SOC 2 Compliance
🔥 Vibe Prompt
"Prepare for SOC 2 Type II audit: controls for Security, Availability, Confidentiality."
SOC 2 Trust Services Criteria
| Criteria | Description | Example Controls |
|----------|-------------|------------------|
| Security | Protected against unauthorized access | Firewall, IAM, MFA, IDS |
| Availability | System available for operation | HA, backup, DR, monitoring |
| Confidentiality | Data classified and protected | Encryption, access control |
| Processing Integrity | Processing complete, accurate | Logging, validation, reconciliation |
| Privacy | PII collected, used, retained properly | Consent, GDPR, data lifecycle |
Key Controls (Security)
```python
# Control: Access Review - quarterly review of all users
from datetime import date, datetime
from flask import Flask, jsonify

app = Flask(__name__)
# db, admin_required, send_email and generate_access_report are the app's own
# helpers and are assumed to be defined elsewhere in the code base.

@app.route('/api/access/review', methods=['POST'])
@admin_required
def access_review():
    # Generate access report
    users = db.execute("SELECT id, email, role, last_login, created_at FROM users ORDER BY role, email").fetchall()
    # Mark inactive users (>90 days no login); accounts that never logged in are
    # measured from creation so they are not silently skipped
    inactive = [u for u in users if (datetime.now() - (u.last_login or u.created_at)).days > 90]
    # Label the period as a calendar quarter (strftime has no quarter directive; '%Y-Q%m' would print the month)
    today = date.today()
    quarter = f"{today.year}-Q{(today.month - 1) // 3 + 1}"
    # Send to security team
    send_email(
        to="security@company.com",
        subject=f"Quarterly Access Review - {quarter}",
        body=generate_access_report(users, inactive)
    )
    return jsonify({"users": len(users), "inactive": len(inactive)})
```
SOC 2 Evidence Collection
```python
# Automated evidence collection
import subprocess
from datetime import date, datetime, timedelta, timezone

# db is the app's database handle and is assumed to be defined elsewhere in the code base.

def now_utc():
    # Timezone-aware ISO-8601 timestamps: unambiguous for the auditor and JSON-serializable
    return datetime.now(timezone.utc).isoformat()

class SOC2Evidence:
    def __init__(self):
        self.evidence = []

    def collect_security(self):
        # Firewall rules (listing iptables needs root / CAP_NET_ADMIN on the host)
        fw_rules = subprocess.run(["iptables", "-L", "-n"], capture_output=True, text=True).stdout
        # Failed logins in the last 24 hours
        failed = db.execute("SELECT COUNT(*) FROM auth_log WHERE success=false AND timestamp > NOW() - INTERVAL '24 hours'").fetchone()[0]
        # MFA usage
        mfa_users = db.execute("SELECT COUNT(*) FROM users WHERE mfa_enabled=true").fetchone()[0]
        total_users = db.execute("SELECT COUNT(*) FROM users").fetchone()[0]
        self.evidence.append({"type": "firewall_rules", "data": fw_rules, "timestamp": now_utc()})
        self.evidence.append({"type": "failed_logins_24h", "data": failed, "timestamp": now_utc()})
        self.evidence.append({"type": "mfa_adoption", "data": f"{mfa_users}/{total_users}", "timestamp": now_utc()})

    def collect_availability(self):
        # Uptime of the host running the collector
        uptime = subprocess.run(["uptime"], capture_output=True, text=True).stdout
        # Successful backups in the last 7 days
        backup = db.execute("SELECT COUNT(*) FROM backup_log WHERE success=true AND timestamp > NOW() - INTERVAL '7 days'").fetchone()[0]
        self.evidence.append({"type": "uptime", "data": uptime, "timestamp": now_utc()})
        self.evidence.append({"type": "backup_success_7d", "data": backup, "timestamp": now_utc()})

    def export(self):
        # Audit period: the trailing 180 days; everything in the dict is plain JSON types
        return {
            "company": "MyApp Inc.",
            "period": f"{date.today() - timedelta(days=180)} to {date.today()}",
            "evidence_count": len(self.evidence),
            "items": self.evidence
        }
```
Control Matrix Example
| Control ID | Control Name | Frequency | Owner | Evidence |
|------------|-------------|-----------|-------|----------|
| CC6.1 | Firewall rules review | Quarterly | Engineering | Firewall config backup |
| CC6.2 | Access termination | Within 24h | HR+IT | HR ticket → IAM deprovision |
| CC6.3 | MFA for admin | Always | Security | IAM MFA report |
| CC7.1 | Vulnerability scan | Weekly | Security | Nessus report |
| CC7.2 | IDS/IPS monitoring | 24/7 | Security | SIEM alerts |
| CC8.1 | Change management | Per change | Engineering | PR + approval in Jira |
| A1.1 | Backup monitoring | Daily | Engineering | Backup success report |
| A1.2 | DR test | Annually | Engineering | DR test report |
SOC 2 vs SOC 1 vs SOC 3
| Aspect | SOC 1 | SOC 2 | SOC 3 |
|--------|-------|-------|-------|
| Focus | Financial controls | Trust Services | Same as SOC 2 |
| Audience | User auditor | Management, customers | General public |
| Distribution | Restricted | Restricted | Public |
| Report Type | Type I/II | Type I/II | Type II only |
Type I vs Type II
| Aspect | Type I | Type II |
|--------|--------|---------|
| Point in time (controls designed properly) | ✅ | ❌ |
| Over a period (controls operating effectively) | ❌ | ✅ |
| Effort | 1-2 months | 6-12 months |
| Cost | Lower | Higher |
| Customer preference | Sometimes | Usually required |
Best Practices
- Start with SOC 2 Type I (design), then Type II (operating)
- Use automated evidence collection (saves months)
- Map controls to TSC criteria clearly
- Run control tests quarterly (not just at audit)
- Remediate findings within SLA (30/60/90 days)
- Use a GRC tool (Vanta, Drata, Secureframe)
- Involve engineering early in control design
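The control matrix above and the practices "run control tests quarterly" and "remediate findings within SLA" can be turned into one executable check. The following is an added example, not code from the page: it maps each control's frequency to a maximum acceptable evidence age (that mapping, in particular treating "Always", "24/7" and "Per change" as needing daily evidence, is an assumption), then reports every control as ok, stale, missing or failed and computes a remediation deadline from the 30/60/90-day SLA tiers. Control IDs, names, frequencies and owners are the page's; the evidence records and the fixed clock are constructed sample data.

```python
# Added example: evaluate the SOC 2 control matrix against collected evidence.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Frequency label -> maximum age of the newest acceptable evidence item.
# Assumption: continuous controls ("Always", "24/7", "Per change", "Within 24h")
# are evidenced by a daily export from IAM / SIEM / CI, so one day is the limit.
MAX_AGE = {
    "Daily": timedelta(days=1),
    "Weekly": timedelta(days=7),
    "Quarterly": timedelta(days=92),
    "Annually": timedelta(days=366),
    "Always": timedelta(days=1),
    "24/7": timedelta(days=1),
    "Per change": timedelta(days=1),
    "Within 24h": timedelta(days=1),
}

# (control id, name, frequency, owner) taken from the control matrix on the page
CONTROL_MATRIX = [
    ("CC6.1", "Firewall rules review", "Quarterly", "Engineering"),
    ("CC6.2", "Access termination", "Within 24h", "HR+IT"),
    ("CC6.3", "MFA for admin", "Always", "Security"),
    ("CC7.1", "Vulnerability scan", "Weekly", "Security"),
    ("CC7.2", "IDS/IPS monitoring", "24/7", "Security"),
    ("CC8.1", "Change management", "Per change", "Engineering"),
    ("A1.1", "Backup monitoring", "Daily", "Engineering"),
    ("A1.2", "DR test", "Annually", "Engineering"),
]

# Remediation SLA in days by finding severity (the 30/60/90 tiers from the page)
SLA_DAYS = {"high": 30, "medium": 60, "low": 90}


@dataclass
class Evidence:
    control_id: str
    collected_at: datetime  # timezone-aware UTC
    passed: bool            # result of the control test recorded with the evidence


def evaluate_controls(matrix, evidence, now):
    """Return {control_id: status}; status is 'ok', 'stale', 'missing' or 'failed'."""
    newest = {}  # keep only the most recent evidence item per control
    for e in evidence:
        cur = newest.get(e.control_id)
        if cur is None or e.collected_at > cur.collected_at:
            newest[e.control_id] = e
    results = {}
    for control_id, _name, frequency, _owner in matrix:
        e = newest.get(control_id)
        if e is None:
            results[control_id] = "missing"          # no evidence at all
        elif now - e.collected_at > MAX_AGE[frequency]:
            results[control_id] = "stale"            # evidence older than the frequency allows
        elif not e.passed:
            results[control_id] = "failed"           # fresh evidence, but the test failed
        else:
            results[control_id] = "ok"
    return results


def remediation_deadline(found_on, severity):
    """Date by which a finding of the given severity must be remediated under the SLA."""
    return found_on + timedelta(days=SLA_DAYS[severity])


# Constructed sample data with a fixed clock so the outcome is reproducible
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_EVIDENCE = [
    Evidence("CC6.1", NOW - timedelta(days=30), True),    # quarterly review, fresh
    Evidence("CC6.3", NOW - timedelta(hours=6), True),    # IAM MFA report, fresh
    Evidence("CC7.1", NOW - timedelta(days=12), True),    # weekly scan skipped a week -> stale
    Evidence("CC7.2", NOW - timedelta(hours=1), True),    # SIEM export, fresh
    Evidence("CC8.1", NOW - timedelta(hours=20), True),   # PR approvals exported today
    Evidence("A1.1", NOW - timedelta(hours=3), False),    # backup report says a job failed
    Evidence("A1.2", NOW - timedelta(days=400), True),    # DR test older than a year -> stale
    # CC6.2 has no evidence record -> missing
]

if __name__ == "__main__":
    for cid, status in evaluate_controls(CONTROL_MATRIX, SAMPLE_EVIDENCE, NOW).items():
        print(f"{cid}: {status}")
    print("high-severity finding due by", remediation_deadline(NOW, "high").date())
```

Anything other than "ok" is a finding; the owner column of the matrix says who gets it, and the SLA tier says when it must be closed, which is exactly the trail a Type II auditor asks for.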
SOC 2: Control Verification for Service Organizations
What is SOC 2?
SOC 2 (Service Organization Control 2) is an audit standard established by the AICPA (American Institute of CPAs) that focuses on a service provider's internal controls; it applies to SaaS, cloud services and data-processing companies.
The Five SOC 2 Trust Principles
| Principle | Description | Implementation Focus |
|:----|:----|:--------|
| Security | Protect systems from unauthorized access | Firewall, IAM, access control |
| Availability | System is available during the agreed time | Redundancy, backups, monitoring |
| Processing Integrity | Data processing is correct and complete | Data validation, audit logs |
| Confidentiality | Protect confidential information | Encryption, access control |
| Privacy | Personal data is collected and used in line with regulations | PII protection, consent management |
SOC 2 Type I vs Type II
| Comparison | Type I | Type II |
|:----|:------|:-------|
| Scope of assessment | Whether the design is appropriate | Both design and operation are effective |
| Assessment period | A single point in time | 6-12 months |
| Difficulty | Lower | Higher |
| Customer acceptance | Lower | Higher (most customers require Type II) |
Next chapter preview: Compliance Automation
Doing compliance by hand is painful. The next chapter shows you how to automate compliance checks with Terraform and CI/CD.