As service organizations prepare for SOC 2 examinations, understanding the roles of the Privacy and Confidentiality Trust Services Criteria (TSC) can help them manage risk more effectively and optimize the scope of SOC 2 audits.
Privacy and Confidentiality are two of the five TSCs that can be considered in a SOC 2 review. The Security criteria are mandatory, while Confidentiality and Privacy, along with Availability and Processing Integrity, are optional areas for review.
The Confidentiality and Privacy criteria, although similar in nature, have important differences that a service organization should consider as it decides which criteria should be included in an upcoming SOC 2 review.
Understanding Privacy vs. Confidentiality
It’s important for companies scoping a SOC 2 audit to understand the differences between the Confidentiality and Privacy criteria:
Confidentiality
Confidentiality refers to a service organization’s ability to secure proprietary information from unauthorized access or disclosure. The types of data that need to be secured will vary among providers, but typically include:
- Business plans
- Trade secrets
- And similar forms of information.
Privacy
Privacy refers to the service organization’s ability to collect, use, retain, dispose of, and disclose personally identifiable information (PII) in accordance with client agreements as well as any applicable laws or regulations. This will typically include:
- Customer and employee names
- Addresses
- Medical or financial data
- Purchase histories
- And similar data that can be associated with a specific individual.
When to Choose Specific Trust Criteria
Deciding whether to include one, the other, or both criteria depends on several factors, including the types of data the service organization handles on behalf of its clients and the sensitivity of that data.
For example, the Privacy TSC is important for providers that interact directly with individuals or process PII on behalf of their clients. In these instances, the service organization’s client (and their customers) will share data with the system and thus may also want to understand the steps the service organization follows to protect that sensitive data within the system.
The applicability of the Confidentiality TSC will likely vary among service organizations and their clients, but it often comes into scope when the provider is processing or using information it is contractually required to protect.
For instance, a service organization that provides purchasing software for its clients will need to secure the customers’ purchase history from unauthorized access, but with perhaps less technical rigor than it would apply to someone’s health insurance claim or personally identifiable data.
Developing Privacy and Confidentiality Controls for Compliance
After classifying data and selecting the appropriate criteria, service organizations will need to design and implement appropriate controls to ensure compliance with the Privacy and Confidentiality TSCs.
Effective Privacy controls often include policies and procedures for:
- Obtaining and documenting customer consent for data.
- Limiting the collection of PII to what’s needed for legitimate business purposes.
- Cleansing non-relevant data as it’s being collected.
- Providing individuals with access to their information, as requested.
- Destroying information that isn’t needed or for which a legitimate purpose has expired.
Effective Confidentiality controls may vary, but often address:
- Classifying information based on its sensitivity.
- Restricting access to a need-to-know basis.
- Monitoring access to stored confidential information.
- Encrypting confidential information while it’s being shared or stored.
Choosing the right TSC, or combination of criteria, is important both for mitigating risk and for defining an effective, cost-effective scope for a cloud service provider’s SOC 2 audit.
For more information about Privacy vs. Confidentiality or if you need help preparing for your SOC audit, contact our team.