| § Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. |
soc2-employee-acceptable-use |
Acceptable Use of End-user Computing |
Acceptable use policy is in place to guide the organization's personnel on the proper use of information assets and their roles and responsibilities. |
| § Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. |
soc2-employee-onboarding |
Employee Onboarding Procedures |
Employee onboarding is coordinated between HR, IT and Security to ensure the appropriate training, access provisioning and system configurations are in place for each new hire. |
| § Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. |
soc2-employee-screening |
Employee Screening Procedures |
Interviews and background checks are conducted prior to hiring to ensure qualification and security. |
| § Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. |
soc2-policy-mgmt |
Policy Management Process |
A formal process is in place to maintain and update security policies, controls and procedures. Policies, controls and procedures are reviewed at least annually. |
| § Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. |
soc2-sanctions |
Non-Compliance Investigation and Sanctions |
Policies and processes are in place to investigate and take appropriate actions on any non-compliance to the organization's policies and procedures. |
| § Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. |
soc2-training-policy |
Policy and Compliance Training |
Employees and contractors receive training on the organization's security policies and procedures. |
| § Control Environment\n【CC1.2】 The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. |
|
|
|
| § Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
soc2-ism-scope |
Information Security Program and Scope |
The organization has an established security program with appropriate controls that are aligned to the organization's objectives and risk posture. |
| § Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
soc2-ism-policies |
Understanding the Policies and Controls/Procedures |
The organization's security program maintains documentation of high level policies and lower level controls and procedures. The policies and procedures cover the design, development, implementation, operation, maintenance and monitoring of in-scope systems. |
| § Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
soc2-ism-reporting |
Review and Reporting |
Metrics are defined to measure the effectiveness of controls and they are reported to/reviewed by senior management. |
| § Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
soc2-role-assignment |
Assignment of Roles and the Security Committee |
Security and compliance roles and responsibilities are clearly defined to ensure segregation of duties. |
| § Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
soc2-hr-mgmt |
HR Management and Reporting |
Organizational structure as well as individual job functions are established and communicated to all employees. |
| § Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
soc2-vendor-vtr |
Vendor Risk Assessment |
Risk assessments are conducted prior to engaging a new technology vendor. |
| § Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
soc2-vendor-contracts |
Vendor Contractual Agreements |
Third party vendors are required to sign applicale contractual agreements, such as BAA (for HIPAA), DPA (for GDPR), SLA (for service providers), accepting their responsibilities to meet applicable data protection and privacy requirements. |
| § Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
soc2-employee-onboarding |
Employee Onboarding Procedures |
Employee onboarding is coordinated between HR, IT and Security to ensure the appropriate training, access provisioning and system configurations are in place for each new hire. |
| § Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
soc2-employee-screening |
Employee Screening Procedures |
Interviews and background checks are conducted prior to hiring to ensure qualification and security. |
| § Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
soc2-employee-development |
Continuous Education and Skills Development |
The organization provides employees the opportunity to attend conferences, trade shows, and access to training courses and studies to maintain and further advance their skills relevant to their job functions and business objectives. |
| § Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
soc2-employee-recognition |
Employee Incentives and Rewards |
Employees receive regular peer recognition, feedback and rewards for positive behavior and impact. |
| § Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
soc2-training-awareness |
Ongoing Security Awareness Training |
Employees and contractors receive ongoing security awareness training at least annually. |
| § Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
soc2-training-hipaa |
Annual HIPAA Awareness Training |
Employees and contractors working with patient data and protected health information (PHI) are required to take HIPAA awareness training within 30 days of onboarding and annually thereafter. |
| § Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
soc2-training-policy |
Policy and Compliance Training |
Employees and contractors receive training on the organization's security policies and procedures. |
| § Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
soc2-bcdr |
BCDR Objectives and Roles |
Management team develops contingency plans for assignment of responsibility for internal controls with clear objectives and roles. |
| § Control Environment\n【CC1.5】 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. |
soc2-hr-mgmt |
HR Management and Reporting |
Organizational structure as well as individual job functions are established and communicated to all employees. |
| § Control Environment\n【CC1.5】 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. |
soc2-role-assignment |
Assignment of Roles and the Security Committee |
Security and compliance roles and responsibilities are clearly defined to ensure segregation of duties. |
| § Control Environment\n【CC1.5】 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. |
soc2-employee-performance |
Employee Performance Review Process |
Performance reviews are conducted annually to evaluate performance of employees against expected levels. |
| § Control Environment\n【CC1.5】 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. |
soc2-internal-comms |
Internal Business Communications |
Management and each individual department/team holds regular company-wide / departmental / team meetings to review and discuss various aspects of business performance and objectives. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-data-classification |
Data Classification Model |
Data classification model is defined to differentiate public, non-public, confidental/sensitive and critical data or information asset. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-data-handling |
Data Handling Process |
Data is handled according to its classification, including defined requirements for labeling, encryption, access control, retention and other applicable processes. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-data-lifecycle |
Data Inventory and Lifecycle Management |
Data is tagged according to its classification, and its lifecycle is defined. Transient and temporary data (or cache) is purged immediately after use. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-data-protection |
