SOC 2 Accuracy of Personal Information (P7.1)
Overview:
The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy.
Action Items:
1) Create an access control policy and related procedures and publish on the company intranet for employees to access and review.
2) Inspect the application configurations to determine that in-scope applications are configured to allow end users to access the following information, as applicable: Name; E-mail; Nickname; Provider; Default Account; Account settings.
3) Inspect an example of a new account creation to determine that the application is configured to automatically perform edit checks on data entered during the account creation process, so that new application accounts are set up according to the company’s input requirements.
4) Inspect the access listing for a sample of production database servers and employees terminated during the review period to determine that database access was revoked as a component of the employee termination process for each employee sampled.
5) Inspect the administrative access listings for the in-scope systems to determine that administrative access privileges to the centrally managed access control systems are restricted to user accounts accessible by authorized personnel.
Related Documents:
1) Access control policy
2) Application configurations for in-scope applications
3) Access listing for a sample of production database servers
4) Administrative account inventory
5) User account inventory

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Ensures Accuracy and Completeness of Personal Information—Personal information is accurate and complete for the purposes for which it is to be used.
2) Ensures Relevance of Personal Information—Personal information is relevant to the purposes for which it is to be used.
Article ID: 275
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-accuracy-of-personal-information-p7-1-275.html