
Trust Services Principles and Criteria: which criteria are of interest to you?

An accountant licensed to perform SysTrust and WebTrust services verifies that a Web site clearly describes how it does business and delivers on its promises.

We have various programs for consumer and business-to-business sites, as well as for certification authorities.

These are explained in this section.

Trust Services Privacy Program

Good privacy is good business. Good privacy practices are a key part of corporate governance and accountability. One of today’s key business imperatives is maintaining the privacy of personal information. As business systems and processes become increasingly complex and sophisticated, more and more personal information is being collected. As a result, personal information may be exposed to a variety of vulnerabilities, including loss, misuse, and unauthorized access and disclosure. Those vulnerabilities raise concerns for organizations, the government, and the public in general.

Privacy is a risk management issue. Many organizations are looking for assistance in managing privacy risk and certified public accountants/chartered accountants (CPAs/CAs) are actively helping businesses develop and implement privacy programs.

The AICPA and the CICA promulgated the AICPA/CICA Generally Accepted Privacy Principles (GAPP) for protecting personal information. GAPP incorporates concepts from significant domestic and international privacy laws, regulations, and guidelines (see Appendix B, “Comparison of International Privacy Concepts”). GAPP is the intellectual capital and body of knowledge that provides the foundation for CPA/CA-related privacy advisory and assurance services.

AICPA/CICA Overall Privacy Objective

Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA.

Seeing the WebTrust Privacy seal on a web site tells consumers that an accountant has independently verified that the business lives up to its privacy commitments. Businesses displaying a seal have demonstrated a strong commitment to customer privacy.

Trust Services Security Principle

Information you share with a web site can be misused or stolen. It can be intercepted and opened during transmission over the Internet, or hacked into while it is stored on the other party's computer systems. Just recently, the media has reported that theft of credit card data is on the rise. While the financial risk is low, the inconvenience can be significant and your sense of well-being compromised.

From a business-to-business standpoint, the risks are very high. Suppose another company finds out your bank account number, or a corporate spy learns that you use different pricing scales for business partners and threatens to reveal that information?

The Trust Services Security Principle addresses these concerns by ensuring that businesses maintain secure sites for e-Commerce.

Trust Services Security

Our standards demand that the system is protected against unauthorized access (both physical and logical).

Trust Services Processing Integrity Principle

Have you ever wondered how a web site handles customer complaints? Or whether you'll receive your merchandise on time? Unfortunately, on the Internet, every site looks inviting. Behind the scenes, who knows?

Business transactions sent electronically to another party are susceptible to loss, duplicate processing, or the corruption of information associated with the transaction. For example, if an electronic order is sent through the Internet from one company to another, without appropriate transaction integrity controls, the buyer may not receive the goods ordered, or receive more of the goods than originally requested, or receive the wrong goods altogether.

However, if appropriate business practices are followed and processing integrity controls exist and are operational within the system, the buyer can be reasonably assured that the correct goods, in the correct quantity, at the correct price are received when promised.

Customers expect their business transactions to be processed completely and accurately. Complete means your order is processed without exception and is not processed more than once. Accurate means key information (items, quantities, prices) does not get garbled later.
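The Trust Services criteria describe the properties a processing integrity control must provide (no lost orders, no duplicate processing, no corrupted order data) but do not prescribe a mechanism. The following is an added illustration, not code from AICPA/CICA or from any WebTrust program, of one common way a receiving system can enforce those properties: each order carries a unique transaction identifier and an integrity tag computed by the sender, and the receiver accepts an order only if the tag verifies and the identifier has not been seen before. The shared key, order fields and identifiers are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only; real trading partners would
# agree a key out of band (or use signatures under their PKI credentials).
SHARED_KEY = b"example-shared-key-not-real"


def canonical(order: dict) -> bytes:
    """Serialize the order with a fixed field order so sender and receiver hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict) -> str:
    """Sender side: compute an integrity tag over the order's business fields."""
    return hmac.new(SHARED_KEY, canonical(order), hashlib.sha256).hexdigest()


class OrderProcessor:
    """Receiver side: process each transaction id at most once, and only if its tag verifies."""

    def __init__(self) -> None:
        self.processed: dict[str, dict] = {}  # transaction_id -> accepted order
        self.log: list[tuple[str, str | None, str]] = []  # audit trail of every decision

    def process(self, order: dict, tag: str) -> str:
        txn = order.get("transaction_id")
        if not txn:
            self.log.append(("rejected", None, "missing transaction_id"))
            return "rejected"
        # Accuracy: any change to the order after signing (e.g. a garbled quantity)
        # makes the tag fail to verify, so the corrupted order is never acted on.
        if not hmac.compare_digest(sign_order(order), tag):
            self.log.append(("rejected", txn, "integrity tag mismatch"))
            return "rejected"
        # Completeness: a replayed or re-sent order with an id already processed
        # is acknowledged but not fulfilled a second time.
        if txn in self.processed:
            self.log.append(("duplicate", txn, "already processed"))
            return "duplicate"
        self.processed[txn] = order
        self.log.append(("accepted", txn, f"{order['quantity']} x {order['sku']}"))
        return "accepted"


def run_demo() -> list[str]:
    """Constructed scenario: a valid order, the same order re-sent, and a tampered copy."""
    order = {"transaction_id": "ORD-0001", "sku": "WIDGET-7", "quantity": 10, "unit_price": "4.50"}
    tag = sign_order(order)
    receiver = OrderProcessor()
    outcomes = [receiver.process(order, tag)]          # first delivery
    outcomes.append(receiver.process(order, tag))      # duplicate delivery of the same order
    tampered = dict(order, quantity=100)               # quantity altered in transit, tag unchanged
    outcomes.append(receiver.process(tampered, tag))
    return outcomes


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The audit log kept by the processor is what an assurance engagement would look for: every incoming transaction leaves a record of whether it was accepted, rejected, or recognized as a duplicate, so completeness and accuracy can be evidenced after the fact rather than merely asserted.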

A site that has met the standards for Processing Integrity can be trusted.

Trust Services Processing Integrity

Our standards demand that system processing is complete, accurate, timely, and authorized.

Trust Services Availability Principle

Service providers help their customers communicate and conduct business over the Internet through a number of services.

Some provide customers with a pipeline to the Internet. Some provide online processing and other applications for use by their customers. And some act as a data center processing operation for customers' businesses.

These services are vital to a customer's business and livelihood. It is critical that a customer's access to the data center, network and/or Internet backbone is available as advertised or promised by the service provider in its service-level agreement. If the service is unavailable for a significant period of time, customers may suffer temporary loss of revenue, impaired cash flow, and/or a diminished public image.

By complying with the Trust Services Availability principle, a service provider or other entity can demonstrate its ability to meet critical needs of business customers.

To avoid risks and ensure the reliability of your service provider, insist that your service provider meet the Trust Services Availability principle and criteria.

Trust Services Availability

The system is available for operation and use as committed or agreed.

WebTrust for Certification Authorities (CAs) Engagements

Certification Authorities are an increasingly important component of electronic commerce. Anyone selecting a CA should seek independent verification that the following key areas have been examined:

CA Business Practices Disclosure

Security and privacy policies and practices are important matters, especially to the customer of a CA. Thus, the WebTrust Business Practices Disclosure Principle requires that the CA disclose its key and certificate life cycle management business and information privacy practices. Information regarding the CA's business practices should be made available to all subscribers and all potential relying parties, typically by posting on its Web site. Such disclosure may be contained in a Certificate Policy (CP) and/or Certification Practice Statement (CPS), or other informative materials that are available to users (subscribers and relying parties).

Service Integrity

Effective key management controls and practices are essential to the trustworthiness of the public key infrastructure. Cryptographic key management controls and practices cover CA key generation, CA key storage, backup and recovery, CA public key distribution, CA key escrow (optional), CA key usage, CA key destruction, CA key archival, the management of CA cryptographic hardware through its life cycle, and CA-provided subscriber key management services (optional). Strong key life cycle management controls are vital to guard against key compromise which can damage the integrity of the public key infrastructure.

CA Environmental Controls

The establishment and maintenance of a trustworthy CA environment is essential to the reliability of the CA's business processes. Without effective CA environmental controls, strong key and certificate life cycle management controls are severely diminished in value.

CA environmental controls include CPS and CP management, security policy management, security management, asset classification and management, personnel security, physical and environmental security of the CA facility, operations management, system access management, systems development and maintenance, business continuity management, monitoring and compliance, and event journalling.

Recognizing that the next wave of electronic commerce is business-to-business, we are currently developing standards that can be applied to this aspect of electronic commerce.

Overall, the standards cover the following aspects of eCommerce:

  • Privacy of your personally identifiable information, such as name, email address, and payment information.
  • Confidentiality of business information and data.
  • Business practices and integrity, including how orders are handled and how complaints can be resolved.
  • Security over private and confidential information.
  • Non-repudiation of orders.
  • Availability of the web site and contracted services.


WebTrust. "It's a Matter of Trust."
© 2006 AICPA