Processing Integrity Criteria 1.1

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in its audit, it needs to comply with the additional criteria for processing integrity. Processing integrity criteria 1.1 says, “The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.” What does this mean for organizations, and how do they comply with this criterion? Let’s discuss why the quality and accuracy of your data are important for SOC 2 compliance.

Does the Processing Integrity Category Apply to My Organization?

While the security category applies to all organizations pursuing SOC 2 compliance, whether you should include additional categories depends on the type of services you offer. If the services your organization provides to its clients rely on the quality and accuracy of the data that is processed and output for those clients, you would need to include the processing integrity category in your SOC 2 audit.

How to Comply with Processing Integrity Criteria 1.1

The processing integrity category asks whether a service organization’s system processing is complete, valid, accurate, timely, and authorized. To comply with this category, or more specifically with processing integrity criteria 1.1, service organizations should use the following two points of focus relating to the quality and accuracy of data:

  1. Entities should identify information specifications that are required to support the use of products and services.
  2. Entities should define data necessary to support a product or service.

Let’s say that an auditor is verifying compliance with processing integrity criteria 1.1. The organization in question is an employee benefits service provider that delivers reports its clients rely upon. The auditor will want to see that the organization defines the data used in the report, which could be done by stating the source of the data, the date range of the data used to produce the report, or how the figures were calculated. However an organization chooses to define its data, ensuring the quality and accuracy of that data is critical to complying with the processing integrity category.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

I’m going to read for you the additional criteria for processing integrity. It’s one of the categories for the SOC 2 Trust Services Criteria. Processing integrity 1.1 says, “The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.” If your company provides a service to its clients that relies upon the quality and accuracy of data that perhaps is processed and output in some format to your clients, this is a category that would apply to you and your service offering. For example, if you are an employee benefits service provider and you’re providing reports to your clients that they rely upon, you would want to provide a definition of the data that you’re using in that report you’re providing. You might specify the source of the data or where it came from, the relevant date range of the data that was used to produce the report, or you might provide some type of unit of measurement of how this data was arrived at or how you calculated it. So, any time you have a processing element to your service that relies upon core data, you would want to disclose that and explain it, and that’s where the processing integrity category comes into play.

Confidentiality Criteria 1.2

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the confidentiality category in its audit, it would need to comply with the additional criteria for confidentiality. Confidentiality criteria 1.2 says, “The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.” What does this mean for organizations, and how do they comply with this criterion? Let’s discuss.

How Can Contractual Obligations Impact Confidential Information?

Understanding how contractual obligations affect confidential information is especially important for complying with confidentiality criteria 1.2. In this era of data privacy regulations, many organizations are required to retain data for a certain period of time, but knowing exactly how long can be tricky once clients start adding stipulations to confidentiality agreements. For example, say a business wants to partner with a service organization that is required by law to retain the data in question for three years. Before partnering with the service organization, that business may stipulate that the data be retained for an additional two years. When this happens with multiple clients, the service organization must know which retention requirement applies to which set of data, so that each set remains confidential for as long as required and is disposed of correctly, and not before, when that period ends.


One of the aspects of the confidentiality category for the 2017 SOC 2 Trust Services Criteria is how you manage these contractual expectations from your clients. There might be legal and regulatory requirements that say that you have to keep certain data for a specific number of years, but the client may have contracted with you to keep the information for longer than that. When it comes to disposing of information, you have to know what those requirements are and apply the right scenario with the right obligations that you’ve committed yourself to. Ultimately, you want to be certain about the type of information you have, how long it is that you’re supposed to maintain it and meet the obligations that you’ve agreed to under this confidentiality clause in your agreements with your clients.


Confidentiality Criteria 1.1

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the confidentiality category in its audit, it would need to comply with the additional criteria for confidentiality. Confidentiality criteria 1.1 says, “The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.” What does this mean for organizations, and how do they comply with this criterion? Let’s discuss why organizations should be classifying confidential information.

Classifying Confidential Information for SOC 2 Compliance

Oftentimes, when clients use an organization’s services, they will have data that requires various levels of classification. This might mean that you have to classify the data you hold as “confidential” versus “public.” So why is classifying confidential information necessary for SOC 2 compliance? It comes down to understanding which internal controls need to be implemented to ensure that confidential data remains protected as agreed upon. If your organization classifies data as “confidential” but fails to implement internal controls that properly secure that information, why would a client trust you with it?

Complying with confidentiality criteria 1.1 then comes down to two key points of focus. The first is simple: auditors want to verify that the organization identifies and designates confidential information when it is received or created, classifies it accurately, and determines how long it must be retained. Secondly, auditors want to verify that the organization has procedures to protect confidential information from erasure or destruction during that retention period; disposal once the period ends is the subject of confidentiality criteria 1.2. Many laws and agreements stipulate how long an organization must hold data. For example, Article 5(1)(e) of the GDPR requires organizations that process the personal data of EU data subjects to keep that data for no longer than is necessary for the purposes for which it is processed. While that is not an explicit time period, it still defines a retention period: the organization must know when the purpose has been fulfilled, protect the data until then, and then have procedures in place to securely destroy it.


The confidentiality category in the 2017 SOC 2 Trust Services Criteria has a lot to do with information classification, because you have to understand what the level of classification is for the information that you have in your control. If you have different levels of classification, such as listing one item as “secret,” “confidential,” or “public,” it is important to have these labeled and categorized in the right way, so that you can apply the proper controls to the proper level of confidentiality. When it comes time to dispose of information, there might be a policy in place that says that you won’t dispose of information that is classified as a certain level of confidentiality. These things are usually driven by contractual obligations with your clients. If you are providing a service where a client is saying to you that they want you to protect certain levels of information to X degree, which is different from the other information that you have, that’s where the confidentiality category applies to you and your service.

Availability Criteria 1.3

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in its audit, it would need to comply with the additional criteria for availability. Availability criteria 1.3 says, “The entity tests recovery plan procedures supporting system recovery to meet its objectives.” What does this mean for organizations, and how do they comply with this criterion? Let’s find out why you need to be testing your business continuity plan.

The Importance of Testing Your Business Continuity Plan

The importance of testing your business continuity plan comes down to this: if disaster strikes and you haven’t practiced executing your business continuity plan, how will you know whether it works? There’s no telling how severe a disaster will be, so regularly exercising different scenarios should be a top priority for organizations pursuing SOC 2 compliance. For example, if your organization is hit by a tornado and a critical employee is unable to come into the office because of it, how will your business continuity plan hold up? Is there someone else who could carry out that person’s responsibilities so that your services remain available as agreed upon?

When an auditor assesses compliance with availability criteria 1.3, they’ll use two main points of focus to guide them. First, they’ll want to validate that your organization tests its business continuity plan on a periodic basis. They’ll do so by checking that your business continuity plan testing includes the following:

  • Developing different testing scenarios based on threat likelihood and magnitude
  • Considering system components from across your organization that might impair the availability of your system
  • Using scenarios that consider the potential lack of availability of key personnel
  • Revising your business continuity plan based on the results of testing

Secondly, auditors will want to ensure that your organization tests for the integrity and completeness of backup data on a regular basis.


The business continuity test is a very important element of SOC 2 availability criteria 1.3. I know we, as auditors, talk a lot about tests that we want you to perform. BCP testing is another one of those tests that is worth its weight in gold when you have an actual event. BCP testing will help you practice for when you aren’t able to be in the facility that you’re used to being in every day. Let’s say you lost a key member of your staff because there was a tornado. She’s working out of her home trying to take care of her family, get her house and living arrangements back up and running, and is unable to be at work. How would you continue operations while that key member is distracted because of an environmental event that occurred? Going through those tests and scenarios will help you prepare, but there’s a very specific test that you have to have evidence of to show your auditor that you’ve performed, and that is the test of the veracity of your data backups. You need to be able to show on a random basis that the backup occurred, it was successful, and the data can actually be restored. There have been several cases where we’ve performed that test, and we’ve gone in and randomly selected a backup and the backup had failed; the data that they were expecting to be there wasn’t – perhaps the media went bad – and so these are reasons why you should check those things and make sure that you have good data backups, and why, if you’ve performed that testing yourself, you should be able to show the auditor that it is a part of your day-to-day system operations.


Availability Criteria 1.2

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in its audit, it would need to comply with the additional criteria for availability. Availability criteria 1.2 says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” We’ve discussed how organizations can comply with this criterion, but we believe there’s a key component that requires further discussion: data backup processes. Let’s take a look at why organizations need proper data backup processes and how they affect SOC 2 compliance.

Data Backup Processes and SOC 2 Compliance

We know that disasters happen when we least expect them, so taking proactive measures to protect the data your organization holds is paramount to SOC 2 compliance. This includes ensuring that data remains available, complete, and accessible when you need it. For example, if your organization is affected by a hurricane and cannot physically access its office building, how will you access your data so that you can continue to provide the services you offer? If you’re forced to set up at an off-site location until your office building has recovered from an environmental disaster, would you have access to your data there? These are the things you need to consider for SOC 2 compliance.

During a SOC 2 audit, an auditor will want to ensure that your organization has effective data backup processes in place in order to comply with availability criteria 1.2. An auditor will ask questions such as:

  • What data does your organization hold?
  • How much data do you have?
  • How large a gap between the last data backup and an incident would there be, and how large a gap is acceptable to you (your recovery point objective)?

Having such data backup processes in place assists organizations in meeting the goal behind the availability category, which is that the services or systems that your organization offers are available for operation and use as agreed upon.
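The two backup checks this page asks for, the integrity and completeness test of backup data under availability criteria 1.3 and the last-backup-to-event gap question under availability criteria 1.2, can be turned into a repeatable script whose output is kept as audit evidence. The following Python is an added example, not code from the original page or from any auditor or backup vendor; the manifest format, file names, contents, timestamps and the 24-hour acceptable gap are all constructed assumptions.

```python
"""Backup verification check (added example; not from the original page).

Two things an auditor asks for under availability criteria 1.3 and 1.2:
  1. evidence that a selected backup is complete and intact when restored;
  2. the gap between the last *successful* backup and an event, compared
     against what the organization has decided is acceptable (its RPO).
Every file name, content, hash, timestamp and threshold below is constructed
for illustration; the manifest format is an assumption, not any vendor's.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupRun:
    finished: datetime      # when the job completed (UTC)
    succeeded: bool         # job status as recorded by the backup tool
    manifest: dict          # path -> SHA-256 of content captured by this run


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Compare a restored file set against the manifest the backup recorded.

    Completeness: every manifest path must be present in the restore.
    Integrity: each restored file's digest must match the recorded digest.
    Returns the lists of failures so the evidence can be kept for the auditor.
    """
    missing = sorted(p for p in manifest if p not in restored)
    corrupt = sorted(p for p in manifest
                     if p in restored and sha256_hex(restored[p]) != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not missing and not corrupt}


def last_successful_backup(runs):
    """Failed jobs do not count: a failed run moves the recovery point back."""
    good = [r for r in runs if r.succeeded]
    return max(good, key=lambda r: r.finished) if good else None


def recovery_gap(runs, event_time: datetime, rpo: timedelta):
    """Return (gap, within_rpo); gap is None when no successful backup exists."""
    last = last_successful_backup(runs)
    if last is None:
        return None, False
    gap = event_time - last.finished
    return gap, gap <= rpo


# --- Constructed sample data -------------------------------------------------
ORIGINAL = {   # content as it existed when the backup job ran
    "payroll/2024-02.csv": b"emp_id,amount\n1001,4200.00\n1002,3900.50\n",
    "config/app.yaml": b"retention_days: 1825\n",
    "reports/q1.pdf": b"%PDF-1.4 constructed placeholder\n",
}
MANIFEST = {path: sha256_hex(content) for path, content in ORIGINAL.items()}

# What the test restore actually produced: one file intact, one altered
# (e.g. bad media), one missing entirely.
RESTORED = {
    "payroll/2024-02.csv": ORIGINAL["payroll/2024-02.csv"],
    "config/app.yaml": b"retention_days: 0\n",
}

RUNS = [
    BackupRun(datetime(2024, 3, 1, 1, 0, tzinfo=timezone.utc), True, MANIFEST),
    BackupRun(datetime(2024, 3, 2, 1, 0, tzinfo=timezone.utc), False, {}),  # failed
]
EVENT_TIME = datetime(2024, 3, 2, 9, 30, tzinfo=timezone.utc)
ACCEPTABLE_GAP = timedelta(hours=24)   # assumed RPO for this example


def run_check():
    """Run both checks; returns (restore_result, gap, within_rpo)."""
    result = verify_restore(MANIFEST, RESTORED)
    gap, within = recovery_gap(RUNS, EVENT_TIME, ACCEPTABLE_GAP)
    return result, gap, within


if __name__ == "__main__":
    result, gap, within = run_check()
    print("restore ok:", result["ok"], "missing:", result["missing"],
          "corrupt:", result["corrupt"])
    print("gap since last good backup:", gap, "within RPO:", within)
```

Run against a randomly selected backup on a schedule and archive the output; that gives the auditor both pieces of evidence the transcript describes (the backup occurred, it succeeded, and the data restores intact). Note that the failed run on the second day is deliberately excluded when computing the gap: a job that reported failure does not move your recovery point forward, which is exactly the situation the auditors describe finding.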

Another thing to prepare for SOC 2 availability criteria 1.2 is your data backup processes. If you do have an environmental event where you can’t access your facilities or your equipment is destroyed, you have to restore operations. Your data backup processes will be very important. Where is your data? How much data do you have? What type of gap between the last backup and time of the event will there be? What’s acceptable for you there? These are questions that your auditor will ask you. The reason why you want to be able to demonstrate that that data is available and accessible at some remote location is because we’re thinking about a scenario where you can’t get into your offices, and you have to go to some alternative processing facility in order to resume operations and continue delivering your services while the building that you’re in is unavailable to you due to some environmental event. Think about what you’re doing with data and make sure that it is available, complete, and accessible in a far-enough away place from your primary facility so that you can restore operations there, if necessary.
