SOC 2 Security Controls

SOC 2 Security Controls

Excel Spreadsheet

Domain Title Domain_Control_Ref Domain_Control_Title Domain_Control_Summary
§ Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. soc2-employee-acceptable-use Acceptable Use of End-user Computing Acceptable use policy is in place to guide the organization's personnel on the proper use of information assets and their roles and responsibilities.
§ Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. soc2-employee-onboarding Employee Onboarding Procedures Employee onboarding is coordinated between HR, IT and Security to ensure the appropriate training, access provisioning and system configurations are in place for each new hire.
§ Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. soc2-employee-screening Employee Screening Procedures Interviews and background checks are conducted prior to hiring to ensure qualification and security.
§ Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. soc2-policy-mgmt Policy Management Process A formal process is in place to maintain and update security policies, controls and procedures. Policies, controls and procedures are reviewed at least annually.
§ Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. soc2-sanctions Non-Compliance Investigation and Sanctions Policies and processes are in place to investigate and take appropriate actions on any non-compliance to the organization's policies and procedures.
§ Control Environment\n【CC1.1】 The entity demonstrates a commitment to integrity and ethical values. soc2-training-policy Policy and Compliance Training Employees and contractors receive training on the organization's security policies and procedures.
§ Control Environment\n【CC1.2】 The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
§ Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. soc2-ism-scope Information Security Program and Scope The organization has an established security program with appropriate controls that are aligned to the organization's objectives and risk posture.
§ Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. soc2-ism-policies Understanding the Policies and Controls/Procedures The organization's security program maintains documentation of high level policies and lower level controls and procedures. The policies and procedures cover the design, development, implementation, operation, maintenance and monitoring of in-scope systems.
§ Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. soc2-ism-reporting Review and Reporting Metrics are defined to measure the effectiveness of controls and they are reported to/reviewed by senior management.
§ Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. soc2-role-assignment Assignment of Roles and the Security Committee Security and compliance roles and responsibilities are clearly defined to ensure segregation of duties.
§ Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. soc2-hr-mgmt HR Management and Reporting Organizational structure as well as individual job functions are established and communicated to all employees.
§ Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. soc2-vendor-vtr Vendor Risk Assessment Risk assessments are conducted prior to engaging a new technology vendor.
§ Control Environment\n【CC1.3】 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. soc2-vendor-contracts Vendor Contractual Agreements Third party vendors are required to sign applicale contractual agreements, such as BAA (for HIPAA), DPA (for GDPR), SLA (for service providers), accepting their responsibilities to meet applicable data protection and privacy requirements.
§ Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. soc2-employee-onboarding Employee Onboarding Procedures Employee onboarding is coordinated between HR, IT and Security to ensure the appropriate training, access provisioning and system configurations are in place for each new hire.
§ Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. soc2-employee-screening Employee Screening Procedures Interviews and background checks are conducted prior to hiring to ensure qualification and security.
§ Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. soc2-employee-development Continuous Education and Skills Development The organization provides employees the opportunity to attend conferences, trade shows, and access to training courses and studies to maintain and further advance their skills relevant to their job functions and business objectives.
§ Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. soc2-employee-recognition Employee Incentives and Rewards Employees receive regular peer recognition, feedback and rewards for positive behavior and impact.
§ Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. soc2-training-awareness Ongoing Security Awareness Training Employees and contractors receive ongoing security awareness training at least annually.
§ Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. soc2-training-hipaa Annual HIPAA Awareness Training Employees and contractors working with patient data and protected health information (PHI) are required to take HIPAA awareness training within 30 days of onboarding and annually thereafter.
§ Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. soc2-training-policy Policy and Compliance Training Employees and contractors receive training on the organization's security policies and procedures.
§ Control Environment\n【CC1.4】 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. soc2-bcdr BCDR Objectives and Roles Management team develops contingency plans for assignment of responsibility for internal controls with clear objectives and roles.
§ Control Environment\n【CC1.5】 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. soc2-hr-mgmt HR Management and Reporting Organizational structure as well as individual job functions are established and communicated to all employees.
§ Control Environment\n【CC1.5】 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. soc2-role-assignment Assignment of Roles and the Security Committee Security and compliance roles and responsibilities are clearly defined to ensure segregation of duties.
§ Control Environment\n【CC1.5】 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. soc2-employee-performance Employee Performance Review Process Performance reviews are conducted annually to evaluate performance of employees against expected levels.
