoring the
effectiveness of controls Trend analysis (the Committee of
over personal Training attendance Sponsoring
information, based on a and evaluations Organizations of
risk assessment [1.2.4], Complaint the Treadway
and for taking timely resolutions Commission),
corrective actions where provides helpful
Regular internal
guidance for
necessary. reviews
monitoring the
Internal audit reports effectiveness of
Independent audit controls.
reports covering
controls at service
organizations
Other evidence of
control effectiveness
The selection of controls
to be monitored, and the
frequency with which
they are monitored are
based on the sensitivity
of the information and
the risks of possible
exposure of the
information.
Examples of such
controls are as follows:
Policies require that
all employees take
initial privacy
training within 30
days of employment.
Ongoing monitoring
activities would
include a review of
human resource files
of selected employees
to determine that
they contain the
appropriate evidence
of course completion.

(continued)

2016, AICPA TSP 100A.20


278 Trust Services Principles and Criteria

Monitoring and Illustrative Controls Additional


Ref. Enforcement Criteria and Procedures Considerations

• Policies require that whenever an employee changes job responsibilities or is terminated, such employee's access to personal information be reviewed and appropriately modified or terminated within 24 hours (or immediately in the case of employee termination). This is controlled by an automated process within the human resource system which produces a report of employee status changes, which requires supervisor action to avoid automatic termination of access. This is monitored by the security group which receives copies of these reports and the related supervisor actions.
• Policies state that confirmation of a privacy-related complaint is provided to the complainant within 72 hours, and if not resolved within 10 working days, then the issue is escalated to the CPO. The control is a log used to record privacy complaints, including complaint date, and subsequent activities through to resolution. The monitoring activity is the monthly review of such logs for consistency with this policy.
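As an added example (not from the AICPA/CICA text), the monthly monitoring review described for these two controls, run over constructed HR status-change and complaint-log records. The 24-hour, 72-hour and 10-working-day thresholds come from the policies above; the record layout, the weekend-only working-day calendar and the reading of "immediately" as no later than the HR effective time are assumptions.

```python
"""Monthly monitoring review for the two illustrative controls above.

Added example, not from the AICPA/CICA text. HR status changes must show
access modified within 24 hours of a job change, or immediately on
termination; complaints must be confirmed within 72 hours and escalated
to the CPO if still unresolved after 10 working days.
Assumptions: weekends are the only non-working days (no holiday
calendar); "immediately" means no later than the HR effective time.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

JOB_CHANGE_WINDOW = timedelta(hours=24)    # policy: 24 hours after a job change
CONFIRMATION_WINDOW = timedelta(hours=72)  # policy: confirm complaint within 72 hours
ESCALATION_WORKING_DAYS = 10               # policy: escalate to CPO after 10 working days


@dataclass
class StatusChange:
    employee: str
    kind: str                            # "job_change" or "termination"
    effective: datetime                  # when HR recorded the change
    access_modified: Optional[datetime]  # when access was modified or terminated


@dataclass
class Complaint:
    ref: str
    received: datetime
    confirmed: Optional[datetime]   # confirmation sent to the complainant
    resolved: Optional[date]
    escalated: Optional[date]       # date escalated to the CPO


def add_working_days(start: date, n: int) -> date:
    """Date n working days (Mon-Fri) after start; holidays ignored (assumption)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current


def review_access_changes(changes: List[StatusChange], as_of: datetime) -> List[str]:
    """Exceptions to the 24-hour (job change) / immediate (termination) rule."""
    exceptions = []
    for c in changes:
        deadline = c.effective if c.kind == "termination" else c.effective + JOB_CHANGE_WINDOW
        if c.access_modified is None:
            if as_of > deadline:  # still open and past its deadline
                exceptions.append(f"{c.employee}: access not modified after {c.kind}")
        elif c.access_modified > deadline:
            exceptions.append(f"{c.employee}: access modified late after {c.kind}")
    return exceptions


def review_complaints(log: List[Complaint], as_of: datetime) -> List[str]:
    """Exceptions to the 72-hour confirmation and 10-working-day escalation rules."""
    exceptions = []
    for c in log:
        confirm_by = c.received + CONFIRMATION_WINDOW
        if c.confirmed is None and as_of > confirm_by:
            exceptions.append(f"{c.ref}: no confirmation within 72 hours")
        elif c.confirmed is not None and c.confirmed > confirm_by:
            exceptions.append(f"{c.ref}: confirmation sent late")
        escalate_by = add_working_days(c.received.date(), ESCALATION_WORKING_DAYS)
        still_open = c.resolved is None and as_of.date() > escalate_by
        closed_late = c.resolved is not None and c.resolved > escalate_by
        if (still_open or closed_late) and c.escalated is None:
            exceptions.append(f"{c.ref}: open past 10 working days, not escalated to CPO")
    return exceptions


# Constructed sample records for a March 2016 review (not real data).
AS_OF = datetime(2016, 3, 31, 9, 0)
HR_REPORT = [
    StatusChange("E100", "termination", datetime(2016, 3, 7, 17, 0), datetime(2016, 3, 7, 17, 0)),
    StatusChange("E101", "job_change", datetime(2016, 3, 10, 9, 0), datetime(2016, 3, 10, 16, 30)),
    StatusChange("E102", "job_change", datetime(2016, 3, 14, 9, 0), datetime(2016, 3, 16, 10, 0)),
    StatusChange("E103", "termination", datetime(2016, 3, 21, 12, 0), None),
]
COMPLAINT_LOG = [
    Complaint("C-1", datetime(2016, 3, 1, 10, 0), datetime(2016, 3, 2, 9, 0), date(2016, 3, 8), None),
    Complaint("C-2", datetime(2016, 3, 3, 14, 0), datetime(2016, 3, 7, 10, 0), date(2016, 3, 10), None),
    Complaint("C-3", datetime(2016, 3, 4, 9, 0), datetime(2016, 3, 4, 11, 0), None, None),
    Complaint("C-4", datetime(2016, 3, 9, 9, 0), datetime(2016, 3, 9, 12, 0), date(2016, 3, 29), date(2016, 3, 24)),
]


def run_monthly_review() -> Tuple[List[str], List[str]]:
    """Access-change and complaint exceptions for the constructed records."""
    return review_access_changes(HR_REPORT, AS_OF), review_complaints(COMPLAINT_LOG, AS_OF)


if __name__ == "__main__":
    for finding in run_monthly_review()[0] + run_monthly_review()[1]:
        print("EXCEPTION:", finding)
```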

Appendix A: Glossary
affiliate. An entity that controls, is controlled by, or is under common control with another entity.
anonymize. The removal of any person-related information that could be used to identify a specific individual.
confidentiality. The protection of nonpersonal information and data from unauthorized disclosure.
consent. Agreement by the individual for the entity to collect, use, and disclose personal information in accordance with the privacy notice. Such agreement can be explicit or implied. Explicit consent is given orally, electronically, or in writing, is unequivocal, and does not require any inference on the part of the entity seeking consent. Implicit consent may reasonably be inferred from the action or inaction of the individual, such as not having opted out or providing credit card information to complete a transaction (see opt in and opt out).
cookies. Cookies are pieces of information generated by a Web server and stored in the user's computer, ready for future access. The information can then be used to identify the user when returning to the website, to personalize Web content, and to suggest items of potential interest based on previous buying habits. Certain advertisers use tracking methods, including cookies, to analyze the patterns and paths through a site.
encryption. The process of transforming information to make it unreadable to anyone except those possessing a special key (to decrypt).
entity. An organization that collects, uses, retains, and discloses personal information.
individual. The person about whom the personal information is being collected (sometimes referred to as the data subject).
internal personnel. Employees, contractors, agents, and others acting on behalf of the entity and its affiliates.
opt in. Personal information may not be collected, used, retained, and disclosed by the entity without the explicit consent of the individual.
opt out. Implied consent exists for the entity to collect, use, retain, and disclose personal information unless the individual explicitly denies permission.
outsourcing. The use and handling of personal information by a third party that performs a business function for the entity.
personal information. Information that is or can be about or related to an identifiable individual.
personal information cycle. The collection, use, retention, disclosure, disposal, or anonymization of personal information.
policy. A written statement that communicates management's intent, objectives, requirements, responsibilities, and standards.
privacy. The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information.


privacy breach. A privacy breach occurs when personal information is collected, retained, accessed, used, or disclosed in ways that are not in accordance with the provisions of the enterprise's policies, applicable privacy laws, or regulations.
privacy program. The policies, communications, procedures, and controls in place to manage and protect personal information in accordance with business and compliance risks and requirements.
purpose. The reason personal information is collected by the entity.
redact. To delete or black out personal information from a document or file.
sensitive personal information. Personal information that requires an extra level of protection and a higher duty of care, for example, information on medical or health conditions, certain financial information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual preferences, or information related to offenses or criminal convictions.
third party. An entity that is not affiliated with the entity that collects personal information or any affiliated entity not covered by the entity's privacy notice.
Web beacon. Web beacons, also known as Web bugs, are small strings of code that provide a method for delivering a graphic image on a Web page or in an e-mail message for the purpose of transferring data. Businesses use Web beacons for many purposes, including site traffic reporting, unique visitor counts, advertising and e-mail auditing and reporting, and personalization. For example, a Web beacon can gather a user's IP address, collect the referrer, and track the sites visited by users.

Appendix B: CPA and CA Practitioner Services Using Generally Accepted Privacy Principles
This appendix provides a high-level overview of the services that CPAs and CAs in public practice (practitioners) can provide using Generally Accepted Privacy Principles (GAPP). Additional guidance for practitioners is available from both the AICPA and the Canadian Institute of Chartered Accountants (CICA) (see www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/PRIVACY/Pages/default.aspx and www.cica.ca).
Privacy Advisory Engagements
Practitioners can provide a variety of advisory services to their clients, which include strategic, diagnostic, implementation, and sustaining and managing services using GAPP criteria. These services could include advising clients on system weaknesses, assessing risk, and recommending a course of action using GAPP criteria as a benchmark.
Practitioners in the United States providing such advisory services follow CS section 100 of Statement on Standards for Consulting Services, Consulting Services: Definition and Standards (AICPA, Professional Standards). No standards for Canadian practitioners exist in the CICA Handbook covering the performance of consulting services.
Privacy Attestation and Assurance Engagements
Practitioners also can use GAPP to provide attestation and assurance services to their clients, which typically result in a report for use by third parties. The nature of these services, the relevant professional standards, and the types of reports that may be issued for each are described subsequently.
Privacy Examination and Audit Engagements
Relevant U.S. standards for attestation engagements are contained in the Statements on Standards for Attestation Engagements. Relevant Canadian standards for assurance engagements are contained in Section 5025 of the CICA Handbook. Privacy attestation and assurance engagements are defined within the context of these standards. A practitioner is expected to comply with the requirements established by the relevant professional standards.
Examination and audit engagements are designed to provide a high, though not absolute, level of assurance on the subject matter or assertion. With that objective, the practitioner develops audit procedures that, in the practitioner's professional judgment, reduce to a low level the risk that the practitioner will reach an inappropriate conclusion. Illustrative privacy examination and audit reports are included in appendix C.
The following key concepts apply to privacy examination and audit engagements:
• Privacy examination and audit reports ordinarily cover all 10 principles. All of the relevant criteria for each principle need to be met during the period covered by the report to issue an unqualified report.¹ ²

¹ See appendix C, "Illustrative Privacy Examination and Audit Reports."
² In certain circumstances (such as a report on a third-party service provider), special purpose privacy reports covering some of the 10 principles could be issued. It is recommended that such reports contain language that indicates that the privacy principles not covered are essential for overall assurance of privacy and be "restricted use" reports.

• The work should be performed at the examination or equivalent level of assurance.
• The scope of the engagement can cover (1) either all personal information or only certain identified types of personal information, such as customer information or employee information, and (2) all business segments and locations for the entire entity or only certain identified segments of the business (retail operations, but not manufacturing operations, or only operations originating on the entity's website or specified web domains) or geographic locations (such as only Canadian operations). In addition:
  - The privacy notice either should (1) be readily available to the users of the auditor's report and be clearly described in management's assertion and the report, or (2) accompany management's assertion and the auditor's report.
  - The scope of the engagement should generally be consistent with the description of the entities and activities covered in the privacy notice (see criterion 2.2.2). The scope often could be narrower, but ordinarily not broader, than that covered by the related privacy notice.
  - The scope of the engagement should cover all of the activities in the information cycle for the relevant personal information. These should include collection, use, retention, disclosure, disposal, or anonymization. Defining a business segment that does not include this entire cycle could be misleading to the user of the practitioner's report.
  - If the identified personal information included in the scope of the examination is commingled with other personal information not in the scope of the engagement, the scope of the engagement needs to cover controls over all of the information from the point of commingling forward.
  - The practitioner's report should ordinarily cover a period of time (not less than two months); however, the practitioner's initial report can be a point-in-time report.
Management's Assertion
Under AICPA attestation standards, in an examination engagement, the practitioner should ordinarily obtain a written assertion. If management will not provide the practitioner with a written assertion, the practitioner may still report on the subject matter; however, the form of the report will vary depending on the circumstances.³
Under AICPA standards, the practitioner may report on either management's assertion or the subject matter of the engagement. When the practitioner reports on the assertion, the assertion should accompany the practitioner's report, or the first paragraph of the report should contain a statement of the assertion.⁴ When the practitioner reports on the subject matter, the practitioner may want to request that management make an assertion available to the users of the practitioner's report.

³ See paragraph .58 of AT section 101, Attest Engagements (AICPA, Professional Standards), for a description of a practitioner's options if a written assertion is not obtained.
⁴ See paragraph .64 of AT section 101.
Under CICA assurance standards, the practitioner may report on either management's assertion regarding the subject matter of the engagement, or directly on the subject matter. When the practitioner reports on management's assertion, the assertion should accompany the practitioner's report. When the practitioner reports directly on the subject matter, the practitioner is not required to obtain a written assertion of management. However, when the practitioner has not obtained such an assertion, the practitioner is required to establish by other means that management is responsible for the subject matter; this is fundamental to performing the engagement.
For a privacy examination or audit, it is believed that an assertion-based engagement is more appropriate than an engagement to report directly on the subject matter. By providing a publicly available assertion, management explicitly acknowledges its responsibility for the matters addressed in its assertion.
Privacy Review Engagements
A review engagement is a type of attestation or assurance engagement. However, the term privacy review is often misused to refer either to a privacy examination or to certain types of privacy advisory engagements, such as a privacy diagnostic engagement or an engagement to develop findings and recommendations related to privacy. To reduce the risk that either the practitioner or the client may misinterpret the needs or expectations of the other party, the practitioner should establish an understanding with the client regarding the specifics of the services to be performed and the type of report to be issued.
A review engagement, as defined in professional standards, is a type of attestation or assurance engagement in which the practitioner reports on whether any information came to his or her attention, on the basis of the work performed, that indicates that the subject matter is not based on (or in conformity with) the criteria, or the assertion is not presented (or fairly stated) in all material respects based on the criteria. The procedures performed to provide a basis for the practitioner's review engagement report generally are limited to inquiry, analytical review procedures, and discussion. In the view of the AICPA and CICA Privacy Task Force, these types of procedures and the limited assurance provided from a review engagement would not be adequate to meet the needs of most parties affected by privacy requirements and expectations when the reporting entity is expected to demonstrate compliance with generally accepted privacy principles and criteria. Accordingly, no guidance is provided on the performance of privacy review engagements.
Agreed-Upon (Specified Auditing) Procedures Engagements
In an agreed-upon or specified procedures engagement, the practitioner performs specified procedures, agreed to by the parties,⁵ and reports his or her findings. The practitioner does not perform an audit or review of an assertion or subject matter, nor does the practitioner express an opinion or negative assurance about the assertion or subject matter.⁶ In this type of engagement, the practitioner's report is in the form of a description of procedures and findings.
Generally accepted privacy principles and criteria may be used in such engagements. This type of work would not lead to an examination or audit report, but rather to a report presenting the agreed-upon or specified procedures and the corresponding findings for each procedure. Agreed-upon or specified procedures could be undertaken to address a subset of an entity's system or a subset of the generally accepted privacy principles and criteria, or both. For example, an entity may request that a practitioner complete agreed-upon or specified procedures using selected criteria from generally accepted privacy principles and report the findings. In Canada, specified procedures engagements are permitted, although they are not considered to be assurance engagements under CICA Handbook section 5025.
Because users' needs may vary widely, the nature, timing, and extent of the agreed-upon and specified procedures may vary as well. Consequently, the specified users and the client assume responsibility for the sufficiency of the procedures since they best understand their own needs. The use of such a report is restricted to the specified parties who agreed upon the procedures.
Relationship Between Generally Accepted Privacy Principles and the Trust Services Principles and Criteria
Generally accepted privacy principles are part of the AICPA and CICA Trust Services Principles and Criteria, which are based upon a common framework (that is, a core set of principles and criteria) to provide professional attestation or assurance and consulting or advisory services. The Trust Services Principles and Criteria⁷ were developed by volunteer task forces under the auspices of the AICPA and CICA. The other trust services principles and criteria are:
• Security. The system is protected against unauthorized access (both physical and logical).
• Availability. The system is available for operation and use as committed or agreed.
• Processing integrity. System processing is complete, accurate, timely, and authorized.
• Confidentiality. Information designated as confidential is protected as committed or agreed.
These are discussed more fully at www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/TRUSTSERVICES/Pages/default.aspx.

⁵ The specified users of the report and the practitioner agree upon the procedures to be performed by the practitioner.
⁶ In the United States, agreed-upon procedures engagements are performed under paragraph .15 of AT section 201, Agreed-Upon Procedures Engagements (AICPA, Professional Standards). In Canada there are no general standards for agreed-upon procedures/specified procedures. A practitioner could, however, look to the guidance provided by the Canadian Institute of Chartered Accountants (CICA) Handbook section 9100, which contains standards for performing Specified Procedures on Financial Information Other Than Financial Statements. In specified auditing procedures engagements, the practitioner is engaged to report to specific users the results of applying specified procedures. In applying such procedures, the practitioner does not express a conclusion concerning the subject matter because he or she does not necessarily perform all of the procedures that, in the practitioner's judgment, would be necessary to provide a high level of assurance. Rather, the practitioner's report sets out the factual results of the procedures applied, including any exceptions found.
⁷ WebTrust and SysTrust are two specific attestation or assurance services offerings developed by the AICPA and the CICA that are based on the Trust Services Principles and Criteria. Practitioners must be licensed by the CICA to use either the WebTrust or SysTrust seals. When the privacy engagement incorporates an online segment and the entity has received an examination or audit report that does not include a qualification or scope limitation, an entity may choose to display a WebTrust Online Privacy seal. For more information on licensure and Online Privacy Engagements see www.webtrust.org.


Appendix C: Illustrative Privacy Examination and Audit Reports
The following appendix includes examples of examination and audit reports under AICPA or Canadian Institute of Chartered Accountants (CICA) professional reporting standards, respectively:
Under AICPA Attestation Standards:
• Illustration 1: Reporting on Management's Assertion and Sample Management Assertion
• Illustration 2: Reporting Directly on the Subject Matter
Under CICA Assurance Standards:
• Illustration 3: Reporting on Management's Assertion and Sample Management Assertion
• Illustration 4: Reporting Directly on the Subject Matter

Illustration 1: Reporting on Management's Assertion Under AICPA Attestation Standards
Independent Practitioner's Privacy Report
To the Management of ABC Company, Inc.:
We have examined ABC Company, Inc.'s (ABC Company) management assertion that, during the period Xxxx xx, 2009 through Yyyy yy, 2009, it:
• Maintained effective controls over the privacy of personal information collected in its [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in conformity with its commitments in its privacy notice related to the Business and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants, and
• Complied with its commitments in its privacy notice, which is dated xxxx xx, 2009 and [is available at www.ABC-Company/privacy or accompanies this report].
This assertion is the responsibility of ABC Company's management. Our responsibility is to express an opinion based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of ABC Company's controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company's commitments in its privacy notice, and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.
In our opinion, ABC Company's management assertion that, during the period Xxxx xx, 2009 through Yyyy yy, 2009, ABC Company:
• Maintained effective controls over the privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles; and
• Complied with its commitments in its privacy notice referred to above,
is, in all material respects, fairly stated.
OR
In our opinion, ABC Company's management assertion referred to above is fairly stated, in all material respects, in conformity with ABC Company's privacy notice referred to above and with criteria set forth in Generally Accepted Privacy Principles.
Because of the nature and inherent limitations of controls, ABC Company's ability to meet the aforementioned criteria and the commitments in its privacy notice may be affected. For example, fraud, unauthorized access to systems and information, and failure to comply with internal and external policies or requirements may not be prevented or detected. Also, the projection of any conclusions, based on our findings, to future periods is subject to the risk that any changes or future events may alter the validity of such conclusions.
[Name of CPA firm]
Certified Public Accountants
[City, State]
[Date]
Sample Management Assertion for Illustration 1
During the period Xxxx xx, 2009 through Yyyy yy, 2009, ABC Company, in all material respects:
• Maintained effective controls over the privacy of personal information collected in our [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in conformity with our commitments in our privacy notice related to the Business and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, and
• Complied with our commitments in our privacy notice, which is dated xxxx xx, 2009 and [is available at www.ABC-Company/privacy or accompanies this report].
Illustration 2: Reporting Directly on the Subject Matter Under AICPA Attestation Standards
Independent Practitioner's Privacy Report
To the Management of ABC Company, Inc.:
We have examined (1) the effectiveness of ABC Company, Inc.'s (ABC Company) controls over the personal information collected in its [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants, and (2) ABC Company's compliance with its commitments in its privacy notice, which is dated xxxx xx, 2009 and [is available at www.ABC-Company/privacy or accompanies this report], related to the Business during the period Xxxx xx, 2009 through Yyyy yy, 2009. ABC Company's management is responsible for maintaining the effectiveness of these controls and for compliance with its commitments in its privacy notice. Our responsibility is to express an opinion based on our examination.
Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included (1) obtaining an understanding of ABC Company's controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company's commitments in its privacy notice, and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.
In our opinion, during the period Xxxx xx, 2009 through Yyyy yy, 2009, ABC Company, in all material respects (1) maintained effective controls over privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles; and (2) complied with its commitments in its privacy notice referred to above.
Because of the nature and inherent limitations of controls, ABC Company's ability to meet the aforementioned criteria and the commitments in its privacy notice may be affected. For example, fraud, unauthorized access to systems and information, and failure to comply with internal or external policies or requirements may not be prevented or detected. Also, the projection of any conclusions, based on our findings, to future periods is subject to the risk that any changes or future events may alter the validity of such conclusions.
[Name of CPA firm]
Certified Public Accountants
[City, State]
[Date]
Illustration 3: Reporting on Management's Assertion Under CICA Assurance Standards
Auditor's Privacy Report
To the Management of ABC Company, Inc.:
We have audited ABC Company, Inc.'s (ABC Company) management assertion that, during the period Xxxx xx, 2009 through Yyyy yy, 2009, it:
• Maintained effective controls over the privacy of personal information collected in its [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in conformity with its commitments in its privacy notice related to the Business and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants (CICA), and
• Complied with its commitments in its privacy notice, which is dated xxxx xx, 2009 and [is available at www.ABC-Company/privacy or accompanies this report].
This assertion is the responsibility of management. Our responsibility is to express an opinion based on our audit.
Our audit was conducted in accordance with standards for assurance engagements established by the CICA. Those standards require that we plan and perform our audit to obtain reasonable assurance as a basis for our opinion. Our audit included (1) obtaining an understanding of ABC Company's controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company's commitments in its privacy notice, and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.
In our opinion, ABC Company's management assertion that, during the period Xxxx xx, 2009 through Yyyy yy, 2009, ABC Company:
• Maintained effective controls over the privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles; and
• Complied with its commitments in its privacy notice referred to above,
is, in all material respects, fairly stated.
OR
In our opinion, ABC Company management's assertion referred to above is fairly stated, in all material respects, in conformity with ABC Company's privacy notice referred to above and with criteria set forth in Generally Accepted Privacy Principles.
Because of the nature and inherent limitations of controls, ABC Company's ability to meet the aforementioned criteria and the commitments in its privacy notice may be affected. For example, fraud, unauthorized access to systems and information, and failure to comply with internal and external policies and requirements may not be prevented or detected. Also, the projection of any conclusions, based on our findings, to future periods is subject to the risk that any changes or future events may alter the validity of such conclusions.
[Name of CA firm]
[City, Province]
Chartered Accountants
[Date]
Sample Management Assertion for Illustration 3
During the period Xxxx xx, 2009 through Yyyy yy, 2009, ABC Company, in all material respects:
• Maintained effective controls over the privacy of personal information collected in our business [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] (the Business) to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in accordance with our commitments in the privacy notice related to the Business and with the criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, and
• Complied with our commitments in our privacy notice, which is dated xxxx xx, 2009 and [is available at www.ABC-Company/privacy or accompanies this report].
Illustration 4Reporting Directly on the Subject Matter Under CICA
Assurance Standards
Auditor's Privacy Report

To the Management of ABC Company, Inc.:

We have audited (1) the effectiveness of ABC Company, Inc.'s (ABC Company) controls over the personal information collected in its [description of the entities and activities covered, for example "the mail-order catalog-sales operations"] business (the Business) to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in conformity with its commitments in its privacy notice and with criteria set forth in Generally Accepted Privacy Principles, issued by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants (CICA), and (2) ABC Company's compliance with its commitments in its privacy notice, which is dated xxxx xx, 2009 and [is available at www.ABC-Company/privacy or accompanies this report], related to the Business during the period Xxxx xx, 2009 through Yyyy yy, 2009. ABC Company's management is responsible for maintaining the effectiveness of these controls and for compliance with its commitments in its privacy notice. Our responsibility is to express an opinion based on our audit.

Our audit was conducted in accordance with standards for assurance engagements established by the CICA. Those standards require that we plan and perform our audit to obtain reasonable assurance as a basis for our opinion. Our audit included (1) obtaining an understanding of ABC Company's controls over the privacy of personal information, (2) testing and evaluating the operating effectiveness of the controls, (3) testing compliance with ABC Company's commitments in its privacy notice, and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

In our opinion, during the period Xxxx xx, 2009 through Yyyy yy, 2009, ABC Company, in all material respects (1) maintained effective controls over privacy of personal information collected in the Business to provide reasonable assurance that the personal information was collected, used, retained, disclosed, and disposed of in conformity with its commitments in its privacy notice and with criteria set forth in the Generally Accepted Privacy Principles; and (2) complied with its commitments in its privacy notice referred to above.
Because of the nature and inherent limitations of controls, ABC Company's ability to meet the aforementioned criteria and the commitments in its privacy notice may be affected. For example, fraud, unauthorized access to systems and information, and failure to comply with internal or external policies or requirements may not be prevented or detected. Also, the projection of any conclusions, based on our findings, to future periods is subject to the risk that any changes or future events may alter the validity of such conclusions.

[Name of CA firm]
[City, Province]
Chartered Accountants
[Date]

TSP Section 200
Trust Services Principles and Criteria for Certification Authorities Version 2.0
April 2012
(To supersede the 2000 version of the Trust Services Principles, Criteria, and Illustrations for WebTrust for Certification Authorities [Version 1.0])

Introduction

Introduction to Trust Service Principles and Criteria for Certification Authorities Version 2.0
.01 This document provides a framework for third party assurance providers to assess the adequacy and effectiveness of the controls employed by certification authorities (CAs). As a result of the technical nature of the activities involved in securing e-commerce transactions, this document also provides a brief overview of public key infrastructure (PKI) using cryptography and trusted third party concepts.

.02 This document replaces version 1.0 of the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for WebTrust for Certification Authorities (WebTrust Program for Certification Authorities v1) that was issued in August 2000. Unlike version 1.0, which was intended to be used by licensed WebTrust¹ practitioners only, this version is regarded as "open-source" and can be used in the conduct of any assurance engagement, internal or external, by any third party service provider. It also represents an effective benchmark for CAs to conduct self-assessments. The public accounting profession has continued to play its role, with an intent to increase consumer confidence in the application of PKI technology by establishing a basis for providing third party assurance to the assertions made by CAs.
.03 This document was developed by an AICPA/CICA Task Force using International Organization for Standardization (ISO) 21188, "Public key infrastructure for financial services: Practices and policy framework," and version 1.0 of the AICPA/CICA WebTrust Program for Certification Authorities.
.04 Input and approval were also obtained from the Certification Authority Browser Forum (CA/Browser Forum; see www.cabforum.org) for the content and control activities contained in this framework. The CA/Browser Forum was formed among CAs and vendors of Internet browser software and other applications. This voluntary organization has worked collaboratively in defining guidelines and means of implementation for the Extended Validation (EV) Secure Sockets Layer (SSL) Certificate standard as a way of providing heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.

¹ WebTrust is an assurance services offering developed by the AICPA and Canadian Institute of Chartered Accountants (CICA) that is based on the Trust Services Principles and Criteria. Practitioners must be licensed by CICA to use these registered service marks. For more information on licensure, see www.webtrust.org.

.05 The principles and criteria for CAs are consistent with standards developed by the American National Standards Institute (ANSI), the International Organization for Standardization (ISO), and the Internet Engineering Task Force (IETF). The principles and criteria are also consistent with the practices established by the CA/Browser Forum.

Importance of PKI
.06 PKI provides a means for relying parties (that is, recipients of certificates, who act in reliance on those certificates or digital signatures, or both, verified using those certificates) to know that another individual's or entity's public key actually belongs to that individual or entity. CA organizations or CA functions, or both, have been established to address this need.

.07 Cryptography is critical to establishing secure e-commerce; however, it has to be coupled with other secure protocols in order to provide a comprehensive security solution. Several cryptographic protocols require digital certificates (in effect, electronic credentials) issued by an independent trusted third party (the CA) to authenticate the transaction. CAs have assumed an increasingly important role in secure e-commerce. Although a large body of national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs exists, these standards have not been applied or implemented uniformly.

.08 This version is titled "Trust Services Principles and Criteria for Certification Authorities Version 2.0." These principles and criteria are intended to address user (that is, subscriber and relying party) needs and concerns and are designed to benefit users and providers of CA e-commerce assurance services by providing a common body of knowledge that is communicated to such parties.

Overview
What Is a Public Key Infrastructure?
.09 With the expansion of e-commerce, PKI is growing in importance and will continue to be a critical enterprise security investment. PKI enables parties to an e-commerce transaction to identify one another by providing authentication with digital certificates, and it allows reliable business communications by providing confidentiality through the use of encryption and by providing authentication, data integrity, and a reasonable basis for nonrepudiation through the use of digital signatures.

.10 PKI uses public and private key pairs, that is, two mathematically related keys. Typically, one of the keys is made public (by posting it on the Internet, for example), while the other remains private. Public key cryptography works in such a way that a message encrypted with the public key can only be decrypted with the private key and, conversely, a message signed with a private key can only be verified with the public key. This technology can be used in different ways to provide the four ingredients required for trust in e-commerce transactions, namely confidentiality, authentication, integrity, and nonrepudiation.

.11 Using PKI, a subscriber (that is, an end entity [or individual] whose public key is cryptographically bound to his or her identity in a digital certificate) has an asymmetric, cryptographic key pair (that is, a public key and a private key). The subscriber's private key must be kept secret, whereas the public key may be made widely available, usually presented in the form of a digital certificate, to ensure that relying parties know with confidence the identity to which the public key belongs. Using public key cryptography, the subscriber could send a message signed with his or her private key. The signature can be validated by the message recipient using the subscriber's public key. The subscriber could also encrypt a message using the recipient's public key. The message can be decrypted only with the recipient's private key.

.12 A subscriber first obtains a public and private key pair (generated by the subscriber, or for the subscriber, as a service). The subscriber then goes through a registration process by submitting his or her public key to a certification authority or a registration authority (RA), which acts as an agent for the CA. The CA or RA verifies the identity of the subscriber in accordance with the CA's established business practices (that may be contained in a certification practice statement), and then issues a digital certificate. The certificate includes the subscriber's public key and identity information and is digitally signed by the CA, which binds the subscriber's identity to that public key. The CA also manages the subscriber's digital certificate through the certificate life cycle (that is, from registration through revocation or expiration). In some circumstances, it remains important to manage digital certificates even after expiry or revocation so that digital signatures on stored documents held past the revocation or expiry period can be validated at a later date.

.13 The following diagram illustrates the relationship between a subscriber's public and private keys and how they are used to secure messages sent to a relying party.

.14 A transaction submitted by a customer to an online merchant via the Internet can be encrypted with the merchant's public key and, therefore, can only be decrypted by that merchant using the merchant's private key, ensuring a level of confidentiality. Confidentiality can also be achieved through the use of SSL, Secure/Multipurpose Internet Mail Extensions (S/MIME), and other protocols, such as Secure Electronic Transaction (SET).

What Is a Digital Signature?
.15 Digital signatures can be used to provide authentication, integrity, and nonrepudiation. Generally speaking, if a customer sends a digitally signed message to a merchant, the customer's private key is used to generate the digital signature, and the customer's public key can be used by the merchant to verify the signature. The mathematical processes employed are somewhat different depending on the kind of asymmetric, cryptographic algorithm employed. For example, the processes are slightly different for reversible algorithms (that is, those which can be readily used to support digital signatures as well as encryption), such as Rivest Shamir Adleman (RSA), and irreversible algorithms, such as the Digital Signature Algorithm (DSA).
.16 The following example illustrates the digital signature generation and verification process for a reversible asymmetric cryptographic algorithm (such as RSA). Suppose a customer wants to send a digitally signed message to a merchant. The customer runs the message through a hash function (that is, a mathematical function that converts a message into a fixed length block of data [the hash], in a fashion such that the hash uniquely reflects the message. In effect, it is the message's "fingerprint."). The customer then transforms the hash using the algorithm and the customer's private key to create the digital signature, which is appended to the message. A header is also appended to the message, indicating the merchant's email address, the sender's email address, and other information, such as the time the message is sent. The message header, the message itself, and the digital signature are then sent to the merchant. The customer can optionally send his or her public key certificate to the merchant in the message itself. All of this is usually done by the e-mail software in such a way that the process is transparent to the user.
.17 The following diagram illustrates the process of using a subscriber's key pair to ensure the integrity and authenticity of a message sent by the customer (subscriber) to a merchant.

.18 To determine whether the message came from the customer (that is, authentication) and to determine whether the message has not been modified (that is, integrity), the merchant validates the digital signature. To do so, the merchant must obtain the customer's public key certificate. If the customer did not send his or her public key certificate as part of the message, the merchant would typically obtain the customer's public key certificate from an online repository (maintained by the CA or another party acting as the agent of the CA or any other source even if unrelated to the CA). The merchant then validates that the customer's digital certificate (containing the customer's public key) was signed by a recognized CA to ensure that the binding between the public key and the customer represented in the certificate has not been altered. Next, the merchant extracts the public key from the certificate and uses that public key to transform the digital signature to reveal the original hash. The merchant then runs the message as received through the same hash function to create a hash of the received message. To verify the digital signature, the merchant compares these two hashes. If they match, then the digital signature validates and the merchant knows that the message came from the customer, and it was not modified from the time the signature was made. If the hashes do not match, then the merchant knows that the message was either modified in transit, or the message was not signed with the customer's private key. As a result, the merchant cannot rely on the digital signature.
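The signing and verification steps of paragraphs .16 and .18, combined with encryption for the recipient from paragraphs .11 and .14, as an added worked example in Go. It is illustrative code written for this page, not code from the document or from any CA; the party names, the 2048-bit RSA keys, the order text, and the choice of RSA PKCS#1 v1.5 signatures over SHA-256 (one reversible scheme of the kind paragraph .15 mentions) with RSA-OAEP for encryption are assumptions of the example. The merchant here is handed the customer's public key directly; in a PKI it would be taken from a certificate whose CA signature the merchant validates first.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one RSA key pair, generated on the fly here (constructed for the
// example); a subscriber's real signing key stays under the subscriber's sole control.
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

func NewParty(name string) (*Party, error)  {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Key: key}, nil
}

// Sign is the customer's step in paragraph .16: hash the message with SHA-256,
// then transform the hash with the signer's private key (RSA PKCS#1 v1.5).
func Sign(signer *Party, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, signer.Key, crypto.SHA256, digest[:])
}

// Verify is the merchant's step in paragraph .18: hash the message as received and
// compare it with the hash recovered from the signature using the signer's public key.
func Verify(signerPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(signerPub, crypto.SHA256, digest[:], sig) == nil
}

// Encrypt seals a short message with the recipient's public key (RSA-OAEP) so that
// only the holder of the matching private key can read it (paragraphs .11 and .14).
// OAEP with a 2048-bit key and SHA-256 carries at most 190 bytes; in practice a
// random symmetric key is wrapped this way and the bulk data is encrypted with it.
func Encrypt(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

func Decrypt(recipient *Party, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Key, ciphertext, nil)
}

// Result records what the merchant learns from a signed, encrypted order.
type Result struct {
	Plaintext        string // the order the merchant decrypted
	SignatureValid   bool   // signature checks against the plaintext as received
	TamperedValid    bool   // signature checked against an altered copy (must be false)
	OutsiderDecrypts bool   // whether an unrelated key pair could decrypt (must be false)
}

// Exchange runs the whole flow: the customer signs the order and encrypts it for the
// merchant; the merchant decrypts and verifies the signature with the customer's public key.
func Exchange(customer, merchant, outsider *Party, order string) (Result, error) {
	var r Result
	msg := []byte(order)
	if len(msg) == 0 {
		return r, errors.New("empty order")
	}
	sig, err := Sign(customer, msg)
	if err != nil {
		return r, err
	}
	ciphertext, err := Encrypt(&merchant.Key.PublicKey, msg)
	if err != nil {
		return r, err
	}
	// An outsider holding a different private key gets nothing from the ciphertext.
	_, outsiderErr := Decrypt(outsider, ciphertext)
	r.OutsiderDecrypts = outsiderErr == nil
	plaintext, err := Decrypt(merchant, ciphertext)
	if err != nil {
		return r, err
	}
	r.Plaintext = string(plaintext)
	r.SignatureValid = Verify(&customer.Key.PublicKey, plaintext, sig)
	// Simulate modification in transit: flip one byte and keep the same signature.
	tampered := append([]byte(nil), plaintext...)
	tampered[0] ^= 0x01
	r.TamperedValid = Verify(&customer.Key.PublicKey, tampered, sig)
	return r, nil
}

func main() {
	customer, _ := NewParty("customer")
	merchant, _ := NewParty("merchant")
	outsider, _ := NewParty("outsider")
	r, err := Exchange(customer, merchant, outsider, "BUY 1000 shares of ABC")
	fmt.Printf("%+v %v\n", r, err)
}
```

Run as a program, the block prints a Result in which the unmodified plaintext verifies, the altered copy does not, and the outsider's decryption attempt fails; those three outcomes are the confidentiality, integrity, and authentication properties of paragraph .10 made concrete.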

.19 Digital signatures can also be used to provide a basis for nonrepudiation so that the signer cannot readily deny having signed the message. For example, an online brokerage customer who purchases one thousand shares of stock using a digitally signed order via the Internet should have a difficult task if he or she later tries to deny (that is, repudiate) having authorized the purchase.

What Are the Differences Between Encryption Key Pairs and Signing Key Pairs?

.20 As stated earlier, establishing a reasonable basis for nonrepudiation requires that the private key used to create a digital signature (that is, the signing private key) be generated and stored securely under the sole control of the user. In the event a user forgets his or her password or loses, breaks, or destroys his or her signing private key, it is acceptable to generate a new signing key pair for use from that point forward with minimal impact to the subscriber. Previously signed documents can still be verified with the user's old signature verification public key. Documents subsequently signed with the user's new signing private key must be verified with the user's new signature verification public key.

.21 Extra care is required to secure the CA's signing private key, which is used for signing user certificates. The trustworthiness of all certificates issued by a CA depends on the CA's ability to protect its private signing key. CAs securely back up their private signing key(s) for business continuity purposes to allow the CA to continue to operate in the event that the CA's private signing key is accidentally destroyed (but not compromised) as a result of hardware failure, for example. Except for CA business continuity purposes, generally, no technical or business reasons exist to back up a private signing key.

.22 On the other hand, and as cited earlier, it is often desirable that a key pair used for encryption and decryption be securely backed up to ensure that encrypted data can be recovered when a user forgets his or her password or otherwise loses access to his or her decryption key. This is analogous to requiring that the combination to a safe be backed up in case the user forgets it or becomes incapacitated. As a result, a PKI typically requires two key pairs for each user: one key pair for encryption and decryption and a second key pair for signing and signature verification.

What Is a Certification Authority?

.23 In order for these technologies to enable parties to securely conduct e-commerce, one important question must be answered: In the digital world, how does one know that an individual's public key actually belongs to that individual? A digital certificate, which is an electronic document containing information about an individual and his or her public key, is the answer. This document is digitally signed by a trusted organization referred to as a CA. The basic premise is that the CA is vouching for the link between an individual's identity and his or her public key. The CA provides a level of assurance that the public key contained in the certificate does, indeed, belong to the entity named in the certificate. The digital signature placed on the public key certificate by the CA provides the cryptographic binding between the entity's public key, the entity's name, and other information in the certificate, such as a validity period. For a relying party to determine whether the certificate was issued by a legitimate CA, the relying party must verify the issuing CA's signature on the certificate. The public keys of many common root CAs (as later defined) are preloaded into standard Web browser software (for example, Netscape Navigator or Microsoft Internet Explorer). This allows the relying party to verify the issuing CA's signature using the CA's public key to determine whether the certificate was issued by a trusted CA.
.24 The purpose of a CA is to manage the certificate life cycle, which includes generation and issuance, distribution, renewal and rekey, revocation, and suspension of certificates. The CA frequently delegates the initial registration of subscribers to RAs, which act as agents for the CA. In some cases, the CA may perform registration functions directly. The CA is also responsible for providing certificate status information through the issuance of certificate revocation lists (CRLs) or the maintenance of an online status-checking mechanism, or both. Typically, the CA posts the certificates and CRLs that it has issued to a repository (such as an online directory), which is accessible to relying parties.

What Is a Registration Authority?

.25 A registration authority, or RA, is an entity that is responsible for the identification and authentication of subscribers, but does not sign or issue certificates. In some cases, the CA performs the subscriber registration function internally. In other cases, the CA might delegate the RA function to external registration authorities (sometimes referred to as local registration authorities or LRAs) that may or may not be part of the same legal entity as the CA. In still other cases, a customer of a CA (for example, a company) may arrange with that CA to perform the RA function itself or use its agent.
.26 The initial registration process for a subscriber is as follows, though the steps may vary from CA to CA and will also depend upon the certificate policy under which the certificate is to be issued. The subscriber first generates his or her own public and private key pair. (In some implementations, a CA may generate the subscriber's key pair and securely deliver it to the subscriber, but this is normally done only for encryption key pairs, not signature key pairs.) Then, the subscriber produces proof of identity in accordance with the applicable certificate policy requirements and demonstrates that he or she holds the private key corresponding to the public key without disclosing the private key (typically by digitally signing a piece of data with the private key, with the subscriber's digital signature then verified by the CA). Once the association between a person and a public key is verified, the CA issues a certificate. The CA digitally signs each certificate that it issues with its private key to provide the means for establishing authenticity and integrity of the certificate.

.27 The CA then notifies the subscriber of certificate issuance and gives the subscriber an opportunity to review the contents of the certificate before it is made public. Assuming the subscriber approves the accuracy of the certificate, the subscriber will either publish the certificate or have the CA publish it and make it available to other users. A repository is an electronic certificate database that is available online. The repository may be maintained by the CA or a third party contracted for that purpose by the subscriber or by any other party. Subscribers may obtain other subscribers' certificates and certificate status information from the repository. For example, if a subscriber's certificate was revoked, the repository would indicate that the subscriber's certificate has been revoked and should not be relied on. The ability to update the repository is typically retained by the CA. Subscribers and other relying parties would have read-only access to the repository. Because the certificates stored in the repository are digitally signed by the CA, they cannot be maliciously changed without detection, even if someone were to hack into the repository.

.28 The following diagram illustrates the relationship between the subscriber and the RA and CA functions.

What Is the Impact of an External RA?

.29 External registration authorities are required to comply with the relevant provisions of the CA's business practices disclosures, often documented in a certification practice statement and applicable certificate policy(s). In performing a WebTrust Program for Certification Authorities engagement, the practitioner must consider how the CA handles the RA function and whether the RA function is within the scope of the examination. For example, a CA that provides CA services to several banks might delegate the subscriber registration function to RAs that are specifically designated functional groups within each bank. The functions performed by these specific groups would typically be outside the scope of the WebTrust Program for Certification Authorities examination performed for the CA. In this case, management's assertion should specify those aspects of the registration process that are not handled by the CA. There may be scenarios, however, in which the CA exercises extensive monitoring controls (including on-site audit) over all aspects of the RA operations, and the CA is willing to assert to the effectiveness of the controls performed by the external RAs and include the RA operations in the examination. In these rare situations, the CA and the auditor need to agree in advance on this approach, including the extent and sufficiency of controls being exercised.
.30 External RAs could be examined and reported on separately from the CA using the relevant criteria contained in this Trust Services Principles and Criteria for Certification Authorities Version 2.0. Illustrative reports for these types of examinations will be the subject of future guidance.

What Is an Extended Validation Certificate?

.31 When a CA performs additional steps to authenticate the entity to which certificates are being issued, the certificates issued are differentiated and issued as extended validation certificates. These certificates provide even more assurance regarding the identity of the website owner.
.32 According to www.cabforum.org:

Extended Validation SSL (EV SSL) Certificates build on the existing SSL certificate format, but provide an additional layer of protection in a strictly defined issuance process created to ensure that the certificate holder is who they claim to be. To ensure the ongoing integrity of the process, revocation measures are specified that allow for the quick and effective revocation of improperly issued or misused certificates. Leading Relying-Party Application Software Suppliers support EV SSL, which allows the browser to display the verified identity of the website owner to the user.²
What Is a Certification Practice Statement and a Certificate Policy?

.33 A certification practice statement (CPS) is a statement of the practices that a CA employs in issuing and managing certificates. A certificate policy (CP) is a named set of rules that indicates the applicability of a certificate to a particular community or class of application, or both, with common security requirements. For example, a particular CP might indicate the applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.

What Are the Hierarchical and Cross-Certified CA Models?

.34 CAs may be linked using two basic architectures or a hybrid of the two: hierarchical and cross-certified (shared trust). In a hierarchical model, a highest level (or root) CA is deployed, and subordinate CAs may be set up for various business units, domains, or communities of interest. The root CA validates the subordinate CAs, which, in turn, issue certificates to lower tier CAs or directly to subscribers. Such a root CA typically has more stringent security requirements than a subordinate CA. Although it is difficult for an attacker to access the root CA (which, in some implementations, is only online in the rare event that it must issue, renew, or revoke subordinate CA certificates), one drawback to this model is that the root CA represents a single point of failure. In the hierarchical model, the root CA maintains the established "community of trust" by ensuring that each entity in the hierarchy conforms to a minimum set of practices. Adherence to the established policies may be tested through audits of the subordinate CAs and, in a number of cases, the RAs.

² See www.cabforum.org.
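Registration with proof of possession (paragraph .26), issuance of a subscriber certificate by a subordinate CA under a root (paragraph .34) and the relying party's check that the certificate chains to a trusted root (paragraph .23), as an added example in Go using the standard library's crypto/x509 package. This is illustrative code written for this page, not any CA's own software; the CA names, serial numbers, one-day validity, ECDSA P-256 keys and the TLS server-authentication extended key usage are assumptions of the example, and the rogue root stands in for an issuer the relying party has never chosen to trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair; every key in this block is constructed for the example.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue builds a certificate for cn and signs it with issuerKey. A nil parent yields a
// self-signed root; CA certificates get the certSign and cRLSign key usages.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, pub any, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Register models paragraph .26: the subscriber submits a PKCS#10 request signed with
// its private key, and the RA/CA verifies that signature without ever seeing the key.
func Register(subKey *ecdsa.PrivateKey, cn string) (*x509.CertificateRequest, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, subKey)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	// Proof of possession: the request's own signature must verify with the public key it carries.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("registration rejected: %w", err)
	}
	return csr, nil
}

// BuildHierarchy sets up a root CA, a subordinate CA under it, a subscriber certificate
// issued from a verified request, and a "rogue" self-signed CA that carries the root's
// name but a different key (an issuer nobody chose to trust).
func BuildHierarchy() (root, sub, leaf, rogue *x509.Certificate, err error) {
	rootKey, subKey, leafKey, rogueKey := newKey(), newKey(), newKey(), newKey()
	if root, err = issue(1, "Example Root CA", true, nil, &rootKey.PublicKey, rootKey); err != nil {
		return
	}
	if sub, err = issue(2, "Example Issuing CA", true, root, &subKey.PublicKey, rootKey); err != nil {
		return
	}
	csr, err := Register(leafKey, "subscriber.example")
	if err != nil {
		return
	}
	if leaf, err = issue(3, csr.Subject.CommonName, false, sub, csr.PublicKey, subKey); err != nil {
		return
	}
	rogue, err = issue(1, "Example Root CA", true, nil, &rogueKey.PublicKey, rogueKey)
	return
}

// VerifyChain is the relying party's check from paragraphs .23 and .34: the subscriber
// certificate must chain through the subordinate CA to a root the relying party trusts,
// each signature verified with the issuer's public key.
func VerifyChain(leaf, intermediate, trustedRoot *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

BuildHierarchy returns the root, the subordinate CA, the subscriber certificate and the rogue root; VerifyChain(leaf, sub, root) returns nil, while VerifyChain(leaf, sub, rogue) returns an unknown-authority error even though the rogue carries the real root's name, because the check rests on signatures, not on names. In a deployment the root key stays offline and the relying party's trusted roots are those preloaded in its browser or operating system, as paragraph .23 describes.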

.35 The following diagram illustrates the structure and relationships between CAs and subscribers operating in a hierarchical model.

.36 In an alternative model, cross-certified CAs are built on a "peer-to-peer" model. Rather than deploying a common root CA, the cross-certification model shares trust among CAs known to one another. Cross-certification is a process in which two CAs certify the trustworthiness of each other's certificates. If two CAs, CA1 and CA2, cross-certify, CA1 creates and digitally signs a certificate containing the public key of CA2 (and vice versa). Consequently, users in either CA domain are assured that each CA trusts the other and, therefore, subscribers in each domain can trust each other. Cross-certified CAs are not subject to the single point of failure in the hierarchical model. However, the network is only as strong as the weakest CA and requires continual policing. In the cross-certified model, to establish and maintain a community of trust, audits may be performed to ensure that each cross-certified CA conforms to a minimum set of practices as agreed upon by the members of the community of trust.

.37 The following diagram illustrates the structure and relationships between CAs and subscribers operating in a cross-certified (shared trust) model.

.38 In a hybrid model, both a hierarchical structure and cross-certification are employed. For example, two existing hierarchical communities of trust may want to cross-certify each other, such that members of each community can rely on the certificates issued by the other to conduct e-commerce.

What Is the Impact of Subordinate CAs?

.39 Depending on report users' needs, subordinate CAs may or may not be included in the scope of examination. It is important that the system description and assertion clearly articulate the hierarchy that is in scope.

What Are Some of the Business Issues Associated With CAs?

.40 Unless they are subject to governmental licensing and regulation, CAs may use different standards or procedures to verify the identity of persons to whom they issue certificates. Thus, a digital signature is only as reliable as the CA is trustworthy in performing its functions. Consequently, a relying party needs some way to gauge how much reliance it should place on a digital signature supported by a certificate issued by a particular CA.
.41 CA topology (for example, a hierarchical, cross-certified, or hybrid model) is a developing issue. Which model is most appropriate depends on the particular business circumstances. Although it is important that public keys be certified, the issuance of nonstandard certificates can be a concern. For example, if the broadly recognized International Telecommunication Union-Telecommunication Standardization Sector's X.509 data format standard³ is not used, subscribers and relying parties may be unable to process such certificates. Implementing the cross-certified CA model (discussed previously) would also be very difficult. For these reasons, major entities, such as the U.S. and Canadian governments, are using, or plan to use, X.509 certificates for their internal and external activities.

³ International Telecommunication Union-Telecommunication Standardization Sector Recommendation X.509 (1997) was also standardized by the International Organization for Standardization (ISO) as ISO/IEC 9594-8.

Principles and Criteria for Certification Authorities

.42 In order to be understandable to the ultimate users (the subscriber and the relying party), the principles set out in the following sections have been developed with the relying party in mind and, as a result, are intended to be practical and nontechnical in nature.

CA Principles

CA Business Practices Disclosure

.43 The certification authority (CA)
• discloses its business, key life cycle management, certificate life cycle management, and CA environmental control practices in its certification practice statement and
• discloses its business, key life cycle management, certificate life cycle management, and CA environmental control policies in its certificate policy (if applicable).

.44 The CA maintains effective controls to provide reasonable assurance that
• the CA's certification practice statement is consistent with its certificate policy (if applicable), and
• the CA provides its services in accordance with its certificate policy (if applicable) and certification practice statement (CPS).

.45 The CA must disclose its key and certificate life cycle management business and information privacy practices. Information regarding the CA's business practices should be made available to all subscribers and all potential relying parties, typically by posting on its website. Such disclosure may be contained in a certificate policy (CP) or CPS, or both, or in other informative materials that are available to users (subscribers and relying parties).
Service Integrity
.46 The certification authority (CA) maintains effective controls to provide
reasonable assurance that
• the integrity of keys and certificates it manages is established and
protected throughout their life cycles;
• the subscriber information is properly authenticated (for the
registration activities performed by ABC Certification Authority, Inc.);
and
• subordinate CA certificate requests are accurate, authenticated,
and approved.
.47 Effective key management controls and practices are essential to the
trustworthiness of the public key infrastructure. Cryptographic key management
controls and practices cover CA key generation, CA key storage, backup
and recovery, CA public key distribution (especially when done in the form
of self-signed root certificates), CA key escrow (if applicable), CA key usage,
CA key destruction, CA key archival, the management of CA cryptographic
hardware through its life cycle, and CA-provided subscriber key management
services (if applicable).
Strong key life cycle management controls are vital to guard against key
compromise, which can damage the integrity of the public key infrastructure.
.48 The user certificate life cycle is at the core of the services provided by
the CA. The CA establishes its standards and practices by which it will deliver
services in its published certification practice statement and certificate policy.
The user certificate life cycle includes the following:
• Registration (that is, the identification and authentication process
related to binding the individual subscriber to the certificate)
• The renewal of certificates (if applicable)
• The rekey of certificates
• The revocation of certificates
• The suspension of certificates (if applicable)
• The timely publication of certificate status information (through
certificate revocation lists or some form of online certificate status
protocol)
• The management of integrated circuit cards (ICCs) holding private
keys through their life cycle (if applicable)
.49 Effective controls over the registration process are essential because
poor identification and authentication controls jeopardize the ability of
subscribers and relying parties to rely on the certificates issued by the CA.
Effective revocation procedures and timely publication of certificate status
information are also critical elements, because subscribers and relying parties
must be able to learn promptly when they can no longer rely on certificates
that have been issued by the CA.

CA Environmental Controls
.50 The certification authority (CA) maintains effective controls to provide
reasonable assurance that
• logical and physical access to CA systems and data is restricted
to authorized individuals;
• the continuity of key and certificate management operations is
maintained; and
• CA systems development, maintenance, and operations are properly
authorized and performed to maintain CA systems integrity.
.51 The establishment and maintenance of a trustworthy CA environment
is essential to the reliability of the CA's business processes. Without strong CA
environmental controls, strong key and certificate life cycle management
controls are severely diminished in value. CA environmental controls include
certification practice statement and certificate policy management, security
policy management, security management, asset classification and management,
personnel security, physical and environmental security of the CA facility,
operations management, system access management, systems development and
maintenance, business continuity management, monitoring and compliance,
and event journaling.
.52 The original CA Business Practices Disclosure criteria in version 1.0
were derived primarily from the IETF's Internet X.509 Public Key
Infrastructure Certificate Policy and Certification Practices Framework,
Request For Comments Draft (RFC 2527), which has been incorporated into
Annex A of the draft ANSI X9.79 standard. Trust Services Principles and
Criteria for Certification Authorities Version 2.0 currently allows the CA to
use RFC 2527, version 1.0 of the WebTrust Program for Certification
Authorities Criteria, or RFC 3647 that was issued in November 2003.4 For
specific key and certificate life cycle management and CA environmental
illustrative controls, in which the CA's implemented controls may vary
depending on the CA's business practices, such illustrative controls refer to
specifically required CA business practices disclosures included in principle 1
of the CA Business Practices Disclosure.

Intended Use of the Trust Services Principles and Criteria


.53 The Trust Services Principles and Criteria for Certification
Authorities can be used as a control framework to assess the adequacy of the
CA's systems, policies, and procedures. It provides a basis for self-assessment
when either developing or maintaining strong PKI systems.
.54 Assessors and auditors can use the framework as a benchmark for
performing an internal or independent assessment, as an internal auditor
or an independent external auditor, as supported by the CA/Browser Forum.
For licensed WebTrust auditors, additional support is provided online at
www.webtrust.org.

Trust Service Principles and Criteria for Certification Authorities


1. CA Business Practices Disclosure
.55 The certification authority (CA)
• discloses its business, key life cycle management, certificate life
cycle management, and CA environmental control practices in its
certification practice statement;
• discloses its business, key life cycle management, certificate life
cycle management, and CA environmental control policies in its
certificate policy (if applicable); and
• provides services in accordance with its disclosed practices.

1.1 Certification Practice Statement

Criteria:
The certification authority (CA) discloses its business practices, including,
but not limited to, the topics listed in RFC 3647, RFC 2527, or WebTrust
Program for Certification Authorities v1 CA Business Practices Disclosure
Criteria (see appendix A) in its certification practice statement.

4 In the event that a replacement for Request for Comments 3647 is issued at a
future date, that version could also be used.

1.2 Certificate Policy (if applicable)

Criteria:
The certification authority discloses its business practices, including, but
not limited to, the topics listed in RFC 3647, RFC 2527, or WebTrust
Program for Certification Authorities v1 (see appendix A) in its certificate
policy.

2. CA Business Practices Management


.56 The certification authority (CA) maintains effective controls to provide
reasonable assurance that
• the CA's certification practice statement is consistent with its
certificate policy (if applicable), and
• the CA provides its services in accordance with its certificate policy
(if applicable) and certification practice statement.

2.1 Certificate Policy Management (if applicable)

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that its certificate policy management process is effective.

Illustrative Controls:
Certificate Policy Management
1 The policy authority (PA) has the responsibility of defining the
business requirements and policies for using digital certificates and
specifying them in a certificate policy (CP) and supporting
agreements.
2 The PA has final authority and responsibility for specifying and
approving CP(s).
3 CP(s) are approved by the PA in accordance with a defined review
process, including responsibilities for maintaining and tracking
changes to the CP(s).
4 A defined review process exists to assess that the CP(s) are capable
of support by the controls specified in the certification practice
statement.
5 The PA makes available the CPs supported by the CA to subscribers
and relying parties.

2.2 Certification Practice Statement Management

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that its certification practice statement management processes
are effective.


Illustrative Controls:
Certification Practice Statement Management
1 The policy authority (PA) has final authority and responsibility for
approving the CA's certification practice statement (CPS).
2 Responsibilities for maintaining the CPS have been formally
assigned.
3 The CA's CPS is modified and approved in accordance with a defined
review process.
4 The CA makes available its CPS to all appropriate parties.
5 Revisions to the CA's CPS are made available to appropriate parties.
6 The CA updates its CPS to reflect changes in the environment as
they occur.

2.3 CP and CPS Consistency (if applicable)

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that its certification practice statement (CPS) addresses the
topics included in its certificate policy (CP).

Illustrative Controls:
CP and CPS Consistency
1 The policy authority (PA) is responsible for ensuring that the CA's
control processes, as stated in a CPS or equivalent, fully comply
with the requirements of the CP.
2 The CA addresses the requirements of the CP when developing its
CPS.
3 The CA assesses the impact of proposed CPS changes to ensure that
they are consistent with the CP.
4 A defined review process exists to ensure that CP(s) are supported
by the CA's CPS.

3. CA Environmental Controls

.57 The certification authority (CA) maintains effective controls to provide
reasonable assurance that
• logical and physical access to CA systems and data is restricted
to authorized individuals;
• the continuity of key and certificate management operations is
maintained; and
• CA systems development, maintenance, and operations are properly
authorized and performed to maintain CA systems integrity.


3.1 Security Management

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
• security is planned, managed, and supported within the organization;
• security risks are identified and managed;
• the security of CA facilities, systems, and information assets accessed by
third parties is maintained; and
• the security of subscriber and relying party information is maintained
when the responsibility for CA subfunctions has been outsourced to
another organization or entity.

Illustrative Controls:
Information Security Policy
1 An information security policy document (that includes physical,
personnel, procedural, and technical controls), is approved by
management, published, and communicated to all employees.
2 The information security policy includes the following:
a. A definition of information security, its overall objectives and
scope, and the importance of security as an enabling mechanism
for information sharing
b. A statement of management intent, supporting the goals and
principles of information security
c. An explanation of the security policies, principles, standards, and
compliance requirements of particular importance to the
organization
d. A definition of general and specific responsibilities for
information security management, including reporting security
incidents
e. References to documentation, which supports the policy
3 A defined review process exists for maintaining the information
security policy, including responsibilities and review dates.
Information Security Infrastructure
4 Senior management or a high-level management information
security committee, or both, have the responsibility to ensure there
is clear direction and management support to manage risks
effectively.
5 A management group or security committee exists to coordinate the
implementation of information security controls and the
management of risk.
6 Responsibilities for the protection of individual assets and for
carrying out specific security processes are clearly defined.

7 A management authorization process for new information
processing facilities exists and is followed.
Security of Third Party Access
8 Procedures exist and are enforced to control physical and logical
access to CA facilities and systems by third parties (for example,
on-site contractors, trading partners, and joint ventures).
9 If a business need exists for the CA to allow third party access to CA
facilities and systems, a risk assessment is performed to determine
security implications and specific control requirements.
10 Arrangements involving third party access to CA facilities and
systems are based on a formal contract containing necessary
security requirements.
Outsourcing
11 If the CA outsources the management and control of all or some of
its information systems, networks, or desktop environments, the
CA's security requirements are addressed in a contract agreed upon
between the parties.
12 If the CA chooses to delegate a portion of the CA roles and respective
functions to another party, the CA maintains responsibility for the
completion of the outsourced functions and the definition and
maintenance of a statement of its certification practice statement.

3.2 Asset Classification and Management

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA assets and subscriber and relying party information
receive an appropriate level of protection based upon identified risks and in
accordance with the CA's disclosed business practices.

Illustrative Controls:
1 Owners are identified for all CA assets and assigned responsibility
for the protection of the assets.
2 Inventories of CA assets are maintained.
3 The CA has implemented information classification and associated
protective controls for information based on business needs and the
business impacts associated with such needs.
4 Information labeling and handling are performed in accordance
with the CA's information classification scheme and documented
procedures.


3.3 Personnel Security

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that personnel and employment practices enhance and support
the trustworthiness of the CA's operations.

Illustrative Controls:
1 The CA employs personnel (that is, employees and contractors) who
possess the relevant skills, knowledge, and experience required for
the job function.
2 Security roles and responsibilities, as specified in the organization's
security policy, are documented in job descriptions.
3 Trusted roles, on which the security of the CA's operation is
dependent, are clearly identified. Trusted roles include, at a
minimum, the following responsibilities:
a. Overall responsibility for administering the implementation of
the CA's security practices
b. Approval of the generation, revocation, and suspension of
certificates
c. Installation, configuration, and maintenance of the CA systems
d. Day-to-day operation of CA systems and system backup and
recovery
e. Viewing and maintenance of CA system archives and audit logs
f. Cryptographic key life cycle management functions (for example,
key component custodians)
g. CA systems development
4 The CA's policies and procedures specify the background checks and
clearance procedures required for trusted roles and nontrusted
roles. As a minimum, verification checks on permanent staff are
performed at the time of job application and periodically for those
individuals undertaking trusted roles.
5 An individual's trusted status is approved prior to gaining access to
systems and facilities or performing actions requiring trusted status.
6 CA employees and trusted roles sign a confidentiality
(nondisclosure) agreement as a condition of employment.
7 Contractors who perform trusted roles are subject to at least the
same background check and personnel management procedures as
employees.
8 Any contract arrangement between contractors and CAs allows
for the provision of temporary contract personnel that explicitly
allows the organization to take measures against contract staff who
violate the organization's security policies. Protective measures may
include

a. bonding requirements on contract personnel;
b. indemnification for damages due to contract personnel willful,
harmful actions; and
c. financial penalties.
9 Periodic reviews occur to verify the continued trustworthiness of
personnel involved in the activities related to key management and
certificate management.
10 A formal disciplinary process exists and is followed for employees
who have violated organizational security policies and procedures.
The CA's policies and procedures specify the sanctions against
personnel for unauthorized actions, unauthorized use of authority,
and unauthorized use of systems.
11 Physical and logical access to CA facilities and systems is disabled
upon termination of employment.
12 If required based on a risk assessment, duress alarms are provided
for users who might be the target of coercion.
13 All employees of the organization and, when relevant, third party
contractors, receive appropriate training in organizational policies
and procedures. The CA's policies and procedures specify the
following:
a. The training requirements and training procedures for each role
b. Any retraining period and retraining procedures for each role

3.4 Physical and Environmental Security

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
• physical access to CA facilities and equipment is limited to authorized
individuals, protected through restricted security perimeters, and is
operated under multiple person (at least dual custody) control;
• CA facilities and equipment are protected from environmental hazards;
• loss, damage, or compromise of assets and interruption to business
activities are prevented; and
• compromise of information and information processing facilities is
prevented.


Illustrative Controls:
CA Facility Physical Security
1 Entry to the building or site containing the CA's certificate
manufacturing facility is achieved only through a limited number of
controlled access points.
2 All critical CA operations take place within a physically secure
facility with at least four layers of security to access sensitive
hardware or software. Such systems are physically separated from
the organization's other systems so that only authorized employees
of the CA can access them.
3 A manned reception area or other means to control physical access
is in place to restrict access to the building or site housing CA
operations to authorized personnel only.
4 Physical barriers are in place (for example, solid walls that extend
from real floor to real ceiling) to prevent unauthorized entry and
environmental contamination to the CA's certificate manufacturing
facility.
5 Physical barriers are in place (for example, Faraday cage) to prevent
electromagnetic radiation emissions for all root CA operations (for
example, key generation and certification of CA certificates) as
disclosed in certificate policy or certification practice statement, or
both.
6 Fire doors on security perimeters around CA operational facilities
are alarmed and conform to local fire regulations.
7 Intruder detection systems are installed and regularly tested to
cover all external doors of the building housing the CA operational
facilities.
8 CA operational facilities are physically locked and alarmed when
unoccupied.
9 All personnel are required to wear visible identification. Employees
are encouraged to challenge anyone not wearing visible
identification.
10 Access to CA operational facilities is controlled and restricted to
authorized persons through the use of multifactor authentication
controls.
11 All personnel entering and leaving CA operational facilities are
logged (that is, an audit trail of all access is securely maintained).
12 Entry, exit, and activities within CA facilities are monitored by
cameras.
13 Visitors to CA facilities are supervised and their date and time of
entry and departure recorded.
14 Third party support services personnel are granted restricted access
to secure CA operational facilities only when required, and such
access is authorized and accompanied.

15 Access rights to CA facilities are regularly reviewed and updated.
Equipment Security
16 The CA maintains an equipment inventory.
17 Equipment is sited or protected to reduce the risks from
environmental threats and hazards and opportunities for
unauthorized access.
18 Equipment is protected from power failures and other electrical
anomalies.
19 Power and telecommunications cabling within the facility housing the
CA operation, whether carrying data or supporting CA services, is
protected from interception or damage.
20 Equipment is maintained in accordance with the manufacturer's
instructions or other documented procedures, or both.
21 All items of equipment containing storage media (fixed and
removable disks) are checked to ensure that they do not contain
sensitive data prior to their disposal. Storage media containing
sensitive data are physically destroyed or securely overwritten prior
to disposal or reuse.
General Controls
22 Sensitive or critical business information is locked away when not
required and when the CA facility is vacated.
23 Procedures require that personal computers and workstations are
logged off or protected by key locks, passwords, or other controls
when not in use.
24 The movement of materials to and from the CA facility requires
prior authorization.

3.5 Operations Management

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
• the correct and secure operation of CA information processing facilities is
ensured;
• the risk of CA systems failure is minimized;
• the integrity of CA systems and information is protected against viruses
and malicious software;
• damage from security incidents and malfunctions is minimized through
the use of incident reporting and response procedures; and
• media are securely handled to protect them from damage, theft, and
unauthorized access.


Illustrative Controls:
Operational Procedures and Responsibilities
1 CA operating procedures are documented and maintained for each
functional area.
2 Formal management responsibilities and procedures exist to control all
changes to CA equipment, software, and operating procedures.
3 Duties and areas of responsibility are segregated in order to reduce
opportunities for unauthorized modification or misuse of information or
services.
4 Development and testing facilities are separated from operational
facilities.
5 Prior to using external facilities management services, risks and related
controls are identified, agreed upon with the contractor, and
incorporated into the contract.
System Planning and Acceptance
6 Capacity demands are monitored and projections of future capacity
requirements made to ensure that adequate processing power and
storage are available.
7 Acceptance criteria for new information systems, upgrades, and new
versions are established and suitable tests of the system carried out
prior to acceptance.
Protection Against Viruses and Malicious Software
8 Detection and prevention controls to protect against viruses and
malicious software are implemented. Employee awareness programs are
in place.
Incident Reporting and Response
9 A formal security incident reporting procedure exists, setting out the
actions to be taken upon receipt of an incident report. This includes a
definition and documentation of assigned responsibilities and escalation
procedures. Any incidents are reported to the policy authority as a
matter of urgency.
10 Users of CA systems are required to note and report observed or
suspected security weaknesses in, or threats to, systems or services as
they are detected.
11 Procedures exist and are followed for reporting hardware and software
malfunctions.
12 Procedures exist and are followed to assess that corrective action is
taken for reported incidents.
13 A formal problem management process exists that allows the types,
volumes, and impacts of incidents and malfunctions to be documented,
quantified, and monitored.
Media Handling and Security
14 Procedures for the management of removable computer media require
the following:
a. If no longer required, the previous contents of any reusable media
that are to be removed from the organization are erased or media is
destroyed.

b. Authorization is required for all media removed from the
organization, and a record of all such removals to maintain an audit
trail is kept.
c. All media are stored in a safe, secure environment, in accordance
with manufacturers' specifications.
15 Equipment containing storage media (that is, fixed hard disks) is
checked to determine whether it contains any sensitive data prior to
disposal or reuse. Storage devices containing sensitive information are
physically destroyed or securely overwritten prior to disposal or reuse.
16 Procedures for the handling and storage of information exist and are
followed in order to protect such information from unauthorized
disclosure or misuse.
17 System documentation is protected from unauthorized access.

3.6 System Access Management

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA system access is limited to authorized individuals. Such
controls provide reasonable assurance that
• operating system and database access is limited to authorized
individuals with predetermined task privileges;
• access to network segments housing CA systems is limited to authorized
individuals, applications, and services; and
• CA application use is limited to authorized individuals.

Illustrative Controls:
User Access Management
1 Business requirements for access control are defined and
documented in an access control policy that includes at least the
following:
a. Roles and corresponding access permissions
b. Identification and authentication process for each user
c. Segregation of duties
d. Number of persons required to perform specific CA operations
(that is, m of n rule, where m represents the number of key
shareholders required to perform an operation, and n represents
the total number of key shares)
2 A formal user registration and deregistration procedure for access to
CA information systems and services exists.
3 The allocation and use of privileges is restricted and controlled.

4 The allocation of passwords is controlled through a formal
management process.
5 Access rights for users with trusted roles are reviewed at regular
intervals and updated.
6 Users are required to follow defined policies and procedures in the
selection and use of passwords.
7 Users are required to ensure that unattended equipment has
appropriate protection.
Network Access Control
8 CA employed personnel are provided direct access only to the
services that they have been specifically authorized to use. The path
from the user terminal to computer services is controlled.
9 Remote access to CA systems made by CA employees or external
systems, if permitted, requires authentication.
10 Connections made by CA employees or CA systems to remote
computer systems are authenticated.
11 Access to diagnostic ports is securely controlled.
12 Controls (for example, firewalls) are in place to protect the CA's
internal network domain from any unauthorized access from any
other domain.
13 Controls are in place to limit the network services (for example,
HTTP, FTP, and so forth) available to authorized users in
accordance with the CA's access control policies. The security
attributes of all network services used by the CA organization are
documented by the CA.
14 Routing controls are in place to ensure that computer connections
and information flows do not breach the CA's access control policy.
15 The CA maintains local network components (for example, firewalls
and routers) in a physically secure environment and audits their
configurations periodically for compliance with the CA's
configuration requirements.
16 Sensitive data is encrypted when exchanged over public or
untrusted networks.
Operating System and Database Access Control
17 Operating systems and databases are configured in accordance with
the CA's system configuration standards and periodically reviewed
and updated.
18 Operating system and database patches and updates are applied in
a timely manner when deemed necessary based on a risk
assessment.

19 Automatic terminal identification is used to authenticate
connections to specific locations and to portable equipment.
20 Access to CA systems requires a secure logon process.
21 All CA personnel users have a unique identifier (user ID) for their
personal and sole use so that activities can be traced to the
responsible individual. When shared or group accounts are required,
other monitoring controls are implemented to maintain individual
accountability.
22 Uses of system utility programs are restricted to authorized
personnel and tightly controlled.
23 Inactive terminals serving CA systems require reauthentication
prior to use.
24 Restrictions on connection times are used to provide additional
security for high risk applications.
25 Sensitive data is protected against disclosure to unauthorized users.
Application Access Control
26 Access to information and application system functions is restricted
in accordance with the CA's access control policy.
27 CA personnel are successfully identified and authenticated before
using critical applications related to certificate management.
28 Sensitive systems (for example, root CA) require a dedicated
(isolated) computing environment.
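
The "m of n rule" in control 1(d) above (m key shareholders, out of n total shares, must be present before an operation can be performed) is what a threshold secret sharing scheme implements. The following is an added illustration and is not part of the AICPA criteria nor any CA vendor's code: Shamir's secret sharing over a prime field, written in Python with constructed sample values. The function names, the field prime, and the 3-of-5 split are assumptions of this example. In a production CA the shares would live on hardware tokens held by separate custodians and the reconstruction would take place inside the cryptographic module, not in application memory.

```python
"""Added example (not part of the AICPA text or any CA product): an m-of-n
threshold scheme, Shamir's secret sharing over a prime field, illustrating
the "m of n rule" named in the CA access control policy. A CA secret (for
example, root key activation data) is split into n shares held by separate
custodians; any m of them reconstruct it and fewer reveal nothing about it.
All values below are constructed sample data."""
import secrets

# Field modulus: the 256-bit prime 2**256 - 189 (an assumption of this
# example; any prime larger than the secret would do).
PRIME = 2**256 - 189


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, m, n, rng=secrets.randbelow):
    """Split `secret` into n shares, any m of which reconstruct it.

    A random polynomial of degree m-1 with the secret as constant term is
    sampled; share i is the point (i, f(i)). `rng(PRIME)` must return a
    uniformly random field element (it is a parameter only so that tests
    can be made deterministic).
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [rng(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 to recover the constant term.

    Callers must present at least m distinct shares. With fewer than m the
    interpolation still returns a value, but one unrelated to the secret,
    which is the property that makes the m-of-n rule safe.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Basis polynomial value l_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo(m=3, n=5):
    """Split a constructed random secret; report whether m shares recover it
    and whether m-1 shares do (they should not)."""
    secret = secrets.randbelow(PRIME)          # constructed sample secret
    shares = split_secret(secret, m, n)
    ok_with_m = recover_secret(shares[:m]) == secret
    ok_with_fewer = recover_secret(shares[:m - 1]) == secret
    return ok_with_m, ok_with_fewer


if __name__ == "__main__":
    with_m, with_fewer = demo()
    print("3 of 5 shares recover the secret:", with_m)
    print("2 of 5 shares recover the secret:", with_fewer)
```

Running the block prints `True` for the 3-share case and `False` for the 2-share case. The access-control point is the second line: a custodian holding fewer than m shares, even together with a stolen backup of another custodian's share, cannot perform the operation, so the policy's "number of persons required" is enforced by the mathematics rather than by procedure alone.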

3.7 Systems Development and Maintenance

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA systems development and maintenance activities are
documented, tested, authorized, and properly implemented to maintain CA
system integrity.

Illustrative Controls:
1 Business requirements for new systems or enhancements to existing
systems specify the control requirements.
2 Software testing and change control procedures exist and are
followed for the implementation of software on operational systems,
including scheduled software releases, modifications, and
emergency software fixes.

3 Change control procedures exist and are followed for the hardware,
network component, and system configuration changes.
4 Test data is protected and controlled.
5 Control is maintained over access to program source libraries.
6 Application systems are reviewed and tested when operating system
changes occur.
7 The implementation of changes is strictly controlled by the use of
formal change control procedures to minimize the risk of corruption
of information systems.
8 Modifications to software packages are discouraged, and all changes
are strictly controlled.
9 The purchase, use, and modification of software are controlled and
checked to protect against possible covert channels and Trojan code.
This includes the authentication of the source of the software. These
controls apply equally to outsourced software development.

3.8 Business Continuity Management

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance of continuity of operations in the event of a disaster. Such
controls include, at a minimum
the development and testing of a CA business continuity plan that
includes a disaster recovery process for critical components of the CA
system;
the storage of required cryptographic materials (that is, secure
cryptographic device and activation materials) at an alternate location;
the storage of backups of systems, data, and configuration information at
an alternate location; and
the availability of an alternate site, equipment, and connectivity to
enable recovery.
The CA maintains controls to provide reasonable assurance that potential
disruptions to subscribers and relying parties are minimized as a result of
the cessation or degradation of the CA's services.

Illustrative Controls:
1 The CA has a managed process for developing and maintaining its
business continuity plans. The CA has a business continuity
planning strategy based on an appropriate risk assessment.

Trust Services Principles and Criteria for Certification Authorities Version 2.0 317

2 The CA has a business continuity plan to maintain or restore the
CA's operations in a timely manner following interruption to, or
failure of, critical CA processes. The CA's business continuity plan
addresses the following:
a. The conditions for activating the plans
b. Emergency procedures
c. Fallback procedures
d. Resumption procedures
e. A maintenance schedule for the plan
f. Awareness and education requirements
g. The responsibilities of the individuals
h. Recovery time objective
i. Regular testing of contingency plans
3 The CA's business continuity plans include disaster recovery
processes for all critical components of a CA system, including the
hardware, software, and keys, in the event of a failure of one or
more of these components. Specifically
a. cryptographic devices used for storage of backup CA private keys
are securely stored at an off-site location in order for the CA to
recover in the event of a disaster at the primary CA facility; and
b. the requisite secret key shares or key components needed to use
and manage the disaster recovery cryptographic devices are
securely stored at an off-site location.
4 Backup copies of essential business information are regularly taken.
The security requirements of these copies are consistent with the
controls for the information backed up.
5 The CA identifies and arranges for an alternate site where core
public key infrastructure operations can be restored in the event of a
disaster at the CA's primary site. Fallback equipment and backup
media are sited at a safe distance to avoid damage from disaster at
the main site.
6 The CA's business continuity plans include procedures for securing
its facility to the extent possible during the period of time following
a disaster and prior to restoring a secure environment either at the
original or a remote site.
7 The CA's business continuity plans address the recovery procedures
used if computing resources, software, or data are corrupted or
suspected to be corrupted.
8 Business continuity plans are tested regularly to ensure that they
are up to date and effective.

9 Business continuity plans define an acceptable system outage time,
recovery time, and the average time between failures as disclosed in
the certificate policy (CP) or certification practice statement (CPS),
or both.
10 Business continuity plans are maintained by regular reviews and
updates to ensure their continuing effectiveness.
11 The CA maintains procedures for the termination, notification of
affected entities, and for transferring relevant archived CA records
to a custodian as disclosed in the CP or CPS, or both.

3.9 Monitoring and Compliance

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
it conforms with the relevant legal, regulatory, and contractual
requirements;
compliance with the CA's security policies and procedures is ensured;
the effectiveness of the system audit process is maximized and
interference to and from the system audit process is minimized; and
unauthorized CA system usage is detected.

Illustrative Controls:
Compliance With Legal Requirements
1 Relevant statutory, regulatory, and contractual requirements are
explicitly defined and documented.
2 The CA has implemented procedures to comply with legal
restrictions on the use of material in respect of intellectual property
rights and on the use of proprietary software products.
3 Controls are in place to ensure compliance with national
agreements, laws, regulations, or other instruments to control the
access to, or use of, cryptographic hardware and software.
4 Procedures exist to ensure that personal information is protected in
accordance with relevant legislation.
5 The information security policy addresses the following:
a. The information that must be kept confidential by CA or
registration authority
b. The information that is not considered confidential
c. The policy on release of information to law enforcement officials

d. Information that can be revealed as part of civil discovery
e. The conditions upon which information may be disclosed with
the subscriber's consent
f. Any other circumstances under which confidential information
may be disclosed
6 CA records are protected from loss, unauthorized destruction, and
falsification.
7 Management authorizes the use of information processing facilities,
and controls are applied to prevent the misuse of such facilities.
Review of Security Policy and Technical Compliance
8 Managers are responsible for ensuring that security procedures
within their area of responsibility are carried out correctly.
9 The CA's operations are subject to regular review to ensure timely
compliance with its certification practice statement.
10 CA systems are periodically checked for compliance with security
implementation standards.
System Audit Process
11 Audits of operational systems are planned and agreed to minimize
the risk of disruptions to business processes.
12 Access to system audit tools is protected to prevent possible misuse
or compromise.
Monitoring System Access and Use
13 Procedures for monitoring the use of CA systems are established,
which include the timely identification and follow up of
unauthorized or suspicious activity. Alerting mechanisms are
implemented to detect unauthorized access.

3.10 Audit Logging

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
significant CA environmental, key management, and certificate
management events are accurately and appropriately logged;
the confidentiality and integrity of current and archived audit logs are
maintained;
audit logs are completely and confidentially archived in accordance with
disclosed business practices; and
audit logs are reviewed periodically by authorized personnel.

Illustrative Controls:
Audit Logs
1 The CA generates automatic (electronic) and manual audit logs in
accordance with the requirements of the certificate policy (CP) or
certification practice statement (CPS).
2 All journal entries include the following elements:
a. Date and time of the entry
b. Serial or sequence number of entry (for automatic journal
entries)
c. Kind of entry
d. Source of entry (for example, terminal, port, location, customer,
and so forth)
e. Identity of the entity making the journal entry
Events Logged
3 The CA logs the following CA and subscriber (if applicable) key life
cycle management related events:
a. CA key generation
b. Installation of manual cryptographic keys and its outcome (with
the identity of the operator)
c. CA key backup
d. CA key storage
e. CA key recovery
f. CA key escrow activities (if applicable)
g. CA key usage
h. CA key archival
i. Withdrawal of keying material from service
j. CA key destruction
k. Identity of the entity authorizing a key management operation
l. Identity of the entities handling any keying material (such as
key components or keys stored in portable devices or media)
m. Custody of keys and of devices or media holding keys
n. Compromise of a private key
4 The CA logs the following cryptographic device life cycle
management related events:
a. Device receipt and installation
b. Placing into or removing a device from storage
c. Device activation and usage
d. Device deinstallation
e. Designation of a device for service and repair
f. Device retirement

5 If the CA provides subscriber key management services, the CA logs the
following subscriber key life cycle management related events:
a. Key generation
b. Key distribution (if applicable)
c. Key backup (if applicable)
d. Key escrow (if applicable)
e. Key storage
f. Key recovery (if applicable)
g. Key archival (if applicable)
h. Key destruction
i. Identity of the entity authorizing a key management operation
j. Key compromise
6 The CA records (or requires that the registration authority [RA] record)
the following certificate application information:
a. The method of identification applied, and information used to meet,
subscriber requirements
b. Record of unique identification data, numbers, or a combination
thereof (for example, applicant's driver's license number) of
identification documents, if applicable
c. Storage location of copies of applications and identification
documents
d. Identity of entity accepting the application
e. Method used to validate identification documents, if any
f. Name of receiving CA or submitting RA, if applicable
g. The subscriber's acceptance of the subscriber agreement
h. When required under privacy legislation, the subscriber's consent to
allow the CA to keep records containing personal data, to pass this
information to specified third parties, and to publish certificates
7 The CA logs the following certificate life cycle management related
events:
a. Receipt of requests for certificate(s), including initial certificate
requests, renewal requests, and rekey requests
b. Submissions of public keys for certification
c. Change of affiliation of an entity
d. Generation of certificates
e. Distribution of the CA's public key
f. Certificate revocation requests
g. Certificate revocation
h. Certificate suspension requests (if applicable)
i. Certificate suspension and reactivation
j. Generation and issuance of certificate revocation lists

8 The CA logs the following security-sensitive events:
a. Security-sensitive files or records read or written, including the audit
log itself
b. Actions taken against security-sensitive data
c. Security profile changes
d. Use of identification and authentication mechanisms, both successful
and unsuccessful (including multiple failed authentication attempts)
e. System crashes, hardware failures, and other anomalies
f. Actions taken by individuals in trusted roles, computer operators,
system administrators, and system security officers
g. Change of affiliation of an entity
h. Decisions to bypass encryption and authentication processes or
procedures
i. Access to the CA system or any component thereof
9 Audit logs do not record the private keys in any form (for example,
plaintext or enciphered).
10 CA computer system clocks are synchronized for accurate recording as
defined in the CP or CPS, or both, that specifies the accepted time
source.
Audit Log Protection
11 Current and archived audit logs are maintained in a form that prevents
their modification, substitution, or unauthorized destruction.
12 Digital signatures are used to protect the integrity of audit logs, when
applicable, or are required to satisfy legal requirements.
13 The private key used for signing audit logs is not used for any other
purpose. This applies equally to a symmetric secret key used with a
symmetric message authentication code (MAC) mechanism.
Audit Log Archival
14 The CA archives audit log data on a periodic basis as disclosed in the CP
or CPS, or both.
15 In addition to possible regulatory stipulation, a risk assessment is
performed to determine the appropriate length of time for retention of
archived audit logs.
16 The CA maintains archived audit logs at a secure off-site location for a
predetermined period as determined by risk assessment and legal
requirements.
Review of Audit Logs
17 Current and archived audit logs are only retrieved by authorized
individuals for valid business or security reasons.
18 Audit logs are reviewed periodically according to the practices
established in the CPS. The review of current and archived audit logs
includes a validation of the audit logs' integrity and the timely
identification and follow-up of unauthorized or suspicious activity.
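The controls above describe what a journal entry must carry (control 2), how the log's integrity is protected with a MAC key used for nothing else (controls 11 and 13), that key material is never journaled (control 9), and what a periodic review looks for (controls 8d and 18). The following is an added example illustrating those points together; it is not AICPA text or any CA product's code, and the event kinds, source names, and sample entries are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

PRIVATE_KEY_MARKER = "PRIVATE KEY"  # control 9: never journal key material


class AuditJournal:
    """Append-only journal whose entries are chained with an HMAC tag."""

    def __init__(self, mac_key: bytes) -> None:
        # The MAC key is dedicated to the journal (control 13); it is not a
        # CA signing key and is used for nothing else.
        self._key = mac_key
        self.entries: List[Dict] = []
        self._prev_tag = "0" * 64  # anchor for the first entry

    def _tag(self, body: Dict, prev_tag: str) -> str:
        # Canonical JSON so writer and reviewer hash identical bytes; the
        # previous tag is folded in so deletion or reordering is detectable.
        canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (prev_tag + canon).encode(),
                        hashlib.sha256).hexdigest()

    def append(self, kind: str, source: str, identity: str, detail: str = "",
               when: Optional[datetime] = None) -> Dict:
        """Record one event carrying the five elements of control 2."""
        if PRIVATE_KEY_MARKER in detail:
            raise ValueError("refusing to journal private key material")
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        body = {
            "seq": len(self.entries) + 1,   # sequence number (2b)
            "time": stamp,                  # date and time (2a)
            "kind": kind,                   # kind of entry (2c)
            "source": source,               # terminal, port, location (2d)
            "identity": identity,           # entity making the entry (2e)
            "detail": detail,
        }
        entry = dict(body, tag=self._tag(body, self._prev_tag))
        self.entries.append(entry)
        self._prev_tag = entry["tag"]
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Integrity validation performed at review time (control 18).

        Returns (True, None) when every tag chains correctly, otherwise
        (False, seq) naming the first entry that fails."""
        prev = "0" * 64
        for expected, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body.get("seq") != expected:
                return False, expected
            if not hmac.compare_digest(self._tag(body, prev), entry["tag"]):
                return False, expected
            prev = entry["tag"]
        return True, None


def suspicious_logons(entries: List[Dict], threshold: int = 3) -> List[str]:
    """Identities with `threshold` or more consecutive failed logons (8d)."""
    streak: Dict[str, int] = {}
    flagged = set()
    for e in entries:
        who = e["identity"]
        if e["kind"] == "logon.failure":
            streak[who] = streak.get(who, 0) + 1
            if streak[who] >= threshold:
                flagged.add(who)
        elif e["kind"] == "logon.success":
            streak[who] = 0
    return sorted(flagged)


def build_sample_journal() -> AuditJournal:
    """Constructed sample: one ceremony entry, then repeated failed logons."""
    journal = AuditJournal(secrets.token_bytes(32))
    t0 = datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc)
    journal.append("key.generation", "hsm-rack-1", "ceremony-admin",
                   "root CA key generation ceremony completed", t0)
    for minute in range(1, 4):
        journal.append("logon.failure", "console-2", "operator-b",
                       "bad PIN", t0.replace(minute=minute))
    journal.append("logon.success", "console-1", "operator-a", "",
                   t0.replace(minute=5))
    return journal


if __name__ == "__main__":
    j = build_sample_journal()
    print("integrity:", j.verify())                   # (True, None)
    print("flagged:", suspicious_logons(j.entries))   # ['operator-b']
    j.entries[1]["kind"] = "logon.success"            # simulated tampering
    print("after tamper:", j.verify())                # (False, 2)
```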

4. CA Key Life Cycle Management Controls
.58 The certification authority (CA) maintains effective controls to provide
reasonable assurance that the integrity of the keys and certificates it manages
is established and protected throughout their life cycles.

4.1 CA Key Generation

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA key pairs are generated in accordance with the CA's
disclosed business practices and defined procedures specified within
detailed key generation ceremony scripts.
The CA's disclosed business practices include, but are not limited to, the
following:
a. Generation of CA keys is undertaken in a physically secured
environment (see section 3.4).
b. Generation of CA keys is performed by personnel in trusted roles (see
section 3.3) under the principles of multiple person control and split
knowledge.
c. Generation of CA keys occurs within cryptographic modules, meeting the
applicable technical and business requirements as disclosed in the CA's
certification practice statement (CPS).
d. Generation of CA keys is witnessed by an independent party or
videotaped, or both.
e. CA key generation activities are logged.
The CA key generation script includes the following:
a. Definition of roles and participant responsibilities
b. Approval for conduct of the key generation ceremony
c. Cryptographic hardware and activation materials required for the
ceremony
d. Specific steps performed during the key generation ceremony
e. Physical security requirements for the ceremony location
f. Procedures for secure storage of cryptographic hardware and activation
materials following the key generation ceremony
g. Sign-off from participants and witnesses indicating whether the key
generation ceremony was performed in accordance with the detailed key
generation ceremony script
h. Notation of any deviations from the key generation ceremony script

Illustrative Controls:
Generation of CA Keys Including Root CA Keys: General Requirements
1 Generation of CA keys occurs within a cryptographic module,
meeting the applicable requirements of ISO 15782-1/FIPS 140-2 (or
equivalent)/ANSI X9.66 and the business requirements in
accordance with the CPS. Such cryptographic devices perform key
generation using a random number generator or pseudo random
number generator.
2 The CA generates its own key pair in the same cryptographic device
in which it will be used, or the key pair is injected directly from the
device where it was generated into the device where it will be used.
3 CA key generation generates keys that
a. use a key generation algorithm as disclosed within the CA's CP
or CPS, or both.
b. have a key length that is appropriate for the algorithm and for
the validity period of the CA certificate as disclosed in the CA's
CP or CPS, or both. The public key length to be certified by a CA
is less than or equal to that of the CA's private signing key.
c. take into account requirements on parent and subordinate CA
key sizes and have a key size in accordance with the CA's CP or
CPS, or both.
4 CA key generation ceremonies are independently witnessed by
internal or external auditors.
Generation of CA Keys Including Root CA Keys: Script Requirements
5 The CA follows a CA key generation script for key generation
ceremonies that includes the following:
a. Definition and assignment of participant roles and
responsibilities
b. Management approval for conduct of the key generation
ceremony
c. Specific cryptographic hardware, software, and other materials,
including identifying information, for example, serial numbers
d. Specific steps performed during the key generation ceremony
i. Hardware preparation
ii. Operating system installation
iii. CA application installation and configuration
iv. CA key generation
v. CA key backup
vi. CA certificate signing
vii. CA system shutdown
viii. Preparation of materials for storage

e. Physical security requirements for the ceremony location (for
example, barriers, access controls, and logging controls)
f. Procedures for secure storage of cryptographic hardware and
activation materials following the key generation ceremony (for
example, detailing the allocation of materials between storage
locations)
g. Sign-off on the script or in a log from participants and witnesses,
indicating whether the key generation ceremony was performed
in accordance with the detailed key generation ceremony script
h. Notation of any deviations from the key generation ceremony
script (for example, documentation of steps taken to address any
technical issues)
6 The integrity of the hardware and software used for key generation,
and the interfaces to the hardware and software, is tested before
production usage.

4.2 CA Key Storage, Backup, and Recovery

Criteria:
The certification authority (CA) maintains controls to provide reasonable assurance
that CA private keys remain confidential and maintain their integrity. The CA's
private keys are backed up, stored, and recovered by authorized personnel in
trusted roles, using multiple person control in a physically secured environment.

Illustrative Controls:
1 The CA's private (signing and confidentiality) keys are stored and used
within a secure cryptographic device meeting the appropriate ISO 15408
protection profile or FIPS 140-2 level requirement based on a risk
assessment and the business requirements of the CA and in accordance
with the CA's certification practice statement and applicable certificate
policy(s).
2 If the CA's private keys are not exported from a secure, cryptographic
module, then the CA private key is generated, stored, and used within the
same cryptographic module.
3 If the CA's private keys are exported from a secure, cryptographic module
to secure storage for purposes of offline processing or backup and recovery,
then they are exported within a secure key management scheme that may
include any of the following:
a. As cipher-text, using a key which is appropriately secured
b. As encrypted key fragments, using multiple control and split knowledge
and ownership
c. In another secure cryptographic module, such as a key transportation
device, using multiple control
4 Backup copies of the CA's private keys are subject to the same, or greater,
level of security controls as keys currently in use. The recovery of the CA's
keys is carried out in as secure a manner as the backup process, using
multiperson control.

4.3 CA Public Key Distribution

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that the integrity and authenticity of the CA public keys, and
any associated parameters, are maintained during initial and subsequent
distribution.

Illustrative Controls:
1 For the root CA distribution process (that is, using a self-signed
certificate), an out-of-band notification mechanism is employed.
When a self-signed certificate is used for any CA, the CA provides a
mechanism to verify the authenticity of the self-signed certificate
(for example, publication of the certificate's fingerprint).
For subsequent or subordinate CA public keys, or both, validation is
completed by using a chaining method or similar process to link
back to the trusted root certificate.
2 The initial distribution mechanism for the CA's public key is
controlled and initially distributed within a certificate using one of
the following methods:
a. Machine readable media (for example, smart card, CD-ROM)
from an authenticated source
b. Embedding in an entity's cryptographic module
c. Other secure means that ensure authenticity and integrity
3 The CA's public key is changed (rekeyed) periodically according to
the requirements of the certification practice statement with
advance notice provided to avoid disruption of the CA services.
4 The subsequent distribution mechanism for the CA's public key is
controlled in accordance with the CA's disclosed business practices.
5 If an entity already has an authenticated copy of the CA's public
key, a new CA public key is distributed using one of the following
methods:
a. Direct electronic transmission from the CA
b. Placing into a remote cache or directory
c. Loading into a cryptographic module
d. Any of the methods used for initial distribution
6 The CA provides a mechanism for validating the authenticity and
integrity of the CA's public keys.

4.4 CA Key Usage

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that CA keys are used only for their intended functions in their
predetermined locations.

Illustrative Controls:
1 The activation of the CA private signing key is performed using
multiparty control (that is, m of n) with a minimum value of m (for
example, m greater than two for root CAs).
2 If necessary, based on a risk assessment, the activation of the CA
private key is performed using multifactor authentication (for
example, smart card and password, biometric and password, and so
forth).
3 CA signing key(s) used for generating certificates or issuing
revocation status information, or both, are not used for any other
purpose.
4 The CA ceases to use a key pair at the end of the key pair's defined
operational lifetime or when the compromise of the private key is
known or suspected.
5 An annual review is required by the policy authority on key lengths
to determine the appropriate key usage period with
recommendations acted upon.
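Control 1 above (m of n activation of the CA private signing key) and control 3b of section 4.2 (encrypted key fragments under multiple control and split knowledge) both rest on threshold secret sharing. The following is an added example, not AICPA text or any HSM vendor's code, showing Shamir's scheme over a prime field: the activation secret is a constructed 32-byte value, any m custodians' shares reconstruct it, and fewer than m yield a value unrelated to it. The quorum check in activation_material is an assumed operational step, not something the page prescribes.

```python
import secrets
from typing import List, Tuple

# Field for the arithmetic: a Mersenne prime, so any secret of up to 64 bytes
# (for example, a 32-byte key-encrypting key) fits as a single field element.
PRIME = 2 ** 521 - 1

Share = Tuple[int, int]  # (x, f(x)) handed to one custodian


def split_secret(secret: bytes, m: int, n: int) -> List[Share]:
    """Split `secret` into n shares such that any m reconstruct it (m of n)."""
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree m-1 whose constant term is the secret.
    # With only m-1 points every value of f(0) remains equally likely, which
    # is what makes this split knowledge rather than merely split custody.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def interpolate_at_zero(shares: List[Share]) -> int:
    """Lagrange interpolation of f(0) from the presented points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Division in the field via Fermat's little theorem.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def activation_material(shares: List[Share], m: int, secret_len: int) -> bytes:
    """Assumed quorum check before reassembly: fewer than m custodians
    present means no reconstruction is attempted at all."""
    if len(shares) < m:
        raise PermissionError(
            f"{len(shares)} of {m} required custodians present")
    return interpolate_at_zero(shares[:m]).to_bytes(secret_len, "big")


def demo() -> bool:
    # Constructed sample activation secret (not a real key): 32 bytes.
    secret = bytes(range(32))
    m, n = 3, 5
    shares = split_secret(secret, m, n)
    # Any three custodians suffice, in any order.
    ok = activation_material([shares[4], shares[0], shares[2]], m, 32) == secret
    # Two custodians recover a field element unrelated to the secret.
    short = interpolate_at_zero(shares[:2]) != int.from_bytes(secret, "big")
    return ok and short


if __name__ == "__main__":
    print("3-of-5 split behaves as expected:", demo())  # True
```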

4.5 CA Key Archival and Destruction

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
archived CA keys remain confidential and secured and are never put
back into production, and
CA keys are completely destroyed at the end of the key pair life cycle in
accordance with the CA's disclosed business practices.

Illustrative Controls:
CA Key Archival
1 Archived CA keys are subject to the same, or greater, level of
security controls as keys currently in use.
2 All archived CA keys are destroyed at the end of the archive period
using dual control in a physically secure site.
3 Archived keys are only accessed when historical evidence requires
validation. Control processes are required to ensure the integrity of
the CA systems and the key sets.
4 Archived keys are recovered for the shortest possible time period
technically permissible to meet business requirements.
5 Archived keys are periodically verified to ensure that they are
properly destroyed at the end of the archive period.

CA Key Destruction
6 The CA's private keys are not destroyed until the business purpose
or application has ceased to have value or legal obligations have
expired, as disclosed within the CA's certification practice statement
(CPS).
7 Authorization to destroy a CA private key and how the CA's private
key is destroyed (for example, token surrender, token destruction, or
key overwrite) are limited in accordance with the CA's CPS.
8 All copies and fragments of the CA's private key are destroyed at
the end of the key pair life cycle in a manner such that the private
key cannot be retrieved.
9 If a secure cryptographic device is accessible and known to be
permanently removed from service, all CA private keys stored
within the device that have ever been, or potentially could be, used
for any cryptographic purpose are destroyed.
10 If a CA cryptographic device is being permanently removed from
service, then any key contained within the device that has been
used for any cryptographic purpose is erased from the device.
11 If a CA cryptographic device case is intended to provide
tamper-evident characteristics and the device is being permanently
removed from service, then the case is destroyed.

4.6 CA Key Compromise

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that continuity of operations is maintained in the event of the
compromise of the CA's private keys, and any certificates signed with the
compromised keys are revoked and reissued.

Illustrative Controls:
1 The CA's business continuity plans address the compromise, or
suspected compromise, of a CA's private keys as a disaster.
2 Disaster recovery procedures include the revocation and reissuance
of all certificates that were signed with that CA's private key in the
event of the compromise, or suspected compromise, of a CA's private
signing key.
3 The recovery procedures used if the CA's private key is
compromised include the following actions:
a. How secure key usage in the environment is reestablished
b. How the CA's old public key is revoked

c. How affected parties are notified (for example, impacted CAs,
repositories, subscribers, and competitive video service providers)
d. How the CA's new public key is provided to the end entities and
relying parties, together with the mechanism for their
authentication
e. How the subscriber's public keys are recertified
4 In the event that the CA has to replace its root CA private key,
procedures are in place for the secure and authenticated revocation
of the following:
a. The old CA root public key
b. The set of all certificates (including any self-signed) issued by a
root CA, or any CA, based on the compromised private key
c. Any subordinate CA public keys and corresponding certificates
that require recertification.
5 The CA's business continuity plan for key compromise addresses
who is notified and what actions are taken with system software
and hardware, symmetric and asymmetric keys, previously
generated signatures, and encrypted data.

4.7 CA Cryptographic Hardware Life Cycle Management

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
devices used for private key storage and recovery, and the interfaces to
these devices, are tested before usage for integrity;
access to CA cryptographic hardware is limited to authorized personnel
in trusted roles, using multiple person control; and
CA cryptographic hardware is functioning correctly.

Illustrative Controls:
1 CA cryptographic hardware is sent from the manufacturer via
registered mail (or equivalent) using tamper-evident packaging.
Upon the receipt of CA cryptographic hardware from the
manufacturer, authorized CA personnel inspect the tamper-evident
packaging to determine whether the seal is intact.
2 Upon the receipt of CA cryptographic hardware from the
manufacturer, acceptance testing and verification of firmware
settings is performed. Upon the receipt of CA cryptographic
hardware that has been serviced or repaired, acceptance testing and
verification of firmware settings is performed.

3 To prevent tampering, CA cryptographic hardware is stored and
used in a secure site, with access limited to authorized personnel
having the following characteristics:
a. Inventory control processes and procedures to manage the
origination, arrival, condition, departure, and destination of each
device
b. Access control processes and procedures to limit physical access
to authorized personnel
c. Recording of all successful or failed access attempts to the CA
facility and device storage mechanism (for example, a safe) in
audit logs
d. Incident handling processes and procedures to handle abnormal
events, security breaches, and investigation and reports
e. Monitoring processes and procedures to verify the ongoing
effectiveness of the controls
4 When not attached to the CA system, the CA cryptographic
hardware is stored in a tamper-resistant container that is stored
securely under multiple controls (that is, a safe).
5 The handling of CA cryptographic hardware, including the following
tasks, is performed in the presence of no less than two trusted
employees:
a. Installation of CA cryptographic hardware
b. Removal of CA cryptographic hardware from production
c. Servicing or repair of CA cryptographic hardware (including
installation of new hardware, firmware, or software)
d. Disassembly and permanent removal from use
6 Devices used for private key storage and recovery, and the
interfaces to these devices, are tested before usage for integrity.
7 Correct processing of CA cryptographic hardware is verified on a
periodic basis.
8 Diagnostic support is provided during troubleshooting of CA
cryptographic hardware in the presence of no less than two trusted
employees.

4.8 CA Key Escrow (if applicable)

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that escrowed CA private signing keys remain confidential.

Illustrative Controls:
1 If a third party provides CA private key escrow services, a contract
exists that outlines the liabilities and remedies between the parties.
2 If CA private signing keys are held in escrow, escrowed copies of the
CA private signing keys have the same, or greater, level of security
controls as keys currently in use.

5. Subscriber Key Life Cycle Management Controls


.59 The certification authority (CA) maintains effective controls to provide
reasonable assurance that the integrity of the subscriber keys and certificates
it manages is established and protected throughout their life cycles.

5.1 CA-Provided Subscriber Key Generation Services (if supported)

Criteria:
If the certification authority (CA) provides subscriber key management
services, the CA maintains controls to provide reasonable assurance that
subscriber keys generated by the CA (or registration authority [RA] or
card bureau) are generated within a secure cryptographic device based on
a risk assessment and the business requirements of the CA in accordance
with the CA's disclosed business practices, and
subscriber keys generated by the CA (or RA or card bureau) are securely
distributed to the subscriber by the CA (or RA or card bureau) in
accordance with the CA's disclosed business practices.

Illustrative Controls:
CA- (or RA or Card Bureau) Provided Subscriber Key Generation
1 Subscriber key generation is performed within a secure
cryptographic device, meeting the applicable ISO 15782-1/FIPS
140-2/ANSI X9.66 requirements based on a risk assessment and the
business requirements of the CA and in accordance with the
applicable certificate policy (CP). Such cryptographic devices
perform subscriber key generation using a random number
generator or pseudo random number generator as specified in the
ANSI X9 or ISO standard ISO/IEC 18032.
2 Subscriber key generation performed by the CA (or RA or card
bureau) uses a key generation algorithm, as specified in the CP.
3 Subscriber key generation performed by the CA (or RA) uses a prime
number generator, as specified in an ANSI X9 or ISO standard.
4 Subscriber key generation performed by the CA (or RA or card
bureau) results in key sizes in accordance with the CP.

5 Subscriber key generation performed by the CA (or RA) is performed
by authorized personnel in accordance with the CA's certification
practice statement.
6 When subscriber key generation is performed by the CA (or RA or
card bureau), the CA (or RA or card bureau) securely (confidentially)
delivers the subscriber key pair(s) generated by the CA (or RA or
card bureau) to the subscriber in accordance with the CP.

5.2 CA-Provided Subscriber Key Storage and Recovery Services (if supported)

Criteria:
If the certification authority (CA) provides subscriber (confidentiality) key
storage, recovery, or escrow services, the CA maintains controls to provide
reasonable assurance that
subscriber private keys stored by the CA remain confidential and
maintain their integrity;
subscriber private keys archived and escrowed by the CA remain
confidential; and
subscriber private keys stored by the CA are completely destroyed at the
end of the key pair life cycle.

Illustrative Controls:
CA-Provided Subscriber Key Storage, Backup, and Recovery
1 Subscriber private keys stored by the CA (or registration authority
[RA]) are stored in encrypted form using a cryptographic algorithm
and key length based on a risk assessment and requirements of the
certificate policy (CP).
2 If the CA generates key pair(s) on behalf of a subscriber, the CA (or
RA) ensures that the subscriber's private keys are not disclosed to
any entity other than the owner (that is, the subscriber) of the keys.
3 If the CA (or RA) generates public and private signing key pair(s), it
does not maintain a copy of any private signing key once the
subscriber confirms receipt of that key.
4 If the CA (or RA) provides subscriber (confidentiality) key storage,
backup, and recovery, subscriber private (confidentiality) key
backup and recovery services are only performed by authorized
personnel.
5 If the CA (or RA) provides subscriber key storage, backup, and
recovery, controls exist to ensure that the integrity of the
subscriber's private (confidentiality) key is maintained throughout
its life cycle.

CA-Provided Subscriber Key Archival
6 Subscriber private (confidentiality) keys archived by the CA are
stored in encrypted form using a cryptographic algorithm and key
length based on a risk assessment and the requirements of the CP.
7 If the CA provides subscriber (confidentiality) key archival, all
archived subscriber keys are destroyed at the end of the archive
period.
CA-Provided Subscriber Key Destruction
8 If the CA provides subscriber (confidentiality) key storage,
authorization to destroy a subscriber's private key, and the means
to destroy the subscriber's private (confidentiality) key, (for
example, key overwrite) is limited in accordance with the CP.
9 If the CA provides subscriber (confidentiality) key storage, all copies
and fragments of the subscriber's private key are destroyed at the
end of the key pair life cycle.
CA-Provided Subscriber Key Escrow
10 Subscriber private (confidentiality) keys escrowed by the CA are
stored in encrypted form using a cryptographic algorithm and key
length based on a risk assessment and the requirements of the CP.

5.3 Integrated Circuit Card Life Cycle Management (if supported)

Criteria:
If the certification authority (CA) (or registration authority [RA]) distributes
subscriber key pairs and certificates using integrated circuit cards (ICCs),
the CA (or RA) maintains controls to provide reasonable assurance that
ICC procurement, preparation, and personalization are securely
controlled by the CA (or RA or card bureau);
ICC application data file (ADF) preparation is securely controlled by the
CA (or RA);
ICC usage is enabled by the CA (or RA or card bureau) prior to ICC
issuance;
ICC deactivation and reactivation are securely controlled by the CA (or
RA);
ICCs are securely stored and distributed by the CA (or RA or card
bureau);
ICCs are securely replaced by the CA (or RA or card bureau); and
ICCs returned to the CA (or RA or card bureau) are securely terminated.

Illustrative Controls:
ICC Procurement
1 If the CA or RA engages a card bureau, then a formal contract exists
between the relevant parties. Although card issuing functions may be
delegated to third parties, the CA retains responsibility and liability for
the ICCs.
2 ICCs are logically protected during transport between the card
manufacturer and the card issuer through the use of a secret transport
key or pass phrase.
3 ICCs issued to subscribers meet the appropriate ISO 15408 protection
profile, ISO card standard (for example, ISO 7810, 7811 parts 1-5, 7813,
7816, 10202) or Federal Information Processing Standards (FIPS) 140-2
level requirement based on a risk assessment and the requirements of
the certificate policy (CP).
4 The card bureau verifies the physical integrity of ICCs upon receipt
from the card manufacturer.
5 ICCs are securely stored and under inventory control while under the
control of the card issuer.
Card Preparation and Personalization
6 The CA (or RA), as the card issuer, controls ICC personalization (the
loading of common data file [CDF] data and its related cryptographic
keys).
7 Common data that identify the ICC, the card issuer, and the cardholder
are stored by the card issuer in the ICC CDF. CDF activation is
performed by the CA (or RA), as the card issuer, using a securely
controlled process.
8 ICC preparation processes and procedures, including the following, exist
and are followed:
a. Loading of the card operating system
b. Creation of logical data structures (card file system and card security
domains)
c. Loading of applications
d. Logically protecting the ICC to prevent unauthorized modification of
the card operating system, card file system, card security domains,
and applications
9 ICC personalization processes and procedures, including the following,
exist and are followed:
a. The loading of identifying information onto the card
b. Generation of subscriber key pair(s) in accordance with the CP
c. Loading subscriber private key(s) onto the ICC (if generated outside
the card) in encrypted form
d. Loading subscriber certificate(s) onto the ICC
e. Loading the CA and other certificates for the contractual
environment onto the ICC
f. Logically protecting the ICC from unauthorized access

10 The card bureau or CA (or RA) logs ICC preparation and personalization
in an audit log.
11 An ICC is not issued unless the card has been prepared and
personalized by the card bureau, the CA, or the RA.
12 An ICC is unusable unless in an activated or reactivated state.
ICC Storage and Distribution
13 ICCs are securely stored prior to distribution.
14 Processes and procedures exist and are followed for the distribution,
tracking, and accounting for the safe receipt of subscriber ICCs to
subscribers.
15 ICC initial activation data (initializing personal identification number
[PIN]) is securely communicated to the subscriber or, when applicable,
to the subscriber using an out-of-band method. The subscriber is
encouraged to change the initial activation data upon receipt to make
the card active.
16 ICC distribution is logged by the card bureau or CA (or RA) in an audit
log.
Subscriber ICC Usage
17 The subscriber is provided with a mechanism that protects the access to
the card data, including the private keys stored on the ICC during use
by the subscriber (that is, PIN access control mechanism cardholder
verification method).
18 The subscriber private keys on the ICC are not exported to an
application to undertake cryptographic (that is, signing) functions.
19 The subscriber is required to use a mutual authentication mechanism
for cryptographic application and card functions to ensure system
integrity.
20 The subscriber is required to use an application that displays the
message or the message's digest to the subscriber prior to signing
message (or transaction) data. The subscriber ICC application produces
audit logs of all uses of the ICC. This also includes all attempts in the
private key owner verification process.
21 The ICC is used by the subscriber or, when applicable, the subscriber in
accordance with the terms of the CP.
ICC Deactivation and Reactivation
22 ADF deactivation can be performed only by the CA, as the application
supplier.
23 CDF deactivation can be performed only by the CA, as the card issuer.
24 CDF reactivation is conducted under the control of the CA, as the card
issuer.
25 ADF reactivation is conducted under the control of the CA, as the
application supplier.

26 ADF deactivation, CDF deactivation, CDF reactivation, and ADF
reactivation are logged.
ICC Replacement
27 Processes and procedures exist and are followed for replacement of a
subscriber's lost or damaged ICC.
28 In the event of card loss or damage, subscriber certificates are renewed
or rekeyed in accordance with the CP (see clauses 6.2 and 6.3).
29 ICC replacement is logged by the card bureau or CA (or RA) in an audit
log.
ICC Termination
30 All ICCs returned to the card bureau or CA (or RA) are deactivated or
securely destroyed to prevent unauthorized use.
31 CDF termination is controlled by the CA, as the card issuer.
32 ICC termination is logged by the card bureau or CA (or RA) in an audit
log.

5.4 Requirements for Subscriber Key Management

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
requirements for protection of subscriber keys are communicated to
subscribers, and
any subscriber key management tools provided by the CA support the
requirements of the CA's business practices disclosure.

Illustrative Controls:
Subscriber Key Generation
1 The certificate policy (CP) specifies the appropriate ISO
15782-1/FIPS 140-2 level requirement for cryptographic modules
used for subscriber key generation.
2 The CP specifies the key generation algorithm(s) that is used for
subscriber key generation.
3 The CP specifies the acceptable key sizes for subscriber key
generation.
Subscriber Key Storage, Backup, and Recovery
4 The CA or registration authority (RA) provides, or makes available,
the mechanisms to allow the subscriber to access (that is, private
key owner verification method), manage, and control the usage of
their private keys.

5 The CP specifies the private key protection requirements for stored
subscriber private keys.
6 The CP states the circumstances and authority of when the
subscriber's private key will be restored and the control processes.
7 The CP specifies the private key protection requirements for backup
copies of subscriber private keys stored by the subscriber.
Subscriber Key Usage
8 Subscriber agreements describe the required processes to be
followed by the subscriber for any use of the cryptographic
mechanism (for example, hardware security module [HSM] or
integrated circuit card [ICC] and software application).
9 The CP specifies the acceptable uses for subscriber key pairs.
10 The CP specifies the requirements for subscriber key usage.
Subscriber Key Archival
11 The CP specifies the private key protection requirements for
archived subscriber private keys.
12 The CP specifies the requirements for destruction of archived
subscriber keys at the end of the archive period.
Subscriber Key Destruction
13 The CP specifies the means through which subscriber key
destruction is performed.
14 The CP or certification practice statement specifies the
requirements for destruction of all copies and fragments of the
subscriber's private key at the end of the key pair life cycle.
Subscriber Cryptographic Hardware Life Cycle Management
15 If required, the CP specifies the requirements for use and handling
of cryptographic hardware and subscriber authentication processes
(and subsequent actions) when the cryptographic hardware is in
other physical locations (that is, an HSM attached to a mainframe
or remote server).
Subscriber Key Compromise
16 The CP specifies the requirements for notification of the CA or RA in
the event of subscriber key compromise.

6. Certificate Life Cycle Management Controls


.60 The certification authority (CA) maintains effective controls to provide
reasonable assurance that subscriber information was properly authenticated
(for the registration activities performed by ABC Certification Authority, Inc.).

6.1 Subscriber Registration

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that
for authenticated certificates
subscribers are accurately identified in accordance with the CA's
disclosed business practices and
subscribers' certificate requests are accurate, authorized, and
complete.
for domain validated certificates
subscribers' domain names are accurately validated in accordance
with the CA's disclosed business practices and
subscribers' certificate requests are accurate and complete.

Illustrative Controls:
Identification and authentication
1 For authenticated certificates, the CA verifies or requires that the
registration authority (RA) verify the credentials presented by a
subscriber, as evidence of identity or authority, to perform a specific
role in accordance with the requirements of the certificate policy
(CP):
a. For individual end entity certificates, the CA or registration
authority (RA) verifies the identity of the person whose name is
to be included in the subscriber distinguished name field of the
certificate. An unauthenticated individual name is not included
in the subscriber distinguished name field.
b. For organizational certificates (including role based, server,
network resource, code signing, and so forth), the CA or RA
verifies the legal existence of the organization's name and the
authority of the requesting party to be included in the
organization attribute in the subscriber distinguished name field
of the certificate. An unauthenticated organization name is not
included in a certificate.
c. For organizational certificates containing a domain name of an
organization, the CA or RA verifies the organization's ownership,
control, or right to use the domain name and the authority of the
requesting party included in the common name attribute of the
subscriber distinguished name field of the certificate. An
unauthenticated domain name is not included in a certificate.
2 For domain-validated certificates, the CA validates or requires that
the RA validate (as determined by the CP) the organization's
ownership, control, or right to use the domain name.
3 The CA or RA verifies the accuracy of the information included in
the requesting entity's certificate request in accordance with the CP.

4 The CA or RA checks the certificate request for errors or omissions
in accordance with the CP.
5 For end entity certificates, the CA uses the RA's public key
contained in the requesting entity's certificate request to verify the
signature on the certificate request submission.
6 The CA verifies the uniqueness of the subscriber's distinguished
name within the boundaries or community defined by the CP.
7 Encryption and access controls are used to protect the confidentiality
and integrity of registration data in transit and in storage.
8 At the point of registration (before certificate issuance), the RA or
CA informs the subscriber of the terms and conditions regarding use
of the certificate.
9 Before certificate issuance, the CA informs the subscriber of the
terms and conditions regarding use of the certificate.
Certificate Request
10 The CA requires that an entity requesting a certificate must prepare
and submit the appropriate certificate request data (registration
request) to an RA (or the CA) as specified in the CP.
11 The CA requires that the requesting entity submit its public key in
a self-signed message to the CA for certification. The CA requires
that the requesting entity digitally sign the registration request
using the private key that relates to the public key contained in the
registration request in order to
a. allow the detection of errors in the certificate application process
and
b. prove possession of the companion private key for the public key
being registered.
12 The certificate request is treated as acceptance by the requesting
entity of the terms and conditions for use of that certificate as
described in the subscriber agreement.
13 The CA validates the identity of the RA authorized to issue
registration requests under a specific CP.
14 The CA requires that RAs submit the requesting entity's certificate
request data to the CA in a message (certificate request) signed by
the RA. The CA verifies the RA's signature on the certificate request.
15 The CA requires that the RA secure that part of the certificate
application process for which it (the RA) assumes responsibility in
accordance with the CA's certification practice statement (CPS).
16 The CA requires that RAs record their actions in an audit log.
17 The CA verifies the authenticity of the submission by the RA in
accordance with the CA's CPS.
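Controls 4, 6 and 11 above, as an added example in Go (not part of the Trust Services criteria or of any CA's software): the subscriber self-signs a PKCS#10 request, and the CA checks the proof of possession, the mandatory subject attributes and the uniqueness of the distinguished name before accepting it. The CP rules applied (CN and O mandatory, EC key of at least 256 bits), the in-memory DN registry and the subject names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// dnRegistry is a hypothetical in-memory stand-in for the CA's record of the
// distinguished names it has already certified (control 6).
type dnRegistry map[string]bool

// validateRegistrationRequest runs the CA-side checks on a PKCS#10 registration
// request: proof of possession of the private key (control 11), errors or
// omissions against the CP (control 4) and uniqueness of the subscriber
// distinguished name (control 6). The parsed request is returned only if all pass.
func validateRegistrationRequest(csrDER []byte, issued dnRegistry) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed certificate request: %w", err)
	}
	// Proof of possession: the request must verify under the public key it
	// carries, which only the holder of the matching private key can produce.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if err := checkForOmissions(csr); err != nil {
		return nil, err
	}
	dn := csr.Subject.String()
	if issued[dn] {
		return nil, fmt.Errorf("subscriber DN %q is already certified", dn)
	}
	return csr, nil
}

// checkForOmissions applies an assumed CP: common name and organization are
// mandatory, and the key must be an EC key of at least 256 bits.
func checkForOmissions(csr *x509.CertificateRequest) error {
	if csr.Subject.CommonName == "" {
		return errors.New("request omits the subscriber common name")
	}
	if len(csr.Subject.Organization) == 0 {
		return errors.New("request omits the organization attribute")
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve.Params().BitSize < 256 {
		return errors.New("public key does not meet the CP key requirements")
	}
	return nil
}

// newSubscriberRequest is the subscriber side of control 11: a constructed
// request for the given subject, self-signed with a freshly generated key.
// Passing no organization simulates an omission.
func newSubscriberRequest(cn string, orgs ...string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		panic(err)
	}
	return der
}

// breakProofOfPossession returns a copy of a request whose signature no longer
// verifies under the embedded public key, which is what the CA sees when the
// submitter did not hold the matching private key.
func breakProofOfPossession(csrDER []byte) []byte {
	bad := append([]byte(nil), csrDER...)
	bad[len(bad)-1] ^= 0xFF // the final byte lies inside the ECDSA signature value
	return bad
}

func main() {
	issued := dnRegistry{}
	der := newSubscriberRequest("alice.example.com", "Example Org")
	csr, err := validateRegistrationRequest(der, issued)
	fmt.Println("fresh request accepted:", err == nil)
	issued[csr.Subject.String()] = true
	_, err = validateRegistrationRequest(der, issued)
	fmt.Println("duplicate DN:", err)
	_, err = validateRegistrationRequest(breakProofOfPossession(der), dnRegistry{})
	fmt.Println("no proof of possession:", err)
}
```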

6.2 Certificate Renewal (if supported)

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificate renewal requests are accurate, authorized, and
complete.

Illustrative Controls:
Certificate Renewal Request
1 The certificate renewal request includes at least the subscriber's
distinguished name, the serial number of the certificate (or other
information that identifies the certificate), and the requested
validity period. (The CA will only renew certificates that were issued
by the CA itself.)
2 The CA requires that the requesting entity digitally sign the
certificate renewal request using the private key that relates to the
public key contained in the requesting entity's existing public key
certificate.
3 The CA issues a new certificate using the subscriber's previously
certified public key, only if its cryptographic security is still
sufficient for the new certificate's intended lifetime, and no
indications exist that the subscriber's private key has been
compromised.
4 For renewal of authenticated certificates, the CA or the registration
authority (RA) processes the certificate renewal data to verify the
identity of the requesting entity and to identify the certificate to be
renewed.
5 For domain-validated certificates, the CA or the RA processes the
certificate renewal data to revalidate the domain in accordance with
the requirements of the certificate policy (CP).
6 The CA or the RA validates the signature on the certificate renewal
request.
7 The CA verifies the existence and validity of the certificate to be
renewed. The CA does not renew certificates that have been
revoked, expired, or suspended.
8 The CA or the RA verifies that the request, including the extension
of the validity period, meets the requirements defined in the CP.
9 The CA requires that RAs submit the certificate renewal data to the
CA in a message (certificate renewal request) signed by the RA.
10 The CA requires that the RA secures that part of the certificate
renewal process for which it (the RA) assumes responsibility in
accordance with the CP.
11 The CA requires that RAs record their actions in an audit log.

12 The CA verifies the authenticity of the submission by the RA.
13 The CA verifies the RA's signature on the certificate renewal
request.
14 The CA checks the certificate renewal request for errors or
omissions. This function may be delegated explicitly to the RA.
15 The CA or RA notifies subscribers prior to the expiration of their
certificate of the need for renewal in accordance with the CP.
16 The CA issues a signed notification indicating that the certificate
renewal has been successful.
17 The CA makes the new certificate available to the end entity in
accordance with the CP.
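The renewal checks of controls 1 through 3 and 6 through 8 above, as an added Go example that is not part of the criteria or of any CA's software: the request is signed with the private key of the existing certificate, and the CA verifies it against its own record of that certificate, refuses revoked, suspended or expired certificates, and bounds the requested validity period by the CP. The record layout, the canonical request encoding, the serial numbers and the policy values (365-day maximum, 256-bit minimum key) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// certRecord is the CA's stored view of a certificate it issued (hypothetical row).
type certRecord struct {
	DN        string
	PublicKey *ecdsa.PublicKey
	NotAfter  time.Time
	Status    string // "valid", "revoked" or "suspended"
}

// renewalRequest carries the content required by control 1, signed per control 2.
type renewalRequest struct {
	DN                string
	Serial            uint64
	RequestedNotAfter time.Time
	Signature         []byte // ASN.1 ECDSA signature over tbs()
}

// tbs is the canonical to-be-signed encoding of the request fields (assumed format).
func (r renewalRequest) tbs() []byte {
	return []byte(fmt.Sprintf("renew|%s|%d|%d", r.DN, r.Serial, r.RequestedNotAfter.Unix()))
}

// signRenewal is the subscriber side: sign the request with the existing key.
func signRenewal(r renewalRequest, key *ecdsa.PrivateKey) renewalRequest {
	h := sha256.Sum256(r.tbs())
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	r.Signature = sig
	return r
}

// cpPolicy holds the certificate policy parameters the checks consult.
type cpPolicy struct {
	MaxValidity time.Duration // longest validity period a renewal may request
	MinKeyBits  int           // smallest key still adequate for the new lifetime
}

// processRenewal runs the CA-side checks of controls 1, 2, 3, 6, 7 and 8.
func processRenewal(req renewalRequest, db map[uint64]certRecord, cp cpPolicy, now time.Time) error {
	// Controls 1 and 7: the serial and DN must identify a certificate this CA issued.
	rec, ok := db[req.Serial]
	if !ok || rec.DN != req.DN {
		return errors.New("no certificate with this serial number and subscriber DN")
	}
	// Control 7: revoked, suspended or expired certificates are not renewed.
	if rec.Status != "valid" {
		return fmt.Errorf("certificate is %s and cannot be renewed", rec.Status)
	}
	if now.After(rec.NotAfter) {
		return errors.New("certificate has expired; the subscriber must re-register")
	}
	// Controls 2 and 6: the signature must verify under the already certified public key.
	h := sha256.Sum256(req.tbs())
	if !ecdsa.VerifyASN1(rec.PublicKey, h[:], req.Signature) {
		return errors.New("request was not signed with the existing certificate's private key")
	}
	// Control 8: the requested validity period must stay within the CP.
	if req.RequestedNotAfter.Sub(now) > cp.MaxValidity {
		return errors.New("requested validity period exceeds the CP maximum")
	}
	// Control 3: the previously certified key must still be strong enough for the new lifetime.
	if rec.PublicKey.Curve.Params().BitSize < cp.MinKeyBits {
		return errors.New("previously certified key is no longer strong enough")
	}
	return nil
}

// sampleDatabase builds a constructed CA database: one valid and one suspended
// certificate sharing a subscriber key, returned together with that key.
func sampleDatabase(now time.Time) (map[uint64]certRecord, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	expiry := now.Add(30 * 24 * time.Hour)
	return map[uint64]certRecord{
		4711: {DN: "CN=alice.example.com,O=Example Org", PublicKey: &key.PublicKey, NotAfter: expiry, Status: "valid"},
		4712: {DN: "CN=bob.example.com,O=Example Org", PublicKey: &key.PublicKey, NotAfter: expiry, Status: "suspended"},
	}, key
}

func main() {
	now := time.Now()
	db, key := sampleDatabase(now)
	cp := cpPolicy{MaxValidity: 365 * 24 * time.Hour, MinKeyBits: 256}
	req := renewalRequest{DN: "CN=alice.example.com,O=Example Org", Serial: 4711, RequestedNotAfter: now.Add(300 * 24 * time.Hour)}
	fmt.Println("renewal accepted:", processRenewal(signRenewal(req, key), db, cp, now) == nil)
}
```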

6.3 Certificate Rekey

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificate rekey requests, including requests following
certificate revocation or expiration, are accurate, authorized, and complete.

Illustrative Controls:
1 A certificate rekey request includes, at least, the subscriber's
distinguished name, the serial number of the certificate, and the
requested validity period to allow the CA or the registration
authority (RA) to identify the certificate to rekey.
2 The CA requires that the requesting entity digitally sign, using the
existing private key, the certificate rekey request containing the
new public key.
3 For authenticated certificates, the CA or the RA processes the
certificate rekey request to verify the identity of the requesting
entity and identify the certificate to be rekeyed.
4 For domain-validated certificates, the CA or the RA processes the
certificate rekey request to revalidate the domain in accordance
with the requirements of the CP.
5 The CA or the RA validates the signature on the certificate rekey
request.
6 The CA or the RA verifies the existence and validity of the
certificate to be rekeyed.
7 The CA or the RA verifies that the certificate rekey request meets
the requirements defined in the relevant CP.

8 If an external RA is used, the CA requires that RAs submit the
entity's certificate rekey request to the CA in a message signed by
the RA.
9 If an external RA is used, the CA requires that the RA secure that
part of the certificate rekey process for which it (the RA) assumes
responsibility.
10 If an external RA is used, the CA requires that external RAs record
their actions in an audit log.
11 If an external RA is used, the CA verifies the RA's signature on the
certificate rekey request.
12 The CA or the RA checks the certificate rekey request for errors or
omissions.
13 The CA or RA notifies subscribers prior to the expiration of their
certificate of the need for rekey.
14 Prior to the generation and issuance of rekeyed certificates, the CA
or RA verifies the following:
a. The signature on the certificate rekey data submission
b. The existence and validity of the certificate supporting the rekey request
c. That the request meets the requirements defined in the CP

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificate rekey requests following certificate revocation or
expiration are accurate, authorized, and complete.

Illustrative Controls:
1 Following the revocation or expiration of a subscriber's existing
certificate, the subscriber is required to follow the CA's subscriber
registration procedures to obtain a new certificate.

6.4 Certificate Issuance

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificates are generated and issued in accordance with the
CA's disclosed business practices.

Illustrative Controls:
1 The CA generates certificates using certificate request data and
manufactures the certificate as defined by the appropriate certificate
profile in accordance with ISO 9594/X.509 and ISO 15782-1
formatting rules as disclosed within the certificate policy (CP).
2 Validity periods are set in the CP and are formatted in accordance
with ISO 9594/X.509 and ISO 15782-1 as disclosed within the CP.
3 Extension fields are formatted in accordance with ISO 9594/X.509
and ISO 15782-1 as disclosed within the CP.
4 The CA signs the end entity's public key and other relevant
information with the CA's private signing key.
5 The CA publishes the certificate after the certificate has been
accepted by the requesting entity as disclosed in the CA's business
practices.
6 When a registration authority (RA) is used, the CA notifies the RA
when a certificate is issued to a subscriber for whom the RA
submitted a certificate request.
7 Certificates are issued based on approved subscriber registration,
certificate renewal, or certificate rekey requests in accordance with
the CP.
8 The CA issues a signed notification to the RA when a certificate is
issued to a subscriber for whom the RA submitted a certificate
request.
9 The CA issues an out-of-band notification to the subscriber when a
certificate is issued. When this notification includes initial activation
data, then control processes ensure safe delivery to the subscriber.
10 Whether certificates expire, are revoked, or are suspended, copies of
certificates are retained for the appropriate period of time specified
in the CP.

6.5 Certificate Distribution

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that upon issuance, complete and accurate certificates are
available to subscribers and relying parties in accordance with the CA's
disclosed business practices.

Illustrative Controls:
1 The CA makes the certificates issued by the CA available to relevant
parties using an established mechanism (for example, a repository,
such as a directory) in accordance with the certificate policy.
2 Only authorized CA personnel administer the CA's repository or
alternative distribution mechanism.
3 The performance of the CA's repository or alternative distribution
mechanism is monitored and managed.
4 The integrity of the repository or alternative distribution
mechanism is maintained and administered.
5 When required under privacy legislation, certificates are made
available for retrieval only in those cases for which the subscriber's
consent is obtained.

6.6 Certificate Revocation

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificates are revoked based on authorized and validated
certificate revocation requests within the time frame in accordance with the
CA's disclosed business practices.

Illustrative Controls:
1 The CA provides a means of rapid communication to facilitate the
secure and authenticated revocation of the following:
a. One or more certificates of one or more subscribers
b. The set of all certificates issued by a CA based on a single public
and private key pair used by a CA to generate certificates
c. All certificates issued by a CA, regardless of the public and
private key pair used
2 The CA verifies or requires that the registration authority (RA)
verify the identity and authority of the entity requesting revocation
of a certificate in accordance with the certificate policy (CP).
3 If an external RA accepts revocation requests, the CA requires that
the RA submit signed certificate revocation requests to the CA in an
authenticated manner in accordance with the CP.
4 If an external RA accepts and forwards revocation requests to the
CA, the CA provides a signed acknowledgement of the revocation
request and confirmation of actions to the requesting RA.
5 The CA updates the certificate revocation list and other certificate
status mechanisms in the time frames specified within the CP and
in accordance with the format defined in ISO 9594/X.509 and ISO
15782-1.

6 The CA records all certificate revocation requests and their outcome
in an audit log.
7 The CA or RA may provide an authenticated acknowledgement
(signature or similar) of the revocation to the entity that submitted
the revocation request.
8 When certificate renewal is supported and when a certificate is
revoked, all valid instances of the certificate are also revoked and
are not reinstated.
9 The subscriber of a revoked or suspended certificate is informed of
the change of status of its certificate.

6.7 Certificate Suspension (if supported)

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that certificates are suspended based on authorized and
validated certificate suspension requests within the time frame in
accordance with the CA's disclosed business practices.

Illustrative Controls:
1 The CA provides a means of rapid communication to facilitate the
secure and authenticated suspension of the following:
a. One or more certificates of one or more subscribers
b. The set of all certificates issued by a CA based on a single public
and private key pair used by a CA to generate certificates
c. All certificates issued by a CA, regardless of the public and
private key pair used
2 The CA verifies or requires that the external registration authority
(RA) verify the identity and authority of the entity requesting
suspension and reactivation of a certificate in accordance with the
certificate policy (CP).
3 If an external RA accepts suspension requests, the RA submits
signed certificate suspension requests to the CA in an authenticated
manner in accordance with the CP.
4 The CA or RA notifies the subscriber in the event of a certificate
suspension.
5 Certificate suspension requests are processed and validated in
accordance with the requirements of the CP.

6 The CA updates the certificate revocation list (CRL) and other
certificate status mechanisms upon certificate suspension. Changes
in certificate status are completed in a time frame determined by
the CP.
7 Certificates are suspended only for the allowable length of time in
accordance with the CP.
8 Once a certificate suspension (hold) has been issued, the suspension
is handled in one of the following three ways:
a. An entry for the suspended certificate remains on the CRL with
no further action.
b. The CRL entry for the suspended certificate is replaced by a
revocation entry for the same certificate.
c. The suspended certificate is explicitly released and the entry
removed from the CRL.
9 A certificate suspension (hold) entry remains on the CRL until the
expiration of the underlying certificate or the expiration of the
suspension, whichever is first.
10 The CA updates the CRL and other certificate status mechanisms
upon the lifting of a certificate suspension in accordance with the
CA's CP.
11 The CA verifies or requires that the external RA verify the identity
and authority of the entity requesting that the suspension of a
certificate be lifted.
12 Certificate suspensions, and the lifting of certificate suspensions,
are recorded in an audit log.

6.8 Certificate Validation

Criteria:
The certification authority (CA) maintains controls to provide reasonable
assurance that timely, complete, and accurate certificate status information
(including certificate revocation lists [CRL] and other certificate status
mechanisms) is made available to relevant entities (subscribers and relying
parties or their agents) in accordance with the CA's disclosed business
practices.

Illustrative Controls:
1 The CA makes certificate status information available to relevant
entities (relying parties or their agents) using an established
mechanism in accordance with the certificate policy (CP). This is
achieved using the following:
a. Request Response Method. A request signed by the relying party
to the certificate status provider's responder. In turn, the
certificate status provider's responder responds with the
certificate status duly signed. (Online certificate status protocol
[OCSP] is an example protocol using this method.)
b. Delivery Method. A CRL signed by the CA and published within
the policy's time frame.
The following control procedures are applicable when CRLs are
used:
2 The CA digitally signs each CRL that it issues so that entities can
validate the integrity of the CRL and the date and time of issuance.
3 The CA issues CRLs at regular intervals, as specified in the CP,
even if no changes have occurred since the last issuance.
4 At a minimum, a CRL entry identifying a revoked certificate
remains on the CRL until the end of the certificate's validity period.
5 If certificate suspension is supported, a certificate suspension (hold)
entry, with its original action date and expiration date, remains on
the CRL until the normal expiration of the certificate or until the
suspension is lifted.
6 CRLs are archived in accordance with the requirements of the CP,
including the method of retrieval.
7 CAs include a monotonically increasing sequence number for each
CRL issued by that CA.
8 The CRL contains entries for all revoked unexpired certificates
issued by the CA.
9 Old CRLs are retained for the appropriate period of time specified in
the CA's CP.
10 Whether certificates expire, are revoked, or are suspended, copies of
certificates are retained for the appropriate period of time as
disclosed in the CP.
The following control procedures are applicable when online
certificate status mechanisms (for example, OCSP) are used:
11 If an online certificate status collection method (for example, OCSP)
is used, the CA requires that certificate status inquiries (for
example, OCSP requests) contain all required data in accordance
with the CP.

12 Upon the receipt of a certificate status request (for example, an
OCSP request) from a relying party or its agent, the CA returns a
definitive response to the relying party or its agent if
a. the request message is well formed;
b. the certificate status provider responder is configured to provide
the requested service;
c. the request contains the information (that is, certificate identity,
for example, serial number, object identifier, and so forth) needed
by the certificate status provider responder in accordance with
the CP; and
d. the certificate status provider's responder is able to locate the
certificate and interpret its status.
When these conditions are met, the CA or certificate status provider
produces a signed response message indicating the certificate's
status in accordance with the CP. If any of the previous conditions
are not met, then a status of unknown may be returned.
13 All response messages are digitally signed and include all required
data in accordance with the CP.
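The CRL and status-response controls of sections 6.7 and 6.8, as an added example written for this page (Go standard library, Go 1.21 or later; it is not code from the AICPA/WebTrust text or from any CA product): the CA signs a CRL that carries a CRL number and a certificateHold entry, the relying party checks the CRL's signature, currency and monotonically increasing number before using it (controls 2, 3 and 7), and a responder answers a status inquiry definitively only for a certificate it can locate, returning "unknown" otherwise (control 12). The CA name, serial numbers, reason codes and validity times are constructed for the demonstration; the in-memory key stands in for the cryptographic module a production CA would use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// reasonCertificateHold is the RFC 5280 CRL entry reason code for a suspension.
const reasonCertificateHold = 6

// newCA makes a self-signed CA entitled to sign CRLs. It is a constructed
// fixture; a production CA key lives in a cryptographic module.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// entry builds one CRL entry; reason certificateHold marks a suspension
// rather than a permanent revocation (6.7 control 8).
func entry(serial int64, reason int) x509.RevocationListEntry {
	return x509.RevocationListEntry{SerialNumber: big.NewInt(serial),
		RevocationTime: time.Now().Add(-time.Minute), ReasonCode: reason}
}

// issueCRL signs a CRL with the given CRL number, which the CA must raise on
// every issuance (6.8 controls 2 and 7); the CRL is valid for one hour.
func issueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, number int64, entries []x509.RevocationListEntry) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:                    big.NewInt(number),
		ThisUpdate:                time.Now().Add(-time.Minute),
		NextUpdate:                time.Now().Add(time.Hour),
		RevokedCertificateEntries: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// checkCRL is the relying party's side: the CRL must be signed by the issuing
// CA, be current, and carry a CRL number above the last one accepted, which
// rejects replay of an older CRL that omits recent revocations.
func checkCRL(der []byte, issuer *x509.Certificate, lastNumber *big.Int, now time.Time) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return nil, fmt.Errorf("CRL not current (thisUpdate %v, nextUpdate %v)", crl.ThisUpdate, crl.NextUpdate)
	}
	if crl.Number == nil || crl.Number.Cmp(lastNumber) <= 0 {
		return nil, fmt.Errorf("CRL number %v did not increase past %v", crl.Number, lastNumber)
	}
	return crl, nil
}

// certStatus is the responder's answer to a status inquiry (6.8 control 12):
// definitive only for a serial it can locate in its issuance record (issued),
// "unknown" otherwise; a certificateHold entry is reported as a hold.
func certStatus(crl *x509.RevocationList, issued map[int64]bool, serial int64) string {
	if !issued[serial] {
		return "unknown"
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Int64() != serial {
			continue
		}
		if e.ReasonCode == reasonCertificateHold {
			return "revoked (certificateHold)"
		}
		return "revoked"
	}
	return "good"
}
```

In use, a relying party would persist the last accepted CRL number per issuer so that checkCRL's monotonicity test survives restarts, and a responder would populate issued from the CA's issuance database rather than from a map; the rest of the logic is unchanged.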

7. Subordinate CA Certificate Life Cycle Management Controls


.61 The certification authority (CA) maintains effective controls to provide
reasonable assurance that subordinate CA certificate requests are accurate,
authenticated, and approved.

7.1 Subordinate CA Certificate Life Cycle Management

Criteria:
The parent certification authority (CA) maintains controls to provide
reasonable assurance that
• subordinate CA certificate requests are accurate, authenticated, and
approved;
• subordinate CA certificate replacement (renewal and rekey) requests are
accurate, authorized, and complete;
• new, renewed, and rekeyed subordinate CA certificates are generated
and issued in accordance with the CA's disclosed business practices;
• upon issuance, complete and accurate subordinate CA certificates are
available to relevant entities (subscribers and relying parties) in
accordance with the CA's disclosed business practices;
• subordinate CA certificates are revoked based on authorized and
validated certificate revocation requests; and
• timely, complete, and accurate certificate status information (including
certificate revocation lists [CRLs] and other certificate status
mechanisms) is made available to any entity in accordance with the CA's
disclosed business practices.

Illustrative Controls:
Subordinate CA (sub-CA) Registration
1 The parent certificate policy (CP) specifies the requirements for
submission of sub-CA certification requests.
2 The parent CA authenticates the sub-CA certificate request in
accordance with the parent's CP.
3 The parent CA performs an assessment of the sub-CA certificate
applicant's compliance with the requirements of the parent CA's CP
before approving a sub-CA certificate request or, alternatively, the
sub-CA presents its certification practice statement for assessment.
Sub-CA Renewal
4 When sub-CA certificate renewal is permitted, the parent CA's CP
specifies the requirements for submission of sub-CA renewal
requests.
5 When sub-CA certificate renewal is permitted, the parent CA
authenticates the sub-CA certificate renewal request in accordance
with the CA's CP.
Sub-CA Rekey
6 The parent CA's CP specifies the requirements for submission of
sub-CA rekey requests.
7 The parent CA authenticates the sub-CA certificate rekey request in
accordance with the CP.
Sub-CA Certificate Issuance
8 The parent CA generates certificates
a. using the appropriate certificate profile in accordance with the
CP and ISO 9594/X.509 and ISO 15782-1 formatting rules;
b. with the validity periods formatted in accordance with ISO
9594/X.509, ISO 15782-1, and the CP; and
c. when extensions are used, with extension fields formatted in
accordance with ISO 9594/X.509, ISO 15782-1, and the CP.
9 The parent CA signs the sub-CA certificate with the parent CA's
private signing key.
Sub-CA Certificate Distribution
10 The parent CA makes sub-CA certificates available to relevant
entities (for example, relying parties) using an established
mechanism (for example, a repository, such as a directory) in
accordance with the parent CA's CP.
Sub-CA Certificate Revocation
11 The parent CA verifies the identity and authority of the entity
requesting revocation of a sub-CA certificate in accordance with the
parent CA's CP.

12 The parent CA updates the CRL and other sub-CA certificate status
mechanisms upon certificate revocation in accordance with the
parent CA's CP.
Sub-CA Certificate Status Information Processing
13 The parent CA makes sub-CA certificate status information
available to relying parties using an established mechanism (for
example, CRL, online certificate status protocol, and so forth) in
accordance with the parent CA's CP.

.62 Appendix A: RFC 3647, RFC 2527, and WebTrust Program for
Certification Authorities v1 Business Practices

A1. The certification authority maintains controls to provide reasonable
assurance that its certificate policy and certification practice statement address
the topics from RFC 3647, Internet X.509 Public Key Infrastructure Certificate
Policy and Certification Practices Framework; Request For Comments Draft
(RFC 2527); or WebTrust Program for Certification Authorities v1, listed as
follows.

Section 1: RFC 3647

Section No. RFC 3647 Section


1 Introduction
1.1 Overview
1.2 Document Name and Identification
1.3 PKI Participants
1.3.1 Certification Authorities
1.3.2 Registration Authorities
1.3.3 Subscribers
1.3.4 Relying Parties
1.3.5 Other Participants
1.4 Certificate Usage
1.4.1 Appropriate Certificate Uses
1.4.2 Prohibited Certificate Uses
1.5 Policy Administration
1.5.1 Organization Administering the Document
1.5.2 Contact Person
1.5.3 Person Determining CPS Suitability for the Policy
1.5.4 CPS Approval Procedures
1.6 Definitions and Acronyms
2 Publication and Repository Responsibilities
2.1 Repositories
2.2 Publication of Certification Information
2.3 Time or Frequency of Publication
2.4 Access Controls on Repositories

3 Identification and Authentication
3.1 Naming
3.1.1 Type of Names
3.1.2 Need for Names to be Meaningful
3.1.3 Anonymity or Pseudonymity of Subscribers
3.1.4 Rules for Interpreting Various Name Forms
3.1.5 Uniqueness of Names
3.1.6 Recognition, Authentication, and Role of Trademarks
3.2 Initial Identity Validation
3.2.1 Method to Prove Possession of Private Key
3.2.2 Authentication of Organization Identity
3.2.3 Authentication of Individual Identity
3.2.4 Non-Verified Subscriber Information
3.2.5 Validation of Authority
3.2.6 Criteria for Interoperation
3.3 Identification and Authentication for Rekey Requests
3.3.1 Identification and Authentication for Routine Rekey
3.3.2 Identification and Authentication for Rekey After Revocation
3.4 Identification and Authentication for Revocation Request
4 Certificate Life Cycle Operational Requirements
4.1 Certificate Application
4.1.1 Who Can Submit a Certificate Application
4.1.2 Enrollment Process and Responsibilities
4.2 Certificate Application Processing
4.2.1 Performing Identification and Authentication Functions
4.2.2 Approval or Rejection of Certificate Applications
4.2.3 Time to Process Certificate Applications
4.3 Certificate Issuance
4.3.1 CA Actions During Certificate Issuance
4.3.2 Notifications to Subscriber by the CA of Issuance of
Certificate
4.4 Certificate Acceptance
4.4.1 Conduct Constituting Certificate Acceptance

4.4.2 Publication of the Certificate by the CA
4.4.3 Notification of Certificate Issuance by the CA to Other
Entities
4.5 Key Pair and Certificate Usage
4.5.1 Subscriber Private Key and Certificate Usage
4.5.2 Relying Party Public Key and Certificate Usage
4.6 Certificate Renewal
4.6.1 Circumstances for Certificate Renewal
4.6.2 Who May Request Renewal
4.6.3 Processing Certificate Renewal Requests
4.6.4 Notification of New Certificate Issuance to Subscriber
4.6.5 Conduct Constituting Acceptance of a Renewal Certificate
4.6.6 Publication of the Renewal Certificate by the CA
4.6.7 Notification of Certificate Issuance by the CA to Other
Entities
4.7 Certificate Rekey
4.7.1 Circumstances for Certificate Rekey
4.7.2 Who May Request Certification of a New Public Key
4.7.3 Processing Certificate Rekeying Requests
4.7.4 Notification of New Certificate Issuance to Subscriber
4.7.5 Conduct Constituting Acceptance of a Rekeyed Certificate
4.7.6 Publication of the Rekeyed Certificate by the CA
4.7.7 Notification of Certificate Issuance by the CA to Other
Entities
4.8 Certificate Modification
4.8.1 Circumstances for Certificate Modification
4.8.2 Who May Request Certificate Modification
4.8.3 Processing Certificate Modification Requests
4.8.4 Notification of New Certificate Issuance to Subscriber
4.8.5 Conduct Constituting Acceptance of Modified Certificate
4.8.6 Publication of the Modified Certificate by the CA
4.8.7 Notification of Certificate Issuance by the CA to Other
Entities

4.9 Certificate Revocation and Suspension
4.9.1 Circumstances for Revocation
4.9.2 Who Can Request Revocation
4.9.3 Procedure for Revocation Request
4.9.4 Revocation Request Grace Period
4.9.5 Time Within Which CA Must Process the Revocation
Request
4.9.6 Revocation Checking Requirements for Relying Parties
4.9.7 CRL Issuance Frequency
4.9.8 Maximum Latency for CRLs
4.9.9 Online Revocation/Status Checking Availability
4.9.10 Online Revocation Checking Requirements
4.9.11 Other Forms of Revocation Advertisements Available
4.9.12 Special Requirements Related to Key Compromise
4.9.13 Circumstances for Suspension
4.9.14 Who Can Request Suspension
4.9.15 Procedure for Suspension Request
4.9.16 Limits on Suspension Period
4.10 Certificate Status Services
4.10.1 Operational Characteristics
4.10.2 Service Availability
4.10.3 Operational Features
4.11 End of Subscription
4.12 Key Escrow and Recovery
4.12.1 Key Escrow and Recovery Policy and Practices
4.12.2 Session Key Encapsulation and Recovery Policy and
Practices
5 Facility, Management, and Operational Controls
5.1 Physical Controls
5.1.1 Site Location and Construction
5.1.2 Physical Access
5.1.3 Power and Air Conditioning
5.1.4 Water Exposures
5.1.5 Fire Prevention and Protection

5.1.6 Media Storage
5.1.7 Waste Disposal
5.1.8 Off-Site Backup
5.2 Procedural Controls
5.2.1 Trusted Roles
5.2.2 Number of Persons Required per Task
5.2.3 Identification and Authentication for Each Role
5.2.4 Roles Requiring Separation of Duties
5.3 Personnel Controls
5.3.1 Qualifications, Experience, and Clearance Requirements
5.3.2 Background Check Procedures
5.3.3 Training Requirements
5.3.4 Retraining Frequency and Requirements
5.3.5 Job Rotation Frequency and Sequence
5.3.6 Sanctions for Unauthorized Actions
5.3.7 Independent Contractor Requirements
5.3.8 Documentation Supplied to Personnel
5.4 Audit Logging Procedures
5.4.1 Types of Events Recorded
5.4.2 Frequency of Processing Log
5.4.3 Retention Period for Audit Log
5.4.4 Protection of Audit Log
5.4.5 Audit Log Backup Procedures
5.4.6 Audit Collection System (Internal vs. External)
5.4.7 Notification to Event-Causing Subject
5.4.8 Vulnerability Assessments
5.5 Records Archival
5.5.1 Types of Records Archived
5.5.2 Retention Period for Archive
5.5.3 Protection of Archive
5.5.4 Archive Backup Procedures
5.5.5 Requirements for Time-Stamping of Records
5.5.6 Archive Collection System (Internal or External)

5.5.7 Procedures to Obtain and Verify Archive Information
5.6 Key Changeover
5.7 Compromise and Disaster Recovery
5.7.1 Incident and Compromise Handling Procedures
5.7.2 Computing Resources, Software, and/or Data Are Corrupted
5.7.3 Entity Private Key Compromise Procedures
5.7.4 Business Continuity Capabilities After a Disaster
5.8 CA or RA Termination
6 Technical Security Controls
6.1 Key Pair Generation and Installation
6.1.1 Key Pair Generation
6.1.2 Private Key Delivery to Subscriber
6.1.3 Public Key Delivery to Certificate Issuer
6.1.4 CA Public Key Delivery to Relying Parties
6.1.5 Key Sizes
6.1.6 Public Key Parameters Generation and Quality Checking
6.1.7 Key Usage Purposes (as per X.509 v3 Key Usage Field)
6.2 Private Key Protection and Cryptographic Module
Engineering Controls
6.2.1 Cryptographic Module Standards and Controls
6.2.2 Private Key (n out of m) Multi-Person Control
6.2.3 Private Key Escrow
6.2.4 Private Key Backup
6.2.5 Private Key Archival
6.2.6 Private Key Transfer Into or From a Cryptographic Module
6.2.7 Private Key Storage on Cryptographic Module
6.2.8 Method of Activating Private Key
6.2.9 Method of Deactivating Private Key
6.2.10 Method of Destroying Private Key
6.2.11 Cryptographic Module Rating
6.3 Other Aspects of Key Pair Management
6.3.1 Public Key Archival
6.3.2 Certificate Operational Periods and Key Pair Usage Periods
6.4 Activation Data

6.4.1 Activation Data Generation and Installation
6.4.2 Activation Data Protection
6.4.3 Other Aspects of Activation Data
6.5 Computer Security Controls
6.5.1 Specific Computer Security Technical Requirements
6.5.2 Computer Security Rating
6.6 Life Cycle Technical Controls
6.6.1 System Development Controls
6.6.2 Security Management Controls
6.6.3 Life Cycle Security Controls
6.7 Network Security Controls
6.8 Time-Stamping
7 Certificate, CRL, and OCSP Profiles
7.1 Certificate Profile
7.1.1 Version Number(s)
7.1.2 Certificate Extensions
7.1.3 Algorithm Object Identifiers
7.1.4 Name Forms
7.1.5 Name Constraints
7.1.6 Certificate Policy Object Identifier
7.1.7 Usage of Policy Constraints Extension
7.1.8 Policy Qualifiers Syntax and Semantics
7.1.9 Processing Semantics for the Critical Certificate Policies
Extension
7.2 CRL Profile
7.2.1 Version Number(s)
7.2.2 CRL and CRL Entry Extensions
7.3 OCSP Profile
7.3.1 Version Number(s)
7.3.2 OCSP Extensions
8 Compliance Audit and Other Assessments
8.1 Frequency and Circumstances of Assessment
8.2 Identity/Qualifications of Assessor

8.3 Assessor's Relationship to Assessed Entity
8.4 Topics Covered by Assessment
8.5 Actions Taken as a Result of Deficiency
8.6 Communications of Results
9 Other Business and Legal Matters
9.1 Fees
9.1.1 Certificate Issuance or Renewal Fees
9.1.2 Certificate Access Fees
9.1.3 Revocation or Status Information Access Fees
9.1.4 Fees for Other Services
9.1.5 Refund Policy
9.2 Financial Responsibility
9.2.1 Insurance Coverage
9.2.2 Other Assets
9.2.3 Insurance or Warranty Coverage for End-Entities
9.3 Confidentiality of Business Information
9.3.1 Scope of Confidential Information
9.3.2 Information Not Within the Scope of Confidential
Information
9.3.3 Responsibility to Protect Confidential Information
9.4 Privacy of Personal Information
9.4.1 Privacy Plan
9.4.2 Information Treated as Private
9.4.3 Information Not Deemed Private
9.4.4 Responsibility to Protect Private Information
9.4.5 Notice and Consent to Use Private Information
9.4.6 Disclosure Pursuant to Judicial or Administrative Process
9.4.7 Other Information Disclosure Circumstances
9.5 Intellectual Property Rights
9.6 Representations and Warranties
9.6.1 CA Representations and Warranties
9.6.2 RA Representations and Warranties
9.6.3 Subscriber Representations and Warranties
9.6.4 Relying Party Representations and Warranties

9.6.5 Representations and Warranties of Other Participants
9.7 Disclaimers of Warranties
9.8 Limitations of Liability
9.9 Indemnities
9.10 Term and Termination
9.10.1 Term
9.10.2 Termination
9.10.3 Effect of Termination and Survival
9.11 Individual Notices and Communications With Participants
9.12 Amendments
9.12.1 Procedure for Amendment
9.12.2 Notification Mechanism and Period
9.12.3 Circumstances Under Which OID Must be Changed
9.13 Dispute Resolution Provisions
9.14 Governing Law
9.15 Compliance With Applicable Law
9.16 Miscellaneous Provisions
9.16.1 Entire Agreement
9.16.2 Assignment
9.16.3 Severability
9.16.4 Enforcement (Attorney's Fees and Waiver of Rights)
9.17 Other Provisions

Section 2: RFC 2527

Section No. RFC 2527 Section


1 Introduction
1.1 Overview
1.2 Identification
1.3 Community and Applicability
1.3.1 Certification Authorities
1.3.2 Registration Authorities
1.3.3 End Entities

1.3.4 Applicability
1.4 Contact Details
1.4.1 Specification Administration Organization
1.4.2 Contact Person
1.4.3 Person Determining CPS Suitability for the Policy
2 General Provisions
2.1 Obligations
2.1.1 CA Obligations
2.1.2 RA Obligations
2.1.3 Subscriber Obligations
2.1.4 Relying Party Obligations
2.1.5 Repository Obligations
2.2 Liability
2.2.1 CA Liability
2.2.2 RA Liability
2.3 Financial Responsibility
2.3.1 Indemnification by Relying Parties
2.3.2 Fiduciary Relationships
2.4 Interpretation and Enforcement
2.4.1 Governing Law
2.4.2 Severability, Survival, Merger, Notice
2.4.3 Dispute Resolution Procedures
2.5 Fees
2.5.1 Certificate Issuance or Renewal Fees
2.5.2 Certificate Access Fees
2.5.3 Revocation or Status Information Access Fees
2.5.4 Fees for Other Services Such as Policy Information
2.5.5 Refund Policy
2.6 Publication and Repository
2.6.1 Publication of CA Information
2.6.2 Frequency of Publication
2.6.3 Access Controls
2.6.4 Repositories

2.7 Compliance Audit
2.7.1 Frequency of Entity Compliance Audit
2.7.2 Identity/Qualifications of Auditor
2.7.3 Auditor's Relationship to Audited Party
2.7.4 Topics Covered by Audit
2.7.5 Actions Taken as a Result of Deficiency
2.7.6 Communications of Results
2.8 Confidentiality
2.8.1 Types of Information to Be Kept Confidential
2.8.2 Types of Information Not Considered Confidential
2.8.3 Disclosure of Certificate Revocation/Suspension Information
2.8.4 Release to Law Enforcement Officials
2.8.5 Release as Part of Civil Discovery
2.8.6 Disclosure Upon Owner's Request
2.8.7 Other Information Release Circumstances
2.9 Intellectual Property Rights
3 Identification and Authentication
3.1 Initial Registration
3.1.1 Type of Names
3.1.2 Need for Names to be Meaningful
3.1.3 Rules for Interpreting Various Name Forms
3.1.4 Uniqueness of Names
3.1.5 Name Claim Dispute Resolution Procedure
3.1.6 Recognition, Authentication, and Role of Trademarks
3.1.7 Method to Prove Possession of Private Key
3.1.8 Authentication of Organization Identity
3.1.9 Authentication of Individual Identity
3.2 Routine Rekey
3.3 Rekey After Revocation
3.4 Revocation Request
4 Operational Requirements
4.1 Certificate Application
4.2 Certificate Issuance

4.3 Certificate Acceptance
4.4 Certificate Suspension and Revocation
4.4.1 Circumstances for Revocation
4.4.2 Who Can Request Revocation
4.4.3 Procedure for Revocation Request
4.4.4 Revocation Request Grace Period
4.4.5 Circumstances for Suspension
4.4.6 Who Can Request Suspension
4.4.7 Procedure for Suspension Request
4.4.8 Limits on Suspension Period
4.4.9 CRL Issuance Frequency (If Applicable)
4.4.10 CRL Checking Requirements
4.4.11 Online Revocation/Status Checking Availability
4.4.12 Online Revocation Checking Requirements
4.4.13 Other Forms of Revocation Advertisements
4.4.14 Checking Requirements for Other Forms of Revocation
Advertisements
4.4.15 Special Requirements Related to Key Compromise
4.5 Security Audit Procedures
4.5.1 Types of Events Recorded
4.5.2 Frequency of Processing Log
4.5.3 Retention Period for Audit Log
4.5.4 Protection of Audit Log
4.5.5 Audit Log Backup Procedures
4.5.6 Audit Collection System (Internal vs. External)
4.5.7 Notification to Event-Causing Subject
4.5.8 Vulnerability Assessments
4.6 Records Archival
4.6.1 Types of Records Archived
4.6.2 Retention Period for Archive
4.6.3 Protection of Archive
4.6.4 Archive Backup Procedures
4.6.5 Requirements for Time-Stamping of Records
4.6.6 Archive Collection System (Internal or External)

4.6.7 Procedures to Obtain and Verify Archive Information
4.7 Key Changeover
4.8 Compromise and Disaster Recovery
4.8.1 Computing Resources, Software, and/or Data Are Corrupted
4.8.2 Entity Public Key Is Revoked
4.8.3 Entity Key Is Compromised
4.8.4 Secure Facility After a Natural or Other Type of Disaster
4.9 CA Termination
5 Physical, Procedural, and Personnel Security Controls
5.1 Physical Controls
5.1.1 Site Location and Construction
5.1.2 Physical Access
5.1.3 Power and Air Conditioning
5.1.4 Water Exposures
5.1.5 Fire Prevention and Protection
5.1.6 Media Storage
5.1.7 Waste Disposal
5.1.8 Off-Site Backup
5.2 Procedural Controls
5.2.1 Trusted Roles
5.2.2 Number of Persons Required per Task
5.2.3 Identification and Authentication for Each Role
5.3 Personnel Controls
5.3.1 Background, Qualifications, Experience, and Clearance
Requirements
5.3.2 Background Check Procedures
5.3.3 Training Requirements
5.3.4 Retraining Frequency and Requirements
5.3.5 Job Rotation Frequency and Sequence
5.3.6 Sanctions for Unauthorized Actions
5.3.7 Contracting Personnel Requirements
5.3.8 Documentation Supplied to Personnel

6 Technical Security Controls
6.1 Key Pair Generation and Installation
6.1.1 Key Pair Generation
6.1.2 Private Key Delivery to Entity
6.1.3 Public Key Delivery to Certificate Issuer
6.1.4 CA Public Key Delivery to Users
6.1.5 Key Sizes
6.1.6 Public Key Parameters Generation
6.1.7 Parameter Quality Checking
6.1.8 Hardware/Software Key Generation
6.1.9 Key Usage Purposes (as per X.509 v3 Key Usage Field)
6.2 Private Key Protection
6.2.1 Standards for Cryptographic Module
6.2.2 Private Key (n out of m) Multi-Person Control
6.2.3 Private Key Escrow
6.2.4 Private Key Backup
6.2.5 Private Key Archival
6.2.6 Private Key Entry Into Cryptographic Module
6.2.7 Method of Activating Private Key
6.2.8 Method of Deactivating Private Key
6.2.9 Method of Destroying Private Key
6.3 Other Aspects of Key Pair Management
6.3.1 Public Key Archival
6.3.2 Usage Periods for the Public and Private Keys
6.4 Activation Data
6.4.1 Activation Data Generation and Installation
6.4.2 Activation Data Protection
6.4.3 Other Aspects of Activation Data
6.5 Computer Security Controls
6.5.1 Specific Computer Security Technical Requirements
6.5.2 Computer Security Rating
6.6 Life Cycle Technical Controls
6.6.1 System Development Controls

6.6.2 Security Management Controls
6.6.3 Life Cycle Security Controls
6.7 Network Security Controls
6.8 Cryptographic Module Engineering Controls
7 Certificate and CRL Profiles
7.1 Certificate Profile
7.1.1 Version Number(s)
7.1.2 Certificate Extensions
7.1.3 Algorithm Object Identifiers
7.1.4 Name Forms
7.1.5 Name Constraints
7.1.6 Certificate Policy Object Identifier
7.1.7 Usage of Policy Constraints Extension
7.1.9 Processing Semantics for the Critical Certificate Policies
Extension
7.2 CRL Profile
7.2.1 Version Number(s)
7.2.2 CRL and CRL Entry Extensions
8 Specification Administration
8.1 Specification Change Procedures
8.2 Publication and Notification Policies
8.3 CPS Approval Procedures

Section 3: WebTrust Program for Certification Authorities v1

No. WebTrust Program for Certification Authorities v1 Disclosures Criteria
General
1 Identification of each certificate policy (CP) and certification practice
statement (CPS) for which the certification authority (CA) issues
certificates
2 Community and applicability, including a description of the types of
entities within the public key infrastructure (PKI) and the
applicability of certificates issued by the CA

3 Contact details and administrative provisions, including the
following:
• Contact person
• Identification of the policy authority
• Street address
• Version and effective date(s) of each CP and CPS
4 Any applicable provisions regarding apportionment of liability
5 Financial responsibility, including the following:
• Indemnification by relying parties
• Fiduciary relationships
6 Interpretation and enforcement, including the following:
• Governing law
• Severability, survival, merger, and notice
• Dispute resolution procedures
7 Fees, including the following:
• Certificate issuance or renewal fees
• Certificate access fees
• Revocation or status information access fees
• Fees for other services, such as policy information
• Refund policy
8 Publication and repository requirements, including the following:
• Publication of CA information
• Frequency of publication
• Access controls
9 Compliance audit requirements, including the following:
• Frequency of entity compliance audit
• Auditor's relationship to the audited party
• Topics covered by the audit
• Actions taken as a result of deficiency
• Communication of results
10 Description of the conditions for applicability of certificates issued
by the CA that reference a specific CP, including the following:
• Specific permitted uses for the certificates if such use is limited to
specific applications
• Limitations on the use of certificates if there are specified
prohibited uses for such certificates

11 CA and/or registration authority (RA) obligations:
• Notification of issuance of a certificate to the subscriber, who is
the subject of the certificate being issued
• Notification of issuance of a certificate to others than the subject
of the certificate
• Notification of revocation or suspension of a certificate to the
subscriber whose certificate is being revoked or suspended
• Notification of revocation or suspension of a certificate to others
than the subject whose certificate is being revoked or suspended
12 RA obligations, including the following:
• Identification and authentication of subscribers
• Validation of revocation and suspension requests
• Verification of subscriber renewal or rekey requests
13 Repository obligations, including timely publication of certificates
and certificate revocation lists (CRLs)
14 Subscriber obligations, including the following:
• Accuracy of representations in certificate application
• Protection of the subscriber's private key
• Restrictions on private key and certificate use
• Notification upon private key compromise
15 Relying party obligations, including the following:
• Purposes for which certificate is used
• Digital signature verification responsibilities
• Revocation and suspension checking responsibilities
• Acknowledgment of applicable liability caps and warranties
16 Any applicable reliance or financial limits for certificate usage
Key Life Cycle Management
17 CA key pair generation, including the following:
• What key sizes are required
• What key generation algorithm is required
• Whether key generation is performed in hardware or software
• What standards are required for the module used to generate the
keys (for example, the required ISO 15782-1/FIPS 140-1/ANSI
X9.66 level of the module)
• For what purposes the key may be used
• For what purposes usage of the key is restricted
• The usage periods or active lifetimes for the CA public and
private key, respectively

18. CA private key protection, including the following:
    • What standards are required for the module used to store the CA private signature key (for example, the required ISO 15782-1/FIPS 140-1/ANSI X9.66 level of the module)
    • Whether the CA private key is maintained under m out of n multiperson control
    • Whether the CA private signature key is escrowed
    • Whether the CA private signing key is backed up
    • Whether the CA private and public signature keys are archived
19. Whether the CA provides subscriber key management services and a description of the services provided
20. CA public key distribution, including a description of how the CA's public key is provided securely to subscribers and relying parties
21. Key changeover, including a description of the procedures used to provide a new public key to a CA's users
22. Subscriber key pair generation (if the CA provides subscriber key pair generation services), including the following:
    • How the subscriber's private key is provided securely to the subscriber
    • What key sizes are required
    • What key generation algorithm is required
    • Whether key pair generation is performed in hardware or software
    • What standards are required for the module used to generate the keys (for example, the required ISO 15782-1/FIPS 140-1/ANSI X9.66 level of the module)
    • For what purposes the key may be used
    • For what purposes usage of the key is restricted
23. Subscriber private key protection (if the CA provides subscriber key management services), including the following:
    • Whether the subscriber's decryption private key is backed up
    • Whether the subscriber's decryption private key is archived
    • Under what conditions a subscriber's private key can be destroyed
    • Whether subscriber private decryption keys are escrowed by the CA

Certificate Life Cycle Management
24. Whether certificate suspension is supported
25. Initial registration, including a description of the CA's requirements for the identification and authentication of subscribers and validation of certificate requests during entity registration or certificate issuance:
    • Types of names assigned to the subject and rules for interpreting various name forms
    • Whether names have to be meaningful or not
    • Whether names have to be unique
    • How name claim disputes are resolved
    • Recognition, authentication, and role of trademarks
    • If and how the subject must prove possession of the companion private key for the public key being provided for a certificate
    • How the subscriber's public key is provided securely to the CA for issuance of a certificate
    • Authentication requirements for organizational identity of subject
    • Authentication of individual identity
    • Required certificate request data
    • How the CA verifies the authority of the subscriber to request a certificate
    • How the CA verifies the accuracy of the information included in the subscriber's certificate request
    • Whether the CA checks certificate requests for errors or omissions
26. Registration requirements when external registration authorities (RA) are used, including the CA's procedures for the following:
    • Validating the identity of external registration authorities
    • Authorizing external registration authorities
    • Requirements for the external registration authority to secure that part of the certificate application, certificate renewal, and certificate rekey processes for which the RA assumes responsibility
    • How the CA verifies the authenticity of certificate request submissions received from an external RA
27. Certificate renewal, including a description of the CA's procedures for the following:
    • Notifying subscribers of the need for renewal
    • Identification and authentication
    • Renewal request verification
28. Routine rekey, including a description of the identification and authentication and rekey request verification procedures
29. Rekey after revocation or expiration, including a description of the identification and authentication and rekey request verification procedures for rekey after the subject certificate has been revoked
30. Certificate issuance, including a description of the requirements regarding the following:
    • Issuance of a certificate
    • Notification to the applicant of such issuance
    • Certificate format requirements
    • Validity period requirements
    • Extension field requirements (that is, what extension fields are honored and how they are to be populated)
31. Certificate acceptance, including a description of the requirements regarding acceptance of an issued certificate and for consequent publication of certificates
32. Certificate distribution, including a description of the CA's established mechanism (for example, a repository such as a directory) for making available to relying parties the certificates and CRLs that it issues
33. Certificate revocation, including the following:
    • Circumstances under which a certificate may or must be revoked
    • Identification and authentication procedures required for revocation requests
    • Procedures used for initiation, authorization, and verification of certificate revocation requests
    • Revocation request grace period available to the subscriber
    • Any variations on the preceding stipulations in the event that the revocation is the result of private key compromise (as opposed to other reasons for revocation)
    • Procedures to provide a means of rapid communication to facilitate the secure and authenticated revocation of (1) one or more certificates of one or more entities; (2) the set of all certificates issued by a CA based on a single public and private key pair used by a CA to generate certificates; and (3) all certificates issued by a CA, regardless of the public and private key pair used
    • Procedures for notifying the subscriber upon revocation of the subscriber's certificate
    • Whether the external RA is notified upon the revocation of a subscriber's certificate for which the revocation request was processed by the external RA
    • How and when the subscriber's certificate status information is updated upon certificate revocation
34. Certificate suspension, including the following:
    • Circumstances under which a certificate may or must be suspended
    • Identification and authentication procedures required for revocation requests
    • Procedures used for initiation, authorization, and verification of certificate suspension requests
    • How long the suspension may last
    • Circumstances under which the suspension of a certificate may or must be lifted
    • Authorization criteria to request the lifting of a certificate suspension
    • Any variations on the preceding stipulations if the suspension is the result of private key compromise (as opposed to other reasons for suspension)
    • Procedures to provide a means of rapid communication to facilitate the secure and authenticated suspension of (1) one or more certificates of one or more entities; (2) the set of all certificates issued by a CA based on a single public and private key pair used by a CA to generate certificates; and (3) all certificates issued by a CA, regardless of the public and private key pair used
    • Procedures for notifying the subscriber upon suspension of the subscriber's certificate
    • Whether the external RA is notified upon the suspension of a subscriber's certificate for which the suspension request was processed or submitted by the external RA
    • How and when the subscriber's certificate status information is updated upon certificate suspension and the lifting of a certificate suspension
35. Provision of certificate status information, including the following:
    • What mechanism is used (CRLs, online certificate status protocol [OCSP], other)
    • If a CRL mechanism is used, the issuance frequency
    • Requirements on relying parties to check CRLs
    • Online revocation and status checking availability
    • Requirements on relying parties to perform online revocation and status checks
    • Other forms of revocation advertisements available
    • Requirements on relying parties to check other forms of revocation advertisements
    • Any variations on the previous stipulations when the suspension or revocation is the result of private key compromise (as opposed to other reasons for suspension or revocation)
    • The CA's requirements for archival and retention of CRLs or other certificate status information
    • Whether copies of all certificates issued (including all expired, revoked, or suspended certificates) are retained and disclosure of the retention period
    • If an online status mechanism is used (for example, OCSP), certificate status request content requirements
    • If an online status mechanism is used (for example, OCSP), definitive response message data content requirements
    • What key is used to digitally sign definitive response messages
    • Whether the CA signs error messages when returned in response to certificate status requests
36. Certificate profile, including the following:
    • Version number(s) supported
    • Certificate extensions populated and their criticality
    • Cryptographic algorithm object identifiers
    • Name forms (that is, naming hierarchy used to ensure that the certificate subject can be uniquely identified, if required) used for the CA, RA, and subscribers' names
    • Name constraints used and the name forms used in the name constraints
    • Applicable Certificate Policy Object Identifier(s)
    • Usage of the policy constraints extension
    • Policy qualifiers syntax and semantics
    • Processing semantics for the critical CP extension
37. CRL profile, including the following:
    • Version numbers supported for CRLs
    • CRL and CRL entry extensions populated and their criticality
38. Integrated circuit card (ICC) life cycle management, including the following:
    • Whether ICCs are issued by the CA (or RA)
    • If supported, a description of the CA's ICC life cycle management processes, including a description of the ICC distribution process
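Criterion 36 lists what a CA must disclose about its certificate profile; a practitioner testing that the certificates actually issued match that disclosure (extensions populated and their criticality, signature algorithm, policy OID) can automate the comparison. The Go program below is an added example, not part of the Trust Services Criteria or of any CA's tooling: it uses a constructed self-signed certificate in place of a sampled issued one, and a hypothetical policy OID and profile in place of a real CPS's values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Profile holds the criterion 36 disclosures checked here: extensions populated
// (dotted OID -> disclosed as critical?), signature algorithm, and policy OID.
type Profile struct {
	Extensions map[string]bool
	SigAlg     x509.SignatureAlgorithm
	PolicyOID  asn1.ObjectIdentifier
}

// DisclosedProfile is a constructed stand-in for a CA's published profile; the policy OID is hypothetical.
var DisclosedProfile = Profile{
	Extensions: map[string]bool{
		"2.5.29.15": true,  // keyUsage, disclosed as critical
		"2.5.29.19": true,  // basicConstraints, disclosed as critical
		"2.5.29.32": false, // certificatePolicies, disclosed as non-critical
	},
	SigAlg:    x509.PureEd25519,
	PolicyOID: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1},
}

// CheckProfile returns one finding per deviation from the disclosed profile; an empty result means conformance.
func CheckProfile(c *x509.Certificate, p Profile) []string {
	var findings []string
	if c.SignatureAlgorithm != p.SigAlg {
		findings = append(findings, fmt.Sprintf("signed with %v, profile discloses %v", c.SignatureAlgorithm, p.SigAlg))
	}
	seen := map[string]bool{}
	for _, e := range c.Extensions {
		id := e.Id.String()
		seen[id] = true
		wantCritical, disclosed := p.Extensions[id]
		if !disclosed {
			findings = append(findings, "extension "+id+" populated but not disclosed")
		} else if e.Critical != wantCritical {
			findings = append(findings, fmt.Sprintf("extension %s critical=%v, disclosed critical=%v", id, e.Critical, wantCritical))
		}
	}
	for id := range p.Extensions { // disclosed but absent is a deviation too
		if !seen[id] {
			findings = append(findings, "disclosed extension "+id+" not populated")
		}
	}
	if len(c.PolicyIdentifiers) != 1 || !c.PolicyIdentifiers[0].Equal(p.PolicyOID) {
		findings = append(findings, fmt.Sprintf("policies %v asserted, profile discloses %v", c.PolicyIdentifiers, p.PolicyOID))
	}
	return findings
}

// IssueSample builds a constructed self-signed certificate standing in for a sampled issued one;
// conforming=false omits certificatePolicies and adds an undisclosed subjectAltName instead.
func IssueSample(conforming bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1001),
		Subject:               pkix.Name{CommonName: "subscriber.example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, // cA=FALSE, which Go marks critical
	}
	if conforming { // certificatePolicies { PolicyInformation { policyIdentifier } }, DER-encoded by hand
		pol, err := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{DisclosedProfile.PolicyOID}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}}
	} else {
		tmpl.DNSNames = []string{"subscriber.example.invalid"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := IssueSample(false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("findings: %q\n", CheckProfile(c, DisclosedProfile))
}
```

In an engagement the profile would be loaded from the CA's CPS and the certificates drawn from the issued population; each non-empty result is an exception to document against criterion 36.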

CA Environmental Controls
39. CPS and CP administration:
    • CPS and CP change control procedures
    • Publication and notification policies
    • CPS and CP approval procedures
40. CA termination, including a description of the CA's procedures for termination and for termination notification of a CA or RA, including the identity of the custodian of CA and RA archival records
41. Confidentiality, including the following:
    • Applicable statutory or regulatory requirements to keep information confidential
    • Kinds of information to be kept confidential
    • Kinds of information not considered confidential
    • Disclosure of information concerning certificate revocation and suspension
    • Release to law enforcement officials
    • Release as part of civil discovery
    • Disclosure upon owner's request
    • Other information release circumstances
42. Intellectual property rights
43. Physical security controls, including the following:
    • Site location and construction
    • Physical access controls, including authentication controls to control and restrict access to CA facilities
    • Power and air conditioning
    • Water exposures
    • Fire prevention and protection
    • Media storage
    • Waste disposal
    • Off-site backup
44. Business continuity management controls, including the following:
    • Whether the CA has business continuity plans to maintain or restore the CA's business operations in a reasonably timely manner following interruption to, or failure of, critical business processes
    • Whether the CA's business continuity plans define an acceptable system outage and recovery time and disclosure of the defined time period(s)
    • How frequently backup copies of essential business information and software are taken
    • Proximity of recovery facilities to the CA's main site
45. Event logging, including the following:
    • How frequently the CA archives event journal data
    • How frequently event journals are reviewed

.63

Appendix B: Illustrative Examples of Practitioner Reports


B1. This appendix presents four illustrative reports for WebTrust for Certification Authorities engagements, which are performed under AT section 101, Attest Engagements (AICPA, Professional Standards), using the Trust Services Criteria for Certification Authorities.

B2. Paragraph .09 of AT section 101 states that a practitioner may report on a written assertion or directly on the subject matter. Examples of both kinds of reports are included in this appendix.

Example 1: Reporting on Management's Assertion, Unqualified Opinion, All of the Trust Services Criteria for Certification Authorities Are Applicable

Report of Independent Accountant

To the Management of
ABC Certification Authority, Inc.:

We have examined the assertion by the management of ABC Certification Authority, Inc. (ABC-CA) [link to management's assertion] that in providing its Certification Authority (CA) services at [location], ABC-CA, during the period [date] through [date], it
• disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Control practices in its
    - Certification Practice Statement, and
    - Certificate Policy (if applicable)
• maintained effective controls to provide reasonable assurance that
    - ABC-CA's Certification Practice Statement is consistent with its Certificate Policy (if applicable)
    - ABC-CA provides its services in accordance with its Certificate Policy (if applicable) and Certification Practice Statement
• maintained effective controls to provide reasonable assurance that
    - the integrity of keys and certificates it manages is established and protected throughout their life cycles;
    - the integrity of subscriber keys and certificates it manages is established and protected throughout their life cycles;
    - the Subscriber information is properly authenticated (for the registration activities performed by ABC-CA); and
    - subordinate CA certificate requests are accurate, authenticated, and approved
• maintained effective controls to provide reasonable assurance that
    - logical and physical access to CA systems and data is restricted to authorized individuals;
    - the continuity of key and certificate management operations is maintained; and
    - CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity
for the [list CAs and roots that are subject to examination], based on the AICPA/CICA Trust Services Criteria for Certification Authorities [link to Trust Services Criteria for Certification Authorities].

ABC-CA's management is responsible for its assertion. Our responsibility is to express an opinion on management's assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants, and accordingly, included (1) obtaining an understanding of ABC-CA's key and certificate life cycle management business practices and its controls over key and certificate integrity, over the authenticity and privacy of subscriber and relying party information, over the continuity of key and certificate life cycle management operations, and over the development, maintenance, and operation of systems integrity; (2) selectively testing transactions executed in accordance with disclosed key and certificate life cycle management business practices; (3) testing and evaluating the operating effectiveness of the controls; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at ABC-CA and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.

Because of the nature and inherent limitations of controls, ABC-CA's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, for the period [date] through [date], ABC-CA management's assertion, as set forth in the first paragraph, is fairly stated, in all material respects, based on the AICPA/CICA Trust Services Criteria for Certification Authorities.

This report does not include any representation as to the quality of ABC-CA's services beyond those covered by the Trust Services Criteria for Certification Authorities, nor the suitability of any of ABC-CA's services for any customer's intended purpose.

[Name of CPA firm]

Certified Public Accountants

[City, State]

[Date]

Example 2: Reporting on Management's Assertion, Unqualified Opinion, Certification Authority Uses External Registration Authorities for Specific Subscriber Registration Activities as Disclosed in ABC-CA's Business Practice Disclosures. Report Does Not Extend to the Controls Exercised by the External Registration Authorities

Report of Independent Accountant

To the Management of
ABC Certification Authority, Inc.:

We have examined the assertion by the management of ABC Certification Authority, Inc. (ABC-CA) [link to management's assertion] that in providing its Certification Authority (CA) services at [location], ABC-CA, during the period [date] through [date], management of ABC-CA
• disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Control practices in its
    - Certification Practice Statement and
    - Certificate Policy (if applicable)
• maintained effective controls to provide reasonable assurance that
    - ABC-CA's Certification Practice Statement is consistent with its Certificate Policy (if applicable)
    - ABC-CA provides its services in accordance with its Certificate Policy (if applicable) and Certification Practice Statement
• maintained effective controls to provide reasonable assurance that
    - the integrity of keys and certificates it manages is established and protected throughout their life cycles;
    - the integrity of subscriber keys and certificates it manages is established and protected throughout their life cycles;
    - the Subscriber information is properly authenticated (for the registration activities performed by ABC-CA); and
    - subordinate CA certificate requests are accurate, authenticated, and approved
• maintained effective controls to provide reasonable assurance that
    - logical and physical access to CA systems and data is restricted to authorized individuals;
    - the continuity of key and certificate management operations is maintained; and
    - CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity
for the [list CAs and roots that are subject to examination], based on the AICPA/CICA Trust Services Criteria for Certification Authorities [link to Trust Services Criteria for Certification Authorities].

ABC-CA's management is responsible for its assertion. Our responsibility is to express an opinion on management's assertion based on our examination.

ABC-CA makes use of external registration authorities for specific subscriber registration activities as disclosed in ABC-CA's business practice disclosures. Our examination did not extend to the controls exercised by the external registration authorities.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants, and accordingly, included (1) obtaining an understanding of ABC-CA's key and certificate life cycle management business practices and its controls over key and certificate integrity, over the authenticity and privacy of subscriber and relying party information, over the continuity of key and certificate life cycle management operations, and over the development, maintenance, and operation of systems integrity; (2) selectively testing transactions executed in accordance with disclosed key and certificate life cycle management business practices; (3) testing and evaluating the operating effectiveness of the controls; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at ABC-CA and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.

Because of the nature and inherent limitations of controls, ABC-CA's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, for the period [date] through [date], ABC-CA management's assertion, as set forth in the first paragraph, is fairly stated, in all material respects, based on the AICPA/CICA Trust Services Criteria for Certification Authorities.

This report does not include any representation as to the quality of ABC-CA's services beyond those covered by the Trust Services Criteria for Certification Authorities, nor the suitability of any of ABC-CA's services for any customer's intended purpose.

[Name of CPA firm]

Certified Public Accountants

[City, State]

[Date]

Example 3: Reporting on the Subject Matter, Unqualified Opinion, All of the Trust Services Criteria for Certification Authorities Are Applicable

Report of Independent Accountant

To the Management of
ABC Certification Authority, Inc.:

We have examined, for its [location], ABC Certification Authority, Ltd.'s (ABC-CA) disclosure of its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Controls on its website, the consistency of its Certification Practice Statement with its Certificate Policy (if applicable) and the provision of services in accordance with its Certificate Policy (if applicable) and Certification Practice Statement and the effectiveness of its controls over key and certificate integrity, over the authenticity and privacy of subscriber and relying party information, over the continuity of key and certificate life cycle management operations, and over the development, maintenance, and operation of systems integrity for the [list CAs and roots that are subject to examination], during the period [date] through [date]. These disclosures and controls are the responsibility of the ABC-CA's management. Our responsibility is to express an opinion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants, and accordingly, included (1) obtaining an understanding of ABC-CA's key and certificate life cycle management business practices and its controls over key and certificate integrity, over the authenticity and privacy of subscriber and relying party information, over the continuity of key and certificate life cycle management operations, and over the development, maintenance, and operation of systems integrity; (2) selectively testing transactions executed in accordance with disclosed key and certificate life cycle management business practices; (3) testing and evaluating the operating effectiveness of the controls; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at ABC-CA and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.
Because of the nature and inherent limitations of controls, ABC-CA's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, during the period [date] through [date], ABC-CA, in all material respects
• disclosed its Key and Certificate Life Cycle Management business practices and provided such services in accordance with its disclosed practices;
• maintained effective controls to provide reasonable assurance that ABC-CA's Certification Practice Statement is consistent with its Certificate Policy (if applicable) and that ABC-CA provides its services in accordance with its Certificate Policy (if applicable) and Certification Practice Statement;
• maintained effective controls to provide reasonable assurance that subscriber information was properly authenticated (for the registration activities performed by ABC-CA) and the integrity of keys and certificates it managed was established and protected throughout their life cycles; and
• maintained effective controls to provide reasonable assurance that subscriber and relying party information was restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure; the continuity of key and certificate life cycle management operations was maintained; and CA systems development, maintenance, and operations were properly authorized and performed to maintain CA systems integrity
based on the AICPA/CICA Trust Services Criteria for Certification Authorities [link to Trust Services Criteria for Certification Authorities].

This report does not include any representation as to the quality of ABC-CA's services beyond those covered by the Trust Services Criteria for Certification Authorities, nor the suitability of any of ABC-CA's services for any customer's intended purpose.

[Name of CPA firm]

Certified Public Accountants

[City, State]

[Date]

Example 4: Reporting on Management's Assertion With Respect to Reporting to Federal Authorities (U.S. Federal Public Key Infrastructure Requirements and Bridge Certification A Scenarios), Unqualified Opinion, All of the Trust Services Criteria for Certification Authorities Are Applicable

Report of Independent Accountant

To the Management of
ABC Certification Authority, Inc.:

We have examined the assertion by the management of ABC Certification Authority, Inc. (ABC-CA) [link to management's assertion] that in providing its Certification Authority (CA) services at [location], ABC-CA, during the period [date] through [date], management of ABC-CA
• disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Control practices in its
    - ABC-CA Certificate Policy Version #.# dated [date] [link] ("ABC-CA CP") (including sections 1, 2, 3, 4, 5, 6, 7, 8, and 9)
    - ABC-CA Certification Practices Statement Version #.# dated [date] [link]¹ ("ABC-CA CPS") that is consistent with the ABC-CA CP (including sections 1, 2, 3, 4, 5, 6, 7, 8 and 9)
    - (if applicable) Memorandum of Agreement dated [date] between the Federal PKI Policy Authority and ABC-CA ("ABC-MOA") (including all [or specified] sections except ###)
• provided its CA services in accordance with its disclosed practices including
    - ABC-CA CP (including sections 1, 2, 3, 4, 5, 6, 7, 8, and 9)
    - ABC-CA CPS that is consistent with the ABC-CP (including sections 1, 2, 3, 4, 5, 6, 7, 8, and 9)
    - (if applicable) ABC-MOA (including all [or specified] sections)
• maintained effective controls to provide reasonable assurance that
    - the integrity of keys and certificates it manages is established and protected throughout their life cycles;
    - the integrity of subscriber keys and certificates it manages is established and protected throughout their life cycles;
    - the Subscriber information is properly authenticated (for the registration activities performed by ABC-CA); and
    - subordinate CA certificate requests are accurate, authenticated, and approved;
• maintained effective controls to provide reasonable assurance that
    - logical and physical access to CA systems and data is restricted to authorized individuals;
    - the continuity of key and certificate management operations is maintained; and
    - CA systems development, maintenance and operations are properly authorized and performed to maintain CA systems integrity
for the [list CAs and roots that are subject to examination], based on the AICPA/CICA Trust Services Criteria for Certification Authorities [link to Trust Services Principle for Certification Authorities Criteria].

¹ Include the text "(restricted to ABC-CA Participants)" or similar language if the certification practice statement is not publicly disclosed.

ABC-CA's management is responsible for its assertion. Our responsibility is to express an opinion on management's assertion based on our examination.

Our examination, which commenced on [date] and ended on [date field work ended], was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants, and accordingly, included (1) obtaining an understanding of ABC-CA's key and certificate life cycle management business practices and its controls over key and certificate integrity, over the authenticity and privacy of subscriber and relying party information, over the continuity of key and certificate life cycle management operations, and over the development, maintenance, and operation of systems integrity; (2) selectively testing transactions executed in accordance with disclosed key and certificate life cycle management business practices; (3) testing and evaluating the operating effectiveness of the controls; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at ABC-CA and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.

Because of the nature and inherent limitations of controls, ABC-CA's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, for the period [date] through [date], ABC-CA management's assertion, as set forth in the first paragraph, is fairly stated, in all material respects, based on the AICPA/CICA Trust Services Criteria for Certification Authorities.

This report does not include any representation as to the quality of ABC-CA's
services beyond those covered by the Trust Services Criteria for Certification
Authorities, nor the suitability of any of ABC-CA's services for any customer's
intended purpose.
This report is intended solely for the information and use of ABC-CA and the
Federal PKI Policy Authority and is not intended to be, and should not be, used
by anyone other than ABC-CA and the Federal PKI Policy Authority.

[Name of CPA firm]

Certified Public Accountants

[City, State]

[Date]


.64

Appendix C: Illustrative Examples of Management's Assertion

Example 1: Assertion by Management of a Certification Authority, All of the Trust Services Criteria for Certification Authorities Are Applicable
Assertion by Management of ABC Certification Authority, Inc. Regarding Its Disclosure of Its Business Practices and Its Controls Over Its Certification Authority Operations During the Period [Date] Through [Date]

[Date]
ABC Certification Authority, Inc. operates as a Certification Authority (CA) known as ABC-CA. ABC-CA, as a Root CA [or as a subordinate CA of DEF Certification Authority, Inc.], provides the following certification authority services:
• Subscriber key management services
• Subscriber registration
• Certificate renewal
• Certificate rekey
• Certificate issuance
• Certificate distribution (using an online repository)
• Certificate revocation
• Certificate suspension
• Certificate status information processing (using an online repository)
• Integrated circuit card life cycle management
Management of ABC-CA is responsible for establishing and maintaining effective controls over its CA operations, including CA business practices disclosure [link to CA Business Practices Disclosure], service integrity (including key and certificate life cycle management controls), and CA environmental controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.
Controls have inherent limitations, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to ABC-CA's Certification Authority operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.
Management has assessed the controls over its CA operations. Based on that assessment, in ABC Certification Authority, Inc. (ABC-CA) Management's opinion, in providing its Certification Authority (CA) services at [location], ABC-CA, during the period [date] through [date]
• disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Control practices in its

    - Certification Practice Statement and
    - Certificate Policy (if applicable)
• maintained effective controls to provide reasonable assurance that
    - ABC-CA's Certification Practice Statement is consistent with its Certificate Policy (if applicable)
    - ABC-CA provides its services in accordance with its Certificate Policy (if applicable) and Certification Practice Statement
• maintained effective controls to provide reasonable assurance that
    - the integrity of keys and certificates it manages is established and protected throughout their life cycles;
    - the integrity of subscriber keys and certificates it manages is established and protected throughout their life cycles;
    - the Subscriber information is properly authenticated (for the registration activities performed by ABC-CA); and
    - subordinate CA certificate requests are accurate, authenticated, and approved
• maintained effective controls to provide reasonable assurance that
    - logical and physical access to CA systems and data is restricted to authorized individuals;
    - the continuity of key and certificate management operations is maintained; and
    - CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity
for the [list CAs and roots that are subject to examination], in accordance with the AICPA/CICA Trust Services Criteria for Certification Authorities [link to Trust Services Criteria for Certification Authorities] including the following:
CA Business Practices Disclosure
CA Business Practices Management
    Certification Practice Statement Management
    Certificate Policy Management
Service Integrity
    CA Key Life Cycle Management Controls
        CA Key Generation
        CA Key Storage, Backup, and Recovery
        CA Public Key Distribution
        CA Key Usage
        CA Key Archival and Destruction
        CA Key Compromise

        CA Cryptographic Hardware Life Cycle Management
        CA-Key Escrow (if applicable)
    Subscriber Key Life Cycle Management Controls
        CA-Provided Subscriber Key Generation Services (if supported)
        CA-Provided Subscriber Key Storage and Recovery Services (if supported)
        Integrated Circuit Card Life Cycle Management (if supported)
    Certificate Life Cycle Management Controls
        Subscriber Registration
        Certificate Renewal (if supported)
        Certificate Rekey
        Certificate Issuance
        Certificate Distribution
        Certificate Revocation
        Certificate Suspension (if supported)
        Certificate Validation
CA Environmental Controls
    Security Management
    Asset Classification and Management
    Personnel Security
    Physical and Environmental Security
    Operations Management
    System Access Management
    Systems Development and Maintenance
    Business Continuity Management
    Monitoring and Compliance
    Audit Logging
[Name]
[Title]

Example 2: Assertion by Management of a Certification Authority, All of the Trust Services Criteria for Certification Authorities Are Applicable, Certification Authority Uses External Registration Authorities and Does Not Support Key Escrow, Certificate Renewal, Certificate Suspension, the Use of Integrated Circuit Cards, or the Provision of Subscriber Key Management Services

Assertion by Management of ABC Certification Authority, Inc. Regarding Its Disclosure of Its Business Practices and Its Controls Over Its Certification Authority Operations During the Period [Date] through [Date]

[Date]
ABC Certification Authority, Inc. operates as a Certification Authority (CA) known as ABC-CA. ABC-CA, as a Root CA [or as a subordinate CA of DEF Certification Authority, Inc.], provides the following certification authority services:

• Certificate rekey
• Certificate issuance
• Certificate distribution (using an online repository)
• Certificate revocation
• Certificate status information processing (using an online repository)
ABC-CA makes use of external registration authorities for specific subscriber
registration activities as disclosed in ABC-CA's business practice disclosures.
Management of ABC-CA is responsible for establishing and maintaining effective controls over its Certification Authority operations, including CA business practices disclosure [link to CA Business Practices Disclosure], service integrity (including key and certificate life cycle management controls), and CA environmental controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.
Controls have inherent limitations, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective internal control can provide only reasonable assurance with respect to ABC-CA's Certification Authority operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.
Management has assessed the controls over its CA operations. Based on that assessment, to the best of our knowledge and belief, we confirm that in providing its Certification Authority (CA) services at [location], ABC-CA, during the period [date] through [date], ABC-CA
• disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management, and CA Environmental Control practices in its
    - Certification Practice Statement and
    - Certificate Policy (if applicable)
• maintained effective controls to provide reasonable assurance that
    - ABC-CA's Certification Practice Statement is consistent with its Certificate Policy (if applicable)
    - ABC-CA provides its services in accordance with its Certificate Policy (if applicable) and Certification Practice Statement
• maintained effective controls to provide reasonable assurance that
    - the integrity of keys and certificates it manages is established and protected throughout their life cycles;
    - the integrity of subscriber keys and certificates it manages is established and protected throughout their life cycles;
    - the Subscriber information is properly authenticated (for the registration activities performed by ABC-CA); and

    - subordinate CA certificate requests are accurate, authenticated, and approved
• maintained effective controls to provide reasonable assurance that
    - logical and physical access to CA systems and data is restricted to authorized individuals;
    - the continuity of key and certificate management operations is maintained; and
    - CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity
for the [list CAs and roots that are subject to examination], in accordance with the AICPA/CICA Trust Services Criteria for Certification Authorities [link to Trust Services Criteria for Certification Authorities] including the following:
CA Business Practices Disclosure
CA Business Practices Management
    Certification Practice Statement Management
    Certificate Policy Management
Service Integrity
    CA Key Life Cycle Management Controls
        CA Key Generation
        CA Key Storage, Backup, and Recovery
        CA Public Key Distribution
        CA Key Usage
        CA Key Archival and Destruction
        CA Key Compromise
        CA Cryptographic Hardware Life Cycle Management
        CA-Key Escrow (if applicable)
    Subscriber Key Life Cycle Management Controls
        CA-Provided Subscriber Key Generation Services (if supported)
        CA-Provided Subscriber Key Storage and Recovery Services (if supported)
        Integrated Circuit Card Life Cycle Management (if supported)
    Certificate Life Cycle Management Controls
        Subscriber Registration
        Certificate Renewal (if supported)
        Certificate Rekey
        Certificate Issuance
        Certificate Distribution
        Certificate Revocation
        Certificate Suspension (if supported)
        Certificate Validation
CA Environmental Controls
    Security Management
    Asset Classification and Management
    Personnel Security

    Physical and Environmental Security
    Operations Management
    System Access Management
    Systems Development and Maintenance
    Business Continuity Management
    Monitoring and Compliance
    Audit Logging
[Name]
[Title]

.65

Appendix D: Illustrative Example of Management's Representation

Example 1: Management Representation Letter for a Certification Authority, All of the Trust Services Criteria for Certification Authorities Are Applicable
[Date]
[Name of CPA or Chartered Accountant firm] [Address]
Dear Members of the Firm:
Management confirms its understanding that your examination of our assertion related to ABC Certification Authority, Inc.'s (ABC-CA) business practices disclosure and controls over its Certification Authority operations during the period [date] through [date], was made for the purpose of expressing an opinion on whether our assertion is fairly presented, in all material respects, and that your opinion is based on criteria for effective controls as stated in our assertion document. We are responsible for our assertion. In connection with your examination, management of ABC-CA
a. acknowledges its responsibility for establishing and maintaining effective controls over its Certification Authority (CA) operations at [location], including CA business practices disclosure, service integrity (including key and certificate life cycle management controls), and CA environmental controls.
b. has performed an assessment and believes that ABC-CA's CA business practices disclosure, service integrity (including key and certificate life cycle management controls), and CA environmental controls met the minimum requirement of the criteria described in our assertion document during the period [date] through [date].
c. believes the stated criteria against which our assertion has been assessed are reasonable and appropriate.
d. has disclosed to you that there are no significant deficiencies in the design or operation of the controls, which could adversely affect ABC-CA's ability to comply with the control criteria related to ABC-CA's CA business practices disclosure, service integrity (including key and certificate life cycle management controls), and CA environmental controls, consistent with our assertions.
e. has made available to you all significant information and records related to our assertion.
f. has responded fully to all inquiries made to us by you during your examination.
g. has disclosed to you any changes occurring, or planned to occur, subsequent to [date field work ended], in controls or other factors that might significantly affect the controls, including any corrective actions taken by management with regard to significant deficiencies.
In management's opinion, ABC-CA, in providing its Certification Authority
(CA) services at [location], ABC-CA, during the period [date] through [date]

• disclosed its key and certificate life cycle management business practices and provided such services in accordance with its disclosed practices
• maintained effective controls to provide reasonable assurance that
    - subscriber information was properly authenticated (for the registration activities performed by ABC-CA) and
    - the integrity of keys and certificates it managed was established and protected throughout their life cycles
• maintained effective controls to provide reasonable assurance that
    - subscriber and relying party information was restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure;
    - the continuity of key and certificate life cycle management operations was maintained; and
    - CA systems development, maintenance, and operations were properly authorized and performed to maintain CA systems integrity
for the [list CAs and roots that are subject to examination], based on the AICPA/CICA Trust Services Criteria for Certification Authorities including the following:
CA Business Practices Disclosure
CA Business Practices Management
    Certification Practice Statement Management
    Certificate Policy Management
Service Integrity
    CA Key Life Cycle Management Controls
        CA Key Generation
        CA Key Storage, Backup, and Recovery
        CA Public Key Distribution
        CA Key Usage
        CA Key Archival and Destruction
        CA Key Compromise
        CA Cryptographic Hardware Life Cycle Management
        CA-Key Escrow (if applicable)
    Subscriber Key Life Cycle Management Controls
        CA-Provided Subscriber Key Generation Services (if supported)
        CA-Provided Subscriber Key Storage and Recovery Services (if supported)
        Integrated Circuit Card Life Cycle Management (if supported)
    Certificate Life Cycle Management Controls
        Subscriber Registration
        Certificate Renewal (if supported)
        Certificate Rekey
        Certificate Issuance


        Certificate Distribution
        Certificate Revocation
        Certificate Suspension (if supported)
        Certificate Validation
CA Environmental Controls
    Security Management
    Asset Classification and Management
    Personnel Security
    Physical and Environmental Security
    Operations Management
    System Access Management
    Systems Development and Maintenance
    Business Continuity Management
    Monitoring and Compliance
    Audit Logging
Very truly yours,
[Name]
[Title]

Example 2: Management Representation Letter for a Certification Authority That Uses External Registration Authorities and Does Not Support Key Escrow, Certificate Renewal, Certificate Suspension, Use of Integrated Circuit Cards, or Provision of Subscriber Key Management Services
[Date]
[Name of CPA or Chartered Accountant firm] [Address]
Dear Members of the Firm:
Management confirms its understanding that your examination of our assertion related to ABC Certification Authority, Inc.'s (ABC-CA) business practices disclosure and controls over its Certification Authority (CA) operations during the period [date] through [date], was to enable you to express an opinion on whether our assertion is fairly presented, in all material respects, based on the AICPA/CICA Trust Services Criteria for Certification Authorities, and that your opinion is based on criteria for effective controls as stated in our assertion document. ABC-CA makes use of external registration authorities for specific subscriber registration activities, as disclosed in ABC-CA's business practice disclosures. We are responsible for our assertion. In connection with your examination, management
a. acknowledges its responsibility for establishing and maintaining effective controls over its CA operations, including CA business practices disclosure, service integrity (including key and certificate life cycle management controls), and CA environmental controls.
b. has performed an assessment and believes that ABC-CA's CA business practices disclosure, service integrity (including key and certificate life cycle management controls), and CA environmental controls, met the minimum requirement of the criteria described in our assertion document during the period [date] through [date].

c. believes the stated criteria against which our assertion has been assessed are reasonable and appropriate.
d. has disclosed to you that there are no significant deficiencies in the design or operation of the controls, which could adversely affect the Company's ability to comply with the control criteria related to ABC-CA's CA business practices disclosure, service integrity (including key and certificate life cycle management controls), and CA environmental controls, consistent with the assertions of management.
e. has made available to you all significant information and records related to our assertion.
f. has responded fully to all inquiries made to us by you during your examination.
g. has disclosed to you any changes occurring, or planned to occur, subsequent to [date], in controls or other factors that might significantly affect the controls, including any corrective actions taken by management with regard to significant deficiencies.
In management's opinion, ABC-CA, in providing its Certification Authority
(CA) services at [location], ABC-CA, during the period [date] through [date]
• disclosed its key and certificate life cycle management business practices and provided such services in accordance with its disclosed practices
• maintained effective controls to provide reasonable assurance that
    - subscriber information was properly authenticated (for the registration activities performed by ABC-CA) and
    - the integrity of keys and certificates it managed was established and protected throughout their life cycles
• maintained effective controls to provide reasonable assurance that
    - subscriber and relying party information was restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure;
    - the continuity of key and certificate life cycle management operations was maintained; and
    - CA systems development, maintenance, and operations were properly authorized and performed to maintain CA systems integrity
for the [list CAs and roots that are subject to examination], based on the AICPA/CICA Trust Services Criteria for Certification Authorities, including the following:
CA Business Practices Disclosure
CA Business Practices Management
    Certification Practice Statement Management
    Certificate Policy Management


Service Integrity
    CA Key Life Cycle Management Controls
        CA Key Generation
        CA Key Storage, Backup, and Recovery
        CA Public Key Distribution
        CA Key Usage
        CA Key Archival and Destruction
        CA Key Compromise
        CA Cryptographic Hardware Life Cycle Management
        CA-Key Escrow (if applicable)
    Subscriber Key Life Cycle Management Controls
        CA-Provided Subscriber Key Generation Services (if supported)
        CA-Provided Subscriber Key Storage and Recovery Services (if supported)
        Integrated Circuit Card Life Cycle Management (if supported)
    Certificate Life Cycle Management Controls
        Subscriber Registration
        Certificate Renewal (if supported)
        Certificate Rekey
        Certificate Issuance
        Certificate Distribution
        Certificate Revocation
        Certificate Suspension (if supported)
        Certificate Validation
CA Environmental Controls
    Security Management
    Asset Classification and Management
    Personnel Security
    Physical and Environmental Security
    Operations Management
    System Access Management
    Systems Development and Maintenance
    Business Continuity Management
    Monitoring and Compliance
    Audit Logging
Very truly yours,
[Name]
[Title]
