A Guide to SOC Data Classification
posted May 31, 2019 by Henry A. Silva, CPA, CGMA, MBA in the Business Blog
Are you preparing for a Systems and Organization Controls (SOC) Audit? Make sure your data classification is up to par! It is imperative that companies that host, manage, store or otherwise have access to customer data have a formalized data classification policy in place.
Trust is essential to building successful relationships between entities and their third-party business associates. To build and maintain confidence in the systems and controls that protect sensitive data, users of service organizations rely on Systems and Organization Controls, or SOC Reporting.
There are three types of SOC reports:
- SOC 1 reports examine internal controls at a service organization that impact a user entity’s controls over financial reporting.
- SOC 2 & 3 reports provide detail on the controls at a service organization relevant to the five trust service principles (security, availability, processing integrity, confidentiality and privacy).
Why is data classification important for a SOC audit?
Data classification is the most effective and efficient system for protecting data. It helps to categorize data to protect critical, sensitive, and classified information, and determine what baseline security controls are appropriate for safeguarding that data. Data that is not classified correctly may negatively impact a SOC auditor’s opinion of your controls.
How is data usually categorized?
It is important to understand what kind of data you are handling and how it is categorized within the trust service principles.
There are three basic categories of data:
- Public: This is any data that is (or can safely be) publicly known. This could include your address, store hours, CEO, etc. Because this data is readily available, there is no obligation to take any special effort to protect it.
- Internal: This is data that should not be spread outside the internal workings of the company. This includes company policies, handbooks, encryption keys and application programming interface (API) keys. If leaked, internal data can cause moderate risk/damage to the business.
- Confidential: This is data that could cause the company severe harm if it ends up in the wrong hands. This includes credit card information, prospective customer lists, data from inside your customer relationship management (CRM) platform, customer passwords and financial reports.
Some companies use additional categories, such as “restricted,” which covers credit card numbers, for example. Don’t go too crazy with categorizing, though! The more complex a data categorization system is, the higher the chances that data will be incorrectly categorized.
How do you go about classifying your data?
Check out our blog, Data Classification: Why is it Important?
While there isn’t a one-size-fits-all approach to data classification, there are some good starting points that can help you develop your strategy:
- Define a data classification policy
- Train employees on how to properly handle each type of data class
- Identify sensitive data
- Review your security policies and procedures
- REPEAT! Data classification should be an ongoing process that you revisit often.
We can help you with your data classification. Contact us.