§ Control Environment\n【CC1.5】 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. soc2-internal-comms Internal Business Communications Management and each individual department/team holds regular company-wide / departmental / team meetings to review and discuss various aspects of business performance and objectives.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-data-classification Data Classification Model Data classification model is defined to differentiate public, non-public, confidental/sensitive and critical data or information asset.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-data-handling Data Handling Process Data is handled according to its classification, including defined requirements for labeling, encryption, access control, retention and other applicable processes.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-data-lifecycle Data Inventory and Lifecycle Management Data is tagged according to its classification, and its lifecycle is defined. Transient and temporary data (or cache) is purged immediately after use.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-data-protection Data Protection Implementation and Processes Data is protected according to its classification and storage capability, including encryption, access control, partitioning/separation, backup/recovery, and monitoring.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-audit-trails Audit Trails - System and Application Security Events Logging Standard Security events and logs from production systems and applications are captured as audit trails. Audit trails include sufficient data such as timestamp, user id, action taken to establish who did what, when, how.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-audit-trails-integrity Audit Trail Integrity - Security Controls and Log Retention Audit trails are protected against modification and unauthorized access.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-audit-types Types of System Audits The organization has defined auditing processes including system configuration monitoring, activity monitoring, access review, and controls compliance audit.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-events-analysis Security Event Analysis The security team monitors system security events and logs via a combination of automated tools and manual reviews.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-threat-intel Threat Intelligence Monitoring The security team subscribes to news, feeds, forums and special interests groups to receive updates on threat intel and updates on applicable regulations and compliance.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-threat-siem Centralized Security Information and Event Management Security events are logged and alerts are centrally aggregated for review and remediation.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-risk-assess Risk Assessment and Analysis Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-ccm-config Configuration Management Processes Configuration management processes are in place to provision systems and environments according to approved security standards.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-vuln-scan Vulnerability Scanning and Infrastructure Security Testing Vulnerability scan is performed at least quarterly for all production systems.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-vuln-remediation Security Findings Reporting, Tracking and Remediation All security vulnerability and findings (for both infrastructure and software) are prioritized and remediated based on its severity and impact, with a defined SLA.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-sdlc-pentest Application Penetration Testing Penetration testing is performed for each product at least annually and with major feature changes.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-sdlc-bugbounty Responsible Disclosure and Bug Bounty Program Security team maintains an external/public bug bounty program to enable continuous security testing and vulnerability reporting across major external facing products.
§ Communication And Information\n【CC2.1】 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. soc2-model-metrics Metrics, Measurements and Continuous Monitoring Metrics are defined to measure the effectiveness of controls and they are continuously monitored.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-employee-onboarding Employee Onboarding Procedures Employee onboarding is coordinated between HR, IT and Security to ensure the appropriate training, access provisioning and system configurations are in place for each new hire.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-model-architecture Security Architecture Security architecture is documented, including system and infrastructure security diagrams.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-model-principles Security Principles The organization incorporates best practices such as least-privilege or zero-trust in its security operating model.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-model-quality System Quality The organization communicates its commitment to quality of service to its users and customers.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-policy-mgmt Policy Management Process A formal process is in place to maintain and update security policies, controls and procedures. Policies, controls and procedures are reviewed at least annually.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-risk-mgmt Risk Management Process The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-risk-mitigation Risk Mitigation and Monitoring A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-role-assignment Assignment of Roles and the Security Committee Security and compliance roles and responsibilities are clearly defined to ensure segregation of duties.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-internal-comms Internal Business Communications Management and each individual department/team holds regular company-wide / departmental / team meetings to review and discuss various aspects of business performance and objectives.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-training-awareness Ongoing Security Awareness Training Employees and contractors receive ongoing security awareness training at least annually.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-training-hipaa Annual HIPAA Awareness Training Employees and contractors working with patient data and protected health information (PHI) are required to take HIPAA awareness training within 30 days of onboarding and annually thereafter.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-training-policy Policy and Compliance Training Employees and contractors receive training on the organization's security policies and procedures.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-ir-playbook Incident Categories and Playbooks Incident playbooks are created with detailed technical procedures to guide personnel in incident handling according to the incident classification and severity.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-ir-process Incident Management Process Incident response / escalation policies and processes are in place for incident reporting, triage, eradication, recovery, and postmortem analysis.
§ Communication And Information\n【CC2.2】 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. soc2-ir-sirt Security Incident Response Team (SIRT) Incident response team is established and assigned corresponding responsibilities.
§ Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. soc2-model-quality System Quality The organization communicates its commitment to quality of service to its users and customers.
§ Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. soc2-compliance-mgmt Compliance Program Management The organization has a program and defined process to manage compliance to applicable regulatory requirements and contractual obligations.
§ Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. soc2-compliance-requests Requesting Audit and Compliance Reports Process and channels are established to communicate the compliance status to external stakeholders.
§ Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. soc2-breach-investigate Breach Investigation and Notification Process Investigation and notification process is in place to handle suspected and/or confirmed data breaches.
§ Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. soc2-privacy-notices Privacy, Terms and Consent Notices The organization has published privacy policy and established user consent process for data processing, in line with applicable regulations.