Data Protection Implementation and Processes |
Data is protected according to its classification and storage capability, including encryption, access control, partitioning/separation, backup/recovery, and monitoring. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-audit-trails |
Audit Trails - System and Application Security Events Logging Standard |
Security events and logs from production systems and applications are captured as audit trails. Audit trails include sufficient data such as timestamp, user id, action taken to establish who did what, when, how. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-audit-trails-integrity |
Audit Trail Integrity - Security Controls and Log Retention |
Audit trails are protected against modification and unauthorized access. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-audit-types |
Types of System Audits |
The organization has defined auditing processes including system configuration monitoring, activity monitoring, access review, and controls compliance audit. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-events-analysis |
Security Event Analysis |
The security team monitors system security events and logs via a combination of automated tools and manual reviews. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-threat-intel |
Threat Intelligence Monitoring |
The security team subscribes to news, feeds, forums and special interests groups to receive updates on threat intel and updates on applicable regulations and compliance. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-threat-siem |
Centralized Security Information and Event Management |
Security events are logged and alerts are centrally aggregated for review and remediation. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-risk-assess |
Risk Assessment and Analysis |
Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-ccm-config |
Configuration Management Processes |
Configuration management processes are in place to provision systems and environments according to approved security standards. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-vuln-scan |
Vulnerability Scanning and Infrastructure Security Testing |
Vulnerability scan is performed at least quarterly for all production systems. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-vuln-remediation |
Security Findings Reporting, Tracking and Remediation |
All security vulnerability and findings (for both infrastructure and software) are prioritized and remediated based on its severity and impact, with a defined SLA. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-sdlc-pentest |
Application Penetration Testing |
Penetration testing is performed for each product at least annually and with major feature changes. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-sdlc-bugbounty |
Responsible Disclosure and Bug Bounty Program |
Security team maintains an external/public bug bounty program to enable continuous security testing and vulnerability reporting across major external facing products. |
| § Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
soc2-model-metrics |
Metrics, Measurements and Continuous Monitoring |
Metrics are defined to measure the effectiveness of controls and they are continuously monitored. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-employee-onboarding |
Employee Onboarding Procedures |
Employee onboarding is coordinated between HR, IT and Security to ensure the appropriate training, access provisioning and system configurations are in place for each new hire. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-model-architecture |
Security Architecture |
Security architecture is documented, including system and infrastructure security diagrams. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-model-principles |
Security Principles |
The organization incorporates best practices such as least-privilege or zero-trust in its security operating model. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-model-quality |
System Quality |
The organization communicates its commitment to quality of service to its users and customers. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-policy-mgmt |
Policy Management Process |
A formal process is in place to maintain and update security policies, controls and procedures. Policies, controls and procedures are reviewed at least annually. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-risk-mgmt |
Risk Management Process |
The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-risk-mitigation |
Risk Mitigation and Monitoring |
A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-role-assignment |
Assignment of Roles and the Security Committee |
Security and compliance roles and responsibilities are clearly defined to ensure segregation of duties. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-internal-comms |
Internal Business Communications |
Management and each individual department/team holds regular company-wide / departmental / team meetings to review and discuss various aspects of business performance and objectives. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-training-awareness |
Ongoing Security Awareness Training |
Employees and contractors receive ongoing security awareness training at least annually. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-training-hipaa |
Annual HIPAA Awareness Training |
Employees and contractors working with patient data and protected health information (PHI) are required to take HIPAA awareness training within 30 days of onboarding and annually thereafter. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-training-policy |
Policy and Compliance Training |
Employees and contractors receive training on the organization's security policies and procedures. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-ir-playbook |
Incident Categories and Playbooks |
Incident playbooks are created with detailed technical procedures to guide personnel in incident handling according to the incident classification and severity. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-ir-process |
Incident Management Process |
Incident response / escalation policies and processes are in place for incident reporting, triage, eradication, recovery, and postmortem analysis. |
| § Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
soc2-ir-sirt |
Security Incident Response Team (SIRT) |
Incident response team is established and assigned corresponding responsibilities. |
| § Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. |
soc2-model-quality |
System Quality |
The organization communicates its commitment to quality of service to its users and customers. |
| § Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. |
soc2-compliance-mgmt |
Compliance Program Management |
The organization has a program and defined process to manage compliance to applicable regulatory requirements and contractual obligations. |
| § Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. |
soc2-compliance-requests |
Requesting Audit and Compliance Reports |
Process and channels are established to communicate the compliance status to external stakeholders. |
| § Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. |
soc2-breach-investigate |
Breach Investigation and Notification Process |
Investigation and notification process is in place to handle suspected and/or confirmed data breaches. |
| § Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. |
