You should have listened to that warning your gut made when you decided to pick Messy Mike’s Money Tracker to track your company’s finances. There had to be some reason it was so affordable, right?
There was.
Today, when you logged in, all of your financial records were missing. The app looked just like it did when you logged into your account for the first time. After scrambling to get a hold of their customer service, you learn that they had suffered an embarrassing internal incident.
They give all of their employees the power to delete data. One of their newest employees, in trying to troubleshoot a problem unrelated to your environment, got a little overzealous and wiped out several customer records, including yours.
This is one of the situations the SOC 2 Confidentiality Trust Services Criteria is meant to protect against: accidental deletion. It’s also meant to protect against an inverse scenario: confidential data not getting deleted when it’s no longer needed – leaving it vulnerable to being stolen!SOC 2 has five different Trust Services Criteria that can be considered as areas of focus for your cybersecurity and compliance program. SOC 2 provides a lot of customizability, meaning that organizations have some control over which Trust Services Criteria it wants to follow and maintain. Only one is required, Security, and the other four are optional: Availability, Processing Integrity, Confidentiality, and Privacy.
In this guide, we’ll explain what the Confidentiality criteria requires, and discuss some of the practices used to comply with its requirements.
What is the SOC 2 Confidentiality Trust Services Criteria?
The SOC 2 Confidentiality Trust Services Criteria are a set of requirements that direct how organizations are supposed to handle confidential business information. It sets three core objectives that can be summarized as identify, protect, and dispose.
The name of the criteria is a little confusing and misleading. “Confidential information” is a phrase that conjures up images of classified documents and manila folders with “TOP SECRET” emblazoned on them.
The world of SOC 2 is focused more on the importance of having established data handling practices. Confidentiality is particularly focused on protecting confidential information from accidental or premature deletion.
When does the SOC 2 Confidentiality Trust Services Criteria apply to me?
When choosing the Trust Services Criteria for your SOC 2 audit, different aspects of your business need to be considered. The Confidentiality criteria specifically focuses on the information being retained from customers and the agreements maintained between the customer and the organization.
Ask yourself the following: does your business collect or store any data from your customers, such as intellectual property, personally identifiable information (PII) , passwords, financial information, and business operations information?
If the answer is yes, then the Confidentiality criteria is likely relevant to you!
How does Confidentiality compare to the Security Criteria?
While the two trust criteria of Security and Confidentiality seem similar on the surface and have some overlap, they have unique characteristics that warrant their separation.
The Security criteria primarily refers to the protection of information during its transfer, storage while at rest and preventing the misuse of software. The Confidentiality criteria on the other hand has to do with identifying, protecting, and disposing confidential information, along with meeting confidentiality agreements set forward in contracts or agreements.
Some of the questions that can be asked to help understand the problems the confidentiality criteria is meant to tackle are as follows:
What types of information are we collecting from our clients?
What data collection and storage information is outlined in our agreements?
How are we protecting the data we obtain and store from clients?
Is personally identifiable information stored on your organization’s network?
How is your organization disposing of data once it’s no longer needed?
Questions in this line can be answered in order to determine what information you will need to protect in your Confidentiality efforts, and what controls you will use to protect them.
SOC 2 Confidentiality Requirements
The Confidentiality Trust Services Criteria for SOC 2 requires some additional attention and controls in your cybersecurity program.
The core requirements of Confidentiality are that you identify , protect , and dispose of any confidential business information you collect in the course of doing business.
From the AICPA’s official SOC 2 guidelines themselves…
Identify, Protect, Dispose
Identification Controls
In order to do anything with confidential data, you must first identify it. Identification is the first requirement the AICPA calls out in their documentation.
“Identifies Confidential Information – Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.”
In order to meet the identification requirement, your organization must institute practices to identify and define confidential data. Different types of confidential data may require different levels of protection. For example, PII usually requires a greater level of protection than other types of data.
Building on this, a SaaS company that provides HR services to its customers will collect a lot of different data about its customers’ employees. Some of that data is really important, such as social security numbers, while other data is less important, such as start/anniversary dates.
To meet this requirement, write a confidential data policy that does the following:
Define different classification levels for confidential data, and establish guidelines as to how new data should be classified
State the retention periods for different types of data, so they will be appropriately slated for disposal.
