A No-Nonsense Guide to SOC 2 Data Classification
When we think about data security compliance or classification, there is a strong tendency to think only in technical terms. But the biggest security threats are often human in nature.
The good news is that the best solution to data security is human, too.
SOC2 data classification and compliance help break data security into terms that people can understand.
By making sure that everyone who handles sensitive information understands the implications of handling it correctly or incorrectly, you can keep your organization compliant and avoid costly breaches.
What Is SOC2 Compliance?
SOC2 is an auditing framework that defines criteria for managing customer data based on five Trust Service Principles. These principles are: security, privacy, availability, processing integrity and confidentiality. Audits for SOC2 certification are administered by outside organizations like I.S. Partners.
The requirements for SOC2 certification are unique to each organization that seeks it. They are based on the character of the organization and the sensitive information that the organization handles. There are two types of SOC2 audits.
The Type 1 audit looks at the controls service organizations use to address any or all of the five Trust Service Principles. The goal of the audit is to provide assurance that controls are designed in a way that effectively meets the organization's desired objectives.
The Type 2 audit includes everything in a Type 1. However, the process also involves attesting that an organization’s controls are tested for effectiveness.
Before you are ready to get compliant, you need to understand what sort of data you are handling and how it is categorized within the Trust Service Principles.
Understanding Categories of Data
The data that is handled under the Trust Service Principles can be broken into three broad categories based on how important it is to safeguard that data. The more important it is to protect data, the stricter its categorization. We break the categories into three basic levels:
Public data is any data that is, or can safely be, publicly known. Would you publish it on a postcard? This is public data. Examples can include your address, store hours, identity of your CEO and the like. There is no obligation to take any special effort to protect this data, as it is readily available.
Internal data is data that should not be spread outside the internal workings of the company. This data, if leaked, could cause moderate risk or damage to the business. Examples of internal data include company handbooks and policies, encryption keys and API keys. This information could be used in a way that is harmful, but the harm that can be done is limited.
Confidential data is the data that, if it were released improperly, could cause the company severe harm. This harm could be financial, or it could be to the reputation of the company. Examples of confidential data include credit card information, prospective customer lists, data from inside your CRM, customer passwords, financial reports and confidential data entrusted to you by your customers.
Some companies create additional data categories, such as a Restricted category for information like credit card numbers. However, the more complex a data categorization system is, the better the chances that data will be categorized incorrectly. While there is not a lot of risk in, say, categorizing public data as internal, it can be very damaging to apply a less stringent label to a piece of data that could do a lot of harm if it got out into the wild.
Helping Team Members Understand How to Classify and Protect Data
Since human beings are the ones who will be classifying each individual piece of data, it is important that they understand how classifications are decided and why. Start by classifying some existing data so that you have examples to work from. An easy place to start is the company handbook. Create labels that clearly mark this information as Internal so that employees become familiar with the tag. Move on to other easy-to-classify documents so that a variety of examples are available.
Then, begin training employees on the different classifications and when and how to apply each. Employee seminars and workshops are good venues for those who learn best in a classroom environment. You can also develop interactive training modules that cover important data classification topics.
Automate and Streamline Your Data Classification Process
The last thing you and your organization want is for individuals to make on-the-fly decisions about how data should be classified. Develop a strong policy that allows people to make the right choices quickly and easily. A flow chart or progression of questions can help people make decisions that are consistent with the company's policy. Criteria to be addressed can include:
- Where is the data stored?
- Who is the authority on the sensitivity of this data?
- Who is responsible for backing this data up and applying permissions?
- What department handles expenses that are associated with gathering, storing and protecting this data?
Once rules are in place, much of the process can be automated. This removes the element of human error and makes your classifications both automatic and more consistent.
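As an added illustration of turning the questionnaire answers into automated, consistent labels (example code, not from the article or from I.S. Partners), the snippet below encodes the three levels described above as ordered rules, always resolves to the strictest level any content tag requires, and flags assets whose applied label is weaker than the rules demand, which is the damaging direction of misclassification. All asset names and content tags are constructed for the example.

```python
"""Rule-driven classifier for the Public / Internal / Confidential scheme.

Constructed example: tag names, assets and labels are illustrative only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Strict ordering, least to most sensitive. Index position is the rank.
LEVELS = ["public", "internal", "confidential"]

# Policy rules: content tag (an answer from the classification questionnaire)
# -> minimum level. Mirrors the examples given in the text above.
RULES = {
    "store_hours": "public", "office_address": "public", "ceo_identity": "public",
    "handbook": "internal", "api_key": "internal", "encryption_key": "internal",
    "credit_card": "confidential", "customer_password": "confidential",
    "crm_export": "confidential", "financial_report": "confidential",
    "prospect_list": "confidential", "customer_entrusted": "confidential",
}

@dataclass
class Asset:
    name: str
    contents: Set[str] = field(default_factory=set)  # tags the owner answered
    applied_label: Optional[str] = None              # label currently on the asset

def classify(asset: Asset) -> str:
    """Return the strictest level required by any tag on the asset.

    Unknown tags, and an unanswered questionnaire, resolve to 'confidential':
    the conservative direction, so an unmodelled data type is never labelled
    less strictly than it should be.
    """
    required = [RULES.get(tag, "confidential") for tag in asset.contents]
    return max(required or ["confidential"], key=LEVELS.index)

def find_underclassified(assets: List[Asset]) -> List[Tuple[str, Optional[str], str]]:
    """Report (name, applied label, required level) for assets labelled too low.

    Over-classification (e.g. public data marked internal) is not reported,
    matching the asymmetry of risk described in the text.
    """
    findings = []
    for asset in assets:
        required = classify(asset)
        rank = LEVELS.index(asset.applied_label) if asset.applied_label in LEVELS else -1
        if rank < LEVELS.index(required):
            findings.append((asset.name, asset.applied_label, required))
    return findings

SAMPLE_ASSETS = [  # constructed inventory for demonstration
    Asset("Company handbook", {"handbook"}, "internal"),
    Asset("Website footer", {"office_address", "store_hours"}, "public"),
    Asset("Q3 financials", {"financial_report", "handbook"}, "internal"),  # too low
    Asset("Support ticket export", {"customer_entrusted"}),                 # unlabelled
]

if __name__ == "__main__":
    for name, applied, required in find_underclassified(SAMPLE_ASSETS):
        print(f"{name}: labelled {applied!r}, rules require {required!r}")
```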
By having a good classification system in place, you can avoid costly mistakes. Everyone will know the sensitivity of each piece of data and the proper level of protection it should be offered.
Is your system working to protect your customers and your company? I.S. Partners, LLC can help you find out. We provide SOC2 compliance audits that provide actionable ideas on how to protect the data your customers and vendors entrust to you. Get in touch for a no-obligation consultation today. Call us at 215-675-1400 or request a quote online.