soc2-privacy-notices |
Privacy, Terms and Consent Notices |
The organization has published privacy policy and established user consent process for data processing, in line with applicable regulations. |
| § Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. |
soc2-vendor-contracts |
Vendor Contractual Agreements |
Third party vendors are required to sign applicale contractual agreements, such as BAA (for HIPAA), DPA (for GDPR), SLA (for service providers), accepting their responsibilities to meet applicable data protection and privacy requirements. |
| § Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. |
soc2-ism-scope |
Information Security Program and Scope |
The organization has an established security program with appropriate controls that are aligned to the organization's objectives and risk posture. |
| § Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. |
soc2-risk-mgmt |
Risk Management Process |
The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval. |
| § Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. |
soc2-risk-assess |
Risk Assessment and Analysis |
Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted. |
| § Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. |
soc2-risk-mitigation |
Risk Mitigation and Monitoring |
A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk. |
| § Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. |
soc2-risk-registry |
Risk Registry |
Risks identified from each risk assessment are documented and maintained. |
| § Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
soc2-risk-mgmt |
Risk Management Process |
The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval. |
| § Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
soc2-risk-assess |
Risk Assessment and Analysis |
Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted. |
| § Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
soc2-risk-mitigation |
Risk Mitigation and Monitoring |
A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk. |
| § Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
soc2-asset-physical |
Physical Asset Inventory |
All physical computing and information processing assets, such as laptops and workstations, are maintained in an asset inventory system. |
| § Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
soc2-asset-digital |
Digital Asset Inventory |
All digital and software-defined assets, such as virtual instances and code repositories, are discovered and maintained in an asset inventory system. |
| § Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
soc2-vendor-ssa |
Software and Systems Acquisition Process |
A list of approved software applications and system vendors are in place, with approval process defined for additional acquisition requests. |
| § Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
soc2-vendor-vtr |
Vendor Risk Assessment |
Risk assessments are conducted prior to engaging a new technology vendor. |
| § Risk Assessment\n【CC3.3】 The entity considers the potential for fraud in assessing risks to the achievement of objectives. |
soc2-risk-fraud |
Fraud Risks |
The organization considers both financial and IT fraud risks as part of its risk assessment process, including the pressures/incentives, opportunities and rationalities of people and/or department to commit fraud. |
| § Risk Assessment\n【CC3.4】 The entity identifies and assesses changes that could significantly impact the system of internal control. |
soc2-threat-intel |
Threat Intelligence Monitoring |
The security team subscribes to news, feeds, forums and special interests groups to receive updates on threat intel and updates on applicable regulations and compliance. |
| § Risk Assessment\n【CC3.4】 The entity identifies and assesses changes that could significantly impact the system of internal control. |
soc2-bcdr |
BCDR Objectives and Roles |
Management team develops contingency plans for assignment of responsibility for internal controls with clear objectives and roles. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-ism-reporting |
Review and Reporting |
Metrics are defined to measure the effectiveness of controls and they are reported to/reviewed by senior management. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-model-metrics |
Metrics, Measurements and Continuous Monitoring |
Metrics are defined to measure the effectiveness of controls and they are continuously monitored. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-audit-internal |
Manual Internal Auditing Activities |
The organization performs manual testing and reviews of systems, accounts and controls as needed. The audit may be performed by internal teams or external auditors. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-audit-request |
Audit Requests |
A process and channels have been established for internal teams and external entities (such as a customer) to request security reviews or audits. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-audit-review |
Review and Reporting of Audit Findings |
Results of each security assessment or audit are reviewed by security team, senior management, and other designated personnel. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-audit-tools |
Tools Used for Auditing and Security Assessments |
A set of tools are made available for the security and compliance personnel to conduct assessments, system scans, security testing and audits. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-audit-trails |
Audit Trails - System and Application Security Events Logging Standard |
Security events and logs from production systems and applications are captured as audit trails. Audit trails include sufficient data such as timestamp, user id, action taken to establish who did what, when, how. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-audit-trails-integrity |
Audit Trail Integrity - Security Controls and Log Retention |
Audit trails are protected against modification and unauthorized access. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-audit-training |
Audit Related Training, Education, Awareness and Responsibilities |
Employees and contractors are informed and trained on the organization's monitoring and auditing process. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-audit-types |
Types of System Audits |
The organization has defined auditing processes including system configuration monitoring, activity monitoring, access review, and controls compliance audit. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-vuln-scan |
Vulnerability Scanning and Infrastructure Security Testing |
Vulnerability scan is performed at least quarterly for all production systems. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-sdlc-pentest |
Application Penetration Testing |
Penetration testing is performed for each product at least annually and with major feature changes. |
| § Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
soc2-sdlc-bugbounty |
Responsible Disclosure and Bug Bounty Program |
Security team maintains an external/public bug bounty program to enable continuous security testing and vulnerability reporting across major external facing products. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-ism-reporting |
Review and Reporting |
Metrics are defined to measure the effectiveness of controls and they are reported to/reviewed by senior management. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-model-metrics |
Metrics, Measurements and Continuous Monitoring |
