Page 14 - CITP Review

Frameworks

Two notable frameworks used to establish these best practices are the AICPA's trust services and the generally accepted privacy principles (GAPP).


Trust services

The AICPA's trust services [2] has five basic categories: security, availability, processing integrity, confidentiality, and privacy (see exhibit 1-1). Each of these is expanded upon to provide details on the characteristics and nature of each one as an effective control by outlining criteria and illustrative controls for each.

Exhibit 1-1 — Trust services criteria categories

Category 1 (Security): Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.

Category 2 (Availability): Information and systems are available for operation and use to meet the entity's objectives.

Category 3 (Processing Integrity): System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

Category 4 (Confidentiality): Information designated as confidential is protected to meet the entity's objectives.

Category 5 (Privacy): Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.


Attest criteria include policies, communications, procedures, and monitoring. Attest procedures are also described in terms of principles, criteria, and controls. The attest report is either a type I or a type II report.



Generally accepted privacy principles

The generally accepted privacy principles (GAPP) are an international set of principles related to the fifth element of trust services, privacy. [3] GAPP is made up of 10 criteria (see exhibit 1-2). Each of these is expanded upon to provide details on the characteristics and nature of each criterion as an effective control by outlining details and illustrative controls for each.



[2] AICPA, Trust Services Criteria, www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf.

[3] GAPP was jointly developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA).


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-6