SOC 2 Compliance

🔥 Vibe Prompt

"Prepare for SOC 2 Type II audit: controls for Security, Availability, Confidentiality."

SOC 2 Trust Services Criteria

| Criteria | Description | Example Controls |
|----------|-------------|------------------|
| Security  | Protected against unauthorized access | Firewall, IAM, MFA, IDS |
| Availability | System available for operation | HA, backup, DR, monitoring |
| Confidentiality | Data classified and protected | Encryption, access control |
| Processing Integrity | Processing complete, accurate | Logging, validation, reconciliation |
| Privacy | PII collected, used, retained properly | Consent, GDPR, data lifecycle |

Key Controls (Security)

```python
# Control: Access Review - quarterly review of all users
from datetime import date, datetime

from flask import jsonify

# Assumed to be defined elsewhere in the application: app, admin_required,
# db, send_email and generate_access_report.


@app.route('/api/access/review', methods=['POST'])
@admin_required
def access_review():
    # Generate access report
    users = db.execute("SELECT id, email, role, last_login, created_at FROM users ORDER BY role, email")

    # Mark inactive users (>90 days without a login). Accounts that have never
    # logged in are measured from creation so they are not silently skipped.
    now = datetime.now()
    inactive = [u for u in users if (now - (u.last_login or u.created_at)).days > 90]

    # Label the report with the calendar quarter (strftime has no quarter directive;
    # '%Y-Q%m' would print the month number, not the quarter)
    today = date.today()
    quarter = f"{today.year}-Q{(today.month - 1) // 3 + 1}"

    # Send to security team
    send_email(
        to="security@company.com",
        subject=f"Quarterly Access Review - {quarter}",
        body=generate_access_report(users, inactive)
    )

    return jsonify({"users": len(users), "inactive": len(inactive)})
```
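The review logic above depends on a live database and mail setup. The following is an added example, not code from the page, that isolates the decision rules into a pure, testable function so the control can be exercised in CI: it measures never-logged-in accounts from their creation date, labels the report with the correct quarter, and also lists administrators without MFA (the CC6.3 control from the matrix below). The `User` dataclass and the sample records are constructed for the example; the column names follow the page's query plus the `mfa_enabled` flag the evidence collector uses.

```python
# Added example: pure access-review rules, independent of Flask and the database.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional

INACTIVE_DAYS = 90  # the page's threshold: more than 90 days without a login


@dataclass
class User:
    """Constructed record mirroring the columns the page's query selects."""
    id: int
    email: str
    role: str
    last_login: Optional[datetime]
    created_at: datetime
    mfa_enabled: bool = False


def quarter_label(d: date) -> str:
    """Calendar quarter label such as '2024-Q3' (strftime has no quarter directive)."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def is_inactive(user: User, now: datetime, threshold_days: int = INACTIVE_DAYS) -> bool:
    """Inactive when the last login, or the creation date for accounts that
    never logged in, is older than the threshold."""
    reference = user.last_login or user.created_at
    return (now - reference).days > threshold_days


def review_access(users: List[User], now: datetime) -> dict:
    """Produce the figures a quarterly access review report is built from."""
    inactive = [u for u in users if is_inactive(u, now)]
    admins_without_mfa = [u for u in users if u.role == "admin" and not u.mfa_enabled]
    return {
        "period": quarter_label(now.date()),
        "users": len(users),
        "inactive": sorted(u.email for u in inactive),
        "admins_without_mfa": sorted(u.email for u in admins_without_mfa),
    }


# Constructed sample data: a fixed "now" keeps the result reproducible.
NOW = datetime(2024, 8, 15, 12, 0, 0)
SAMPLE_USERS = [
    User(1, "alice@example.com", "admin", NOW - timedelta(days=3), NOW - timedelta(days=700), True),
    User(2, "bob@example.com", "admin", NOW - timedelta(days=120), NOW - timedelta(days=400), False),
    User(3, "carol@example.com", "user", None, NOW - timedelta(days=200)),
    User(4, "dave@example.com", "user", None, NOW - timedelta(days=10)),
]


def sample_review() -> dict:
    return review_access(SAMPLE_USERS, NOW)


if __name__ == "__main__":
    print(sample_review())
```

Carol has never logged in but her account is 200 days old, so she is flagged; Dave's 10-day-old account is not. Bob is both dormant and an administrator without MFA, which is the combination an auditor will ask about first.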

SOC 2 Evidence Collection

```python
# Automated evidence collection
import subprocess
from datetime import date, datetime, timedelta

# Assumed to be defined elsewhere: db, a DB-API style connection or cursor.


class SOC2Evidence:
    def __init__(self):
        self.evidence = []

    def _add(self, evidence_type, data):
        # Timestamps are stored as ISO strings so export() is JSON-serialisable
        self.evidence.append({"type": evidence_type, "data": data, "timestamp": datetime.now().isoformat()})

    def collect_security(self):
        # Firewall rules (listing iptables needs root; check=True so a failed
        # command raises instead of silently recording empty evidence)
        fw_rules = subprocess.run(["iptables", "-L", "-n"], capture_output=True, text=True, check=True).stdout

        # Failed logins in the last 24 hours
        failed = db.execute("SELECT COUNT(*) FROM auth_log WHERE success=false AND timestamp > NOW() - INTERVAL '24 hours'").fetchone()[0]

        # MFA usage
        mfa_users = db.execute("SELECT COUNT(*) FROM users WHERE mfa_enabled=true").fetchone()[0]
        total_users = db.execute("SELECT COUNT(*) FROM users").fetchone()[0]

        self._add("firewall_rules", fw_rules)
        self._add("failed_logins_24h", failed)
        self._add("mfa_adoption", f"{mfa_users}/{total_users}")

    def collect_availability(self):
        # Uptime of the host the collector runs on
        uptime = subprocess.run(["uptime"], capture_output=True, text=True, check=True).stdout

        # Successful backups in the last 7 days
        backup = db.execute("SELECT COUNT(*) FROM backup_log WHERE success=true AND timestamp > NOW() - INTERVAL '7 days'").fetchone()[0]

        self._add("uptime", uptime)
        self._add("backup_success_7d", backup)

    def export(self):
        # Six-month window, a typical Type II observation period
        return {
            "company": "MyApp Inc.",
            "period": f"{date.today() - timedelta(days=180)} to {date.today()}",
            "evidence_count": len(self.evidence),
            "items": self.evidence
        }
```
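Evidence is only useful to an auditor if it can be shown not to have been edited after collection. The block below is an added example, not code from the page, that extends the collector idea with tamper-evidence: every item carries a SHA-256 digest of its content, and the export carries a manifest digest over all item digests, so a stored bundle can be re-verified later. The `EvidenceBundle` and `verify_bundle` names and the sample firewall output are constructed for this example; in a real deployment the collected strings would come from the commands and queries shown above.

```python
# Added example: evidence bundle with per-item and manifest SHA-256 digests.
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


class EvidenceBundle:
    """Collects evidence items and records a digest of each item's content so
    an exported bundle can be checked for after-the-fact changes."""

    def __init__(self, company: str, period_start: str, period_end: str):
        self.company = company
        self.period_start = period_start
        self.period_end = period_end
        self.items = []

    @staticmethod
    def digest(data: str) -> str:
        return hashlib.sha256(data.encode("utf-8")).hexdigest()

    def add(self, evidence_type: str, data, collected_at: Optional[datetime] = None) -> dict:
        collected_at = collected_at or datetime.now(timezone.utc)
        # Non-string values (counts, dicts) are canonicalised to JSON before hashing
        content = data if isinstance(data, str) else json.dumps(data, sort_keys=True)
        item = {
            "type": evidence_type,
            "data": content,
            "timestamp": collected_at.isoformat(),  # ISO string, JSON-serialisable
            "sha256": self.digest(content),
        }
        self.items.append(item)
        return item

    def export(self) -> str:
        """Serialise the bundle; the manifest digest covers every item digest in order."""
        manifest = self.digest("\n".join(i["sha256"] for i in self.items))
        bundle = {
            "company": self.company,
            "period": f"{self.period_start} to {self.period_end}",
            "evidence_count": len(self.items),
            "manifest_sha256": manifest,
            "items": self.items,
        }
        return json.dumps(bundle, indent=2, sort_keys=True)


def verify_bundle(exported: str) -> bool:
    """Recompute per-item and manifest digests; False if anything was altered."""
    bundle = json.loads(exported)
    for item in bundle["items"]:
        if EvidenceBundle.digest(item["data"]) != item["sha256"]:
            return False
    expected = EvidenceBundle.digest("\n".join(i["sha256"] for i in bundle["items"]))
    return expected == bundle["manifest_sha256"] and bundle["evidence_count"] == len(bundle["items"])


# Constructed sample evidence standing in for the iptables / SQL outputs the page collects
SAMPLE_FW_RULES = "Chain INPUT (policy DROP)\nACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443\n"


def build_sample_bundle() -> str:
    b = EvidenceBundle("MyApp Inc.", "2024-01-01", "2024-06-30")
    when = datetime(2024, 6, 30, 23, 59, tzinfo=timezone.utc)  # fixed time for reproducibility
    b.add("firewall_rules", SAMPLE_FW_RULES, when)
    b.add("failed_logins_24h", 17, when)
    b.add("mfa_adoption", {"enabled": 48, "total": 50}, when)
    return b.export()


def tamper(exported: str) -> str:
    """Simulate someone lowering a recorded failed-login count after collection."""
    bundle = json.loads(exported)
    bundle["items"][1]["data"] = "0"
    return json.dumps(bundle)


if __name__ == "__main__":
    exported = build_sample_bundle()
    print("original verifies:", verify_bundle(exported))
    print("tampered verifies:", verify_bundle(tamper(exported)))
```

Write the manifest digest to a separate, append-only location (a ticket, a signed commit, a WORM bucket) at collection time; the bundle then proves its own integrity to the auditor without trusting the system that produced it.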

Control Matrix Example

| Control ID | Control Name | Frequency | Owner | Evidence |
|------------|-------------|-----------|-------|----------|
| CC6.1 | Firewall rules review | Quarterly | Engineering | Firewall config backup |
| CC6.2 | Access termination | Within 24h | HR+IT | HR ticket → IAM deprovision |
| CC6.3 | MFA for admin | Always | Security | IAM MFA report |
| CC7.1 | Vulnerability scan | Weekly | Security | Nessus report |
| CC7.2 | IDS/IPS monitoring | 24/7 | Security | SIEM alerts |
| CC8.1 | Change management | Per change | Engineering | PR + approval in Jira |
| A1.1 | Backup monitoring | Daily | Engineering | Backup success report |
| A1.2 | DR test | Annually | Engineering | DR test report |

SOC 2 vs SOC 1 vs SOC 3

| Aspect | SOC 1 | SOC 2 | SOC 3 |
|--------|-------|-------|-------|
| Focus | Financial controls | Trust Services | Same as SOC 2 |
| Audience | User auditor | Management, customers | General public |
| Distribution | Restricted | Restricted | Public |
| Report Type | Type I/II | Type I/II | Type II only |

Type I vs Type II

| Aspect | Type I | Type II |
|--------|--------|---------|
| Point in time (controls designed properly) | ✅ | ❌ |
| Over period (controls operating effectively) | ❌ | ✅ |
| Effort | 1-2 months | 6-12 months |
| Cost | Lower | Higher |
| Customer preference | Sometimes | Usually required |

Best Practices

  • Start with SOC 2 Type I (design), then Type II (operating)
  • Use automated evidence collection (saves months)
  • Map controls to TSC criteria clearly
  • Run control tests quarterly (not just at audit)
  • Remediate findings within SLA (30/60/90 days)
  • Use a GRC tool (Vanta, Drata, Secureframe)
  • Involve engineering early in control design
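Two of the practices above, testing controls on their stated frequency and remediating findings within a 30/60/90-day SLA, are easy to automate once the control matrix is data rather than a table in a document. The following added example (not code from the page) encodes the control IDs and frequencies from the Control Matrix above and reports which controls lack fresh evidence and which findings have breached their SLA. The mapping of continuous frequencies ("Always", "24/7", "Per change", "Within 24h") to a 90-day sampling interval, the severity-to-SLA ladder, and the sample controls and findings are assumptions constructed for the example.

```python
# Added example: control test schedule and finding SLA tracker.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Maximum days allowed between two pieces of evidence for each frequency in the
# control matrix. Assumption: continuous controls are sampled every 90 days.
FREQUENCY_DAYS = {
    "Daily": 1, "Weekly": 7, "Quarterly": 90, "Annually": 365,
    "Always": 90, "24/7": 90, "Per change": 90, "Within 24h": 90,
}

# Remediation SLA by severity: the 30/60/90-day ladder from Best Practices (assumed mapping)
SLA_DAYS = {"high": 30, "medium": 60, "low": 90}


@dataclass
class Control:
    control_id: str
    name: str
    frequency: str
    last_evidence: Optional[date]  # None: no evidence collected yet


@dataclass
class Finding:
    control_id: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None: still open


def overdue_controls(controls: List[Control], as_of: date) -> List[str]:
    """Controls whose newest evidence is older than the frequency allows, or missing."""
    overdue = []
    for c in controls:
        limit = FREQUENCY_DAYS[c.frequency]
        if c.last_evidence is None or (as_of - c.last_evidence).days > limit:
            overdue.append(c.control_id)
    return overdue


def sla_breaches(findings: List[Finding], as_of: date) -> List[Tuple[str, str, int]]:
    """Open findings past their SLA and closed findings that were closed late,
    as (control_id, severity, days past deadline)."""
    breaches = []
    for f in findings:
        deadline = f.opened + timedelta(days=SLA_DAYS[f.severity])
        end = f.closed or as_of
        if end > deadline:
            breaches.append((f.control_id, f.severity, (end - deadline).days))
    return breaches


# Constructed sample data
AS_OF = date(2024, 9, 1)
SAMPLE_CONTROLS = [
    Control("CC6.1", "Firewall rules review", "Quarterly", date(2024, 4, 1)),  # 153 days old: overdue
    Control("CC7.1", "Vulnerability scan", "Weekly", date(2024, 8, 28)),       # 4 days old: fine
    Control("A1.1", "Backup monitoring", "Daily", date(2024, 8, 30)),          # 2 days old: overdue
    Control("A1.2", "DR test", "Annually", None),                             # never tested
]
SAMPLE_FINDINGS = [
    Finding("CC7.1", "high", date(2024, 7, 1)),                       # open 62 days, SLA 30
    Finding("CC6.1", "low", date(2024, 7, 1)),                        # open 62 days, SLA 90
    Finding("CC8.1", "medium", date(2024, 5, 1), date(2024, 7, 15)),  # closed after 75 days, SLA 60
]

if __name__ == "__main__":
    print("overdue controls:", overdue_controls(SAMPLE_CONTROLS, AS_OF))
    print("SLA breaches:", sla_breaches(SAMPLE_FINDINGS, AS_OF))
```

Run this from a scheduled job and fail the run when either list is non-empty; that turns "run control tests quarterly" from a calendar reminder into a check that produces its own evidence.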


SOC 2: Control Verification for Service Organizations

What is SOC 2?

SOC 2 (Service Organization Control 2) is an audit standard established by the AICPA (American Institute of Certified Public Accountants). It focuses on the internal controls of service providers and applies to SaaS, cloud service, and data processing companies.

The Five Trust Principles of SOC 2

| Principle | Description | Implementation Focus |
|:----|:----|:--------|
| Security | Protect systems from unauthorized access | Firewall, IAM, access control |
| Availability | System available during the agreed hours | Redundancy, backups, monitoring |
| Processing Integrity | Data processed correctly and completely | Data validation, audit logs |
| Confidentiality | Protect confidential information | Encryption, access control |
| Privacy | Personal data collected and used in line with requirements | PII protection, consent management |

SOC 2 Type I vs Type II

| Comparison | Type I | Type II |
|:----|:------|:-------|
| Scope of assessment | Whether the design is appropriate | Design and operation are both effective |
| Assessment period | Single point in time | 6-12 months |
| Difficulty | Lower | Higher |
| Customer acceptance | Lower | Higher (most customers require Type II) |

Next Chapter Preview: Compliance Automation

Doing compliance manually is painful. The next chapter shows you how to automate compliance checks with Terraform and CI/CD.
