Weaving Privacy into Your System Description
We are often asked how to best weave the Privacy, Confidentiality, Availability and Processing Integrity Trust Services Criteria (TSCs) into the System Description. The goal is to provide users of your System Description with a solid understanding of how each TSC that is in scope for your SOC 2 is being met. The Strike Graph System Description Builder can walk you through this exercise. However, if you do want to tackle this on your own, we have a few tips to offer.
We suggest that you start with a solid draft of your System Description that covers Security only. This makes the process of weaving in the other TSCs less daunting. You should also have all of the controls that apply to each additional TSC prepared. At the end of this exercise, you will have integrated each of those controls (or each logical grouping of controls) into the System Description. Some controls will fit easily into existing areas of your System Description; others may need their own sections or paragraphs. Your goals are good control integration and a solid foundation for addressing the customer concerns specific to each TSC. For example, for Privacy you will want to present the procedures you have in place to respond to a breach. For Processing Integrity, you will describe the controls in place to validate the accuracy and completeness of your calculations.
General Guidance for Integrating Any TSC
A few pointers that relate to all TSCs:
- Be sure to add Complementary User Entity Controls (CUECs) that specifically address each TSC. Examples:
- User organizations are responsible for updating their initial password (when applicable) to a value that meets the minimum complexity and security requirements of their own organization.
- User organizations are responsible for contacting COMPANY when they are aware of an incident that may affect the security and privacy of their users' data.
- You will want to describe how any of your sub-service organizations (or third-party partners) help you to meet the objectives of each TSC that is in scope. You can highlight these in your Service Commitments section. For Availability, perhaps you rely on your cloud provider's published uptime commitments and align your own commitments to them. For Privacy, perhaps you identify which of your vendors have access to personal information.
Weaving in Privacy takes a bit more work than the other TSCs, as it has quite a few more controls.
Step 1: The ‘8 Privacy Categories’
You will devote an entire section of your System Description to this area. You can incorporate this section within the Control Environment section. Introduce the Privacy-only section with a lead-in paragraph that is tailored to your organization. It will look something like this:
Then list each of the eight privacy categories (Notice and communication of objectives; Choice and consent; Collection; Use, retention, and disposal; Access; Disclosure and notification; Quality; Monitoring and enforcement) and add a few sentences explaining how your organization satisfies each one. No need to overthink this process: simply add your relevant Privacy controls under the category they address.
Step 2: Add Privacy 'service commitments'
You will need to describe the service commitments you make to your customers with respect to Privacy. Then, wherever you mention "security commitments", also add "and privacy". For example: "Security and Privacy commitments to user entities are documented and communicated in Statements of Work (SOWs) and other customer agreements." If there are any specific privacy laws or regulations that you adhere to, include them here.
Step 3: Integrate “security...and privacy”
Where it makes sense to do so, simply add "and privacy" after any mention of "security". But don't do a blanket Find/Replace, as you will end up with some very odd statements (and you will miss places where the sentence needs more than the extra words). Examples:
"All employees are required to complete security and privacy training upon hire and on an annual basis."
"Company has defined and implemented a set of physical access requirements to secure its IT environment as well as to protect the privacy of the information it holds."
Security and Privacy Management
COMPANY ABC has established an information security and privacy program to govern the controls and procedures that must be in place to protect against unauthorized access, use, or modification of data, including the personal information the organization holds. The CTO is responsible for oversight of the security and privacy program.
Step 4: Additional privacy paragraphs
Weave in all of the Privacy controls that are left over after you have completed Step 1. You should be left with controls relating to change management, monitoring, incident management, and a handful of other areas. Add these where they logically belong throughout your System Description. For example, if you have a strong Privacy-related change management control, add it as a separate paragraph within the Change Management section. When you are done, check that every in-scope Privacy control appears somewhere in the description, so the auditor can trace each one to the narrative.