Trust Services Principles and Criteria
(Incorporating SysTrust and WebTrust)
Trust Services (including WebTrust and SysTrust) are defined as a set of professional assurance and advisory services based on a common framework (i.e., a core set of principles and criteria) to address the risks and opportunities of information technology.
SysTrust and WebTrust are two specific services jointly developed by the CICA and AICPA that are based on the Trust Services Principles and Criteria. The Trust Services Principles and Criteria may, however, be used to offer services other than SysTrust and WebTrust.
The CICA/AICPA Privacy Framework consists of nine privacy practices that are key to the proper management of personal information and are based on internationally known fair information practices. Privacy laws and regulations from various jurisdictions around the world require many of these practices. Though they may not be widely known, these nine privacy practices appear in most comprehensive privacy laws worldwide. They include:
Notice: The entity provides notice about its privacy policies and practices to individuals at or before the information is collected, or as soon as practicable thereafter. The notice describes the purpose for which personal information is collected and how it will be used.
Choice and consent: The entity describes the choices available to the individual and obtains consent from the individual with respect to the collection, use, disclosure, and retention of personal information.
Collection: The entity limits the collection of personal information to that which is necessary for the purposes described in the notice.
Use and retention: The entity limits the use of personal information to purposes described in the notice and for which the individual has provided either implicit or explicit consent. The entity retains personal information for only as long as necessary for the fulfillment of the stated purposes, or as required by laws and regulations.
Access: The entity provides the individual with access to review, update, block further use of, or erase his or her personal information.
Onward transfer and disclosure: The entity discloses personal information to third parties only for the purposes described in the notice and for which the individual has provided either implicit or explicit consent, or as permitted by laws and regulations. The entity discloses personal information only to third parties who provide substantially equivalent protection as the entity.
Security: The entity takes reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction based on the sensitivity and value of the information.
Integrity: The entity maintains accurate, complete, relevant and reliable personal information for the purposes for which it is used.
Management and enforcement: The entity designates one or more individuals who are accountable for the entity’s compliance with its privacy policies. The entity has a periodic process to assess and verify compliance with its privacy policies. The entity has procedures to address privacy-related inquiries and disputes.
Trust Services provides for a modular approach using five different principles—security, availability, processing integrity, online privacy and confidentiality. It is possible for the client to request a separate Trust Services examination that covers one or any combination of the principles. Principles provide the basis for describing various aspects of the system under examination with logical groupings of suitable criteria.
Copyright © 2003 by American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants. Used with permission.