§ Communication And Information\n【CC2.3】 The entity communicates with external parties regarding matters affecting the functioning of internal control. soc2-vendor-contracts Vendor Contractual Agreements Third party vendors are required to sign applicale contractual agreements, such as BAA (for HIPAA), DPA (for GDPR), SLA (for service providers), accepting their responsibilities to meet applicable data protection and privacy requirements.
§ Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. soc2-ism-scope Information Security Program and Scope The organization has an established security program with appropriate controls that are aligned to the organization's objectives and risk posture.
§ Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. soc2-risk-mgmt Risk Management Process The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval.
§ Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. soc2-risk-assess Risk Assessment and Analysis Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted.
§ Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. soc2-risk-mitigation Risk Mitigation and Monitoring A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk.
§ Risk Assessment\n【CC3.1】 The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. soc2-risk-registry Risk Registry Risks identified from each risk assessment are documented and maintained.
§ Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. soc2-risk-mgmt Risk Management Process The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval.
§ Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. soc2-risk-assess Risk Assessment and Analysis Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted.
§ Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. soc2-risk-mitigation Risk Mitigation and Monitoring A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk.
§ Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. soc2-asset-physical Physical Asset Inventory All physical computing and information processing assets, such as laptops and workstations, are maintained in an asset inventory system.
§ Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. soc2-asset-digital Digital Asset Inventory All digital and software-defined assets, such as virtual instances and code repositories, are discovered and maintained in an asset inventory system.
§ Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. soc2-vendor-ssa Software and Systems Acquisition Process A list of approved software applications and system vendors are in place, with approval process defined for additional acquisition requests.
§ Risk Assessment\n【CC3.2】 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. soc2-vendor-vtr Vendor Risk Assessment Risk assessments are conducted prior to engaging a new technology vendor.
§ Risk Assessment\n【CC3.3】 The entity considers the potential for fraud in assessing risks to the achievement of objectives. soc2-risk-fraud Fraud Risks The organization considers both financial and IT fraud risks as part of its risk assessment process, including the pressures/incentives, opportunities and rationalities of people and/or department to commit fraud.
§ Risk Assessment\n【CC3.4】 The entity identifies and assesses changes that could significantly impact the system of internal control. soc2-threat-intel Threat Intelligence Monitoring The security team subscribes to news, feeds, forums and special interests groups to receive updates on threat intel and updates on applicable regulations and compliance.
§ Risk Assessment\n【CC3.4】 The entity identifies and assesses changes that could significantly impact the system of internal control. soc2-bcdr BCDR Objectives and Roles Management team develops contingency plans for assignment of responsibility for internal controls with clear objectives and roles.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-ism-reporting Review and Reporting Metrics are defined to measure the effectiveness of controls and they are reported to/reviewed by senior management.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-model-metrics Metrics, Measurements and Continuous Monitoring Metrics are defined to measure the effectiveness of controls and they are continuously monitored.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-audit-internal Manual Internal Auditing Activities The organization performs manual testing and reviews of systems, accounts and controls as needed. The audit may be performed by internal teams or external auditors.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-audit-request Audit Requests A process and channels have been established for internal teams and external entities (such as a customer) to request security reviews or audits.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-audit-review Review and Reporting of Audit Findings Results of each security assessment or audit are reviewed by security team, senior management, and other designated personnel.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-audit-tools Tools Used for Auditing and Security Assessments A set of tools are made available for the security and compliance personnel to conduct assessments, system scans, security testing and audits.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-audit-trails Audit Trails - System and Application Security Events Logging Standard Security events and logs from production systems and applications are captured as audit trails. Audit trails include sufficient data such as timestamp, user id, action taken to establish who did what, when, how.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-audit-trails-integrity Audit Trail Integrity - Security Controls and Log Retention Audit trails are protected against modification and unauthorized access.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-audit-training Audit Related Training, Education, Awareness and Responsibilities Employees and contractors are informed and trained on the organization's monitoring and auditing process.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-audit-types Types of System Audits The organization has defined auditing processes including system configuration monitoring, activity monitoring, access review, and controls compliance audit.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-vuln-scan Vulnerability Scanning and Infrastructure Security Testing Vulnerability scan is performed at least quarterly for all production systems.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-sdlc-pentest Application Penetration Testing Penetration testing is performed for each product at least annually and with major feature changes.
