SOC 2 Compliance Implementation Framework
Enterprise-Grade Security Compliance Documentation
A comprehensive framework for achieving and maintaining SOC 2 Type II certification
π Table of Contents
Executive Summary
Purpose
This document establishes the comprehensive framework for implementing, maintaining, and demonstrating SOC 2 Type II compliance across our organization. It serves as the authoritative reference for all security controls, policies, procedures, and evidence collection requirements.
Scope
| Scope Element |
Description |
| Systems |
Production infrastructure, CI/CD pipelines, data processing systems |
| Data |
Customer PII, financial records, business confidential information |
| Personnel |
All employees, contractors, and third-party vendors with system access |
| Locations |
Primary data center, cloud infrastructure (AWS/GCP/Azure), remote offices |
Trust Services Criteria Coverage
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β TRUST SERVICES CRITERIA β
βββββββββββββββββββ¬ββββββββββββββββββ¬ββββββββββββββββββββββββββββββ€
β SECURITY β β AVAILABILITY β β CONFIDENTIALITY β β
β (Required) β (Optional) β (Optional) β
βββββββββββββββββββ΄ββββββββββββββββββ΄ββββββββββββββββββββββββββββββ€
β PROCESSING INTEGRITY β β PRIVACY β β
β (Optional) β (Optional) β
βββββββββββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββββββ
Compliance Timeline
| Phase |
Duration |
Status |
| Gap Assessment |
4 weeks |
β
Complete |
| Control Implementation |
12 weeks |
β
Complete |
| Evidence Collection |
Ongoing |
π In Progress |
| Type I Audit |
2 weeks |
β
Complete |
| Type II Observation Period |
6-12 months |
π In Progress |
| Type II Audit |
4 weeks |
β³ Scheduled |
Project Overview
What is SOC 2?
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how well a service organization manages customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 2 Report Types
Type I Report
- Focus: Design of controls at a specific point in time
- Duration: Single point-in-time assessment
- Purpose: Validates that controls are properly designed
Type II Report
- Focus: Operating effectiveness over a period (6-12 months)
- Duration: Extended observation period
- Purpose: Demonstrates controls work consistently over time
Business Justification
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VALUE PROPOSITION β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β π Competitive Advantage β
β β’ Differentiation in enterprise sales β
β β’ Faster procurement cycles β
β β’ Reduced RFI/RFP burden β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β π Risk Reduction β
β β’ Systematic security improvements β
β β’ Reduced breach probability β
β β’ Lower cyber insurance premiums β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β π€ Customer Trust β
β β’ Third-party validation β
β β’ Transparent security practices β
β β’ Enhanced brand reputation β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Architecture & Infrastructure
System Architecture Overview
βββββββββββββββββββββββ
β CDN / WAF Layer β
β (Cloudflare) β
ββββββββββββ¬βββββββββββ
β
ββββββββββββΌβββββββββββ
β Load Balancer β
β (AWS ALB/NLB) β
ββββββββββββ¬βββββββββββ
β
ββββββββββββββββββββββββββΌβββββββββββββββββββββββββ
β β β
βββββββββββΌββββββββββ βββββββββββΌββββββββββ βββββββββββΌββββββββββ
β Application Tier β β Application Tier β β Application Tier β
β (EKS/ECS) β β (EKS/ECS) β β (EKS/ECS) β
βββββββββββ¬ββββββββββ βββββββββββ¬ββββββββββ βββββββββββ¬ββββββββββ
β β β
ββββββββββββββββββββββββββΌβββββββββββββββββββββββββ
β
ββββββββββββΌβββββββββββ
β Data Layer β
β (RDS/DynamoDB) β
ββββββββββββ¬βββββββββββ
β
ββββββββββββΌβββββββββββ
β Backup/DR β
β (S3/Glacier) β
βββββββββββββββββββββββ
Network Security Architecture
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VPC ARCHITECTURE β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β PUBLIC SUBNET β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β β β NAT GW β β Bastion β β ALB β β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β PRIVATE SUBNET β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β β β App Server β β App Server β β App Server β β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β DATA SUBNET β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β β β Primary DB β β Replica DB β β Cache β β β
β β βββββββββββββββ βββββββββββββββ βββββββββββββββ β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Data Flow Diagram
ββββββββββββ HTTPS/TLS 1.3 ββββββββββββ Internal TLS ββββββββββββ
β Client β ββββββββββββββββββΊ β WAF β βββββββββββββββββΊ β App β
ββββββββββββ ββββββββββββ ββββββ¬ββββββ
β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββ Encrypted ββββββββββββ AES-256 ββββββββββββ
β API β ββββββββββββββββββΊ β Cache β βββββββββββββββββΊ β Database β
ββββββββββββ ββββββββββββ ββββββββββββ
β
βΌ
ββββββββββββββββ
β Encrypted β
β Backup (S3) β
ββββββββββββββββ
Trust Services Criteria Implementation
CC1: Control Environment
The control environment establishes the foundation for all other components of internal control, providing discipline and structure.
