We are often asked how to best weave the Privacy, Confidentiality, Availability and Processing Integrity Trust Services Criteria (TSCs) into the System Description. The goal is to provide users of your System Description with a solid understanding of how each TSC that is in scope for your SOC 2 is being met. The Strike Graph System Description Builder can walk you through this exercise. However, if you do want to tackle this on your own, we have a few tips to offer.  

Start with a solid draft.

We suggest that you start with a solid draft of your System Description written, but only for Security to start. This makes the process of weaving in the other TSCs less daunting. You should also have all of the controls that apply to the specific TSC prepared. At the end of this exercise, you will have integrated each of the controls (or logical grouping of controls) into the System Description. Some controls will easily fit into existing areas of your System Description, others may need their own sections or paragraphs. Your goals are to have good control integration and to set a solid foundation for meeting customer needs with respect to specific concerns for each TSC. For example, for Privacy, you will want to present the procedures you have in place to respond to a breach. For Processing Integrity, you will describe what controls are in place to validate the accuracy and completion of your calculations.

General guidance for integrating any TSC

A few pointers that relate to all TSCs:

Add Complementary User Entity Controls (CUECs) that specifically address each TSC.

Examples:

User organizations are responsible for updating their initial password (when applicable) to a value that meets the minimum complexity and security requirement of their own organization.

User organizations are responsible for contacting COMPANY when they are aware of an incident that may affect the security and privacy of their users' data.

Describe sub-service and third-party organizations' roles

Describe how any of your sub-service organizations (or third-party partners) help you to meet the objectives of each TSC that is in scope. You can highlight these in your Service Commitments Section. For availability, maybe your cloud provider claims to uptime and you follow their lead? For Privacy, maybe you identify which of your vendors may have access to personal information? 

Privacy

Weaving in privacy takes a bit of work as this TSC has quite a few more controls. 

Step 1: The eight privacy categories 

You will devote an entire section of your System Description to this area. You can incorporate this section within the Control Environment section. You will introduce the Privacy-only section with a lead-in paragraph that’s tailored to your organization.

It will look something like this:

Privacy Policies

The IT Security Policy contains guidelines specific to data privacy and is posted to the company intranet site. The public-facing privacy notice (“Privacy Policy”) covers the following topics: Notice, Choice and Consent, Collection, Use, Retention and Disposal, Access, Disclosure to 3rd parties, Security for Privacy, Quality, and Monitoring and Enforcement. The Privacy Policy includes the following:

Then list each of the topics and add a few sentences to explain how your organization satisfies each topic. No need to overthink this process - simply add your relevant Privacy controls for that Privacy topic.  

Step 2:  Add privacy service commitments   

You will need to describe the service commitments you make to your customers with respect to Privacy. Then when you mention ‘security commitments’ also add ‘and privacy’. For example, “Security and Privacy commitments to user entities are documented and communicated in Statements of Work (SOWs) and other customer agreements.”. If there are any specific privacy laws or regulations that you adhere to, include them here.

Step 3:  Integrate security and privacy  

Where it makes sense to do so, simply add ‘and privacy’ behind any mention of ‘security’. But don't do a Find/Replace as you may end up with some very odd statements! 

Examples: 

"All employees are required to complete security and privacy training upon hire and on an annual basis."  

"Company has defined and implemented a set of physical access requirements to secure its IT environment as well as to protect the privacy of the information it holds."

Security and Privacy Management 

COMPANY ABC has established an information security program to govern the controls and procedures that must be in place by the organization to protect against unauthorized access, use, or modification of data. The CTO  is responsible for the oversight of the IT security program. 

COMPANY ABC also has a data privacy program to govern controls for both internal and external-facing data privacy principles, as described below. The policies define common security and privacy requirements for all company personnel and systems. The Data Privacy Policy is reviewed and approved by both Legal and the CTOs (the document owner) annually or as business needs change. The CTO  is also responsible for implementing the risk management framework and the policies within the organization as they relate to information security and data privacy, as well as monitoring their implementation.

Step 4:  Additional privacy paragraphs

Weave in all of the privacy controls that are left over after you have completed Step 1. You should be left with controls relating to change management, monitoring, incident management and a handful of other areas. Add these in places where they logically make sense throughout your System Description. For example, if you have a great change management control related to Privacy, add that as a separate paragraph within the Change Management section.