SOC 2 Identifying Confidential Information (C1.1)
Overview:
The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
Action Items:
1) Create a standard customer / user terms and conditions document and make it readily available and accessible to customers / users of in-scope systems.
2) Create a data retention and disposal policy and related procedures and publish on the company intranet for employees to access and review.
3) Create a data classification and handling policy and related procedures and publish on the company intranet for employees to access and review.
4) Inspect the customer agreements and terms for a sample of customers onboarded during the review period to determine that the entity’s commitments and associated system requirements are documented in customer contracts, agreements, and terms of use for each new customer sampled.
5) Inspect the data retention and disposal policy to determine that documented data retention and disposal policies are in place to guide personnel on the procedures for retention and disposal of confidential information.
6) Inspect the information classification policy to determine that a data classification policy is in place that defines data categories, protection levels, and appropriate handling measures for information utilized within the system.
7) Inspect the customer agreements' provisions and the production database backup configuration and logs to determine that the company backs up customer data on a recurring basis in accordance with the backup policy and customer commitments, and retains the data for the duration of the customer agreement.
Related Documents:
1) Customer terms of use
2) Data retention and disposal policy
3) Data classification and handling policy
4) Sample of customer agreements and signed terms and conditions
5) Production database backup configurations and logs

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Identifies Confidential information—Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.
2) Protects Confidential Information from Destruction—Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.
Article ID: 252
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-identifying-confidential-information-c1-1-252.html