Confidentiality and security are used interchangeably in the security industry; however, in a SOC 2 examination, the Security and Confidentiality Trust Services Categories and Trust Services Criteria are significantly different. The Confidentiality Trust Services Category is an additional category that may be included in your SOC 2 examination based on your commitments and system requirements. In this post, we will break down each criterion in simple terms so you know what to expect from your SOC 2 auditors and the ByteChek difference.
Overview of the criteria for Confidentiality
C1.1 and C1.2
C1.1 The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
Key Concepts Assessed in C1.1 and C1.2
Data Classification and Data Disposal Policy
Typical evidence requests: You will be required to provide your data classification and data disposal policies and procedures. Your auditors will review the contents of the policy to ensure that it outlines the procedures your team follows to properly manage, secure, and dispose of different types of data. The policy should define your organization's data classification types (e.g., confidential, classified, unclassified) and the procedures and tools used to dispose of sensitive data your organization maintains. This policy should be reviewed and updated at least annually.
With ByteChek, our platform is built with an intuitive information security policy generator that will help you quickly create a robust and detailed policy that includes data classification and data disposal policies and procedures. If you already have a policy, you can upload it directly to our platform to address this control. We also take care of the communication to users: your employees can use the ByteChek platform to read and acknowledge their understanding of the data classification and data disposal procedures (and other applicable policies and procedures).
Use of Test Data
Typical evidence requests: Your auditors may request policy-based evidence and system-generated evidence for this concept. The policy should outline a clear directive that prohibits the use of production data in test or non-production environments. This statement is generally included in a change management or system development lifecycle (SDLC) policy. Your auditors may also request screenshots or conduct observations of your test environment to observe the type of test data used. If you are leveraging a test data generator or a sanitization tool, be prepared to provide screenshots of these tools.
With ByteChek, our platform is built with an intuitive information security policy generator that will help you quickly create a robust and detailed policy that includes SDLC procedures that prohibit the use of production data in test environments. If you already have a policy, you can upload it directly to our platform to address this control. We also take care of the communication to users: your employees can use the ByteChek platform to read and acknowledge their understanding of the SDLC procedures (and other applicable policies and procedures). Our team will work closely with you to determine if additional evidence is required beyond this policy.
Deletion or Purging of Customer Data
Typical evidence requests: Be prepared to describe the process your organization follows to remove customer data from your environment. The source of truth for how this control will be tested can be found in your Master Services Agreements (MSAs) or other contracts with your customers. If you commit to deleting customer data after they leave your service or upon request, your auditors will request evidence based on these commitments. Example evidence here can include a system-generated listing from your ticketing system showing all customers that requested data deletion during the testing period. Your auditors will select a sample of these users and request evidence showing that customer data was deleted within the timeframe specified in your contracts.
With ByteChek, our platform is built with an intuitive and quick questionnaire for you to describe your data deletion process and the tools utilized in this data deletion process. Our team will review these responses, dive deep into your MSA, and work with you to determine the best way to prove the operating effectiveness of this control. We understand this is a concept that is unique for each organization and a one-size-fits-all approach doesn’t work here.
The ByteChek Difference
We started ByteChek with one goal in mind: Make Compliance Suck Less. This blog post covers a small subset of the controls our platform is built to automate as we move away from status quo SOC 2 examinations and other framework audits. Automating compliance and eliminating screenshots, document uploads, and generic evidence requests help your team focus on growing and securing your business. Reach out to our team to learn how you can automate compliance and set up a demo of the ByteChek platform.