CC1.1 - COSO Principle 1: Commitment to Integrity and Ethical Values
| Control ID |
Control Description |
Owner |
Evidence |
| CC1.1.1 |
Code of Conduct policy established and communicated |
HR Director |
Policy document, acknowledgment records |
| CC1.1.2 |
Ethics training completed annually |
HR Director |
Training completion records |
| CC1.1.3 |
Whistleblower program implemented |
Compliance Officer |
Program documentation, incident logs |
CC1.2 - COSO Principle 2: Board of Directors Independence
| Control ID |
Control Description |
Owner |
Evidence |
| CC1.2.1 |
Board oversight of security program |
Board Chair |
Meeting minutes, security reports |
| CC1.2.2 |
Independent audit committee established |
Board Chair |
Committee charter, membership list |
CC1.3 - COSO Principle 3: Management Structure
| Control ID |
Control Description |
Owner |
Evidence |
| CC1.3.1 |
Security roles and responsibilities defined |
CISO |
Organizational chart, job descriptions |
| CC1.3.2 |
Reporting lines established |
CEO |
Org structure documentation |
CC1.4 - COSO Principle 4: Commitment to Competence
| Control ID |
Control Description |
Owner |
Evidence |
| CC1.4.1 |
Security competency requirements defined |
HR Director |
Job specifications |
| CC1.4.2 |
Ongoing training program |
Security Manager |
Training records, certifications |
CC1.5 - COSO Principle 5: Accountability
| Control ID |
Control Description |
Owner |
Evidence |
| CC1.5.1 |
Performance metrics tied to security |
HR Director |
Performance reviews |
| CC1.5.2 |
Security KPIs tracked and reported |
CISO |
Dashboard reports |
| Control ID |
Control Description |
Owner |
Evidence |
| CC2.1.1 |
Data classification scheme implemented |
Data Officer |
Classification policy |
| CC2.1.2 |
Information asset inventory maintained |
IT Manager |
Asset inventory |
CC2.2 - Internal Communication
| Control ID |
Control Description |
Owner |
Evidence |
| CC2.2.1 |
Security policies communicated |
CISO |
Distribution records |
| CC2.2.2 |
Security awareness program |
Security Manager |
Training materials |
CC2.3 - External Communication
| Control ID |
Control Description |
Owner |
Evidence |
| CC2.3.1 |
Privacy notice published |
Legal Counsel |
Website, contracts |
| CC2.3.2 |
Security commitments documented |
Sales Director |
SLAs, contracts |
CC3: Risk Assessment
CC3.1 - Risk Identification
| Control ID |
Control Description |
Owner |
Evidence |
| CC3.1.1 |
Annual risk assessment performed |
Risk Manager |
Risk assessment report |
| CC3.1.2 |
Risk register maintained |
Risk Manager |
Risk register |
| CC3.1.3 |
Threat intelligence program |
Security Analyst |
Intelligence reports |
CC3.2 - Risk Analysis
| Control ID |
Control Description |
Owner |
Evidence |
| CC3.2.1 |
Risk scoring methodology defined |
Risk Manager |
Methodology document |
| CC3.2.2 |
Impact analysis performed |
Risk Manager |
Impact assessments |
CC3.3 - Fraud Risk Assessment
| Control ID |
Control Description |
Owner |
Evidence |
| CC3.3.1 |
Fraud risk factors identified |
Internal Audit |
Fraud risk assessment |
| CC3.3.2 |
Anti-fraud controls implemented |
Finance Director |
Control documentation |
CC3.4 - Change Impact Assessment
| Control ID |
Control Description |
Owner |
Evidence |
| CC3.4.1 |
Change risk evaluation process |
Change Manager |
Change tickets |
| CC3.4.2 |
Regulatory change monitoring |
Compliance Officer |
Compliance calendar |
CC4: Monitoring Activities
CC4.1 - Ongoing Monitoring
| Control ID |
Control Description |
Owner |
Evidence |
| CC4.1.1 |
Continuous control monitoring |