§ Monitoring Activities\n【CC4.1】 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. soc2-sdlc-bugbounty Responsible Disclosure and Bug Bounty Program Security team maintains an external/public bug bounty program to enable continuous security testing and vulnerability reporting across major external facing products.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-ism-reporting Review and Reporting Metrics are defined to measure the effectiveness of controls and they are reported to/reviewed by senior management.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-model-metrics Metrics, Measurements and Continuous Monitoring Metrics are defined to measure the effectiveness of controls and they are continuously monitored.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-audit-review Review and Reporting of Audit Findings Results of each security assessment or audit are reviewed by security team, senior management, and other designated personnel.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-audit-control-deficiency Remediation of Control Deficiencies Identified control deficiencies are communicated to parties responsible for taking corrective action. Remediation plans are proposed and monitored through resolution.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-vuln-remediation Security Findings Reporting, Tracking and Remediation All security vulnerability and findings (for both infrastructure and software) are prioritized and remediated based on its severity and impact, with a defined SLA.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-model-metrics Metrics, Measurements and Continuous Monitoring Metrics are defined to measure the effectiveness of controls and they are continuously monitored.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-ism-reporting Review and Reporting Metrics are defined to measure the effectiveness of controls and they are reported to/reviewed by senior management.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-ccm-monitor Configuration Monitoring and Auditing Monitoring software is used to monitor infrastructure and software for noncompliance with established configuration standards and security best practices.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-sdlc-monitor Production System Monitoring and Paging On call teams are set up to receive pager notifications when a failure or error occurs in production.
§ Monitoring Activities\n【CC4.2】 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. soc2-compliance-monitor Continuous Compliance Monitoring Compliance status is tracked and monitored using an enterprise compliance tool.
§ Control Activities\n【CC5.1】 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. soc2-risk-assess Risk Assessment and Analysis Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted.
§ Control Activities\n【CC5.1】 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. soc2-risk-mgmt Risk Management Process The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval.
§ Control Activities\n【CC5.1】 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. soc2-risk-mitigation Risk Mitigation and Monitoring A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk.
§ Control Activities\n【CC5.1】 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. soc2-risk-registry Risk Registry Risks identified from each risk assessment are documented and maintained.
§ Control Activities\n【CC5.2】 The entity also selects and develops general control activities over technology to support the achievement of objectives. soc2-risk-assess Risk Assessment and Analysis Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted.
§ Control Activities\n【CC5.2】 The entity also selects and develops general control activities over technology to support the achievement of objectives. soc2-risk-mgmt Risk Management Process The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval.
§ Control Activities\n【CC5.2】 The entity also selects and develops general control activities over technology to support the achievement of objectives. soc2-risk-mitigation Risk Mitigation and Monitoring A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk.
§ Control Activities\n【CC5.2】 The entity also selects and develops general control activities over technology to support the achievement of objectives. soc2-risk-registry Risk Registry Risks identified from each risk assessment are documented and maintained.
§ Control Activities\n【CC5.3】 The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. soc2-ism-scope Information Security Program and Scope The organization has an established security program with appropriate controls that are aligned to the organization's objectives and risk posture.
§ Control Activities\n【CC5.3】 The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. soc2-ism-policies Understanding the Policies and Controls/Procedures The organization's security program maintains documentation of high level policies and lower level controls and procedures. The policies and procedures cover the design, development, implementation, operation, maintenance and monitoring of in-scope systems.
§ Control Activities\n【CC5.3】 The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. soc2-policy-mgmt Policy Management Process A formal process is in place to maintain and update security policies, controls and procedures. Policies, controls and procedures are reviewed at least annually.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-asset-digital Digital Asset Inventory All digital and software-defined assets, such as virtual instances and code repositories, are discovered and maintained in an asset inventory system.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-aws Temporary Access to AWS Accounts and Resources Access to AWS cloud infrastructure is configured single sign on roles and temporary trusts. No persistent end-user access is configured.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-customer Platform Customer Access to Systems Customers are granted access to their accounts and data only after successful authentication and authorization through the appropriate applications, either through the web interface or API.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-mfa Multi-factor Authentication Multi-factor authentication (MFA) is required for all users with access to business critical systems.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-password Password Management Strong password management policy is in place.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-phi Access to PHI/ePHI Access to PHI/ePHI is restricted to only individuals with business need and protected by strong access control.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-rbac Role Based Access Control (RBAC) Access to systems and applications are provisioned based on a user's role / group.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-service Service Accounts Service accounts and application credentials are securely managed.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-sso Centralized Access Control and Single Sign On Access to business systems and applications is centrally managed via single sign on (SSO) when possible.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-standards Standards for Access Provisioning The organization incorporates security best practices and standards for provisioning access including unqiue user identification, automatic logoff, and least-privileged access.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-vpn VPN Remote Access Remote access to private and internal systems are configured via encrypted VPN channels.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-wifi Office Network and Wifi Access Office networks, including wireless access, are protected for internal business use only. Guest wireless access is provided on a separate logical network.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-prod Production Access and Secrets Management Production keys and secrets are securely stored and protected.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-access-prod-data Production Data Access Access to production data is highly restricted. Access is reviewed and approved on a case-by-case basis. MFA is required.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-threat-firewall Firewall Protection Firewall protection is enabled across network, host, and application layer.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-threat-nids Network Intrusion Detection Network layer intrusion detection system is implemented.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-threat-hids Host Intrusion Detection Host instrusion detection and malicious activity monitoring agents are installed on endpoint hosts and servers.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-threat-webapp Web Application Protection Web application firewall and denial-of-service protection is enabled for external facing applications.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-data-lifecycle Data Inventory and Lifecycle Management Data is tagged according to its classification, and its lifecycle is defined. Transient and temporary data (or cache) is purged immediately after use.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-data-protection Data Protection Implementation and Processes Data is protected according to its classification and storage capability, including encryption, access control, partitioning/separation, backup/recovery, and monitoring.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-data-protection-at-rest Protecting Data At Rest Sensitive and confidential data is encrypted when stored.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-data-protection-in-transit Protecting Data In Transit Sensitive and confidential data is encrypted when transmitted across networks.
