!!! Overview
In [2014|Year 2014] the AICPA Assurance Services Executive Committee (ASEC) released the revised version of the [Trust Services Principles and Criteria] ([TSP]) under which [{$pagename}] reports are issued.

[{$pagename}] examinations performed under the revised criteria must couple the [Security] Principle with any non-privacy principle: the security criteria serve as the common criteria for every such engagement. For instance, a [{$pagename}] that includes the [Availability] Principle must also include the [Security] Principle.

The Security Principle was restructured into the following seven categories:
* Organization and management: The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units. This includes criteria addressing accountability, [integrity], ethical values and qualifications of personnel, and the environment in which they function.
* Communications: The criteria relevant to how the [Entity] communicates its [policies|Policy], processes, procedures, commitments, and requirements to authorized users and other parties of the system, and the obligations of those parties and users toward the effective operation of the system.
* [Risk Management] and design and implementation of controls: The criteria relevant to how the entity
** (i) identifies potential risks that would affect the entity's ability to achieve its objectives
** (ii) analyzes those [risks|Risk Assessment]
** (iii) develops responses to those [risks], including the design and implementation of [Access Control] and other [risk]-mitigating actions
** (iv) conducts ongoing monitoring of [risks] and of the [Risk Management] process.
* [Monitoring] of controls: The criteria relevant to how the entity monitors the system, including the suitability, design and operating effectiveness of the controls, and takes action to address deficiencies identified.
* Logical and physical [Access Controls]: The criteria relevant to how the [Entity] restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.
* System operations: The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.
* [Change Management]: The criteria relevant to how the organization identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made, to meet the criteria for the principle(s) addressed in the engagement.

The other non-privacy principles, [Availability], Processing [Integrity], and [Confidentiality], have also been modified so that each contains only the criteria applicable to that specific principle. This greatly reduces the redundancy found in the old [TSPs] when more than one non-privacy principle was in scope for a [{$pagename}] examination.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]