SOC 2 Compliance

🔥 Vibe Prompt

"Prepare for SOC 2 Type II audit: controls for Security, Availability, Confidentiality."

SOC 2 Trust Services Criteria

| Criteria | Description | Example Controls |
|----------|-------------|------------------|
| Security  | Protected against unauthorized access | Firewall, IAM, MFA, IDS |
| Availability | System available for operation | HA, backup, DR, monitoring |
| Confidentiality | Data classified and protected | Encryption, access control |
| Processing Integrity | Processing complete, accurate | Logging, validation, reconciliation |
| Privacy | PII collected, used, retained properly | Consent, GDPR, data lifecycle |

Key Controls (Security)

```python
from datetime import datetime, timezone
from flask import jsonify

# app, db, admin_required, send_email and generate_access_report are the
# application's own objects, defined elsewhere in the code base.

# Control: Access Review - quarterly review of all users
@app.route('/api/access/review', methods=['POST'])
@admin_required
def access_review():
    # Generate access report (rows are assumed to expose columns as attributes,
    # and last_login is assumed to be stored as a timezone-aware UTC timestamp)
    users = db.execute("SELECT id, email, role, last_login, created_at FROM users ORDER BY role, email").fetchall()

    now = datetime.now(timezone.utc)
    # Flag inactive users (>90 days without login). Accounts that have NEVER
    # logged in are included on purpose: they are the ones most often forgotten.
    inactive = [u for u in users
                if u.last_login is None or (now - u.last_login).days > 90]

    # Label the period as a calendar quarter (strftime has no quarter specifier;
    # '%Y-Q%m' would have produced the month number)
    quarter = f"{now.year}-Q{(now.month - 1) // 3 + 1}"

    # Send to security team. The emailed report alone is not the evidence; the
    # reviewer's documented sign-off (and any resulting access changes) is.
    send_email(
        to="security@company.com",
        subject=f"Quarterly Access Review - {quarter}",
        body=generate_access_report(users, inactive)
    )

    return jsonify({"users": len(users), "inactive": len(inactive), "period": quarter})
```

SOC 2 Evidence Collection

```python
import subprocess
from datetime import datetime, date, timedelta, timezone

# db is the application's database handle, defined elsewhere in the code base.

# Automated evidence collection
class SOC2Evidence:
    def __init__(self):
        self.evidence = []

    def _add(self, evidence_type, data):
        # Timestamp every item in UTC (ISO 8601) so the auditor can place it
        # unambiguously inside the review period.
        self.evidence.append({"type": evidence_type, "data": data,
                              "timestamp": datetime.now(timezone.utc).isoformat()})

    def collect_security(self):
        # Firewall rules. `iptables -L` needs root: run the collector with that
        # privilege or via a narrowly scoped sudo rule. check=True makes a failed
        # command raise instead of silently recording empty output as evidence.
        fw_rules = subprocess.run(["iptables", "-L", "-n"], capture_output=True, text=True, check=True).stdout

        # Failed logins
        failed = db.execute("SELECT COUNT(*) FROM auth_log WHERE success=false AND timestamp > NOW() - INTERVAL '24 hours'").fetchone()[0]

        # MFA usage
        mfa_users = db.execute("SELECT COUNT(*) FROM users WHERE mfa_enabled=true").fetchone()[0]
        total_users = db.execute("SELECT COUNT(*) FROM users").fetchone()[0]

        self._add("firewall_rules", fw_rules)
        self._add("failed_logins_24h", failed)
        self._add("mfa_adoption", f"{mfa_users}/{total_users}")

    def collect_availability(self):
        # Uptime
        uptime = subprocess.run(["uptime"], capture_output=True, text=True, check=True).stdout

        # Backup success
        backup = db.execute("SELECT COUNT(*) FROM backup_log WHERE success=true AND timestamp > NOW() - INTERVAL '7 days'").fetchone()[0]

        self._add("uptime", uptime)
        self._add("backup_success_7d", backup)

    def export(self):
        # Type II review periods are typically 6-12 months; 180 days is used here.
        end = date.today()
        return {
            "company": "MyApp Inc.",
            "period": f"{end - timedelta(days=180)} to {end}",
            "evidence_count": len(self.evidence),
            "items": self.evidence
        }
```
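The collector above appends plain dicts to a list, so anyone with write access to the evidence store can edit a number after the fact and nothing would notice. The following is an added example, not code from the original page: a hash-chained, HMAC-keyed evidence ledger with a verify step that detects in-place edits, deletions and reordering. `LEDGER_KEY`, the `EvidenceLedger` class and the sample records are constructed assumptions; in practice the key lives in a secret store, not on the collector host.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Added example: tamper-evident evidence ledger (not from the original page).
# Each record is canonicalised as JSON, hashed, and chained to the previous
# record's MAC; the HMAC key (assumed to live in a secret store, not on the
# collector host) means a host that can write evidence cannot forge history.
LEDGER_KEY = b"placeholder-load-from-your-secret-store"   # assumption


def canonical(record: dict) -> bytes:
    """Deterministic JSON so identical records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLedger:
    GENESIS = "0" * 64   # 'previous MAC' for the first record

    def __init__(self, key: bytes = LEDGER_KEY):
        self.key = key
        self.entries: list[dict] = []

    def _mac(self, digest: str) -> str:
        return hmac.new(self.key, digest.encode(), hashlib.sha256).hexdigest()

    def append(self, evidence_type: str, data, collected_at: datetime | None = None) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        record = {
            "seq": len(self.entries),
            "type": evidence_type,
            "data": data,
            "timestamp": (collected_at or datetime.now(timezone.utc)).isoformat(),
            "prev": prev,
        }
        digest = hashlib.sha256(canonical(record)).hexdigest()
        entry = {**record, "sha256": digest, "mac": self._mac(digest)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """Recompute every hash and MAC in order; return (ok, first_bad_seq)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            record = {k: entry[k] for k in ("seq", "type", "data", "timestamp", "prev")}
            if entry["seq"] != i or entry["prev"] != prev:
                return False, i                       # reordered, spliced or deleted
            digest = hashlib.sha256(canonical(record)).hexdigest()
            if digest != entry["sha256"] or not hmac.compare_digest(self._mac(digest), entry["mac"]):
                return False, i                       # data or MAC altered
            prev = entry["mac"]
        return True, None

    def export(self) -> str:
        return json.dumps({"count": len(self.entries), "entries": self.entries}, indent=2)


def demo_ledger() -> EvidenceLedger:
    """Ledger built from constructed sample evidence (not real collected data)."""
    ledger = EvidenceLedger()
    ledger.append("mfa_adoption", {"enabled": 47, "total": 50})
    ledger.append("failed_logins_24h", 12)
    ledger.append("backup_success_7d", 7)
    return ledger


def tampered_ledger() -> EvidenceLedger:
    """Same ledger after someone 'improves' the MFA figure in place."""
    ledger = demo_ledger()
    ledger.entries[0]["data"]["enabled"] = 50
    return ledger


def dropped_entry_ledger() -> EvidenceLedger:
    """Same ledger with the failed-logins record deleted: the chain breaks at seq 1."""
    ledger = demo_ledger()
    del ledger.entries[1]
    return ledger


if __name__ == "__main__":
    print("intact:", demo_ledger().verify())            # (True, None)
    print("edited:", tampered_ledger().verify())        # (False, 0)
    print("dropped:", dropped_entry_ledger().verify())  # (False, 1)
```

The chain only proves integrity relative to the key holder: whoever has `LEDGER_KEY` can rewrite everything, so keep it with the security team (or an external timestamping/WORM store) rather than on the machine that runs the collector.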

Control Matrix Example

The IDs below are the Trust Services Criteria each control is mapped to (CC6.x logical access, CC7.x system operations, CC8.1 change management, A1.x availability); most organizations also assign their own internal control IDs and keep the TSC reference as a separate column.

| TSC Ref | Control Name | Frequency | Owner | Evidence |
|---------|-------------|-----------|-------|----------|
| CC6.1 | Firewall rules review | Quarterly | Engineering | Firewall config backup |
| CC6.2 | Access termination | Within 24h | HR+IT | HR ticket → IAM deprovision |
| CC6.1 | MFA for admin | Always | Security | IAM MFA report |
| CC7.1 | Vulnerability scan | Weekly | Security | Nessus report |
| CC7.2 | IDS/IPS monitoring | 24/7 | Security | SIEM alerts |
| CC8.1 | Change management | Per change | Engineering | PR + approval in Jira |
| A1.2 | Backup monitoring | Daily | Engineering | Backup success report |
| A1.3 | DR test | Annually | Engineering | DR test report |

SOC 2 vs SOC 1 vs SOC 3

| Aspect | SOC 1 | SOC 2 | SOC 3 |
|--------|-------|-------|-------|
| Focus | Controls relevant to customers' financial reporting | Trust Services Criteria | Same as SOC 2 |
| Audience | User entities and their financial auditors | Management, customers and prospects (usually under NDA) | General public |
| Distribution | Restricted | Restricted | Public |
| Report Type | Type I/II | Type I/II | Type II only (summary, without test detail) |

Type I vs Type II

| Aspect | Type I | Type II |
|--------|--------|---------|
| What is tested | Controls suitably designed at a point in time | Controls suitably designed and operating effectively over a period |
| Observation window | Single date | Review period, typically 6-12 months |
| Effort | 1-2 months | 6-12 months |
| Cost | Lower | Higher |
| Customer preference | Sometimes accepted | Usually required |

Best Practices

  • Start with SOC 2 Type I (design), then Type II (operating)
  • Use automated evidence collection (saves months)
  • Map controls to TSC criteria clearly
  • Run control tests quarterly (not just at audit)
  • Remediate findings within SLA (30/60/90 days)
  • Use a GRC tool (Vanta, Drata, Secureframe)
  • Involve engineering early in control design
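"Remediate findings within SLA (30/60/90 days)" is only a control if something actually measures it, and the auditor will sample both open and closed findings. The following is an added example, not code from the original page: a check that classifies scanner findings as within or over SLA, honours time-boxed risk acceptances (and puts lapsed ones back on the clock), and refuses to guess an SLA for findings with no severity. The severity-to-days mapping and the findings are constructed assumptions that follow the page's 30/60/90-day figures.

```python
from datetime import date, timedelta

# Added example: remediation-SLA check over scan findings (not from the original page).
# Severity-to-days mapping is an assumption following the page's 30/60/90 figures.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 60, "low": 90}

# Constructed findings in the shape a scanner export might be normalised to.
FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical", "first_seen": "2024-01-02", "status": "open"},
    {"id": "F-2", "host": "web-01", "severity": "medium", "first_seen": "2024-02-20", "status": "open"},
    {"id": "F-3", "host": "db-01", "severity": "low", "first_seen": "2023-11-01",
     "status": "fixed", "fixed_on": "2023-12-15"},
    {"id": "F-4", "host": "db-01", "severity": "high", "first_seen": "2024-01-20",
     "status": "risk_accepted", "accepted_until": "2024-06-30"},
    {"id": "F-5", "host": "vpn-01", "severity": "high", "first_seen": "2023-12-01",
     "status": "risk_accepted", "accepted_until": "2024-02-01"},   # acceptance has lapsed
    {"id": "F-6", "host": "ci-01", "severity": "unknown", "first_seen": "2024-02-28", "status": "open"},
]


def evaluate_sla(findings, today: date, sla_days=SLA_DAYS) -> dict:
    """Bucket findings by SLA state; 'effective' is what goes in the control test result."""
    result = {"open_overdue": [], "open_in_sla": [], "fixed_in_sla": [], "fixed_late": [],
              "risk_accepted": [], "unclassified": [], "days_overdue": {}}
    for f in findings:
        days = sla_days.get(f.get("severity"))
        if days is None:
            # No severity means no SLA can be applied; the finding needs triage, not silence
            result["unclassified"].append(f["id"])
            continue
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=days)
        status = f["status"]
        if status == "risk_accepted" and date.fromisoformat(f["accepted_until"]) >= today:
            result["risk_accepted"].append(f["id"])       # time-boxed acceptance still valid
        elif status == "fixed":
            fixed_on = date.fromisoformat(f["fixed_on"])
            result["fixed_in_sla" if fixed_on <= due else "fixed_late"].append(f["id"])
        elif today > due:
            # Open (or acceptance lapsed) and past due: this is an audit exception
            result["open_overdue"].append(f["id"])
            result["days_overdue"][f["id"]] = (today - due).days
        else:
            result["open_in_sla"].append(f["id"])
    result["effective"] = not result["open_overdue"] and not result["fixed_late"]
    return result


def run_sla_check() -> dict:
    """Evaluate the constructed findings at a fixed date so the result is reproducible."""
    return evaluate_sla(FINDINGS, date(2024, 3, 10))


if __name__ == "__main__":
    import json
    print(json.dumps(run_sla_check(), indent=2))
```

Note that a lapsed risk acceptance (F-5) is scored against the original `first_seen` date, not the acceptance expiry: accepting a risk pauses remediation, it does not reset the clock.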

What Is SOC 2?

SOC 2 (System and Organization Controls 2) is an AICPA attestation framework under which an independent CPA firm examines a service organization's controls over the systems and data it handles for customers, measured against the Trust Services Criteria. It is not a certification: the deliverable is the auditor's report, not a certificate.

Trust Service Criteria

| Criteria | What It Ensures |
|----------|----------------|
| Security | Protected against unauthorized access |
| Availability | System is available for operation |
| Processing Integrity | Processing is complete, valid, accurate |
| Confidentiality | Data is restricted to authorized access |
| Privacy | Personal data is collected, used, retained properly |

SOC 2 vs ISO 27001

| Aspect | ISO 27001 | SOC 2 |
|--------|-----------|-------|
| Focus | ISMS (process) | Trust Service Criteria (controls) |
| Report type | Certificate | Attestation report: Type I (point in time) / Type II (over period) |
| Duration | 6-12 months setup | 6-12 months for Type II |
| Best for | Any organization | SaaS, cloud service providers |
| Renewal | Annual surveillance audits, recertification every 3 years | New report for each review period, typically annually |

The 5 Trust Service Criteria

Security (Common Criteria)

| Control | Implementation |
|---------|---------------|
| Access control | MFA, role-based access, least privilege |
| Firewall | Network segmentation, WAF |
| Intrusion detection | SIEM, anomaly detection |
| Encryption | AES-256 at rest, TLS 1.3 in transit |
| Incident response | Documented IR plan, regular drills |

Availability

| Control | Implementation |
|---------|---------------|
| Redundancy | Multi-AZ deployment, failover testing |
| Monitoring | Uptime monitoring, automated alerts |
| Capacity planning | Auto-scaling, regular capacity reviews |
| Backup | Daily backups, tested restoration quarterly |
| SLA | Published availability SLA with penalties |

Processing Integrity

| Control | Implementation |
|---------|---------------|
| Input validation | Pydantic schemas, API validation |
| Error handling | Graceful error handling, retry logic |
| Audit trail | Complete transaction logging |
| Reconciliation | Periodic data reconciliation |

SOC 2 Evidence Collection

```yaml
# evidence-checklist.yaml
security:
  - Access reviews: Quarterly, documented
  - Security training: Annual, tracked per employee
  - Vulnerability scans: Weekly, remediated within SLA

availability:
  - Uptime monitoring: 24/7, < 5 minute alert
  - Incident reports: Every incident documented
  - DR test: Annual, with report

confidentiality:
  - Data classification: Labels applied to all data
  - Encryption at rest: AES-256, for all customer data
  - Encryption in transit: TLS 1.3, enforced

privacy:
  - Privacy policy: Published, reviewed annually
  - Data retention: Documented schedule, automated deletion
  - Consent records: Stored for each data subject
```

Summary

SOC 2 audits service organizations against five trust criteria: security, availability, processing integrity, confidentiality, and privacy. Type II reports provide the highest assurance.

Key takeaways:

  • Five criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
  • SOC 2 Type I: controls suitably designed at a point in time
  • SOC 2 Type II: controls designed and operating effectively over a review period, typically 6-12 months
  • The Common Criteria (Security) are mandatory; the other four categories are included only if in scope
  • Evidence: access reviews, training records, vulnerability scans, incident reports
  • SOC 2 is the de facto standard for SaaS companies handling customer data
  • Continuous monitoring and evidence collection is essential

Next Chapter: PCI DSS

The next chapter covers PCI DSS for payment card data security.
