SOC 2 Breach and Incident Notification (P6.6)

Overview:
The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.


Action Items:
1) Create an escalation procedure and publish it on the company intranet so employees can access and review it.
2) Create an incident response policy and related procedures and publish them on the company intranet so employees can access and review them.
3) Inspect the escalation procedure to determine that it documents how security incidents are reported and that it guides employees in identifying, reporting, and acting upon system security breaches and other incidents.
4) Inspect the change control tickets for a sample of privacy incidents to determine that each sampled incident requiring a change to the system followed the standard change control process.
5) Inspect the breach notification procedure to determine that the company has implemented a formal breach notification process to notify affected parties in the event of a security breach.


Related Documents:
1) Escalation procedure
2) Incident response policy
3) Change control tickets for a sample of privacy incidents

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Remediates Misuse of Personal Information by a Third Party—The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
2) Provides Notice of Breaches and Incidents—The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity's objectives related to privacy.