Metrics are defined to measure the effectiveness of controls and they are continuously monitored. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-audit-review |
Review and Reporting of Audit Findings |
Results of each security assessment or audit are reviewed by security team, senior management, and other designated personnel. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-audit-control-deficiency |
Remediation of Control Deficiencies |
Identified control deficiencies are communicated to parties responsible for taking corrective action. Remediation plans are proposed and monitored through resolution. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-vuln-remediation |
Security Findings Reporting, Tracking and Remediation |
All security vulnerability and findings (for both infrastructure and software) are prioritized and remediated based on its severity and impact, with a defined SLA. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-model-metrics |
Metrics, Measurements and Continuous Monitoring |
Metrics are defined to measure the effectiveness of controls and they are continuously monitored. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-ism-reporting |
Review and Reporting |
Metrics are defined to measure the effectiveness of controls and they are reported to/reviewed by senior management. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-ccm-monitor |
Configuration Monitoring and Auditing |
Monitoring software is used to monitor infrastructure and software for noncompliance with established configuration standards and security best practices. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-sdlc-monitor |
Production System Monitoring and Paging |
On call teams are set up to receive pager notifications when a failure or error occurs in production. |
| § Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
soc2-compliance-monitor |
Continuous Compliance Monitoring |
Compliance status is tracked and monitored using an enterprise compliance tool. |
| § Control Activities\n【CC5.1】 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
soc2-risk-assess |
Risk Assessment and Analysis |
Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted. |
| § Control Activities\n【CC5.1】 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
soc2-risk-mgmt |
Risk Management Process |
The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval. |
| § Control Activities\n【CC5.1】 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
soc2-risk-mitigation |
Risk Mitigation and Monitoring |
A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk. |
| § Control Activities\n【CC5.1】 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
soc2-risk-registry |
Risk Registry |
Risks identified from each risk assessment are documented and maintained. |
| § Control Activities\n【CC5.2】 The entity also selects and develops general control activities over technology to support the achievement of objectives. |
soc2-risk-assess |
Risk Assessment and Analysis |
Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted. |
| § Control Activities\n【CC5.2】 The entity also selects and develops general control activities over technology to support the achievement of objectives. |
soc2-risk-mgmt |
Risk Management Process |
The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval. |
| § Control Activities\n【CC5.2】 The entity also selects and develops general control activities over technology to support the achievement of objectives. |
soc2-risk-mitigation |
Risk Mitigation and Monitoring |
A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk. |
| § Control Activities\n【CC5.2】 The entity also selects and develops general control activities over technology to support the achievement of objectives. |
soc2-risk-registry |
Risk Registry |
Risks identified from each risk assessment are documented and maintained. |
| § Control Activities\n【CC5.3】 The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. |
soc2-ism-scope |
Information Security Program and Scope |
The organization has an established security program with appropriate controls that are aligned to the organization's objectives and risk posture. |
| § Control Activities\n【CC5.3】 The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. |
soc2-ism-policies |
Understanding the Policies and Controls/Procedures |
The organization's security program maintains documentation of high level policies and lower level controls and procedures. The policies and procedures cover the design, development, implementation, operation, maintenance and monitoring of in-scope systems. |
| § Control Activities\n【CC5.3】 The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. |
soc2-policy-mgmt |
Policy Management Process |
A formal process is in place to maintain and update security policies, controls and procedures. Policies, controls and procedures are reviewed at least annually. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-asset-digital |
Digital Asset Inventory |
All digital and software-defined assets, such as virtual instances and code repositories, are discovered and maintained in an asset inventory system. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-aws |
Temporary Access to AWS Accounts and Resources |
Access to AWS cloud infrastructure is configured single sign on roles and temporary trusts. No persistent end-user access is configured. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-customer |
Platform Customer Access to Systems |
Customers are granted access to their accounts and data only after successful authentication and authorization through the appropriate applications, either through the web interface or API. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-mfa |
Multi-factor Authentication |
Multi-factor authentication (MFA) is required for all users with access to business critical systems. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-password |
Password Management |
Strong password management policy is in place. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-phi |
Access to PHI/ePHI |
Access to PHI/ePHI is restricted to only individuals with business need and protected by strong access control. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-rbac |
Role Based Access Control (RBAC) |
Access to systems and applications are provisioned based on a user's role / group. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-service |
Service Accounts |
Service accounts and application credentials are securely managed. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-sso |
Centralized Access Control and Single Sign On |
Access to business systems and applications is centrally managed via single sign on (SSO) when possible. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-standards |
Standards for Access Provisioning |
The organization incorporates security best practices and standards for provisioning access including unqiue user identification, automatic logoff, and least-privileged access. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-vpn |
VPN Remote Access |
Remote access to private and internal systems are configured via encrypted VPN channels. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-wifi |
Office Network and Wifi Access |
Office networks, including wireless access, are protected for internal business use only. Guest wireless access is provided on a separate logical network. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-prod |
