Overview:
The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy.
Action Items:
1) Create a privacy notice (externally facing) and a privacy policy (internally facing), and publish them on the company intranet for employees to access and review.
2) Create an inventory list of personnel with access to encryption keys for in-scope systems.
3) Inquire of the senior manager of compliance and director of security and engineering operations, or equivalent, to determine that access to the encryption keys for in-scope systems is restricted to authorized personnel.
4) Observe the application enrollment process to determine that the application is configured to restrict input to the following information: Name; E-mail; Nickname; Provider; Default Account; Account settings, as applicable to the entity.
5) Inspect the privacy notice and procedures to determine that the privacy notice includes information pertaining to the use, retention, and disposal of collected personal information.
6) Inspect completed training documentation for a sample of current employees and of employees hired during the review period to determine that each sampled employee was required to complete security awareness training upon hire, and annually thereafter, so that they understand their obligations and responsibilities under the company's corporate and business unit security policies.
7) Inspect the user access reviews for a sample of quarters during the review period to determine that user access reviews, including privileged users, are performed by management on a quarterly basis to ensure that access to data is restricted and authorized and that accounts identified as inappropriate are investigated and resolved.
8) Inspect the privacy policy to determine that the privacy policies and procedures are in place to outline the entity's commitment to limit the use of personal information to the specified purposes for which it was collected and that the privacy policies are reviewed periodically by management.
Related Documents:
1) Privacy notice
2) Privacy policy
3) Inventory list of personnel with access to encryption keys for in-scope systems
4) Completed training documentation
5) Documented user access reviews
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Uses Personal Information for Intended Purposes—Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained unless a law or regulation specifically requires otherwise.
Article ID: 263
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-limiting-use-of-personal-information-p4-1-263.html