-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Fabien Bloume
committed
Jul 24, 2023
1 parent
b1280fb
commit 5984871
Showing
1 changed file
with
101 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,101 @@ | ||
| # SOC2 | ||
|
|
||
| ## Introduction | ||
|
|
||
| [SOC2](https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report) is an assessment program ran by the [AICPA](https://www.aicpa-cima.com/) | ||
|
|
||
| | SOC | Focus | Restricted Use | Report Content | | ||
| |:------:| :------------: |:------:| :---------:| | ||
| | SOC1 | Internal Controls for financial reporting | Restricted Use, Stakeholders require NDA | Specific detail on controls relevant to financial reporting | | ||
| | SOC2 | Internal Controls for Security, Availability, Confidentiality, Process Integrity, Privacy | Restricted Use, Stakeholders require NDA | Specific detail on each controls for the "Trust Criteria" in scope. | | ||
| | SOC2 | Internal Controls for Security, Availability, Confidentiality, Process Integrity, Privacy | Can be shared publicly unrestricted | General description | | ||
| ### Available assessments | ||
|
|
||
| There is three different SOC assessments : | ||
|
|
||
| - SOC for Service Organizations : Internal report on controls provided by the organization allowing users to assess risks. | ||
|
|
||
| - SOC for Cybersecurity : Reporting framework allowing organizations communicate effectiveness of cybersecurity risk management. | ||
|
|
||
| - SOC for Supply Chain : Internal controls report of controls for producing, manufacturing or distribution of goods. | ||
|
|
||
| ### Report types | ||
| #### Type 1 Report | ||
| - Focus on control design | ||
| - Shorter time to undertake assessment | ||
| - Can be undertaken prior to Type 2 | ||
| - Costs less than Type 2 report | ||
|
|
||
| #### Type 2 Report | ||
| - Focus on operational effectiveness | ||
| - Longer time to undertake assessment | ||
| - Must have at least 6 months evidence | ||
| - Costs more than Type 1 report | ||
|
|
||
| ### Benefits of Being Certified | ||
|
|
||
| - Customer demand | ||
| - Independent security assurance | ||
| - Competitive advantage | ||
| - Regulatory compliance | ||
| - Feedback on operational effectiveness | ||
|
|
||
| ### Example | ||
| [AWS SOC Compliance](https://aws.amazon.com/fr/compliance/soc-faqs/) | ||
|
|
||
| # SOC Trust Criterias | ||
|
|
||
| The first 5 Common Criterias come from the [COSO framework](https://www.coso.org/SitePages/Home.aspx) which represents 17 principles. | ||
| The 4 other Common Criterias (which are all mandatories) are SOC2 specific. | ||
| Additionally, Additional Criterias can be covered if chosen by the company requesting the audit. | ||
|
|
||
| ## Common criterias (CC) | ||
| ### CC1 - Control Environment | ||
| - CC1.1 - Demonstrate commitment to integrity & ethical values | ||
| - CC1.2 - Exercise oversight of internal controls | ||
| - CC1.3 - Establish structures & responsibility to meet objectives | ||
| - CC1.4 - Demonstrate commitment to competence | ||
| - CC1.5 - Enforce accountability | ||
| ### CC2 - Communication & Information | ||
| - CC2.1 - Use quality information to support controls | ||
| - CC2.2 - Communicate internally regarding controls | ||
| - CC2.3 - Communicate externally regarding controls | ||
| ### CC3 - Risk Assessment | ||
| - CC3.1 - Specify clear objectives | ||
| - CC3.2 - Identify and assess risk | ||
| - CC3.3 - Consider fraud risk | ||
| - CC3.4 - Identify and assess significant change | ||
| ### CC4 - Monitoring Activities | ||
| - CC4.1 - Evaluate components of internal controls | ||
| - CC4.2 - Communicate deficiencies in a timely manner | ||
| ### CC5 - Control Activities | ||
| - CC5.1 - Select control activities to mitigate risk | ||
| - CC5.2 - Select general controls over technology | ||
| - CC5.3 - Deploy controls through policies | ||
| ### CC6 - Logical & Physical Access | ||
| - CC6.1 - Protect information assets with logical access security controls | ||
| - CC6.2 - Authorize users before granting access, remove promptly | ||
| - CC6.3 - Apply least privilege and segregation of duties | ||
| - CC6.4 - Restrict physical access to authorized personnel | ||
| - CC6.5 - Remove sensitive data before relaxing physical controls | ||
| - CC6.6 - Implement logical access security measures | ||
| - СС6.7 - Restrict removal of information and protect in transit | ||
| - CC6.8 - Protect against installation of malicious software | ||
| ### CC7 - Logical & Physical Access | ||
| - CC7.1 - Identify changes in configuration and vulnerabilities | ||
| - CC7.2 - Monitor system for anomalies | ||
| - CC7.3 - Evaluate Security incidents | ||
| - CC7.4 - Respond to security incidents using a defined plan | ||
| - CC7.5 - Identify and implement activities to recover from incidents | ||
| ### CC8 - System Operations | ||
| - CC8.1 - Authorize, design, test, approves changes to meet objectives | ||
| ### CC9 - Risk Mitigation | ||
| - CC9.1- Identify and selects risk mitigation activities. | ||
| - CC9.2 - Assess and manage risk from vendors/partners | ||
|
|
||
| ## Additional criterias (AC) | ||
|
|
||
| - Availability | ||
| - Confidentiality | ||
| - Process Integrity | ||
| - Privacy |