Production Access and Secrets Management |
Production keys and secrets are securely stored and protected. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-access-prod-data |
Production Data Access |
Access to production data is highly restricted. Access is reviewed and approved on a case-by-case basis. MFA is required. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-threat-firewall |
Firewall Protection |
Firewall protection is enabled across network, host, and application layer. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-threat-nids |
Network Intrusion Detection |
Network layer intrusion detection system is implemented. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-threat-hids |
Host Intrusion Detection |
Host instrusion detection and malicious activity monitoring agents are installed on endpoint hosts and servers. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-threat-webapp |
Web Application Protection |
Web application firewall and denial-of-service protection is enabled for external facing applications. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-data-lifecycle |
Data Inventory and Lifecycle Management |
Data is tagged according to its classification, and its lifecycle is defined. Transient and temporary data (or cache) is purged immediately after use. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-data-protection |
Data Protection Implementation and Processes |
Data is protected according to its classification and storage capability, including encryption, access control, partitioning/separation, backup/recovery, and monitoring. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-data-protection-at-rest |
Protecting Data At Rest |
Sensitive and confidential data is encrypted when stored. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-data-protection-in-transit |
Protecting Data In Transit |
Sensitive and confidential data is encrypted when transmitted across networks. |
| § Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
soc2-employee-acceptable-use |
Acceptable Use of End-user Computing |
Acceptable use policy is in place to guide the organization's personnel on the proper use of information assets and their roles and responsibilities. |
| § Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
soc2-access-change |
Access Establishment, Modification and Termination |
Changes to pre-established access (configured as part of onboarding) must be requested and approved by the employee's manager or security team prior to granting access. Non-standard access is revoked when no longer needed. |
| § Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
soc2-access-review |
Access Reviews |
User access permissions are reviewed as part of ongoing security monitoring and whenever an employee's role changes. |
| § Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
soc2-audit-internal |
Manual Internal Auditing Activities |
The organization performs manual testing and reviews of systems, accounts and controls as needed. The audit may be performed by internal teams or external auditors. |
| § Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
soc2-audit-types |
Types of System Audits |
The organization has defined auditing processes including system configuration monitoring, activity monitoring, access review, and controls compliance audit. |
| § Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
soc2-employee-exiting |
Employee Exiting/Termination Procedures |
Employee exiting is coordinated between HR, IT and Security to ensure proper access termination and return of equipment. |
| § Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
soc2-employee-onboarding |
Employee Onboarding Procedures |
Employee onboarding is coordinated between HR, IT and Security to ensure the appropriate training, access provisioning and system configurations are in place for each new hire. |
| § Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
soc2-vendor-ssa |
Software and Systems Acquisition Process |
A list of approved software applications and system vendors are in place, with approval process defined for additional acquisition requests. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-access-standards |
Standards for Access Provisioning |
The organization incorporates security best practices and standards for provisioning access including unqiue user identification, automatic logoff, and least-privileged access. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-access-change |
Access Establishment, Modification and Termination |
Changes to pre-established access (configured as part of onboarding) must be requested and approved by the employee's manager or security team prior to granting access. Non-standard access is revoked when no longer needed. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-access-phi |
Access to PHI/ePHI |
Access to PHI/ePHI is restricted to only individuals with business need and protected by strong access control. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-access-rbac |
Role Based Access Control (RBAC) |
Access to systems and applications are provisioned based on a user's role / group. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-access-service |
Service Accounts |
Service accounts and application credentials are securely managed. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-access-prod-data |
Production Data Access |
Access to production data is highly restricted. Access is reviewed and approved on a case-by-case basis. MFA is required. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-ccm-aws |
Provisioning AWS Accounts |
AWS configuration is maintained as code and provisioned via automated code deploys. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-data-protection |
Data Protection Implementation and Processes |
Data is protected according to its classification and storage capability, including encryption, access control, partitioning/separation, backup/recovery, and monitoring. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-employee-exiting |
Employee Exiting/Termination Procedures |
Employee exiting is coordinated between HR, IT and Security to ensure proper access termination and return of equipment. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-model-principles |
Security Principles |
The organization incorporates best practices such as least-privilege or zero-trust in its security operating model. |
| § Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
soc2-sdlc-iaaa |
Access Control of the Application (Identification, Authentication, Authorization, Accounting) |
All external facing applications are required to have appropriate access control implementation to protect non-public user data. |
| § Logical And Physical Access Controls\n【CC6.4】 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. |
soc2-physical |
Physical Security |
|
| § Logical And Physical Access Controls\n【CC6.4】 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. |
soc2-physical-datacenter |
Data Center Security |
Data center security is ensured by the cloud service provider. |
| § Logical And Physical Access Controls\n【CC6.4】 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. |
soc2-employee-exiting |
Employee Exiting/Termination Procedures |
Employee exiting is coordinated between HR, IT and Security to ensure proper access termination and return of equipment. |
| § Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
soc2-asset-physical |
Physical Asset Inventory |
