In addition to the requirements attached to Security, businesses should fulfill the controls for other relevant categories based on the commitments they make to their customers. Below are some examples of the additional categories, as well as the types of controls that satisfy the trust services criteria in these categories.
Provides notice of privacy practices to relevant parties.
The notice is updated and communicated in a timely manner, including changes in the use of personal information.
Obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing.
This includes definitions of processed data, and product and service specifications, to support the use of products and services.
Identifies and maintains confidential information to meet objectives related to confidentiality.
Retention and Classification
Identifies and maintains confidential information to meet its objectives related to confidentiality.
Disposal of Information
Disposes of confidential information to meet EMSI’s objectives related to confidentiality.
Maintains, monitors, and evaluates current processing capacity and use of system components like infrastructure, data, and software.
Maintains processing capacity and use of system components (infrastructure, data, and software) to manage demand and to enable the implementation of additional capacity to help meet objectives.
Backups and Environmental Controls
Maintains environmental protection, software, data backup processes, and recovery infrastructure to meet objectives.
Tests recovery plan procedures supporting system recovery to meet objectives.