SOC 2 Compliance
Vibe Prompt
"Prepare for SOC 2 Type II audit: controls for Security, Availability, Confidentiality."
SOC 2 Trust Services Criteria
| Criteria | Description | Example Controls |
|----------|-------------|------------------|
| Security | Protected against unauthorized access | Firewall, IAM, MFA, IDS |
| Availability | System available for operation | HA, backup, DR, monitoring |
| Confidentiality | Data classified and protected | Encryption, access control |
| Processing Integrity | Processing complete, accurate | Logging, validation, reconciliation |
| Privacy | PII collected, used, retained properly | Consent, GDPR, data lifecycle |
Key Controls (Security)
```python
# Control: Access Review - quarterly review of all users
from datetime import date, datetime
from flask import jsonify
# app, db, admin_required, send_email and generate_access_report come from the
# surrounding application and are not shown here.

INACTIVE_DAYS = 90


def quarter_label(d):
    # strftime has no quarter code: '%Y-Q%m' would print the month, not the quarter
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


@app.route('/api/access/review', methods=['POST'])
@admin_required
def access_review():
    # Generate access report
    users = db.execute("SELECT id, email, role, last_login, created_at FROM users ORDER BY role, email").fetchall()
    now = datetime.now()
    # Mark inactive users (>90 days no login); accounts that have never logged in
    # are aged from created_at instead of being silently skipped
    inactive = [u for u in users if (now - (u.last_login or u.created_at)).days > INACTIVE_DAYS]
    # Send to security team
    send_email(
        to="security@company.com",
        subject=f"Quarterly Access Review - {quarter_label(date.today())}",
        body=generate_access_report(users, inactive)
    )
    return jsonify({"users": len(users), "inactive": len(inactive)})
```
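The endpoint above only lists users and emails a report. What an auditor tests under the access-removal criterion is whether people who left still have accounts, so a review worth the quarter reconciles application accounts against the HR roster. The following is an added example, not code from the original page: `Account`, `HrRecord`, the 90-day inactivity rule, the 24-hour deprovisioning SLA and all sample data are constructed for illustration.

```python
# Added example: quarterly access review reconciled against an HR roster.
# Account, HrRecord, the thresholds and the sample data are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVE_DAYS = 90          # no login for longer than this -> candidate for removal
DEPROVISION_SLA_DAYS = 1    # access must be gone within 24h of termination
PRIVILEGED_ROLES = {"admin", "dba"}


@dataclass
class Account:
    email: str
    role: str
    created_at: date
    last_login: Optional[date]   # None means the account has never logged in
    active: bool = True


@dataclass
class HrRecord:
    email: str
    status: str                  # "active" or "terminated"
    termination_date: Optional[date] = None


def quarter_label(d: date) -> str:
    """Calendar quarter label such as 2024-Q2."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def review_access(accounts, hr_records, as_of):
    """Return review findings keyed by category; every list is sorted."""
    hr = {r.email.lower(): r for r in hr_records}
    findings = {
        "terminated_still_active": [],  # (email, days since termination, SLA breached)
        "inactive": [],                 # stale accounts, including never-logged-in
        "no_hr_record": [],             # service/orphan accounts that need an owner
        "privileged": [],               # (email, role) for explicit attestation
    }
    for acct in accounts:
        if not acct.active:
            continue                    # already disabled; nothing to review
        rec = hr.get(acct.email.lower())
        if rec is None:
            findings["no_hr_record"].append(acct.email)
        elif rec.status == "terminated":
            days = (as_of - rec.termination_date).days
            findings["terminated_still_active"].append(
                (acct.email, days, days > DEPROVISION_SLA_DAYS))
        # Never-logged-in accounts are aged from creation so they are not skipped
        last_seen = acct.last_login or acct.created_at
        if (as_of - last_seen).days > INACTIVE_DAYS:
            findings["inactive"].append(acct.email)
        if acct.role in PRIVILEGED_ROLES:
            findings["privileged"].append((acct.email, acct.role))
    for key in findings:
        findings[key].sort()
    return findings


def render_report(findings, as_of):
    """Plain-text report body for the review ticket or security mailbox."""
    lines = [f"Access review {quarter_label(as_of)} (as of {as_of.isoformat()})"]
    for key, items in findings.items():
        lines.append(f"{key}: {len(items)}")
        lines.extend(f"  - {item}" for item in items)
    return "\n".join(lines)


# Constructed sample data
ACCOUNTS = [
    Account("alice@example.com", "admin", date(2022, 1, 10), date(2024, 3, 30)),
    Account("bob@example.com", "engineer", date(2023, 2, 1), date(2023, 12, 1)),
    Account("carol@example.com", "engineer", date(2023, 6, 1), date(2024, 3, 25)),
    Account("dave@example.com", "dba", date(2023, 11, 1), None),
    Account("svc-backup@example.com", "service", date(2023, 1, 1), date(2024, 3, 31)),
    Account("erin@example.com", "engineer", date(2021, 5, 5), date(2023, 1, 1), active=False),
]
HR_ROSTER = [
    HrRecord("alice@example.com", "active"),
    HrRecord("bob@example.com", "active"),
    HrRecord("carol@example.com", "terminated", date(2024, 3, 28)),
    HrRecord("dave@example.com", "active"),
    HrRecord("erin@example.com", "terminated", date(2023, 1, 15)),
]
AS_OF = date(2024, 4, 1)


def run_review():
    return review_access(ACCOUNTS, HR_ROSTER, AS_OF)


if __name__ == "__main__":
    print(render_report(run_review(), AS_OF))
```

On the sample data the review flags carol (terminated four days ago, still active, SLA breached), bob and dave as inactive (dave has never logged in and is aged from creation), the backup service account as having no HR owner, and lists the two privileged accounts for the reviewer to attest explicitly. Each finding maps to evidence an auditor asks for: the terminated-still-active list is the exception list for the access termination control, and the ticket that records who reviewed it closes the loop.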
SOC 2 Evidence Collection
```python
# Automated evidence collection
import subprocess
from datetime import date, datetime, timedelta, timezone
# db is the application's database handle (assumed to exist elsewhere)


class SOC2Evidence:
    def __init__(self):
        self.evidence = []

    def _add(self, evidence_type, data):
        # UTC timestamps: evidence gathered on several hosts must be comparable
        self.evidence.append({"type": evidence_type, "data": data,
                              "timestamp": datetime.now(timezone.utc)})

    def collect_security(self):
        # Firewall rules (listing iptables needs CAP_NET_ADMIN: run the collector
        # as a dedicated service account, never from the web application's user)
        fw_rules = subprocess.run(["iptables", "-L", "-n"],
                                  capture_output=True, text=True, check=True).stdout
        # Failed logins
        failed = db.execute("SELECT COUNT(*) FROM auth_log WHERE success=false AND timestamp > NOW() - INTERVAL '24 hours'").fetchone()[0]
        # MFA usage
        mfa_users = db.execute("SELECT COUNT(*) FROM users WHERE mfa_enabled=true").fetchone()[0]
        total_users = db.execute("SELECT COUNT(*) FROM users").fetchone()[0]
        self._add("firewall_rules", fw_rules)
        self._add("failed_logins_24h", failed)
        self._add("mfa_adoption", f"{mfa_users}/{total_users}")

    def collect_availability(self):
        # Host uptime: shows how long this host has been up, not service
        # availability; pair it with monitoring data for the A1 criteria
        uptime = subprocess.run(["uptime"], capture_output=True, text=True, check=True).stdout
        # Backup success
        backup = db.execute("SELECT COUNT(*) FROM backup_log WHERE success=true AND timestamp > NOW() - INTERVAL '7 days'").fetchone()[0]
        self._add("uptime", uptime)
        self._add("backup_success_7d", backup)

    def export(self):
        return {
            "company": "MyApp Inc.",
            "period": f"{date.today() - timedelta(days=180)} to {date.today()}",
            "evidence_count": len(self.evidence),
            "items": self.evidence
        }
```
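Collected evidence is only useful if nobody could have edited it between collection and the audit. The collector above appends plain dicts to a list; the added example below (not code from the original page) stores each record with a SHA-256 over its canonical JSON plus the hash of the previous record, so an edited value or a dropped record breaks the chain and `verify()` reports where. `EvidenceLedger`, the `evidence-bot` collector identity, the control IDs and the sample values are constructed for the example.

```python
# Added example: tamper-evident evidence ledger (hash chain over canonical JSON).
# The class, the collector identity and the sample records are constructed.
import hashlib
import json
from datetime import date, datetime, timedelta, timezone

GENESIS = "0" * 64   # prev_hash of the first record


class EvidenceLedger:
    def __init__(self, company, collected_by):
        self.company = company
        self.collected_by = collected_by
        self.items = []

    @staticmethod
    def digest(record):
        """SHA-256 over the record minus its own hash, serialized canonically
        (sorted keys, no whitespace) so the digest is reproducible."""
        body = {k: v for k, v in record.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"), default=str)
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def add(self, control_id, evidence_type, data, collected_at=None):
        """Append one evidence record linked to its predecessor; return its hash."""
        ts = collected_at or datetime.now(timezone.utc)
        record = {
            "control_id": control_id,
            "type": evidence_type,
            "data": data,
            "collected_at": ts.isoformat(),
            "collected_by": self.collected_by,
            "prev_hash": self.items[-1]["hash"] if self.items else GENESIS,
        }
        record["hash"] = self.digest(record)
        self.items.append(record)
        return record["hash"]

    def verify(self):
        """Index of the first record whose content or link is broken, or None."""
        prev = GENESIS
        for i, rec in enumerate(self.items):
            if rec.get("prev_hash") != prev or self.digest(rec) != rec.get("hash"):
                return i
            prev = rec["hash"]
        return None

    def export(self, period_end=None, period_days=180):
        end = period_end or date.today()
        return {
            "company": self.company,
            "period": f"{end - timedelta(days=period_days)} to {end}",
            "evidence_count": len(self.items),
            "head_hash": self.items[-1]["hash"] if self.items else GENESIS,
            "items": self.items,
        }


def build_sample_ledger():
    """Constructed evidence set mirroring the collectors on this page."""
    when = datetime(2024, 4, 1, 6, 0, tzinfo=timezone.utc)
    ledger = EvidenceLedger("MyApp Inc.", "evidence-bot")
    ledger.add("CC6.1", "mfa_adoption", {"mfa_users": 48, "total_users": 50}, when)
    ledger.add("CC7.2", "failed_logins_24h", 17, when)
    ledger.add("A1.2", "backup_success_7d", 7, when)
    return ledger


def tamper_demo():
    """Edit a stored value after collection and report where verify() fails."""
    ledger = build_sample_ledger()
    assert ledger.verify() is None
    ledger.items[1]["data"] = 0      # someone "corrects" the failed-login count
    return ledger.verify()            # index of the altered record


if __name__ == "__main__":
    print("tampered record index:", tamper_demo())
    print("head hash:", build_sample_ledger().export(period_end=date(2024, 4, 1))["head_hash"])
```

Publish the head hash (for example in the quarterly review ticket or a signed commit) at the end of each collection run; anyone holding that one value can later re-run `verify()` on the exported JSON and confirm the whole set is what was collected. A record inserted or removed in the middle shifts every later `prev_hash`, so the check catches gaps as well as edits.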
Control Matrix Example
Control IDs refer to the AICPA 2017 Trust Services Criteria; the matrix is an illustrative mapping, not a complete control set.
| Control ID | Control Name | Frequency | Owner | Evidence |
|------------|--------------|-----------|-------|----------|
| CC6.1 | MFA for admin | Always | Security | IAM MFA report |
| CC6.3 | Access termination | Within 24h | HR+IT | HR ticket -> IAM deprovision record |
| CC6.6 | Firewall rules review | Quarterly | Engineering | Firewall config backup |
| CC7.1 | Vulnerability scan | Weekly | Security | Nessus report |
| CC7.2 | IDS/IPS monitoring | 24/7 | Security | SIEM alerts |
| CC8.1 | Change management | Per change | Engineering | PR + approval in Jira |
| A1.2 | Backup monitoring | Daily | Engineering | Backup success report |
| A1.3 | DR test | Annually | Engineering | DR test report |
SOC 2 vs SOC 1 vs SOC 3
| Aspect | SOC 1 | SOC 2 | SOC 3 |
|--------|-------|-------|-------|
| Focus | Internal controls over financial reporting | Trust Services Criteria | Same criteria as SOC 2 |
| Audience | User entities and their financial auditors | Management, customers, prospects (under NDA) | General public |
| Distribution | Restricted | Restricted | Public |
| Report Type | Type I/II | Type I/II | General-use report based on a Type II examination |
Type I vs Type II
| Aspect | Type I | Type II |
|--------|--------|---------|
| What the auditor opines on | Controls suitably designed at a point in time | Controls suitably designed and operating effectively over a period |
| Period covered | Single date | Review period, typically 3-12 months |
| Effort | 1-2 months | 6-12 months |
| Cost | Lower | Higher |
| Customer preference | Sometimes accepted | Usually required |
Best Practices
- Start with SOC 2 Type I (design), then Type II (operating)
- Use automated evidence collection (saves months)
- Map controls to TSC criteria clearly
- Run control tests quarterly (not just at audit)
- Remediate findings within SLA (30/60/90 days)
- Use a GRC tool (Vanta, Drata, Secureframe)
- Involve engineering early in control design
What Is SOC 2?
SOC 2 (System and Organization Controls 2) is an AICPA attestation framework: an independent CPA firm examines a service organization's controls against the Trust Services Criteria and issues a report. It is used mainly by SaaS and cloud providers that store or process customer data.
Trust Service Criteria
| Criteria | What It Ensures |
|----------|-----------------|
| Security | Protected against unauthorized access |
| Availability | System is available for operation |
| Processing Integrity | Processing is complete, valid, accurate |
| Confidentiality | Data is restricted to authorized access |
| Privacy | Personal data is collected, used, retained properly |
SOC 2 vs ISO 27001
| Aspect | ISO 27001 | SOC 2 |
|--------|-----------|-------|
| Focus | ISMS (management system and process) | Trust Services Criteria (controls) |
| Output | Certificate | Attestation report: Type I (point in time) / Type II (over a period) |
| Duration | 6-12 months to build the ISMS | 6-12 months observation period for Type II |
| Best for | Any organization; recognized worldwide | SaaS and cloud service providers, especially with US customers |
| Renewal | Annual surveillance audits, recertification every 3 years | New report for each audit period (typically annual); there is no certificate to renew |
The 5 Trust Service Criteria
Security (Common Criteria)
| Control | Implementation |
|---------|----------------|
| Access control | MFA, role-based access, least privilege |
| Firewall | Network segmentation, WAF |
| Intrusion detection | SIEM, anomaly detection |
| Encryption | AES-256 at rest, TLS 1.3 in transit |
| Incident response | Documented IR plan, regular drills |
Availability
| Control | Implementation |
|---------|----------------|
| Redundancy | Multi-AZ deployment, failover testing |
| Monitoring | Uptime monitoring, automated alerts |
| Capacity planning | Auto-scaling, regular capacity reviews |
| Backup | Daily backups, tested restoration quarterly |
| SLA | Published availability SLA with penalties |
Processing Integrity
| Control | Implementation |
|---------|----------------|
| Input validation | Pydantic schemas, API validation |
| Error handling | Graceful error handling, retry logic |
| Audit trail | Complete transaction logging |
| Reconciliation | Periodic data reconciliation |
SOC 2 Evidence Collection
```yaml
# evidence-checklist.yaml
security:
  - Access reviews: Quarterly, documented
  - Security training: Annual, tracked per employee
  - Vulnerability scans: Weekly, remediated within SLA
availability:
  - Uptime monitoring: 24/7, < 5 minute alert
  - Incident reports: Every incident documented
  - DR test: Annual, with report
confidentiality:
  - Data classification: Labels applied to all data
  - Encryption at rest: AES-256, for all customer data
  - Encryption in transit: TLS 1.3, enforced
privacy:
  - Privacy policy: Published, reviewed annually
  - Data retention: Documented schedule, automated deletion
  - Consent records: Stored for each data subject
```
Summary
SOC 2 audits service organizations against five trust criteria: security, availability, processing integrity, confidentiality, and privacy. Type II reports provide the highest assurance.
Key takeaways:
- Five criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
- SOC 2 Type I: controls designed properly at a point in time
- SOC 2 Type II: controls operating effectively over a review period (typically 6-12 months)
- The Common Criteria (Security) are mandatory; the other four categories are optional
- Evidence: access reviews, training records, vulnerability scans, incident reports
- SOC 2 is the standard for SaaS companies handling customer data
- Continuous monitoring and evidence collection are essential
Next Chapter: PCI DSS
The next chapter covers PCI DSS for payment card data security.