All physical computing and information processing assets, such as laptops and workstations, are maintained in an asset inventory system. |
| § Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
soc2-data-deletion |
Data Deletion Procedures |
Data is retained for designated periods of time according to regulatory and/or contractual requirements, and deleted when the retention period expires. |
| § Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
soc2-data-handling |
Data Handling Process |
Data is handled according to its classification, including defined requirements for labeling, encryption, access control, retention and other applicable processes. |
| § Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
soc2-data-lifecycle |
Data Inventory and Lifecycle Management |
Data is tagged according to its classification, and its lifecycle is defined. Transient and temporary data (or cache) is purged immediately after use. |
| § Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
soc2-mdm-disposal |
Media Disposal Process |
Media containing critical / sensitive data (such as PII or ePHI) is disposed securely. |
| § Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
soc2-mdm-usb |
Use of USB Flash Drive and External Storage Device |
Use of USB flash drive or similar removable storage device to store sensitive and critical data is prohibited and must be handled on an exception basis approved by security. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-access-aws |
Temporary Access to AWS Accounts and Resources |
Access to AWS cloud infrastructure is configured single sign on roles and temporary trusts. No persistent end-user access is configured. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-access-mfa |
Multi-factor Authentication |
Multi-factor authentication (MFA) is required for all users with access to business critical systems. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-access-service |
Service Accounts |
Service accounts and application credentials are securely managed. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-access-standards |
Standards for Access Provisioning |
The organization incorporates security best practices and standards for provisioning access including unqiue user identification, automatic logoff, and least-privileged access. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-access-vpn |
VPN Remote Access |
Remote access to private and internal systems are configured via encrypted VPN channels. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-access-wifi |
Office Network and Wifi Access |
Office networks, including wireless access, are protected for internal business use only. Guest wireless access is provided on a separate logical network. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-data-protection-in-transit |
Protecting Data In Transit |
Sensitive and confidential data is encrypted when transmitted across networks. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-sdlc-iaaa |
Access Control of the Application (Identification, Authentication, Authorization, Accounting) |
All external facing applications are required to have appropriate access control implementation to protect non-public user data. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-threat-firewall |
Firewall Protection |
Firewall protection is enabled across network, host, and application layer. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-threat-hids |
Host Intrusion Detection |
Host instrusion detection and malicious activity monitoring agents are installed on endpoint hosts and servers. |
| § Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
soc2-threat-nids |
Network Intrusion Detection |
Network layer intrusion detection system is implemented. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-access-vpn |
VPN Remote Access |
Remote access to private and internal systems are configured via encrypted VPN channels. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-access-prod-data |
Production Data Access |
Access to production data is highly restricted. Access is reviewed and approved on a case-by-case basis. MFA is required. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-data-classification |
Data Classification Model |
Data classification model is defined to differentiate public, non-public, confidental/sensitive and critical data or information asset. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-data-handling |
Data Handling Process |
Data is handled according to its classification, including defined requirements for labeling, encryption, access control, retention and other applicable processes. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-data-lifecycle |
Data Inventory and Lifecycle Management |
Data is tagged according to its classification, and its lifecycle is defined. Transient and temporary data (or cache) is purged immediately after use. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-data-protection |
Data Protection Implementation and Processes |
Data is protected according to its classification and storage capability, including encryption, access control, partitioning/separation, backup/recovery, and monitoring. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-data-protection-at-rest |
Protecting Data At Rest |
Sensitive and confidential data is encrypted when stored. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-data-protection-in-transit |
Protecting Data In Transit |
Sensitive and confidential data is encrypted when transmitted across networks. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-data-protection-in-use |
Protecting Data In Use |
Audit trail is enabled to monitor data access when in use. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-employee-acceptable-use |
Acceptable Use of End-user Computing |
Acceptable use policy is in place to guide the organization's personnel on the proper use of information assets and their roles and responsibilities. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-mdm-byod |
Support and Management of BYOD Devices |
BYOD devices are not allowed to connect to production environments containing critical data. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-mdm-disposal |
Media Disposal Process |
Media containing critical / sensitive data (such as PII or ePHI) is disposed securely. |
| § Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
soc2-mdm-usb |
Use of USB Flash Drive and External Storage Device |
Use of USB flash drive or similar removable storage device to store sensitive and critical data is prohibited and must be handled on an exception basis approved by security. |
| § Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
soc2-ccm-config |
Configuration Management Processes |
Configuration management processes are in place to provision systems and environments according to approved security standards. |
| § Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
soc2-ccm-provision-endpoint |
User Endpoint Security Controls and Configuration |
End-user computing systems are configured with required baseline security controls including disk encyrption, unique user account and strong password policy, host firewall, screenlock protection, auto-update of security patches, and endpoint security agent for configuration monitoring and malware protection. |
| § Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
soc2-ccm-provision-server |
Server Hardening Guidelines and Processes |
