Overview:
The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy.
Action Items:
1) Create an escalation procedure and publish it on the company intranet for employees to access and review.
2) Inspect the escalation procedure to determine that documented escalation procedures for reporting security incidents are in place to guide employees in identifying, reporting, and acting upon system security breaches and other incidents.
3) Inspect the change control tickets for a sample of privacy incidents to determine that reported or detected privacy incidents and disclosures are tracked within a ticketing system until resolved.
Related Documents:
1) Escalation procedure
2) Change control tickets for a sample of privacy incidents
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Creates and Retains Record of Detected or Reported Unauthorized Disclosures—The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely.
Article ID: 270
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-recording-unauthorized-disclosures-p6-3-270.html