Your SOC 2 confidentiality policy defines the procedures for handling confidential information about clients, partners, and the company. Clients and partners expect you to keep their data secure, and a confidentiality policy holds your employees to that same expectation.
Here are best practices to consider when writing your confidentiality policy:
Answer this question: “What is confidential in your business?”
Confidential data is any information that would cause reputational and/or financial harm if it was exposed outside of your organization. Examples of confidential data are financial reports, customer databases, passwords, CRMs, lists of prospective customers, business strategies and other intellectual property.
Confidentiality can sometimes be confused with privacy, but they mean very different things from a legal standpoint. In the context of a SOC 2 confidentiality policy, confidentiality focuses on personal information shared with a trusted advisor, such as a lawyer or therapist. This information generally cannot be shared with third parties without the client’s consent. Privacy generally refers to actions you take that should carry a reasonable expectation of privacy - such as using a restaurant bathroom or the activities you do within your home. As far as your confidentiality policy is concerned, customer data and PII may be considered private, but not confidential. It depends on the customer/vendor and should be evaluated case by case.
Follow confidentiality best practices
- Lock and secure paper documents - Many organizations focus solely on protecting confidential data digitally and overlook proper protections for paper copies. Hard copies of confidential information are commonly left out in the open on employees’ desks, shelves and cabinets with few - if any - physical controls. Designate well-organized, lockable spaces for confidential data and train users on your expectations for using those spaces. Ensure these expectations are backed with proper policies and procedures.
- Use only approved business software for storing and processing confidential information - Your organization’s policies should clearly state how and where confidential information is stored and processed. Historically, several companies ended up being mentioned in the newspaper after an employee lost confidential information stored on a USB drive or laptop hard drive. The confidential data never should have been stored outside the organization’s internal systems, but there were no established guidelines to enforce proper data handling expectations.
- Shred paper documents when no longer needed - Provide shredders throughout your organization’s office spaces for convenient and secure disposal of unneeded confidential information. Without easy access to shredders, employees may opt to use their recycle bin - or use a box sitting out in plain sight on their desks - as a short-term holding place.
- Enforce a clean desk and clean screen policy
It can be useful to include a clean desk policy in your SOC 2 confidentiality policy. This will help enforce some of the previously discussed bullet points. Ultimately, you want your employees to keep as little confidential data on their desk and workstation desktop as possible. The clean desk policy will give guidance on:
- The proper use of secure storage areas and shredding practices for confidential data
- What information can be written down and/or stored on removable media
The clean screen policy may include requirements such as:
- Installing a privacy filter on employee monitors
- Instructing users to lock their workstation desktops when they step away from their desks (screen locks can also be technically enforced so that workstation desktops lock automatically after a set period of inactivity)
- Require that confidential information be accessed exclusively on secure devices - This requirement will help ensure that employees aren’t storing confidential data on unencrypted hard drives, removable media, personal devices or any other storage media forbidden by your organization.
- Wipe confidential information from BYOD and removable media upon termination of employment - Protecting confidential information “in flight” as you go about your day-to-day business is important, but ensuring you can properly sanitize it outside the walls of your organization is critical as well. Tools such as an MDM (Mobile Device Management) solution can help you selectively wipe confidential data from personal devices when employees are terminated - or if those employee devices are lost or stolen.
- Prohibit the sharing of confidential information with anyone outside the company or anyone within the company who does not have appropriate privileges
As you create and start enforcing the necessary SOC 2 confidentiality policy and procedures to protect your confidential data, you also need to decide who should have access to it. Just because an employee has a network account and access to the general network shares does not mean he or she should have “wide open” access to all company data. Set up employee access to confidential data according to the principle of least privilege, making sure each employee has access to only the information needed to do his or her job.
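The following script is an added example, not code from the original article, showing how the need-to-know rule from this paragraph and the "no sharing outside the company or beyond appropriate privileges" bullet above can be checked mechanically. It takes a constructed ACL export, a data-classification map and a role-based need-to-know matrix, and reports grants to broad groups, to principals outside the company, to accounts missing from the directory, and to roles whose job does not require the data. All resource paths, domains, group names and roles are assumptions made for illustration.

```python
"""Need-to-know access review for confidential resources.

Added example, not code from the original article: it checks a constructed
ACL export against a data-classification map and a role-based need-to-know
matrix, and reports grants that violate least privilege or that expose
confidential data outside the company. All resource paths, domains, group
names and roles below are assumptions made for illustration.
"""
from dataclasses import dataclass

# Assumed internal domain; principals from any other domain are outside the company.
INTERNAL_DOMAIN = "corp.example"

# Broad groups that amount to "wide open" access; never acceptable on confidential data.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed classification map: resource -> data class ("public" means unrestricted).
CLASSIFICATION = {
    r"\\fs01\finance\quarterly_reports": "financial_reports",
    r"\\fs01\sales\crm_export": "customer_database",
    r"\\fs01\public\lunch_menu": "public",
}

# Constructed need-to-know matrix: data class -> roles whose job requires it.
NEED_TO_KNOW = {
    "financial_reports": {"finance", "executive"},
    "customer_database": {"sales", "support"},
}

# Constructed identity directory: user principal or internal group -> role.
ROLES = {
    "alice@corp.example": "finance",
    "bob@corp.example": "sales",
    "carol@corp.example": "engineering",
    "SalesTeam": "sales",
}


@dataclass(frozen=True)
class Grant:
    resource: str
    principal: str  # user principal name or group name
    rights: str     # e.g. "read", "modify", "full"


@dataclass(frozen=True)
class Finding:
    resource: str
    principal: str
    reason: str


def review_grants(grants, classification=CLASSIFICATION,
                  need_to_know=NEED_TO_KNOW, roles=ROLES):
    """Return one Finding per grant that violates the confidentiality policy."""
    findings = []
    for g in grants:
        data_class = classification.get(g.resource)
        if data_class is None:
            # Unclassified data cannot be protected consistently; classify it first.
            findings.append(Finding(g.resource, g.principal, "resource has no data classification"))
            continue
        allowed_roles = need_to_know.get(data_class)
        if allowed_roles is None:
            continue  # public data: no restriction
        if g.principal in BROAD_GROUPS:
            findings.append(Finding(g.resource, g.principal, "broad group granted on confidential data"))
            continue
        if "@" in g.principal and g.principal.rsplit("@", 1)[1].lower() != INTERNAL_DOMAIN:
            findings.append(Finding(g.resource, g.principal, "principal outside the company"))
            continue
        role = roles.get(g.principal)
        if role is None:
            findings.append(Finding(g.resource, g.principal, "principal not in directory (orphaned grant)"))
        elif role not in allowed_roles:
            findings.append(Finding(g.resource, g.principal,
                                    f"role '{role}' has no need-to-know for '{data_class}'"))
    return findings


# Constructed ACL export, in the shape an access-review tool might dump it.
SAMPLE_GRANTS = [
    Grant(r"\\fs01\finance\quarterly_reports", "alice@corp.example", "read"),
    Grant(r"\\fs01\finance\quarterly_reports", "Domain Users", "read"),
    Grant(r"\\fs01\finance\quarterly_reports", "erin@corp.example", "read"),
    Grant(r"\\fs01\sales\crm_export", "SalesTeam", "modify"),
    Grant(r"\\fs01\sales\crm_export", "carol@corp.example", "modify"),
    Grant(r"\\fs01\sales\crm_export", "mallory@partner.example", "read"),
    Grant(r"\\fs01\public\lunch_menu", "Everyone", "read"),
    Grant(r"\\fs01\hr\payroll", "bob@corp.example", "full"),
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        print(f"{f.resource}  {f.principal}: {f.reason}")
```

Running it against the constructed export produces five findings: the broad "Domain Users" grant on financial reports, the orphaned account erin, the engineering role on the customer database, the partner-domain principal, and the unclassified payroll share; the grants to alice, SalesTeam and the public menu pass. Feeding the same logic a real ACL export from your file servers or SaaS tools turns the least-privilege requirement in the policy into a repeatable access review.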