Server systems are provisioned using pre-approved configurations or images approved by the security team. |
| § Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
soc2-mdm-byod |
Support and Management of BYOD Devices |
BYOD devices are not allowed to connect to production environments containing critical data. |
| § Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
soc2-sdlc-dev |
Software Development Process |
A secure software development process, coding standards, and release strategy is established to ensure security is built-in to the products and applications. |
| § Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
soc2-sdlc-scm |
Source Code Management |
Source code management system with version control is used to maintain software codes |
| § Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
soc2-sdlc-foss |
Free and Open Source Software (FOSS) Security |
A code analysis tool is in place to analyze open source components for potential security vulnerabilities and licensing issues. |
| § Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
soc2-threat-malware |
Malware Protection |
Malware protection agent is installed and activated at all times on endpoint devices. |
| § Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
soc2-vendor-ssa |
Software and Systems Acquisition Process |
A list of approved software applications and system vendors are in place, with approval process defined for additional acquisition requests. |
| § System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
soc2-ccm-config |
Configuration Management Processes |
Configuration management processes are in place to provision systems and environments according to approved security standards. |
| § System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
soc2-ccm-monitor |
Configuration Monitoring and Auditing |
Monitoring software is used to monitor infrastructure and software for noncompliance with established configuration standards and security best practices. |
| § System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
soc2-vuln-scan |
Vulnerability Scanning and Infrastructure Security Testing |
Vulnerability scan is performed at least quarterly for all production systems. |
| § System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
soc2-sdlc-pentest |
Application Penetration Testing |
Penetration testing is performed for each product at least annually and with major feature changes. |
| § System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
soc2-sdlc-bugbounty |
Responsible Disclosure and Bug Bounty Program |
Security team maintains an external/public bug bounty program to enable continuous security testing and vulnerability reporting across major external facing products. |
| § System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
soc2-ccm-monitor |
Configuration Monitoring and Auditing |
Monitoring software is used to monitor infrastructure and software for noncompliance with established configuration standards and security best practices. |
| § System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
soc2-audit-internal |
Manual Internal Auditing Activities |
The organization performs manual testing and reviews of systems, accounts and controls as needed. The audit may be performed by internal teams or external auditors. |
| § System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
soc2-audit-trails |
Audit Trails - System and Application Security Events Logging Standard |
Security events and logs from production systems and applications are captured as audit trails. Audit trails include sufficient data such as timestamp, user id, action taken to establish who did what, when, how. |
| § System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
soc2-audit-types |
Types of System Audits |
The organization has defined auditing processes including system configuration monitoring, activity monitoring, access review, and controls compliance audit. |
| § System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
soc2-events-analysis |
Security Event Analysis |
The security team monitors system security events and logs via a combination of automated tools and manual reviews. |
| § System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
soc2-threat-nids |
Network Intrusion Detection |
Network layer intrusion detection system is implemented. |
| § System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
soc2-threat-hids |
Host Intrusion Detection |
Host instrusion detection and malicious activity monitoring agents are installed on endpoint hosts and servers. |
| § System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
soc2-threat-siem |
Centralized Security Information and Event Management |
Security events are logged and alerts are centrally aggregated for review and remediation. |
| § System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
soc2-ir-sirt |
Security Incident Response Team (SIRT) |
Incident response team is established and assigned corresponding responsibilities. |
| § System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
soc2-ir-process |
Incident Management Process |
Incident response / escalation policies and processes are in place for incident reporting, triage, eradication, recovery, and postmortem analysis. |
| § System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
soc2-ir-playbook |
Incident Categories and Playbooks |
Incident playbooks are created with detailed technical procedures to guide personnel in incident handling according to the incident classification and severity. |
| § System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
soc2-ir-records |
Incident Tracking and Records |
Each incident is tracked with applicable attributes and notes, and the incident records are stored in an approved ticketing system. |
| § System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
soc2-vuln-remediation |
Security Findings Reporting, Tracking and Remediation |
All security vulnerability and findings (for both infrastructure and software) are prioritized and remediated based on its severity and impact, with a defined SLA. |
| § System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
soc2-ir-playbook |
Incident Categories and Playbooks |
Incident playbooks are created with detailed technical procedures to guide personnel in incident handling according to the incident classification and severity. |
| § System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
soc2-ir-process |
Incident Management Process |
Incident response / escalation policies and processes are in place for incident reporting, triage, eradication, recovery, and postmortem analysis. |
| § System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
soc2-ir-sirt |
Security Incident Response Team (SIRT) |
Incident response team is established and assigned corresponding responsibilities. |
| § System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
soc2-breach-customer |
Platform Customer Responsibilities in a Possible Breach |
Customer responsibilities are defined in the case of a breach related to or resulted from customer activities. |
| § System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
soc2-breach-investigate |
Breach Investigation and Notification Process |
Investigation and notification process is in place to handle suspected and/or confirmed data breaches. |
| § System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
soc2-breach-letter |
Sample Notification Letter to Customers in Case of Breach |
