Overview:
The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
Action Items:
1) Create a standard customer / user terms and conditions document and make it readily available and accessible to customers / users of in-scope systems.
2) Create a data retention and disposal policy and related procedures and publish them on the company intranet for employees to access and review.
3) Inspect the customer agreements and terms for a sample of customers onboarded during the review period to determine that the entity’s commitments and associated system requirements are documented in customer contracts, agreements, and terms of use for each new customer sampled.
4) Inspect the data retention and disposal policy to determine that documented data retention and disposal policies are in place to guide personnel on the procedures for retention and disposal of confidential information.
5) Observe the user account / login portal, as applicable, to determine that the user account interface includes the ability to dispose of account data.
Related Documents:
1) Customer terms of use
2) Data retention and disposal policy
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Identifies Confidential Information for Destruction—Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.
2) Destroys Confidential Information—Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction.
Article ID: 253
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-destroying-confidential-information-c1-2-253.html