Confidentiality Trust Services Criteria in a SOC 2

The available Trust Services Criteria (TSC) as defined by the American Institute of Certified Public Accountants (AICPA) that are options to be included in a SOC 2 audit are the following:

  • Security (also known as common criteria). Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability. Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

The only TSC that is required to be in every SOC 2 examination is the security TSC, which is also referred to as the common criteria. The other four TSCs are options to be included in the examination at the discretion of the service organization.

In this blog post we will look specifically at the confidentiality trust services criteria. For additional information on the current SOC 2 guidance and criteria, refer to our article on the New Trust Services Criteria.

What is the Confidentiality Trust Services Criteria?

The term “confidential information” and its meaning can vary between organizations or locations throughout the world and potentially cover a wide range of information security practices. If the service organization has outlined contractual commitments with its clients related to the protection of data as the data custodian, then the confidentiality TSC should be considered.

Unlike personal information (covered by the Privacy TSC), confidential information is not so easily defined. Any personal or non-personal information or data can be designated as confidential, and once it is, it needs to be protected appropriately, or as agreed upon with clients. Interpretations of this type of information often vary significantly from one client or company to another. Some examples of confidential information include, but are not limited to:

  • Transaction details
  • Engineering drawings
  • Business plans
  • Banking information
  • Legal documents

How do I know if my Organization Needs the Confidentiality Trust Services Criteria?

Choosing the correct criteria to include in the scope of a SOC 2 examination is an important process for a service organization. A service organization should be educated on the available criteria and how they apply to its system. Having knowledge and oversight from an experienced audit firm that performs SOC 2 examinations is very beneficial and will result in a more successful examination.

At Linford & Company, we have helped many clients determine the boundaries of their system and select the appropriate TSCs to include in their SOC 2 examination. Contact us for a free consultation to perform a SOC 2 audit or any other audit or assessment from our auditing services.

When determining if confidentiality should be included, a service organization should look at their existing clients and agreements they have with their clients. Is part of the agreement that they are holding data and keeping it protected? Was a confidentiality agreement or non-disclosure agreement signed between the service organization and the client?

If the data the service organization is maintaining includes personal information, the privacy TSC should be considered (see additional blog post on the differences between privacy and confidentiality). If the data does not include personal data, the confidentiality TSC should be considered.

If confidentiality of data is key to your clients, it should be an included TSC in your SOC 2 Report.

For example, if the service organization holds banking information as part of its services, it may want to consider the confidentiality TSC. It would need to have a documented policy that covers how it handles this banking information and be able to demonstrate how it is protecting it. Additionally, its policy should include notification to the client in the event there is a breach and the banking information gets accessed outside of the agreed-upon terms.

What Additional Testing is Included with the Confidentiality Trust Services Criteria?

The Confidentiality TSC focuses on testing that information designated as confidential is protected as committed or agreed to with clients. When testing this TSC, it is important that a policy is documented that defines the various types of data that a service organization has in its possession and how it handles each type of data. Additionally, the policy should include what notification is required in the event there is a violation of the agreement that is in place around the protection of data.

Specific additional areas of review required outside of the common criteria (security TSC) for confidentiality will cover:

  • Identification of confidential information: Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.
  • Protection of confidential information from destruction: Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.
  • Destruction of confidential information: Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.

Summary

While the confidentiality TSC is not required in a SOC 2 examination, it is an important TSC for service organizations that need to demonstrate how they are keeping client data confidential.

Linford & Company has extensive experience providing SOC 2 examinations, including pre-assessments, to help service organizations prepare to go through the process of obtaining a SOC 2 for the first time. If you are interested in learning more about SOC 2 examinations or any of the services provided by Linford & Co., please click the following links: SOC 1, SOC 2, HIPAA audits, Royalty Audits, FedRAMP, Processing Integrity.