Communication template is in place for external notification of a breach. |
| § System Operations\n【CC7.5】 The entity identifies, develops, and implements activities to recover from identified security incidents. |
soc2-ccm-emergency |
Emergency Change |
An emergency change process is in place for break-glass procedure. Details of any emergency change are retroactively documented and approved. |
| § System Operations\n【CC7.5】 The entity identifies, develops, and implements activities to recover from identified security incidents. |
soc2-ir-playbook |
Incident Categories and Playbooks |
Incident playbooks are created with detailed technical procedures to guide personnel in incident handling according to the incident classification and severity. |
| § System Operations\n【CC7.5】 The entity identifies, develops, and implements activities to recover from identified security incidents. |
soc2-ir-process |
Incident Management Process |
Incident response / escalation policies and processes are in place for incident reporting, triage, eradication, recovery, and postmortem analysis. |
| § System Operations\n【CC7.5】 The entity identifies, develops, and implements activities to recover from identified security incidents. |
soc2-ir-tabletop |
Tabletop Exercise |
Tabletop exercises and/or simulated incident drills are performed at least annually to validate and update the incident response process. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-aws |
Provisioning AWS Accounts |
AWS configuration is maintained as code and provisioned via automated code deploys. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-aws-deploy |
Deploying Changes to AWS |
Cloud infrastructure changes and software code deploys follow a defined change request process with automated and/or manual reviews and approvals. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-config |
Configuration Management Processes |
Configuration management processes are in place to provision systems and environments according to approved security standards. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-emergency |
Emergency Change |
An emergency change process is in place for break-glass procedure. Details of any emergency change are retroactively documented and approved. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-network |
Configuration and Management of Network Controls |
Network devices are configured to remove vendor default security configurations. Network layer security controls are in place to enable traffic filtering/monitoring for applicable environments. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-patch |
Patch Management Procedures |
Operating systems on both end-user computing devices and server systems are required to maintain up-to-date security patches in an automated process. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-prodcm |
Production Deploy / Code Promotion Processes |
Code deploys to production require an approved change ticket with sufficent details about the code change. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-provision-endpoint |
User Endpoint Security Controls and Configuration |
End-user computing systems are configured with required baseline security controls including disk encyrption, unique user account and strong password policy, host firewall, screenlock protection, auto-update of security patches, and endpoint security agent for configuration monitoring and malware protection. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-provision-mgmt |
Configuration and Provisioning of Management Systems |
System management tools are provisioned following the same requirements and configurations as any production system. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-provision-prod |
Production Systems Provisioning |
Provisioning of any production system or resource requires a change request that is reviewed and approved by both engineering and security. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-ccm-provision-server |
Server Hardening Guidelines and Processes |
Server systems are provisioned using pre-approved configurations or images approved by the security team. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-sdlc-appsec-req |
High Level Application Security Requirements |
Application security requirements are defined following OWASP Top Ten best practices. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-sdlc-design |
Secure Design and Application Threat Modeling |
Security considerations are mandatory as part of new system design and feature development. Threat modeling is jointly performed by security and development teams as needed. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-sdlc-dev |
Software Development Process |
A secure software development process, coding standards, and release strategy is established to ensure security is built-in to the products and applications. |
| § Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
soc2-sdlc-scm |
Source Code Management |
Source code management system with version control is used to maintain software codes |
| § Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
soc2-risk-mgmt |
Risk Management Process |
The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval. |
| § Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
soc2-risk-assess |
Risk Assessment and Analysis |
Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted. |
| § Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
soc2-risk-mitigation |
Risk Mitigation and Monitoring |
A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk. |
| § Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
soc2-risk-registry |
Risk Registry |
Risks identified from each risk assessment are documented and maintained. |
| § Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
soc2-risk-insurance |
Cyber Liability Insurance |
The organization holds cyber liability insurance with sufficient coverage based on its risk profile |
| § Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
soc2-bcdr |
BCDR Objectives and Roles |
Management team develops contingency plans for assignment of responsibility for internal controls with clear objectives and roles. |
| § Risk Mitigation\n【CC9.2】 The entity assesses and manages risks associated with vendors and business partners. |
soc2-compliance-mgmt |
Compliance Program Management |
The organization has a program and defined process to manage compliance to applicable regulatory requirements and contractual obligations. |
| § Risk Mitigation\n【CC9.2】 The entity assesses and manages risks associated with vendors and business partners. |
soc2-vendor-contracts |
Vendor Contractual Agreements |
Third party vendors are required to sign applicale contractual agreements, such as BAA (for HIPAA), DPA (for GDPR), SLA (for service providers), accepting their responsibilities to meet applicable data protection and privacy requirements. |
| § Risk Mitigation\n【CC9.2】 The entity assesses and manages risks associated with vendors and business partners. |
soc2-vendor-vtr |
Vendor Risk Assessment |
Risk assessments are conducted prior to engaging a new technology vendor. |
| § Risk Mitigation\n【CC9.2】 The entity assesses and manages risks associated with vendors and business partners. |
soc2-sdlc-outsourcing |
Outsourced Software Development |
Software development performed by contractors or outsourced vendors follow the same secure development standards and requirements. |