§ Logical And Physical Access Controls\n【CC6.1】 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. soc2-employee-acceptable-use Acceptable Use of End-user Computing Acceptable use policy is in place to guide the organization's personnel on the proper use of information assets and their roles and responsibilities.
§ Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. soc2-access-change Access Establishment, Modification and Termination Changes to pre-established access (configured as part of onboarding) must be requested and approved by the employee's manager or security team prior to granting access. Non-standard access is revoked when no longer needed.
§ Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. soc2-access-review Access Reviews User access permissions are reviewed as part of ongoing security monitoring and whenever an employee's role changes.
§ Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. soc2-audit-internal Manual Internal Auditing Activities The organization performs manual testing and reviews of systems, accounts and controls as needed. The audit may be performed by internal teams or external auditors.
§ Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. soc2-audit-types Types of System Audits The organization has defined auditing processes including system configuration monitoring, activity monitoring, access review, and controls compliance audit.
§ Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. soc2-employee-exiting Employee Exiting/Termination Procedures Employee exiting is coordinated between HR, IT and Security to ensure proper access termination and return of equipment.
§ Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. soc2-employee-onboarding Employee Onboarding Procedures Employee onboarding is coordinated between HR, IT and Security to ensure the appropriate training, access provisioning and system configurations are in place for each new hire.
§ Logical And Physical Access Controls\n【CC6.2】 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. soc2-vendor-ssa Software and Systems Acquisition Process A list of approved software applications and system vendors are in place, with approval process defined for additional acquisition requests.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-access-standards Standards for Access Provisioning The organization incorporates security best practices and standards for provisioning access including unqiue user identification, automatic logoff, and least-privileged access.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-access-change Access Establishment, Modification and Termination Changes to pre-established access (configured as part of onboarding) must be requested and approved by the employee's manager or security team prior to granting access. Non-standard access is revoked when no longer needed.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-access-phi Access to PHI/ePHI Access to PHI/ePHI is restricted to only individuals with business need and protected by strong access control.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-access-rbac Role Based Access Control (RBAC) Access to systems and applications are provisioned based on a user's role / group.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-access-service Service Accounts Service accounts and application credentials are securely managed.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-access-prod-data Production Data Access Access to production data is highly restricted. Access is reviewed and approved on a case-by-case basis. MFA is required.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-ccm-aws Provisioning AWS Accounts AWS configuration is maintained as code and provisioned via automated code deploys.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-data-protection Data Protection Implementation and Processes Data is protected according to its classification and storage capability, including encryption, access control, partitioning/separation, backup/recovery, and monitoring.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-employee-exiting Employee Exiting/Termination Procedures Employee exiting is coordinated between HR, IT and Security to ensure proper access termination and return of equipment.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-model-principles Security Principles The organization incorporates best practices such as least-privilege or zero-trust in its security operating model.
§ Logical And Physical Access Controls\n【CC6.3】 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. soc2-sdlc-iaaa Access Control of the Application (Identification, Authentication, Authorization, Accounting) All external facing applications are required to have appropriate access control implementation to protect non-public user data.
§ Logical And Physical Access Controls\n【CC6.4】 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. soc2-physical Physical Security
§ Logical And Physical Access Controls\n【CC6.4】 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. soc2-physical-datacenter Data Center Security Data center security is ensured by the cloud service provider.
§ Logical And Physical Access Controls\n【CC6.4】 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. soc2-employee-exiting Employee Exiting/Termination Procedures Employee exiting is coordinated between HR, IT and Security to ensure proper access termination and return of equipment.
§ Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. soc2-asset-physical Physical Asset Inventory All physical computing and information processing assets, such as laptops and workstations, are maintained in an asset inventory system.
§ Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. soc2-data-deletion Data Deletion Procedures Data is retained for designated periods of time according to regulatory and/or contractual requirements, and deleted when the retention period expires.
§ Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. soc2-data-handling Data Handling Process Data is handled according to its classification, including defined requirements for labeling, encryption, access control, retention and other applicable processes.
§ Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. soc2-data-lifecycle Data Inventory and Lifecycle Management Data is tagged according to its classification, and its lifecycle is defined. Transient and temporary data (or cache) is purged immediately after use.
§ Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. soc2-mdm-disposal Media Disposal Process Media containing critical / sensitive data (such as PII or ePHI) is disposed securely.
§ Logical And Physical Access Controls\n【CC6.5】 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. soc2-mdm-usb Use of USB Flash Drive and External Storage Device Use of USB flash drive or similar removable storage device to store sensitive and critical data is prohibited and must be handled on an exception basis approved by security.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-access-aws Temporary Access to AWS Accounts and Resources Access to AWS cloud infrastructure is configured single sign on roles and temporary trusts. No persistent end-user access is configured.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-access-mfa Multi-factor Authentication Multi-factor authentication (MFA) is required for all users with access to business critical systems.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-access-service Service Accounts Service accounts and application credentials are securely managed.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-access-standards Standards for Access Provisioning The organization incorporates security best practices and standards for provisioning access including unqiue user identification, automatic logoff, and least-privileged access.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-access-vpn VPN Remote Access Remote access to private and internal systems are configured via encrypted VPN channels.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-access-wifi Office Network and Wifi Access Office networks, including wireless access, are protected for internal business use only. Guest wireless access is provided on a separate logical network.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-data-protection-in-transit Protecting Data In Transit Sensitive and confidential data is encrypted when transmitted across networks.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-sdlc-iaaa Access Control of the Application (Identification, Authentication, Authorization, Accounting) All external facing applications are required to have appropriate access control implementation to protect non-public user data.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-threat-firewall Firewall Protection Firewall protection is enabled across network, host, and application layer.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-threat-hids Host Intrusion Detection Host instrusion detection and malicious activity monitoring agents are installed on endpoint hosts and servers.
§ Logical And Physical Access Controls\n【CC6.6】 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. soc2-threat-nids Network Intrusion Detection Network layer intrusion detection system is implemented.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-access-vpn VPN Remote Access Remote access to private and internal systems are configured via encrypted VPN channels.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-access-prod-data Production Data Access Access to production data is highly restricted. Access is reviewed and approved on a case-by-case basis. MFA is required.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-data-classification Data Classification Model Data classification model is defined to differentiate public, non-public, confidental/sensitive and critical data or information asset.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-data-handling Data Handling Process Data is handled according to its classification, including defined requirements for labeling, encryption, access control, retention and other applicable processes.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-data-lifecycle Data Inventory and Lifecycle Management Data is tagged according to its classification, and its lifecycle is defined. Transient and temporary data (or cache) is purged immediately after use.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-data-protection Data Protection Implementation and Processes Data is protected according to its classification and storage capability, including encryption, access control, partitioning/separation, backup/recovery, and monitoring.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-data-protection-at-rest Protecting Data At Rest Sensitive and confidential data is encrypted when stored.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-data-protection-in-transit Protecting Data In Transit Sensitive and confidential data is encrypted when transmitted across networks.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-data-protection-in-use Protecting Data In Use Audit trail is enabled to monitor data access when in use.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-employee-acceptable-use Acceptable Use of End-user Computing Acceptable use policy is in place to guide the organization's personnel on the proper use of information assets and their roles and responsibilities.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-mdm-byod Support and Management of BYOD Devices BYOD devices are not allowed to connect to production environments containing critical data.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-mdm-disposal Media Disposal Process Media containing critical / sensitive data (such as PII or ePHI) is disposed securely.
§ Logical And Physical Access Controls\n【CC6.7】 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. soc2-mdm-usb Use of USB Flash Drive and External Storage Device Use of USB flash drive or similar removable storage device to store sensitive and critical data is prohibited and must be handled on an exception basis approved by security.
§ Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. soc2-ccm-config Configuration Management Processes Configuration management processes are in place to provision systems and environments according to approved security standards.
§ Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. soc2-ccm-provision-endpoint User Endpoint Security Controls and Configuration End-user computing systems are configured with required baseline security controls including disk encyrption, unique user account and strong password policy, host firewall, screenlock protection, auto-update of security patches, and endpoint security agent for configuration monitoring and malware protection.
§ Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. soc2-ccm-provision-server Server Hardening Guidelines and Processes Server systems are provisioned using pre-approved configurations or images approved by the security team.
§ Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. soc2-mdm-byod Support and Management of BYOD Devices BYOD devices are not allowed to connect to production environments containing critical data.
§ Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. soc2-sdlc-dev Software Development Process A secure software development process, coding standards, and release strategy is established to ensure security is built-in to the products and applications.
§ Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. soc2-sdlc-scm Source Code Management Source code management system with version control is used to maintain software codes
§ Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. soc2-sdlc-foss Free and Open Source Software (FOSS) Security A code analysis tool is in place to analyze open source components for potential security vulnerabilities and licensing issues.
§ Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. soc2-threat-malware Malware Protection Malware protection agent is installed and activated at all times on endpoint devices.
§ Logical And Physical Access Controls\n【CC6.8】 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. soc2-vendor-ssa Software and Systems Acquisition Process A list of approved software applications and system vendors are in place, with approval process defined for additional acquisition requests.
§ System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. soc2-ccm-config Configuration Management Processes Configuration management processes are in place to provision systems and environments according to approved security standards.
§ System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. soc2-ccm-monitor Configuration Monitoring and Auditing Monitoring software is used to monitor infrastructure and software for noncompliance with established configuration standards and security best practices.
§ System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. soc2-vuln-scan Vulnerability Scanning and Infrastructure Security Testing Vulnerability scan is performed at least quarterly for all production systems.
§ System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. soc2-sdlc-pentest Application Penetration Testing Penetration testing is performed for each product at least annually and with major feature changes.
§ System Operations\n【CC7.1】 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. soc2-sdlc-bugbounty Responsible Disclosure and Bug Bounty Program Security team maintains an external/public bug bounty program to enable continuous security testing and vulnerability reporting across major external facing products.
§ System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. soc2-ccm-monitor Configuration Monitoring and Auditing Monitoring software is used to monitor infrastructure and software for noncompliance with established configuration standards and security best practices.
§ System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. soc2-audit-internal Manual Internal Auditing Activities The organization performs manual testing and reviews of systems, accounts and controls as needed. The audit may be performed by internal teams or external auditors.
§ System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. soc2-audit-trails Audit Trails - System and Application Security Events Logging Standard Security events and logs from production systems and applications are captured as audit trails. Audit trails include sufficient data such as timestamp, user id, action taken to establish who did what, when, how.
§ System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. soc2-audit-types Types of System Audits The organization has defined auditing processes including system configuration monitoring, activity monitoring, access review, and controls compliance audit.
§ System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. soc2-events-analysis Security Event Analysis The security team monitors system security events and logs via a combination of automated tools and manual reviews.
§ System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. soc2-threat-nids Network Intrusion Detection Network layer intrusion detection system is implemented.
§ System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. soc2-threat-hids Host Intrusion Detection Host instrusion detection and malicious activity monitoring agents are installed on endpoint hosts and servers.
§ System Operations\n【CC7.2】 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. soc2-threat-siem Centralized Security Information and Event Management Security events are logged and alerts are centrally aggregated for review and remediation.
§ System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. soc2-ir-sirt Security Incident Response Team (SIRT) Incident response team is established and assigned corresponding responsibilities.
§ System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. soc2-ir-process Incident Management Process Incident response / escalation policies and processes are in place for incident reporting, triage, eradication, recovery, and postmortem analysis.
§ System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. soc2-ir-playbook Incident Categories and Playbooks Incident playbooks are created with detailed technical procedures to guide personnel in incident handling according to the incident classification and severity.
§ System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. soc2-ir-records Incident Tracking and Records Each incident is tracked with applicable attributes and notes, and the incident records are stored in an approved ticketing system.
§ System Operations\n【CC7.3】 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. soc2-vuln-remediation Security Findings Reporting, Tracking and Remediation All security vulnerability and findings (for both infrastructure and software) are prioritized and remediated based on its severity and impact, with a defined SLA.
§ System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. soc2-ir-playbook Incident Categories and Playbooks Incident playbooks are created with detailed technical procedures to guide personnel in incident handling according to the incident classification and severity.
§ System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. soc2-ir-process Incident Management Process Incident response / escalation policies and processes are in place for incident reporting, triage, eradication, recovery, and postmortem analysis.
§ System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. soc2-ir-sirt Security Incident Response Team (SIRT) Incident response team is established and assigned corresponding responsibilities.
§ System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. soc2-breach-customer Platform Customer Responsibilities in a Possible Breach Customer responsibilities are defined in the case of a breach related to or resulted from customer activities.
§ System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. soc2-breach-investigate Breach Investigation and Notification Process Investigation and notification process is in place to handle suspected and/or confirmed data breaches.
§ System Operations\n【CC7.4】 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. soc2-breach-letter Sample Notification Letter to Customers in Case of Breach Communication template is in place for external notification of a breach.
§ System Operations\n【CC7.5】 The entity identifies, develops, and implements activities to recover from identified security incidents. soc2-ccm-emergency Emergency Change An emergency change process is in place for break-glass procedure. Details of any emergency change are retroactively documented and approved.
