
Confidentiality Policy Best Practices


Your confidentiality policy defines procedures to handle confidential information about clients, partners, and the company. Clients and partners expect you to keep their data secure, and a confidentiality policy will demand this same expectation of your employees.

Best Practices When Writing Your Confidentiality Policy

Answer this question: What is confidential in your business?

Confidential data is any information that would cause reputational and/or financial harm if it was exposed outside of your organization. Examples of confidential data are financial reports, customer databases, passwords, CRMs, lists of prospective customers, business strategies, and other intellectual property.

Confidentiality can sometimes be confused with privacy, but they mean very different things from a legal standpoint. In the context of a SOC 2 confidentiality policy, confidentiality focuses on personal information shared with a trusted advisor, such as a lawyer or therapist. This information generally cannot be shared with third parties without the client’s consent. Privacy generally refers to actions you take that should carry a reasonable expectation of privacy - such as using a restaurant bathroom or the activities you do within your home. As far as your confidentiality policy is concerned, customer data and PII may be considered private, but not confidential. It depends on the customer/vendor and should be evaluated case by case.


Lock and secure paper documents

Many organizations focus solely on protecting confidential data digitally and overlook proper protections for paper copies. Hard copies of confidential information are commonly left out in the open on employees’ desks, shelves, and cabinets with few - if any - physical controls. Designate well-organized, lockable spaces for confidential data and train users on your expectations for using those spaces. Ensure these expectations are backed with proper policies and procedures.

Use only approved business software for storing and processing confidential information

Your organization’s policies should clearly state how and where confidential information is stored and processed. Historically, several companies ended up in the newspaper after an employee lost confidential information stored on a USB drive or laptop hard drive. That data should never have been stored outside the organization’s internal systems, but there were no established guidelines to enforce proper data handling expectations.

Shred paper documents when no longer needed

Provide shredders throughout your organization’s office spaces for convenient and secure disposal of unneeded confidential information. Without easy access to shredders, employees may opt to use their recycle bin - or use a box sitting out in plain sight on their desks - as a short-term holding place.

Enforce a clean desk and clean screen policy

It can be useful to include a clean desk policy in your SOC 2 confidentiality policy. This will help enforce some of the practices discussed above. Ultimately, you want your employees to keep as little confidential data on their desks and workstation desktops as possible.

The clean desk policy will give guidance on:

  • The proper use of secure storage areas and shredding practices for confidential data
  • What information can be written down and/or stored on removable media

The clean screen policy may include requirements such as:

  • Installing a privacy filter on employee monitors
  • Instructing users to lock workstation desktops if users step away from their desks (screen locks can also be technically enforced so that workstation desktops lock automatically after a set period of inactivity)

Require that confidential information be accessed exclusively on secure devices

This requirement will help ensure that employees aren’t storing confidential data on unencrypted hard drives, removable media, personal devices or any other storage media forbidden by your organization.

Wipe confidential information from BYOD and removable media upon termination of employment

Protecting confidential information “in flight” as you go about your day-to-day business is important, but ensuring you can properly sanitize it outside the walls of your organization is critical as well. Tools such as an MDM (Mobile Device Management) solution can help you selectively wipe confidential data from personal devices when employees are terminated - or if those employee devices are lost or stolen.

Prohibit the sharing of confidential information with anyone outside the company or anyone within the company who does not have appropriate privileges

As you create and start enforcing the necessary confidentiality policy and procedures to protect your confidential data, you also need to make decisions on who should have access to it. Just because an employee has a network account and access to the general network shares does not mean he or she should have “wide open” access to all company data.

Set up employee access with the principle of least privilege, making sure they have access to just the amount of information they need to do their jobs.

To learn more about how StrongDM helps companies with SOC 2 compliance as it relates to a confidentiality policy, make sure to check out our SOC 2 Compliance Use Case.


About the Author

Brian, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.
