=Paper= {{Paper |id=Vol-3654/short7 |storemode=property |title=Designing Data Classification and Secure Store Policy According to SOC 2 Type II (short paper) |pdfUrl=https://ceur-ws.org/Vol-3654/short7.pdf |volume=Vol-3654 |authors=Oleh Deineka,Oleh Harasymchuk,Andrii Partyka,Anatoliy Obshta,Nataliia Korshun |dblpUrl=https://dblp.org/rec/conf/cpits/DeinekaHPOK24 }} ==Designing Data Classification and Secure Store Policy According to SOC 2 Type II (short paper)== https://ceur-ws.org/Vol-3654/short7.pdf
Designing Data Classification and Secure Store Policy According to SOC 2 Type II

Oleh Deineka1, Oleh Harasymchuk1, Andrii Partyka1, Anatoliy Obshta1, and Nataliia Korshun2

1 Lviv Polytechnic National University, 12 Stepana Bandery str., Lviv, 79000, Ukraine
2 Borys Grinchenko Kyiv Metropolitan University, 18/2, Bulvarno-Kudriavska str., Kyiv, 04053, Ukraine



Abstract

This paper discusses the design of a data classification policy for SOC 2 Type II compliance. SOC 2 Type II is a significant certification that attests to a service organization's ability to meet the Trust Services Criteria, which encompass security, availability, processing integrity, confidentiality, and privacy. Data classification is a critical first step in establishing a robust data security strategy, as it helps organizations understand what data they have and assigns a level of sensitivity to that data, which informs the security controls that should be applied. The main objectives of data classification are to organize and manage data in a way that enhances its protection and aligns with the overall data security strategy of an organization. Data security plays a pivotal role in the data classification process, as it directly influences how classified data is protected and managed. Designing a data classification policy for SOC 2 Type II compliance involves several challenges and considerations that organizations must navigate to effectively protect sensitive information and maintain the integrity of their service delivery. These challenges and considerations include understanding the scope of data, aligning with the Trust Services Criteria, balancing security with usability, training and awareness, regular updates and reviews, defining classification levels, ensuring consistency, automating classification, integration with other policies and controls, dealing with third-party vendors, monitoring and enforcement, and legal and regulatory compliance.

Keywords
SOC 2 Type II, data classification, data security, access management, storage.

1. Introduction

The modern world is characterized by a rapid growth of information assets, which contain a rather high percentage of critical information. Large volumes of such information primarily require classification by various parameters and features, their reliable storage and transmission, as well as protection from unauthorized access. Recently, the number of possible attacks on information resources has been constantly increasing [1–3]. Cybersecurity specialists are constantly developing new standards, approaches, and methods to counteract such malicious acts, as well as developing infrastructure in this direction [4–9]. An important direction is the development of standards for safe data storage [10, 11]. Security standards allow a better understanding of how exactly an institution controls access to data and ensures its security and confidentiality [12].

The standards and requirements for data storage for organizations can vary depending on the country, the organization's industry, the sensitivity level of the information, and other factors. For a specific organization, there may

CPITS-2024: Cybersecurity Providing in Information and Telecommunication Systems, February 28, 2024, Kyiv, Ukraine
EMAIL oleh.r.deineka@lpnu.ua (O. Deineka); garasymchuk@ukr.net (O. Harasymchuk); andrijp14@gmail.com (A. Partyka); anatolii.f.obshta@lpnu.ua (A. Obshta); n.korshun@kubg.edu.ua (N. Korshun)
ORCID: 0009-0005-9156-3339 (O. Deineka); 0000-0002-8742-8872 (O. Harasymchuk); 0000-0003-3037-8373 (A. Partyka); 0000-0001-5151-312X (A. Obshta); 0000-0003-2908-970X (N. Korshun)
© 2024 Copyright for this paper by its authors.
Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), ISSN 1613-0073
be specific standards and requirements dictated by its needs and legal requirements. Most organizations or institutions form their security policy based on international standards, which are mostly carried out with the participation of external auditing companies that certify compliance with the standard [13, 14].

However, there are still many problems that professionals who deal with secure storage of large volumes of data encounter. For instance, they have to grapple with issues of data integrity, confidentiality, and accessibility. Ensuring that the information remains unaltered from creation through storage and retrieval can be a daunting task. Moreover, professionals have to guarantee confidentiality, so that only authorized individuals can access the data. They also need to ensure that the data is readily accessible when needed, which can be challenging in an era of rapidly increasing data volumes.

While there are a variety of effective approaches, methods, and ways to organize big data storage, there are still certain problems in this area. The issue of searching for the necessary information in unstructured data can be identified as a significant drawback.

ISO 27001 is a standard designed to ensure proper management of a company's digital assets, including financial information, intellectual property, employee data, and trusted third-party information.

In turn, SOC 2 certification is more recognized and is usually preferred by American and Canadian companies.

Another important point: SOC is divided into SOC 1, SOC 2, and SOC 3. The first is exclusively about financial control, and the third is mostly used for marketing purposes, so SaaS providers can focus solely on SOC 2.

The Service and Organization Controls 2 standard was developed by the American Institute of Certified Public Accountants using the Trust Services Criteria reliability criteria. SOC 2 provides an independent assessment of risk management control procedures in IT companies that provide services to users.

The standard pays special attention to data privacy and confidentiality, so it is turned to by such giants as Google and Amazon, for whom a high level of security and transparent data processing are especially important. External auditors are invited for certification. Their task is to study the implemented practices, check how the company follows its procedures, and how it registers changes in processes.

SOC 2 Type II is a significant certification within the landscape of data security and compliance. It serves as an attestation by an independent auditor that a service organization has not only designed its systems to meet the Trust Services Criteria but also that it operates effectively over time. The Trust Services Criteria encompass several critical areas: security, availability, processing integrity, confidentiality, and privacy.

The importance of SOC 2 Type II lies in its ability to build trust with clients and stakeholders. By demonstrating a commitment to stringent data management practices, companies can assure clients that their sensitive data is handled responsibly. This is especially crucial in sectors where data privacy and security are paramount, such as financial services, healthcare, and cloud computing.

Moreover, the SOC 2 Type II audit process helps organizations identify and mitigate potential security risks, ensuring that they maintain a strong security posture. This proactive approach to risk management is critical in an era where cyber threats are constantly evolving, and data breaches can have catastrophic consequences. Therefore, there is a constant search for new approaches and methods to ensure reliable data storage and user and device authentication where this data is stored [15–17].

In an increasingly regulated environment, SOC 2 Type II compliance can also support adherence to legal and regulatory requirements. This can help organizations avoid costly penalties and legal issues associated with non-compliance.

From a business perspective, SOC 2 Type II compliance can serve as a competitive differentiator. It signals to the market that an organization is a reliable and secure partner, which can be instrumental in winning new business and retaining existing customers [18].

The result of implementing SOC 2 is a report based on the AICPA Attestation Standards, section 101, Attest Engagement.

Types of SOC 2 reports:

A Type I report contains information about the design of control procedures and the result of an assessment of the internal control system as of the date of the check. This type of report


is a starting point for further building SOC 2 Type II compliance.

A Type II report proves compliance with requirements over a certain period. The organization must demonstrate adherence to control measures and policies during this period, which usually requires a certain degree of automation and long-term commitments.

Goal of the work: Development of a solution for optimizing the classification of organizational data and its appropriate storage in accordance with the SOC 2 Type II standard.

Task: Analyze the main requirements for data classification and the organization of their storage, identify shortcomings, and search for the optimal solution in terms of speed and economic efficiency to ensure compliance with the SOC 2 Type II standard.

2. Overview of Data Classification and its Role in Data Security

Data classification is the process of organizing data into categories that make it easier to manage and protect based on its level of sensitivity and the impact on the organization should that data be disclosed, altered, or destroyed without authorization. It is a critical first step in establishing a robust data security strategy because it helps organizations understand what data they have and assigns a level of sensitivity to that data, which informs the security controls that should be applied. Recognizing this is important as big data plays a key role in data analytics. It is the analytics that allows us to correctly understand and interpret this data so that it can be used for making correct and justified decisions, predicting trends, etc. It is important to understand that big data repositories are not just a "large database". The main difference lies in the fact that databases typically store structured data and have a fixed schema, while big data repositories can also store unstructured data and process large volumes of information. The main objectives of data classification are to organize and manage data in a way that enhances its protection and aligns with the overall data security strategy of an organization. The process involves assigning categories to data based on its level of sensitivity and the potential impact on the organization if that data were to be improperly accessed, modified, or destroyed. The objectives are as follows:

Identify Sensitive Data: Data classification enables organizations to determine which data is sensitive and requires more robust protection measures. This includes data such as Personal Identifiable Information (PII), financial details, health records, and intellectual property.

Facilitate Risk Management: By classifying data, organizations can better understand the risks associated with each type of data. Higher classification levels typically indicate a higher need for protection due to increased risk.

Enhance Regulatory Compliance: Many industries are governed by regulations that mandate the protection of certain types of data or dictate specific rules for their storage and access. Data classification is critical for compliance with regulations such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and others.

Enable Focused Security Measures: Through data classification, organizations can apply appropriate security controls where they are most needed. This targeted approach ensures that the most sensitive data receives the highest level of security, optimizing the use of security resources.

Support Access Controls: Proper data classification assists in the implementation of effective access controls. It ensures that access to sensitive data is restricted to authorized individuals based on their roles and the need-to-know principle.

Inform Data Lifecycle Management: Classification helps determine how data should be handled throughout its lifecycle, including retention, storage, archiving, organizing access to it, and secure destruction policies.

Prioritize Security Efforts: In the event of a security incident, understanding the classification of affected data can help prioritize response and recovery efforts, thereby minimizing the potential impact on the organization.

Raise Awareness and Accountability: It promotes awareness among employees about the types of data they handle and their responsibilities in safeguarding it, thereby fostering a culture of security and accountability within the organization [19, 20].


Data security plays a pivotal role in the data classification process, as it directly influences how classified data is protected and managed. The role of data security in data classification can be described through several key functions:

Defining Protection Measures: Data security is the driving force behind the selection of protection measures for each classification level. Once data is categorized, data security principles guide the application of appropriate security controls, such as encryption, access controls, and monitoring systems.

Risk Mitigation: Data security practices are essential in mitigating the risks associated with the handling of data. By understanding the classification of data, organizations can implement security measures that are commensurate with the level of risk, ensuring that sensitive data is afforded stronger safeguards.

Regulatory Compliance: Many data security frameworks and regulations require the classification of data as part of their compliance standards. Data security ensures that classified data is handled in a manner that complies with legal and industry-specific requirements, thus avoiding potential fines and legal action.

Access Control: Data security policies determine who has access to various classes of data, based on their need to know and authorization levels. By enforcing strict access control measures, data security helps prevent unauthorized access to sensitive information.

Data Lifecycle Management: The role of data security extends throughout the entire lifecycle of the data, from creation to disposal. Security measures are applied differently at each stage of the lifecycle, depending on the classification of the data.

Incident Response and Recovery: In case of a data breach or other security incident, the classification of the compromised data guides the incident response and recovery efforts. Data security teams can prioritize their actions based on the sensitivity of the data involved, ensuring that the most critical data is addressed first.

Awareness and Training: Data security involves educating and training employees on the importance of data classification and the correct handling of data according to its classification. This increases awareness and reduces the likelihood of accidental data breaches or leaks, enhancing the reliability of data storage and of access control over it.

Auditing and Compliance Monitoring: Data security involves regular auditing and monitoring to ensure that classified data is being managed in accordance with established security policies and procedures. This helps to identify and rectify any deviations or weaknesses in the protection of classified data [21, 22].

3. Challenges and Considerations in Designing a Data Classification Policy for SOC 2 Type II

Designing a Data Classification policy for SOC 2 Type II compliance involves several challenges and considerations that organizations must navigate to effectively protect sensitive information and maintain the integrity of their service delivery. Here are some of the key challenges and considerations:

Understanding the Scope of Data: Organizations must first identify and understand the types of data they handle, which can be a complex task, especially for large or data-intensive businesses. This involves mapping out where data resides, how it flows through the organization, and what data is critical for the operation or sensitive by nature.

Aligning with Trust Services Criteria: SOC 2 Type II revolves around the Trust Services Criteria set by the AICPA, which include security, availability, processing integrity, confidentiality, and privacy. A data classification policy must ensure that controls are in place to address these criteria appropriately for different categories of data.

Balancing Security with Usability: Implementing too stringent controls can hinder business operations, while too lenient controls can expose the organization to risk. Organizations must find the right balance to ensure data is both secure and accessible to authorized users as needed and with appropriate rights and privileges.

Training and Awareness: Employees must be aware of the data classification policy and understand their roles in maintaining


compliance. Training programs are essential to ensure that all personnel can correctly handle data according to its classification.

Regular Updates and Reviews: Data classification policies must be dynamic, reflecting changes in the business environment, emerging threats, new data types, and regulatory requirements. Regular reviews and updates to the policy are necessary to maintain SOC 2 Type II compliance.

Defining Classification Levels: Organizations need to define clear and practical classification levels that reflect the sensitivity and value of the data. These levels will determine the corresponding controls and handling procedures.

Ensuring Consistency: Consistency in how data is classified across different departments and systems is crucial. Inconsistencies can lead to gaps in protection and potential compliance issues, which can result in possible data loss or unauthorized access.

Automating Classification: Manual data classification can be error-prone, inefficient, and quite time-consuming. Implementing automated classification solutions can help, but it is essential to choose tools that align well with the organization's specific needs and compliance requirements.

Integration with Other Policies and Controls: The data classification policy must integrate seamlessly with other organizational policies, such as access control, incident response, and data retention policies, and not slow down their operation.

Dealing with Third-Party Vendors: If third-party vendors manage or have access to the organization's data, they must also adhere to the data classification policy. This requires careful vendor management and sometimes additional contractual agreements or audits regarding their rights and privileges.

Monitoring and Enforcement: Ongoing monitoring is needed to ensure that the data classification policy is being followed and that controls are effective. This includes regular audits and reviews, which are part of SOC 2 Type II requirements.

Legal and Regulatory Compliance: Organizations must consider various legal and regulatory frameworks that apply to their data and ensure that the classification policy helps them meet these obligations and does not contradict current legislation.

Addressing these challenges and considerations requires a strategic approach and ongoing commitment to maintaining a robust data classification policy. Organizations may seek guidance from compliance experts, legal counsel, and SOC 2 audit professionals to design and implement a policy that not only meets SOC 2 Type II requirements but also supports the organization's overall data governance strategy [23, 24].

4. Data Classification Policy Design

4.1. Requirements

While SOC 2 Type II itself does not prescribe specific data classification policies, it does require organizations to effectively manage and protect the confidentiality, privacy, and security of information in accordance with the Trust Services Criteria (TSC). A Data Classification Policy is a critical component of meeting these criteria, particularly the Security criterion, which is common to all SOC 2 audits.

A SOC 2 audit measures the effectiveness of your processes and systems based on the Trust Services Criteria and checks compliance with information security standards and rules, including Common Criteria standards. Here are some general requirements that a Data Classification Policy should address to support SOC 2 Type II compliance:

Identification of Data Type: The policy should define the types of data handled by the organization, including sensitive data subject to SOC 2 considerations, such as PII, business confidential data, and intellectual property.

Classification Levels: The policy must establish clear classification levels that reflect the sensitivity of the data. Common levels include public, internal use only, confidential, and highly confidential.

Ownership and Responsibilities: The policy should define roles and responsibilities for data classification, including data owners, custodians, and users, and outline their responsibilities in maintaining data classification.

Handling Requirements: For each classification level, the policy should specify handling requirements, including storage, transmission, access controls, encryption standards, and end-of-life procedures.

Labeling and Marking: The policy should provide guidelines on how data should be


labeled or marked according to its classification to ensure that it is easily identifiable and handled appropriately.

Access Controls: The policy must address access controls, ensuring that access to data is based on the principle of least privilege and that only authorized individuals can access sensitive data.

Retention and Disposal: The policy should outline data retention periods and secure disposal methods for each classification level, ensuring data is not kept longer than necessary and is disposed of securely.

Training and Awareness: The policy should mandate regular training and awareness programs for employees to understand the importance of data classification and their role in it.

Auditing and Monitoring: The policy should include provisions for regular auditing and monitoring to ensure that classification controls are effective and being followed.

Incident Response: The policy should be linked to an incident response plan that addresses potential data breaches or loss, with procedures tailored to the classification level of the data involved.

Review and Update: The policy should specify intervals for reviewing and updating data classification procedures to ensure they remain relevant and effective as the organization evolves, data volumes increase, and new threats emerge.

Third-Party Vendors: If data is shared with or handled by third-party vendors, the policy must extend to these vendors, often requiring them to adhere to similar or compatible classification and handling standards.

To ensure alignment with SOC 2 Type II requirements, developing a Data Classification Policy usually demands a comprehensive understanding of the AICPA's TSC and the unique data protection requirements of the organization. Engaging with seasoned compliance experts or auditors who can give tailored advice and oversee compliance with the standard's stipulations is highly recommended. The AICPA's guidance and frameworks such as ISO 27001, when consulted and utilized, can offer invaluable inputs for the creation and sustenance of a strong data classification policy. It is crucial to identify and categorize data based on its sensitivity, importance, and regulatory mandates. Moreover, regular reviews and updates of the policy should be conducted to ensure its efficiency and continued compliance with SOC 2 Type II requirements [25–29].

4.2. Representation

A use case diagram gives a high-level overview of the interaction between a system and its users, outlining the different functions (use cases) the system is expected to perform and the roles that interact with these functions.

Considering the aforementioned requirements, we have developed the following structure (Fig. 1), which fully allows for data classification, ensures secure storage of the data, and authorizes access to it in accordance with SOC 2 Type II. The diagram illustrates and provides detailed information about the various actions, processes, and roles that are necessary to fulfill the requirements for coverage.




                                                   403
Figure 1: Use case diagram
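The use-case structure of Fig. 1, as an added example that is not the paper's code and runs stand-alone in Python: a Customer Data Catalog with classification levels, the catalog review actions (a new category appears, a sensitivity level changes) and the role-plus-classification access decision that the following sections assign to the Data Steward and the SSO system, together with a retention check for the disposal element of the policy. The level names, the per-level RETENTION_DAYS, the ROLE_CEILING mapping, the rule that only a data steward may change classification, and the sample_catalog() data are assumptions, not values from the paper.

```python
"""Added example, not the paper's code: a model of the Fig. 1 structure with a
Customer Data Catalog, classification levels, the catalog review actions, the
role-plus-classification access decision and a retention check. Level names,
retention periods, role ceilings and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Sensitivity(IntEnum):
    # Assumed level names; the paper only speaks of "classification levels".
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed retention period (days) per level for the "Data Retention and
# Disposal" policy element: the more sensitive, the shorter it is kept.
RETENTION_DAYS = {
    Sensitivity.PUBLIC: 3650,
    Sensitivity.INTERNAL: 1825,
    Sensitivity.CONFIDENTIAL: 730,
    Sensitivity.RESTRICTED: 365,
}

# Assumed highest level each role of Section 4.3 may read.
ROLE_CEILING = {
    "employee": Sensitivity.INTERNAL,
    "admin": Sensitivity.INTERNAL,
    "data_steward": Sensitivity.RESTRICTED,
    "auditor": Sensitivity.RESTRICTED,
}


@dataclass
class Category:
    name: str
    description: str
    level: Sensitivity
    collected_since: date  # when collection of this category started


@dataclass
class CustomerDataCatalog:
    categories: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # what the Auditor reviews

    def _record(self, actor, action, detail):
        self.audit_log.append((actor, action, detail))

    def _require_steward(self, actor):
        # Assumption: only the Data Steward role may change classification.
        if actor != "data_steward":
            raise PermissionError(f"{actor} may not change classification")

    def add_category(self, actor, cat):
        """Review action: new customer information or category appears."""
        self._require_steward(actor)
        if cat.name in self.categories:
            raise ValueError(f"category {cat.name!r} already exists")
        self.categories[cat.name] = cat
        self._record(actor, "add_category", cat.name)

    def change_level(self, actor, name, new_level):
        """Review action: the sensitivity level has changed.
        Returns True when the level went up, i.e. controls must tighten."""
        self._require_steward(actor)
        cat = self.categories[name]
        old, cat.level = cat.level, new_level
        self._record(actor, "change_level", f"{name}: {old.name} -> {new_level.name}")
        return new_level > old

    def can_access(self, role, name):
        """Access decision from role plus classification (the SSO system)."""
        return ROLE_CEILING[role] >= self.categories[name].level

    def due_for_disposal(self, today_iso):
        """Names of categories held longer than their level's retention."""
        today = date.fromisoformat(today_iso)
        return sorted(
            n for n, c in self.categories.items()
            if today - c.collected_since > timedelta(days=RETENTION_DAYS[c.level])
        )


def sample_catalog():
    """Constructed sample data, not from the paper."""
    cat = CustomerDataCatalog()
    cat.add_category("data_steward", Category(
        "billing_address", "postal address", Sensitivity.INTERNAL, date(2021, 1, 1)))
    cat.add_category("data_steward", Category(
        "card_number", "payment card number", Sensitivity.RESTRICTED, date(2024, 1, 1)))
    return cat
```

Raising a category's level both narrows who may read it and shortens how long it may be kept, which is why the audit log records every change for the Auditor role.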
4.3. Roles

We suggest applying the following roles:
    Employee: An employee is responsible for adhering to the data classification policy, correctly handling data according to its classification, and reporting any incidents or violations. As the primary users of data within an organization, employees are responsible for correctly handling data according to its classification level. This means that employees must understand the different classification levels and the corresponding handling requirements, such as storage, transmission, access controls, and end-of-life procedures. In addition to correctly handling data, employees are also responsible for adhering to the data classification policy and reporting any incidents or violations. This includes reporting any suspected data breaches, loss, or unauthorized access to data. By promptly reporting incidents, employees can help the organization to quickly respond and mitigate any potential damage or block unauthorized access to data. To fulfill these responsibilities, employees must receive regular training and awareness programs to understand the importance of data classification, the rules and methods of such classification, and their role in it. This training should cover the data classification policy, the different classification levels, and the handling requirements for each level.
    Data Steward: A data steward is responsible for the management and governance of data within the organization. They ensure that data is classified correctly, that the classification policy is being followed, and that data is being used in compliance with legal and regulatory requirements. Data stewards play a crucial role in maintaining the integrity of the data classification policy and ensuring that it is effectively implemented throughout the organization. They work closely with data owners, custodians, and users to ensure that data is correctly classified and that the appropriate controls and handling procedures are in place. Data stewards also monitor compliance with the data classification policy and report any incidents or violations to the appropriate authorities.
    Auditor: An auditor plays a crucial role in assessing an organization’s compliance with SOC 2 requirements, including the data classification policy. They are responsible for independently reviewing the policy, processes, and controls to ensure that they meet the Trust Services Criteria. The Trust Services Criteria
encompass several critical areas: security, availability, processing integrity, confidentiality, and privacy. The auditor’s role is to provide an objective evaluation of the organization’s compliance with these criteria and to identify any areas where improvements may be needed. This helps the organization to maintain a strong security posture and reputation among its clients and partners, and to demonstrate its commitment to protecting sensitive data [19].
    Admin: An admin plays a crucial role in maintaining the smooth operation of an organization’s IT systems. They are responsible for deploying new app versions, monitoring system performance, and patching all operational staff. Here are some of the key responsibilities of an admin in this context:
    Deploying new app versions: Admins are responsible for rolling out new versions of applications to ensure that users have access to the latest features and security updates. This involves testing the new version, preparing the deployment plan, and coordinating with other teams to ensure a smooth rollout.
    Monitoring: Admins are responsible for monitoring the performance and availability of IT systems. This involves tracking key metrics, identifying and resolving issues, and ensuring that systems are operating at optimal levels.
    Patching all operational staff: Admins are responsible for ensuring that all operational staff have the latest security patches and updates installed on their systems. This involves identifying and deploying patches, testing their effectiveness, and ensuring that all systems are up-to-date and secure.
    SSO system: A Single Sign-On (SSO) system is responsible for managing user authentication and access control, and the rights and privileges of authorized individuals. It ensures that users are correctly authenticated and that they have access only to the data that they are authorized to access based on their roles and the data classification [30].
    Processing System: A processing system plays a crucial role in managing data in line with the data classification policy. It ensures that data is processed, stored, and transmitted securely, adhering to the policies set forth by the organization. The processing system also involves data indexing, which is a method of organizing data to optimize its retrieval. This function is crucial as it makes the data search process more efficient, enabling users to locate and retrieve the necessary data quickly. Machine learning classification is an integral part of a processing system [31–34].
    ITSM: IT Service Management (ITSM) is responsible for the delivery of IT services that support the data classification policy. This includes the provision of systems, tools, and processes that enable the organization to effectively classify, manage, and protect its data. ITSM also plays a key role in access management, request fulfillment, and incident management [32].

4.4. Actions and Processes for Reviewing Customer Data

New customer information or category appears: If new customer information or a new category appears, it should be added to the Customer Data Catalog. Adding new customer information could include collecting additional details along with any relevant information. Adding a new category could involve creating a new grouping or segmenting the existing customer data into different categories. Adding new customer information or categories is usually done to improve the effectiveness of the Customer Data Catalog and to enable more informed business decisions. However, it’s important to ensure that the new information or category is collected and stored in compliance with data protection regulations and customer privacy laws.
    The sensitivity level has changed: The sensitivity level of the data category refers to how valuable or confidential the information is, and how much damage or harm could be caused if it were to be disclosed or accessed by unauthorized individuals or entities.
    When the sensitivity level of the data category has changed, it means that the level of importance or confidentiality of the data has increased or decreased. If a previously non-sensitive data category has now become sensitive due to changes in regulations, business practices, or legal requirements, the sensitivity level of that data category has increased. Conversely, if a sensitive data category has become less important or valuable due to changes in business practices or legal requirements, the sensitivity level of that data category has decreased. It is
important to review and assess the sensitivity level of the data category to ensure that it is being protected adequately and to make any necessary adjustments to security measures and access controls.
    The description of an existing category has changed: If the data being collected for a specific category is changing or expanding, the description of that category may need to be edited to reflect the new data category being collected. Editing the description of an existing customer data category is usually done to ensure that the information being collected is accurately and completely described [22].

4.5. Data Flow Design

The data flow diagram comprises the following steps:
    Step 1: Understanding the Types of Data Your Company Owns
    The first step in creating a Data Flow Diagram is to understand the types of data your company owns. Data can be broadly classified into three categories: structured, semi-structured, and unstructured.
    Structured data refers to data that is organized in a predefined manner, such as data stored in a relational database. Structured data is easy to search, analyze, and manipulate, as it follows a consistent format. Semi-structured data refers to data that has some level of organization but does not follow a strict format. Examples of semi-structured data include XML and JSON files, which contain data in a hierarchical format but do not have a fixed schema.
    Unstructured data refers to data that has no inherent structure or organization. Examples of unstructured data include text documents, images, and videos. Unstructured data can be difficult to search, analyze, and manipulate, as it does not follow a consistent format [35, 36].
    Step 2: Understanding the Metadata Associated with Your Data
    Once you have identified the types of data your company owns, the next step is to understand the metadata associated with that data. Metadata refers to data that provides information about other data. For example, the metadata associated with a text document might include the author, date of creation, and file size. Understanding the metadata associated with your data can help you to better organize, manage, and analyze your data [22].
    Step 3: Using Integration Tools to Manage and Store Your Data
    After you have identified the types of data your company owns and the metadata associated with that data, the next step is to use integration tools to manage and store your data. Integration tools allow you to extract data from various sources, transform it into a common format, and load it into a data store. This process, known as Extract, Transform, Load (ETL), allows you to consolidate your data into a single location, making it easier to manage and analyze [31–34].
    Step 4: Creating a Data Model
    Once your data has been extracted, transformed, and loaded into a data store, the next step is to create a data model. A data model is a visual representation of the relationships between different data elements. It provides a framework for organizing and structuring your data and can help you to identify patterns and trends within your data [37].
    Step 5: Classifying and Linking Your Data to Metadata
    After you have created a data model, the next step is to classify your data and link it to the metadata associated with it. This involves assigning a level of sensitivity to your data, based on its importance and the potential impact if it were to be lost or stolen. Once your data has been classified, you can link it to the metadata associated with it, providing additional context and information about the data [38].
    Step 6: Visualizing and Managing Your Data
    The final step in creating a Data Flow Diagram is to create an application that allows you to visualize and manage your data. This application should provide a user-friendly interface for accessing, analyzing, and manipulating your data. It should also include logic for managing access, requests, and incidents, and should be integrated with your ITSM system to ensure that data is handled according to your company’s policies and procedures [39, 40].
    This solution presents a host of advantages over traditional product-based offerings from various companies. One of the key benefits is the flexibility to choose the hosting environment that best fits your needs, be it on-premise or cloud-based. This allows you to
align the solution with your operational requirements and infrastructure capabilities.
    Furthermore, you have the freedom to select the technology stack that best suits your project. This means that you’re not limited to a predetermined set of technologies, but can tailor the solution to leverage the most relevant and efficient tools for your specific needs.
    In terms of team composition, you can assemble a team that is uniquely suited to the project at hand. This flexibility ensures that the right expertise and skills are applied to deliver the best possible outcomes.
    Another advantage is the budgeting flexibility. Unlike vendor-specific solutions that may come with fixed licensing costs, the budget for this solution can be adjusted according to your financial capacity and project requirements. This can result in significant cost savings without compromising on quality or performance.
    Lastly, this solution offers robust change and feature management capabilities. This means that it can easily adapt to evolving business needs, with the ability to incorporate new features and make necessary changes in a timely and efficient manner. This flexibility ensures the solution remains relevant and continues to deliver value over time.

4.6. Value of SOC 2 Type II Compliance

The SOC 2 Type II report has become a standard requirement for businesses looking to assure clients, partners, and stakeholders about the security of their data and systems. This report, issued by an independent auditor, offers an in-depth review and attestation of the effectiveness of a company’s information security controls over a period of time.
    The main reason why the SOC 2 Type II report is valuable to a company is that it provides clear evidence that the company has robust and effective controls in place to protect customer data. In today’s digital age, data security is a top priority for businesses and customers alike. A data breach not only leads to financial loss but also damages a company’s reputation.
    The SOC 2 Type II report helps build trust with customers by demonstrating that a company has taken necessary measures to protect its data. It’s a clear signal to clients that their data is safe, secure, and handled in a manner that meets or exceeds industry standards.
    Another benefit of SOC 2 Type II is that it can provide a competitive edge. Companies that have achieved SOC 2 Type II compliance can differentiate themselves from competitors that haven’t. This can be a decisive factor for potential customers when choosing between different service providers.
    Furthermore, the SOC 2 Type II report can help companies avoid penalties related to non-compliance. Various laws and regulations require businesses to take certain steps to protect customer data. By achieving SOC 2 Type II compliance, companies can demonstrate that they are meeting these requirements, thus avoiding potential fines and legal complications.
    The SOC 2 Type II report can also help companies identify and address vulnerabilities in their information security controls. The process of achieving compliance requires a comprehensive review of a company’s information security policies and procedures. This can help identify any weaknesses or gaps that need to be addressed, thereby strengthening the company’s overall security posture.
    Lastly, the SOC 2 Type II report can help improve a company’s internal processes. The process of achieving compliance requires a company to document and formalize its information security policies and procedures. This can lead to more efficient and effective processes, as well as a greater understanding of the company’s information security risks and controls among employees [41, 42].

5. Conclusions

In conclusion, designing a data classification policy for SOC 2 Type II compliance is a complex but crucial task for organizations. SOC 2 Type II is a significant certification that attests to a service organization’s ability to meet the Trust Services Criteria, which encompass security, availability, processing integrity, confidentiality, and privacy. Data classification is a critical first step in establishing a robust data security strategy, as it helps organizations
understand what data they have and assigns a level of sensitivity to that data, which informs the security controls that should be applied. The main objectives of data classification are to organize and manage data in a way that enhances its protection and aligns with the overall data security strategy of an organization. Designing a data classification policy for SOC 2 Type II compliance involves several challenges and considerations that organizations must navigate to effectively protect sensitive information and maintain the integrity of their service delivery. These challenges and considerations include understanding the scope of data, aligning with the Trust Services Criteria, balancing security with usability, training and awareness, regular updates and reviews, defining classification levels, ensuring consistency, automating classification, integration with other policies and controls, dealing with third-party vendors, monitoring and enforcement, and legal and regulatory compliance. Addressing these challenges and considerations requires a strategic approach and ongoing commitment to maintaining a robust data classification policy. Organizations may seek guidance from compliance experts, legal counsel, and SOC 2 audit professionals to design and implement a policy that not only meets SOC 2 Type II requirements but also supports the organization’s overall data governance strategy. The proposed solution aims to demonstrate the simplicity of the process that can be developed using the technologies and resources that are acceptable to the company within an affordable budget.

References

[1] B. Matturdi, et al., Big Data Security and Privacy: A Review, China Communications 11(14) (2014) 135–145. doi: 10.1109/CC.2014.7085614.
[2] V. Susukailo, I. Opirskyy, S. Vasylyshyn, Analysis of the Attack Vectors Used by Threat Actors During the Pandemic, IEEE 15th International Scientific and Technical Conference on Computer Sciences and Information Technologies (2020) 261–264.
[3] M. Islam, et al., Security Threats for Big Data: An Empirical Study, Int. J. Inf. Commun. Technol. Human. Dev. 10(4) (2018) 1–18.
[4] A. Singh, A. Kumar, S. Namasudra, DNACDS: Cloud IoE Big Data Security and Accessing Scheme Based on DNA Cryptography, Frontiers Comput. Sci. 18(1) (2024) 181801. doi: 10.1007/s11704-022-2193-3.
[5] O. Harasymchuk, et al., Generator of Pseudorandom Bit Sequence with Increased Cryptographic Security, Metallurgical and Mining Industry Sci. Tech. J. 5 (2014) 25–29.
[6] V. Lakhno, et al., Management of Information Protection Based on the Integrated Implementation of Decision Support Systems, Eastern-European J. Enterprise Technol. Inf. and Controlling Syst. 5(9(89)) (2017) 36–41. doi: 10.15587/1729-4061.2017.111081.
[7] H. Hulak, et al., Formation of Requirements for the Electronic Record-Book in Guaranteed Information Systems of Distance Learning, Cybersecurity Providing in Information and Telecommunication Systems, vol. 2923 (2021) 137–142.
[8] V. Maksymovych, et al., Development of Additive Fibonacci Generators with Improved Characteristics for Cybersecurity Needs, Appl. Sci. 12(3) (2022) 1519. doi: 10.3390/app12031519.
[9] V. Maksymovych, et al., Combined Pseudo-Random Sequence Generator for Cybersecurity, Sensors 22(24) (2022) 9700. doi: 10.3390/s22249700.
[10] URL: https://secureframe.com/hub/soc-2/compliance-documentation
[11] URL: https://www.iso.org/standard/27001
[12] V. Buriachok, et al., Invasion Detection Model using Two-Stage Criterion of Detection of Network Anomalies, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 2746 (2020) 23–32.
[13] P. Anakhov, et al., Evaluation Method of the Physical Compatibility of Equipment in a Hybrid Information Transmission Network, J. Theor. Appl. Inf. Technol. 100(22) (2022) 6635–6644.
[14] P. Skladannyi, et al., Improving the Security Policy of the Distance Learning
System based on the Zero Trust Concept, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 97–106.
[15] V. Maksymovych, et al., Simulation of Authentication in Information-Processing Electronic Devices Based on Poisson Pulse Sequence Generators, Electronics 11(13) (2022) 2039. doi: 10.3390/electronics11132039.
[16] J. Yi, Y. Wen, An Improved Data Backup Scheme Based on Multi-Factor Authentication, IEEE 9th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing (HPSC), IEEE Intl Conference on Intelligent Data and Security (IDS) (2023). doi: 10.1109/BigDataSecurity-HPSC-IDS58521.2023.00041.
[17] D. Shevchuk, et al., Designing Secured Services for Authentication, Authorization, and Accounting of Users, in: Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3550 (2023) 217–225.
[18] A. Calder, S. Watkins, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, Kogan Page (2019).
[19] ARMA International, “Information Classification: Getting It Right”. URL: https://www.arma.org/
[20] Vic (J.R.) Winkler, Securing the Cloud: Cloud Computer Security Techniques and Tactics (2011). doi: 10.1016/C2009-0-30544-9.
[21] D. Alexander, et al., Information Security Management Principles, BCS, The Chartered Institute for IT, Updated edition (2013).
[22] M. Rhodes-Ousley, Information Security: The Complete Reference, Second Edition (2012).
[23] M. Harkins, Managing Risk and Information Security: Protect to Enable (2016).
[24] T. Peltier, Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management (2016).
[25] AICPA, “SOC 2®—SOC for Service Organizations: Trust Services Criteria”. URL: https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc-for-service-organizations
[26] E. Gelbstein, IS Audit Basics: The Domains of Data and Information Audits, ISACA J. 6 (2016).
[27] U. Mattsson, Practical Data Security and Privacy for GDPR and CCPA, ISACA J. 3(3) (2020).
[28] G. Pearce, Boosting Cyber Security With Data Governance and Enterprise Data Management, ISACA J. 3 (2017).
[29] D. Cannon, IT Service Management: A Guide for ITIL Foundation Exam Candidates, BCS (2012).
[30] A. Harper, et al., Gray Hat Hacking: The Ethical Hacker’s Handbook, McGraw Hill (2015).
[31] C. Cote, M. Lah, Professional Microsoft SQL Server 2014 Integration Services (SSIS), Wrox (2014).
[32] S. Chauhan, Mastering Apache Airflow (2020).
[33] A. Gaikwad, Learning AWS Glue (2021).
[34] D. Anoshin, R. Avdeev, R. van Vliet, Azure Data Factory Cookbook (2020).
[35] N. Karumanchi, Data Structures and Algorithms Made Easy: Data Structures and Algorithmic Puzzles (2011).
[36] R. Watson, Data Management: Databases and Organizations (2017).
[37] S. Hoberman, Data Modeling Made Simple: A Practical Guide for Business and IT Professionals (2005).
[38] C. Aggarwal, Data Classification: Algorithms and Applications (2014).
[39] Y. Duhamel, Microsoft Power Platform Enterprise Architecture (2020).
[40] R. Collie, A. Singh, Power BI: Moving Beyond Power Pivot and Excel (2020).
[41] AICPA, Understanding SOC 2 Reports. URL: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
[42] Why SOC 2 Type II Certification Matters. URL: https://www.alertlogic.com/blog/why-soc-2-type-ii-certification-matters/