Records management and information governance professionals are all too aware data breaches are on the rise. Clients know, too—and they are looking for organizations that fight back. Obtaining SOC 2 certification is one way to show your organization takes data security seriously. RIM and IG professionals play a central role in data security, and RIM/IG’s cross-organizational nature is the ideal launch pad for your organization’s information security and protection initiatives, including SOC 2 certification.

What is SOC 2 Certification?

SOC 2 is a voluntary certification offered by the Association of International Certified Professional Accountants and provides standards centered on the five pillars of the trust services criteria (“TSC”)[1]:

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

The standards aren’t rigid rules; rather, they comprise a data security program framework. Organizations seeking SOC 2 certification often implement internal controls customized to their business processes in relation to the TSC. Ultimately, organizations seeking certification must be able to pass an audit conducted by an AICPA-affiliated certified accountant. The audit process includes showing evidence the organization’s program satisfies the TSC.

RIM/IG Meets Data Security Compliance

It’s no secret data security and RIM/IG programs go together like peanut butter and jelly. A sound RIM/IG program aims to protect data, information, and records, ensuring their accessibility, availability, and integrity. It also ensures data, information, and records are defensibly disposed of when no longer needed. An organization can significantly mitigate its risks when it is managing only the information it needs.

Vendor Management

A primary consideration for RIM/IG professionals evaluating vendors is whether data will be protected. This importance is heightened when personal or proprietary data is involved. Vendor vetting considers a list of factors, which typically center around the TSC. Vendors with SOC 2 immediately check boxes, and they often receive priority consideration. Certification immediately demonstrates the vendor’s commitment to the protection of your organization’s data.

SOC 2 Within Your Organization

If your organization manages customer data, it may already have considered or achieved a SOC 2 certification. The TSC likely bring about warm fuzzies for RIM/IG professionals—they can bring to mind the beloved and familiar GARP principles including the principles of “Integrity” and “Availability.”[2] Other GARP principles also align with TSC, including “Protection”, which provides that protection should be provided to “assets that are private, confidential, privileged.”[3]

Confidentiality & Privacy Criteria

Under the TSC, “Confidentiality” is defined to include information that is “protected to meet the entity’s objectives”; if your organization deals with confidential customer data, this is a key standard. “Privacy” as a standard involves personal information that “is collected, used to meet the entity’s objectives.” The privacy sub-criteria elaborates that the “entity limits the use, retention, and disposal of personal information to support the achievement of its objectives related to privacy.” These elements can be easily included in a RIM/IG program.

Under the IG/RIM Umbrella

Whether your organization is preparing for SOC 2 certification or another data security-related certification, or simply wants to ensure the TSC principles are accounted for, your team members can leverage several RIM/IG program components to demonstrate it has the necessary processes, policies, and procedures in place.

Records/Data Inventory

This isn’t a new refrain, but it often bears repeating: You can’t protect information if you don’t know what you have. Organizations are always wise to keep a handle on their records and information by starting and maintaining a comprehensive data inventory. This is often accomplished through an information collection process. Important details should be gathered including location, format, data owner, and privacy or confidentiality classifications. A robust and regularly updated inventory helps organizations manage their information in a number of ways, even beyond protection: It can help support regular defensible disposition, accessibility for litigation and business needs, and greater privacy initiatives.

RIM/IG Policies

A well-drafted records and information management policy, along with corresponding procedures, tends to parallel many of the TSC principles; in particular, they reflect the principles touching on access, retention, and disposal. They can also impact business processes relating to data storage, processing, transfer, and archiving, as well as eDiscovery.

Relatedly, an organization’s record retention schedule policy can help demonstrate the organization has controls in place around limited retention and disposal of records. The TSC expressly mentions data retention and disposal, so this is a key effort—and another area in which RIM/IG professionals can significantly contribute.

Governance

TSC, and the certification process, can even impact and help shape the work of an IG steering committee. The committee is typically composed of stakeholder professionals and experts from the organization, and, according to the Information Governance Body of Knowledge (IBOK),  includes members from privacy and security. Although the TSCs don’t explicitly require governance, they do highlight governance as a good way to demonstrate controls.

Conclusion

Pearl Zhu, in her book 12 CIO Personas, said the purpose of “Information Management is to make sure the right information is shared with the right persons at the right time in the right place.” With that single sentence, Zhu highlighted the multidisciplinary nature of records and information management. She also perfectly connected RIM/IG to information security. Risks surrounding data breaches cannot be understated, and breaches cost organizations more each year. Therefore, it is increasingly important RIM/IG professionals are attuned to data security.

There are many parallels between the TSC framework and RIM/IG objectives, resulting in many opportunities to integrate TSC principles into policies. Evidence of successful implementation into, and enforcement of, relevant internal controls will never be a bad thing.

Ultimately, every organization can benefit from the TSC framework and regardless of whether an organization seeks formal certification, the development of formal TSC framework controls and procedures customized to the organization’s processes goes a long way in protecting your organization’s data while also providing guarantees to prospective business partners. And when evaluating vendors, don’t underestimate the guarantees provided by that official SOC 2 seal.

 Zasio prioritizes the protection of its customer data and is proud to display our SOC 2 certification badge. Ask us how we can help build data security into your RIM/IG program.

[1] 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, AICPA (2022), https://www.aicpa.org/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022.

[2] The Principles®, ARMA (2017), https://www.arma.org/page/principles.

[3] Id.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.