Which criteria are of interest to you?
An accountant licensed to perform SysTrust and WebTrust services provides a report that gives assurance attesting to an entity's compliance with the Trust Services Principles and Criteria. We have various programs for consumer and business-to-business sites, as well as for certification authorities. These include programs relating to privacy, availability, security, processing integrity, confidentiality and systems reliability. They are explained in this section.
Privacy Program
Privacy is a risk management issue. Many organizations are looking for assistance in managing privacy risk, and certified public accountants/chartered accountants (CPAs/CAs) are actively helping businesses develop and implement privacy programs. The AICPA and the CICA promulgated the AICPA/CICA Generally Accepted Privacy Principles (GAPP) for protecting personal information. GAPP incorporates concepts from significant domestic and international privacy laws, regulations, and guidelines (see Appendix B, "Comparison of International Privacy Concepts"). GAPP is the intellectual capital and body of knowledge that provides the foundation for CPA/CA-related privacy advisory and assurance services (see www.cica.ca/privacy). Licensed auditors can provide a WebTrust seal that can be displayed on the client's web site.
AICPA/CICA Overall Privacy Objective
Seeing the WebTrust Privacy seal on a web site tells consumers that an accountant has independently verified that the business lives up to its privacy commitments. Businesses displaying a seal have demonstrated a strong commitment to customer privacy.
Security Principle
From a business-to-business standpoint, the risks are very high. What if another company finds out your bank account number? Or a corporate spy learns that you use different pricing scales for different business partners and threatens to reveal that information? The Trust Services Security Principle addresses these concerns by ensuring that businesses maintain secure sites for e-Commerce. Licensed auditors may provide either a WebTrust or SysTrust seal to clients that can be displayed on the client's web site.
Processing Integrity Principle
Business transactions sent electronically to another party are susceptible to loss, duplicate processing, or the corruption of information associated with the transaction. For example, if an electronic order is sent through the Internet from one company to another, without appropriate transaction integrity controls, the buyer may not receive the goods ordered, or receive more of the goods than originally requested, or receive the wrong goods altogether. However, if appropriate business practices are followed and processing integrity controls exist and are operational within the system, the buyer can be reasonably assured that the correct goods, in the correct quantity, at the correct price are received when promised. Customers expect their business transactions to be processed completely and accurately. Complete means your order is processed without exception and not processed more than once. Accurate means key information doesn't get garbled later. A site that has met the standards for Processing Integrity can be trusted. Licensed auditors may provide either a WebTrust or SysTrust seal to clients that can be displayed on the client's web site.
Availability Principle
Some service providers give customers a pipeline to the Internet. Others provide online processing and other applications for use by their customers. And some act as a data center processing operation for customers' businesses. These services are vital to a customer's business and livelihood. It is critical that a customer's access to the data center, network and/or Internet backbone is available as advertised or promised by the service provider in its service-level agreement. If the service is unavailable for a significant period of time, customers may suffer temporary loss of revenue, impaired cash flow, and/or diminished public image. By complying with the Trust Services Availability principle, a service provider or other entity can demonstrate its ability to meet the critical needs of business customers. To avoid these risks and ensure the reliability of your service provider, insist that your service provider meet the Trust Services Availability principle and criteria.
WebTrust for Certification Authorities (CAs) Engagements
Certification Authorities are an increasingly important component of electronic commerce. Anyone selecting a CA should seek independent verification that the following key areas have been examined: CA Business Practices Disclosure, Service Integrity, and CA Environmental Controls.
CA Business Practices Disclosure
Security and privacy policies and practices are important matters, especially to the customer of a CA. Thus, the WebTrust Business Practices Disclosure Principle requires that the CA disclose its key and certificate life cycle management business practices and its information privacy practices. Information regarding the CA's business practices should be made available to all subscribers and all potential relying parties, typically by posting it on the CA's Web site. Such disclosure may be contained in a Certificate Policy (CP) and/or Certification Practice Statement (CPS), or in other informative materials that are available to users (subscribers and relying parties).
Service Integrity
Effective key management controls and practices are essential to the trustworthiness of the public key infrastructure. Cryptographic key management controls and practices cover CA key generation, CA key storage, backup and recovery, CA public key distribution, CA key escrow (optional), CA key usage, CA key destruction, CA key archival, the management of CA cryptographic hardware through its life cycle, and CA-provided subscriber key management services (optional). Strong key life cycle management controls are vital to guard against key compromise, which can damage the integrity of the public key infrastructure.
CA Environmental Controls
The establishment and maintenance of a trustworthy CA environment is essential to the reliability of the CA's business processes. Without effective CA environmental controls, strong key and certificate life cycle management controls are severely diminished in value. CA environmental controls include CPS and CP management, security policy management, security management, asset classification and management, personnel security, physical and environmental security of the CA facility, operations management, system access management, systems development and maintenance, business continuity management, monitoring and compliance, and event journaling.
WebTrust for Extended Validation Certificates
The Guidelines for Extended Validation Certificates have been developed by the CA/Browser Forum (CAB Forum), a voluntary organization of leading certificate authorities and Internet browser software vendors. These guidelines establish requirements for a new type of Extended Validation (EV) certificate, including standardized procedures for verifying and ensuring the identity of the certificate holder. WebTrust for Extended Validation Certificates is based on the Guidelines developed by the CAB Forum. It has been written to enable a practitioner to issue an attestation report for general use. Together with WebTrust for Certification Authorities, practitioners can offer a complete trust-building service to this important sector of the Internet community.