Include a process for reviewing new types of data and classifying them as needed
Include a process for periodically reviewing all types of data being collected and updating the policy as needed
Protection Controls
Where the SOC 2 Confidentiality Criteria talks about “protection,” it’s focused on protecting data from accidental deletion.
Protects Confidential Information from Destruction – Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.
To comply with the protection requirement of the Confidentiality criteria, add the following to your confidential data policy:
Define protections for each classification level you have created in your confidential data policy, such as encryption and access limitations
For example: only admin-level users are permitted to access confidential data.
Include a process for periodic review activities of user access to confidential data
You could also implement policies limiting the number of machines able to access the information and the accounts able to access the information, or requiring a password to access the information from an encrypted location. By ensuring that only qualified personnel are able to delete data, accidental deletion becomes much more unlikely.
The Confidentiality Criteria also wants you to pay particular attention to protecting data when implementing system changes.
Protects Confidential Information — The entity [organization being audited] protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality.
System updates are common moments of failure, as new data erases the old. Ensuring your updates are deployed in a safe way and having backups of protected data will help you meet this requirement.
Be prepared to prove you are upholding your protection efforts during your audit! You may be expected to provide documentation for each access review session, screenshots of access settings, and more.
Disposal Controls
When you no longer need to store confidential data, destroying it is the best way to keep it from falling into the wrong hands! The disposal requirement concerns processes and procedures for the destruction and removal of confidential information from your systems.
Identifies Confidential Information for Destruction – Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.
Destroys Confidential Information – Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction.”
The methodologies employed by the organization for the sanitization and destruction of information needs to be outlined and evidence of the procedure needs to be documented.
For example these processes can include the deletion of the data and physical destruction/zeroing of drives where the information was stored.
There is one more element that SOC 2 requires to meet the disposal criteria: documentation!
C1.2.1 – Disposal of confidential data and assets containing confidential data is documented and evidence of destruction is retained.
To comply with the disposal requirements, consider adding the following to your confidential data policy:
Define the methods your organization uses to dispose of confidential information
Create a process for periodically reviewing disposal activities, including an internal audit to check for any confidential information that is overdue for destruction
Remember, information can be recovered from drives unless they are properly, physically disposed of. Simply “deleting the data” may not be sufficient!
Confidentiality Partnership Requirements
Beyond identify, protect, and dispose, there are a couple of requirements the SOC 2 Confidentiality Criteria has regarding your business partners.
The first has to do with communicating about confidential information.
Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.
Put more simply, SOC 2 Confidentiality requires that you be transparent about how you handle confidential information. If you change how you’re managing confidential data, you need to tell the relevant parties.
The next items have to do with vendor management, and are relevant if vendors handle any confidential information on your behalf.
Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information.
Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements.
Essentially, you need to ensure that vendors handling confidentiality data on your behalf are treating it the same way you do: identifying, protecting, and disposing of it.
You also need to have a process in-place to assess how good your vendors are at doing this.
Is Confidentiality always needed?
Most modern businesses will benefit from including Confidentiality in their SOC 2 audit , since most do collect some amount of confidential information from their customers. However, not all SOC 2 reports include them.
There are a couple of reasons why companies might choose to forgo Confidentiality. They range from mostly harmless to deliberately misleading. None of them come from the standpoint of having a better security program or better SOC 2 report.
They want to reduce the compliance and audit burden on their organization – it’s easier to skip Confidentiality.
SOC 2 is seen as a checkbox: The contents of the report may not matter to some companies that just want to get a SOC 2 – and customers who just want to see that there is in fact a SOC 2.
The company has lackluster Confidentiality practices and wants to avoid being audited on them.
That said, most companies who successfully meet the SOC 2 Security Criteria are usually pretty close to doing everything they need to do for Confidentiality anyways.
You can likely figure out which vendors are actually making their best effort in their security programs by actually reading their SOC 2 reports.
SOC 2 Confidentiality
Information security – the name itself is all about securing information. Good confidentiality practices are a core element of that, whether they’re required topics every SOC 2 or not.
Unless you’re Donna’s Bakery , you should pursue the Confidentiality Trust Services Criteria!
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.