§ System Operations\n【CC7.5】 The entity identifies, develops, and implements activities to recover from identified security incidents. soc2-ir-playbook Incident Categories and Playbooks Incident playbooks are created with detailed technical procedures to guide personnel in incident handling according to the incident classification and severity.
§ System Operations\n【CC7.5】 The entity identifies, develops, and implements activities to recover from identified security incidents. soc2-ir-process Incident Management Process Incident response / escalation policies and processes are in place for incident reporting, triage, eradication, recovery, and postmortem analysis.
§ System Operations\n【CC7.5】 The entity identifies, develops, and implements activities to recover from identified security incidents. soc2-ir-tabletop Tabletop Exercise Tabletop exercises and/or simulated incident drills are performed at least annually to validate and update the incident response process.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-aws Provisioning AWS Accounts AWS configuration is maintained as code and provisioned via automated code deploys.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-aws-deploy Deploying Changes to AWS Cloud infrastructure changes and software code deploys follow a defined change request process with automated and/or manual reviews and approvals.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-config Configuration Management Processes Configuration management processes are in place to provision systems and environments according to approved security standards.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-emergency Emergency Change An emergency change process is in place for break-glass procedure. Details of any emergency change are retroactively documented and approved.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-network Configuration and Management of Network Controls Network devices are configured to remove vendor default security configurations. Network layer security controls are in place to enable traffic filtering/monitoring for applicable environments.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-patch Patch Management Procedures Operating systems on both end-user computing devices and server systems are required to maintain up-to-date security patches in an automated process.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-prodcm Production Deploy / Code Promotion Processes Code deploys to production require an approved change ticket with sufficent details about the code change.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-provision-endpoint User Endpoint Security Controls and Configuration End-user computing systems are configured with required baseline security controls including disk encyrption, unique user account and strong password policy, host firewall, screenlock protection, auto-update of security patches, and endpoint security agent for configuration monitoring and malware protection.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-provision-mgmt Configuration and Provisioning of Management Systems System management tools are provisioned following the same requirements and configurations as any production system.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-provision-prod Production Systems Provisioning Provisioning of any production system or resource requires a change request that is reviewed and approved by both engineering and security.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-ccm-provision-server Server Hardening Guidelines and Processes Server systems are provisioned using pre-approved configurations or images approved by the security team.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-sdlc-appsec-req High Level Application Security Requirements Application security requirements are defined following OWASP Top Ten best practices.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-sdlc-design Secure Design and Application Threat Modeling Security considerations are mandatory as part of new system design and feature development. Threat modeling is jointly performed by security and development teams as needed.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-sdlc-dev Software Development Process A secure software development process, coding standards, and release strategy is established to ensure security is built-in to the products and applications.
§ Change Management\n【CC8.1】 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. soc2-sdlc-scm Source Code Management Source code management system with version control is used to maintain software codes
§ Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. soc2-risk-mgmt Risk Management Process The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval.
§ Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. soc2-risk-assess Risk Assessment and Analysis Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted.
§ Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. soc2-risk-mitigation Risk Mitigation and Monitoring A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk.
§ Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. soc2-risk-registry Risk Registry Risks identified from each risk assessment are documented and maintained.
§ Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. soc2-risk-insurance Cyber Liability Insurance The organization holds cyber liability insurance with sufficient coverage based on its risk profile
§ Risk Mitigation\n【CC9.1】 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. soc2-bcdr BCDR Objectives and Roles Management team develops contingency plans for assignment of responsibility for internal controls with clear objectives and roles.
§ Risk Mitigation\n【CC9.2】 The entity assesses and manages risks associated with vendors and business partners. soc2-compliance-mgmt Compliance Program Management The organization has a program and defined process to manage compliance to applicable regulatory requirements and contractual obligations.
§ Risk Mitigation\n【CC9.2】 The entity assesses and manages risks associated with vendors and business partners. soc2-vendor-contracts Vendor Contractual Agreements Third party vendors are required to sign applicale contractual agreements, such as BAA (for HIPAA), DPA (for GDPR), SLA (for service providers), accepting their responsibilities to meet applicable data protection and privacy requirements.
§ Risk Mitigation\n【CC9.2】 The entity assesses and manages risks associated with vendors and business partners. soc2-vendor-vtr Vendor Risk Assessment Risk assessments are conducted prior to engaging a new technology vendor.
§ Risk Mitigation\n【CC9.2】 The entity assesses and manages risks associated with vendors and business partners. soc2-sdlc-outsourcing Outsourced Software Development Software development performed by contractors or outsourced vendors follow the same secure development standards and requirements.

Share Tweet Send
0 Comments
Loading...