SOC 2 Academy: Classifying Confidential Information

by Joseph Kirkpatrick / March 29th, 2019

Confidentiality Criteria 1.1

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the confidentiality category in their audit, they would need to comply with the additional criteria for confidentiality. Confidentiality criteria 1.1 says, “The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss why organizations should be classifying confidential information.

Classifying Confidential Information for SOC 2 Compliance

Often times when clients use an organization’s services, they’ll have data that requires various levels of classification. This might mean that you have to classify the data you hold as “confidential” versus “public.” So, why is classifying confidential information necessary for SOC 2 compliance? It all comes down to understanding which type of internal controls need to be implemented in order to ensure that confidential data remains protected as agreed upon. If your organization classifies data as “confidential” but fails to implement internal controls to properly secure that information, why would a client trust you with their information?

Complying with confidentiality criteria 1.1 then comes down to two key points of focus. The first is simple: auditors want to verify that the organization is in fact classifying confidential information and is doing so accurately. Secondly, auditors want to verify that an organization has procedures to destroy confidential information after the organization has held the information for the required time period. Many legal regulations and agreements have stipulations that require organizations to hold onto data for a specified period of time. For example, Article 5(e) under GDPR requires those organizations who process the personal data of EU data subjects to hold data for no longer than is necessary for the purposes for which it is being processed. While not an explicit time period, once the time it takes to process that personal data is up, the organization needs to have procedures in place to secure destroy that confidential data.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

The confidentiality category in the 2017 SOC 2 Trust Services Criteria has a lot to do with information classification, because you have to understand what the level of classification is for the information that you have in your control. If you have different levels of classification, such as listing one item as “secret,” “confidential,” or “public.” This is important to have labeled and categorized in the right way, so that you can apply the proper controls to the proper level of confidentiality. When it comes time to dispose information, there might be a policy in place that says that you won’t dispose of information that is classified as a certain level of confidentiality. These things are usually driven by contractual obligations with your clients. If you are providing a service where a client is saying to you that they want you to protect certain levels of information to X degree, which is different from the other information that you have, that’s where the confidentiality category applies to you and your service.