SOC – WebTrust – Privacy – Cybersecurity
SOC 3 WebTrust and SysTrust for Service Organizations
The SOC – WebTrust – Privacy – Cybersecurity Trust Services Principles and Criteria form the basis for a set of professional attestation and advisory services, the WebTrust™ and SysTrust℠ Services. The Trust Services are a broad-based set of principles and criteria put forth jointly by the American Institute of Certified Public Accountants (AICPA). In today’s global economy, companies rely more and more on complex and powerful information technology systems. In order to gain the trust of key stakeholders, many companies choose to undergo a WebTrust™ or SysTrust℠ audit when a SOC 1 SSAE 16 or SOC 2 AT 101 audit is not appropriate.
A Trust Services audit is performed by a licensed CPA firm and can be a key differentiator in today’s competitive global market. With today’s dependence on information systems, Trust Services provides comfort around key business processes by ensuring information systems provide timely and reliable information while maintaining privacy and confidentiality of information.
The WebTrust service is primarily designed for e-commerce systems and is comprised of a family of assurance services including:
- WebTrust Online Privacy. The scope of the assurance engagement includes the relevant online Privacy Principle and Criteria.
- WebTrust Consumer Protection. The scope of the assurance engagement includes both the Processing Integrity and the relevant online Privacy Principles and Criteria.
- WebTrust. The scope of the assurance engagement includes one or more combinations of the Principles and Criteria not anticipated above.
- WebTrust for Certification Authorities. The scope of the assurance engagement includes the Principles and related Criteria unique to certification authorities.
As with the WebTrust service, the SOC 3 SysTrust for Service Organizations is comprised of a family of assurance services designed for a wide variety of information technology-based systems that are defined by the entity. The scope of these reports can include one or more of the following Principles and Criteria:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the generally accepted privacy principles issued by the AICPA.
Unlike a SOC 2 report (which is a restricted use report), WebTrust™ and SysTrust℠ reports are general use reports, which means that, upon attainment of an unqualified report, they can be freely distributed or posted on a website as a seal for one full calendar year from the date of issue. This is important, as the report can provide comfort to your company’s many key stakeholders, including customers, business partners, creditors, bankers, regulators, and other parties who rely on e-commerce and information technology systems.