
The SOC 2 Confidentiality Criteria Explained

August 19, 2025

After the leak of a secretly taped business meeting in which the owner of Papa John’s used a racial slur, consumer backlash led the CEO to resign, hurt sales, and dragged down the stock price. Confidentiality — or the lack of it — can deeply affect business success. Not surprisingly, the SOC 2 confidentiality criteria are one of the framework’s five central trust principles.

What Is the SOC 2 Confidentiality Criteria?


The American Institute of Certified Public Accountants defines the Confidentiality Trust Services Criteria as making sure “information designated as confidential is protected to meet the entity’s objectives.” In other words, the Confidentiality TSC looks at how well your organization keeps confidential data secure and secret.

This pillar has two areas of focus for SOC 2 compliance:

  • C1.1: “The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.”
  • C1.2: “The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.”

Meeting these objectives requires a combination of policies, security controls, and technology safeguards.

Examples of Confidential Data

Protected files generally fall into a few categories:

  • Financial data, such as sales forecasts and banking records
  • Client information, including service contracts and CRM records
  • Legal documents like business contracts, negotiations, and law firm communications
  • Proprietary data, from product formulas to manufacturing records
  • Non-disclosure agreements, employee SSNs, and employment contracts

Business communications range in confidentiality. Some emails need the highest level of secrecy, and others are designed for sharing internally, but not with the general public. The same goes for business meetings. 

Confidentiality Vs. Privacy

Why does SOC 2 have a TSC for confidentiality if there’s also one for privacy? Confidentiality and privacy are closely related, but there are important differences between them.

Privacy mainly deals with personal information and sensitive user data. For example, payment gateways need robust cybersecurity defenses to keep consumer credit card data safe.

Confidentiality generally refers to sensitive business data. For the same payment gateways, the SOC 2 Confidentiality criteria would impact documents like internal profit and loss statements.

What Is Confidentiality in Information Security?


Confidentiality isn’t just one of the five main TSCs in the SOC 2 framework. It’s also one leg of the cybersecurity CIA triad: to be effective, any information security system must provide confidentiality, integrity (what SOC 2 calls processing integrity), and availability.

The infosec definition of confidentiality is broader: preventing unauthorized access to, and disclosure of, sensitive data. Depending on the nature of your business, both physical and electronic access control measures may be necessary to protect confidential information.

According to the National Institute of Standards and Technology, confidentiality means “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” This definition is used in NIST SP 800-171, a framework for defense contractors.

What Does the Confidentiality TSC Require?

SOC 2 certification audits look at several areas of focus to determine whether your system follows confidentiality best practices.

1. Data Assessment and Classification

Your organization needs an effective system to categorize data and flag confidential information. This means clearly defining what documents are confidential, locating sensitive records, and outlining policies for creating, using, and storing data.

2. Access Controls

Restricting access to sensitive data is vital for confidentiality. Employees must use unique credentials, strong passwords, and multifactor authentication, and you must also restrict access according to each employee’s role and level.

3. Data and Network Security

To protect data against cyberattacks, confidential information must be encrypted both at rest and in transit. The gold standard is AES-256 for stored data and Transport Layer Security (TLS) for data crossing the network. Antimalware tools and firewalls help keep threat actors away from protected files.

4. Data Disposal Policies

The SOC 2 confidentiality criteria require policies for document retention and destruction. Procedures should prevent unauthorized deletion of files during the retention period and ensure that confidential files are securely disposed of once that period ends.
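The four areas above (classification, access restriction, retention and disposal) can be expressed as a small, auditable policy engine. The following is an added example written for this article, not code from the original page or from Compyl: the labels, roles, categories and retention periods are assumed placeholders for an organization’s own policy, and the sample register is constructed. Encryption (area 3) is left to the storage and transport layers and is not shown here.

```python
"""Constructed confidentiality register: classify records (C1.1), restrict reads
by role, and decide disposal by retention period (C1.2) while refusing to
dispose of anything under legal hold. All policy values below are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Classification scheme (assumed): higher number means more restricted.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Label each data category receives under the (assumed) classification policy.
CATEGORY_LABEL = {
    "financial": "confidential",   # sales forecasts, banking records
    "client": "confidential",      # service contracts, CRM exports
    "legal": "confidential",       # contracts, negotiations
    "hr": "confidential",          # NDAs, SSNs, employment contracts
    "marketing": "public",         # published material
}

# Highest label each role may read (assumed). Least privilege: unknown roles get "public".
ROLE_CLEARANCE = {
    "finance": "confidential",
    "legal": "confidential",
    "employee": "internal",
    "contractor": "public",
}

# Retention period in days per category (assumed placeholder values, not the article's).
RETENTION_DAYS = {
    "financial": 7 * 365,
    "client": 3 * 365,
    "legal": 10 * 365,
    "hr": 5 * 365,
    "marketing": 365,
}


@dataclass(frozen=True)
class Record:
    path: str
    category: str
    created: date
    legal_hold: bool = False   # a hold blocks disposal regardless of age


def classify(record: Record) -> str:
    """C1.1: assign a label; an unknown category defaults to the most restrictive label."""
    return CATEGORY_LABEL.get(record.category, "confidential")


def may_read(role: str, record: Record) -> bool:
    """Access control: a role may read a record only if its clearance covers the label."""
    clearance = ROLE_CLEARANCE.get(role, "public")  # unknown role -> least privilege
    return LEVELS[clearance] >= LEVELS[classify(record)]


def disposal_decision(record: Record, today: date) -> str:
    """C1.2: return 'hold', 'retain' or 'dispose' from the retention period and legal hold."""
    if record.legal_hold:
        return "hold"
    expiry = record.created + timedelta(days=RETENTION_DAYS[record.category])
    return "dispose" if today >= expiry else "retain"


def disposal_queue(records, today: date):
    """Paths past retention and not on hold: the input a secure-deletion job would consume."""
    return [r.path for r in records if disposal_decision(r, today) == "dispose"]


# Constructed sample register (paths and dates are made up).
SAMPLE_RECORDS = [
    Record("finance/forecast-2017.xlsx", "financial", date(2017, 3, 1)),
    Record("crm/export-2024.csv", "client", date(2024, 6, 15)),
    Record("legal/merger-negotiation.docx", "legal", date(2010, 1, 10), legal_hold=True),
    Record("marketing/press-kit.pdf", "marketing", date(2023, 1, 1)),
]

if __name__ == "__main__":
    today = date(2025, 8, 19)
    for r in SAMPLE_RECORDS:
        print(f"{r.path:35} {classify(r):12} employee_read={may_read('employee', r)} "
              f"{disposal_decision(r, today)}")
    print("disposal queue:", disposal_queue(SAMPLE_RECORDS, today))
```

Two design choices matter for an audit: unknown categories and unknown roles both fail closed (most restrictive label, least privilege), and a legal hold overrides the retention clock so the disposal job can never delete evidence an auditor or court may still need.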

Why Is Confidentiality Important for SOC 2 Certification?

Confidentiality is vital for your organization’s reputation, financial well-being, growth, and operational security.

Brand Reputation

Boardroom discussions need to remain confidential for corporations to reach business objectives and financial targets. Leaked emails, audio, or video files can trigger PR disasters, unleash consumer backlash on social media, and cause lasting harm to stock prices.

Customer Trust

Clients need to know they can trust your systems, personnel, and security safeguards. A single betrayal of confidentiality can lead to canceled contracts and loss of decades-long partnerships. Shortly after a widespread data breach, cloud provider Snowflake saw its shares drop by at least 5%.

Business Operations

If cybercriminals obtain confidential login data, such as system admin passwords or high-level access credentials, they can cause massive damage to operations:

  • Crashing data platforms
  • Sabotaging equipment
  • Locking out access to system data
  • Stealing client lists

Unexpected downtime is devastating to enterprises in every industry, from manufacturers and lenders to airlines and SaaS providers.

Proprietary Secrets

Unauthorized access to company secrets can come from internal and external threats. Unscrupulous employees can leak product designs or sell prototypes to competitors. Hackers have even stolen code repositories for projects in development, threatening to release them publicly unless a ransom is paid.

How Can Your Organization Implement SOC 2 Confidentiality Controls?


By following confidentiality best practices, your organization can meet SOC 2 compliance objectives organically.

  • Embrace workflow automation and data management tools. Automation technology helps you locate confidential records, track access, and automatically store newly created files in secure locations.
  • Create data loss prevention policies. Restrict who has access to records, what changes they can make, and when.
  • Implement DLP safeguards. Invest in cybersecurity tools to flag suspicious traffic and block attachments on outgoing emails.
  • Follow the principle of least privilege. Only give employees the minimum system access necessary for their role, regularly review permissions, and carefully vet administrators.
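Two of these steps, blocking outgoing attachments that carry confidential content and reviewing permissions against a least-privilege baseline, are shown below as an added example. It is not code from the original article or from Compyl; the content patterns, the company domain, the role baselines and the sample mail and accounts are all constructed assumptions, and a real DLP product uses far richer detectors than three regular expressions.

```python
"""Constructed example: an outgoing-mail DLP check and a least-privilege review.
Patterns, domains, roles and sample data are assumptions, not from the article."""
import re
from dataclasses import dataclass, field

# Content markers treated as confidential (assumed). The SSN pattern is the common
# 3-2-4 form only; production detectors add validation and surrounding context.
CONFIDENTIAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "classification_marker": re.compile(r"\bCONFIDENTIAL\b"),
    "nda": re.compile(r"non-disclosure agreement", re.IGNORECASE),
}

INTERNAL_DOMAINS = {"example.com"}   # assumed company domain


@dataclass
class OutgoingMail:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


def find_markers(text: str) -> list:
    """Return the names of every confidential pattern that matches the text."""
    return [name for name, rx in CONFIDENTIAL_PATTERNS.items() if rx.search(text)]


def dlp_verdict(mail: OutgoingMail) -> dict:
    """Block mail that leaves the company when the body or an attachment carries markers.

    Internal-only mail is allowed through even with markers: sharing confidential
    records inside the organization is a policy question, exfiltration is not.
    """
    external = [r for r in mail.recipients
                if r.split("@")[-1].lower() not in INTERNAL_DOMAINS]
    hits = {"body": find_markers(mail.body)}
    for name, content in mail.attachments.items():
        hits[name] = find_markers(content)
    findings = {part: names for part, names in hits.items() if names}
    return {
        "blocked": bool(external) and bool(findings),
        "external_recipients": external,
        "findings": findings,
    }


# Role -> the grants an account of that role legitimately needs (assumed baseline).
ROLE_BASELINE = {
    "engineer": {"repo:read", "repo:write"},
    "finance": {"ledger:read", "ledger:write"},
    "support": {"crm:read"},
}


def review_permissions(accounts: dict) -> dict:
    """Least-privilege review: grants outside the role baseline are excess to remove."""
    excess = {}
    for user, info in accounts.items():
        baseline = ROLE_BASELINE.get(info["role"], set())  # unknown role: everything is excess
        extra = set(info["grants"]) - baseline
        if extra:
            excess[user] = sorted(extra)
    return excess


# Constructed sample input.
SAMPLE_MAIL = OutgoingMail(
    sender="alice@example.com",
    recipients=["partner@vendor.example"],
    body="Attached is the signed paperwork.",
    attachments={"employee-record.txt": "Name: J. Doe\nSSN: 123-45-6789\n"},
)
SAMPLE_ACCOUNTS = {
    "alice": {"role": "engineer", "grants": ["repo:read", "repo:write", "ledger:write"]},
    "bob": {"role": "support", "grants": ["crm:read"]},
}

if __name__ == "__main__":
    print(dlp_verdict(SAMPLE_MAIL))
    print("excess grants:", review_permissions(SAMPLE_ACCOUNTS))
```

The verdict records which part of the message triggered which detector, so the block is explainable to the sender and to an auditor, and the permission review treats an account with an unknown role as having no legitimate grants, which is the safe default for stale or orphaned accounts.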

The SOC 2 framework doesn’t lay out a specific set of controls for every industry. In fact, the difference between a SOC 2 Type 1 and a Type 2 audit is whether you must show your controls operating over time, not how many controls you have.

Ensure SOC 2 Confidentiality Compliance With Compyl

Visualizing your organization’s sensitive data and controlling the document workflow can improve confidentiality at every level. Compyl streamlines compliance with SOC 2 criteria thanks to advanced data management tools. Learn more about this state-of-the-art SOC 2 platform today.