Security Manager |
Monitoring dashboards |
| CC4.1.2 |
Automated compliance checks |
DevSecOps Lead |
Automation scripts |
CC4.2 - Separate Evaluations
| Control ID |
Control Description |
Owner |
Evidence |
| CC4.2.1 |
Internal audits performed |
Internal Audit |
Audit reports |
| CC4.2.2 |
Penetration testing conducted |
Security Manager |
Pentest reports |
CC5: Control Activities
CC5.1 - Selection of Control Activities
| Control ID |
Control Description |
Owner |
Evidence |
| CC5.1.1 |
Controls mapped to risks |
Risk Manager |
Control mapping |
| CC5.1.2 |
Control effectiveness evaluated |
Internal Audit |
Effectiveness reports |
CC5.2 - Technology General Controls
| Control ID |
Control Description |
Owner |
Evidence |
| CC5.2.1 |
SDLC controls implemented |
Dev Manager |
SDLC documentation |
| CC5.2.2 |
Infrastructure controls defined |
IT Director |
Infrastructure policies |
CC6: Logical and Physical Access Controls
CC6.1 - Logical Access Security
| Control ID |
Control Description |
Owner |
Evidence |
| CC6.1.1 |
Access control policy defined |
Security Manager |
Access policy document |
| CC6.1.2 |
Role-based access control (RBAC) |
IT Manager |
RBAC matrix |
| CC6.1.3 |
Least privilege principle enforced |
Security Manager |
Access reviews |
| CC6.1.4 |
Multi-factor authentication (MFA) |
IT Manager |
MFA configuration |
CC6.2 - Access Provisioning
| Control ID |
Control Description |
Owner |
Evidence |
| CC6.2.1 |
Formal access request process |
IT Manager |
Access request tickets |
| CC6.2.2 |
Manager approval required |
Department Heads |
Approval workflows |
| CC6.2.3 |
Quarterly access reviews |
Security Manager |
Review reports |
CC6.3 - Access Revocation
| Control ID |
Control Description |
Owner |
Evidence |
| CC6.3.1 |
Termination checklist |
HR Director |
Termination records |
| CC6.3.2 |
Same-day access removal |
IT Manager |
Deprovisioning logs |
CC6.4 - Physical Access
| Control ID |
Control Description |
Owner |
Evidence |
| CC6.4.1 |
Badge access system |
Facilities Manager |
Badge logs |
| CC6.4.2 |
Visitor management |
Facilities Manager |
Visitor logs |
| CC6.4.3 |
Data center security |
IT Director |
DC audit reports |
CC6.5 - Encryption
| Control ID |
Control Description |
Owner |
Evidence |
| CC6.5.1 |
Data encrypted at rest (AES-256) |
Security Architect |
Encryption configuration |
| CC6.5.2 |
Data encrypted in transit (TLS 1.3) |
Security Architect |
SSL certificates |
| CC6.5.3 |
Key management procedures |
Security Manager |
Key management policy |
CC7: System Operations
CC7.1 - Vulnerability Management
| Control ID |
Control Description |
Owner |
Evidence |
| CC7.1.1 |
Vulnerability scanning (weekly) |
Security Analyst |
Scan reports |
| CC7.1.2 |
Penetration testing (annual) |
Security Manager |
Pentest reports |
| CC7.1.3 |
Patch management process |
IT Manager |
Patch records |
CC7.2 - Security Monitoring
| Control ID |
Control Description |
Owner |
Evidence |
| CC7.2.1 |
SIEM implementation |
SOC Manager |
SIEM alerts/reports |
| CC7.2.2 |
24/7 security monitoring |
SOC Manager |
SOC shift schedules |
| CC7.2.3 |
Intrusion detection/prevention |
Security Architect |
IDS/IPS logs |
CC7.3 - Incident Detection
| Control ID |
Control Description |
Owner |
Evidence |
| CC7.3.1 |
Security event correlation |
SOC Manager |
Correlation rules |
| CC7.3.2 |
Anomaly detection |
Security Analyst |
Alert configurations |
CC7.4 - Incident Response
| Control ID |
Control Description |
Owner |
Evidence |
| CC7.4.1 |
Incident response plan |
Security Manager |
IR plan document |
| CC7.4.2 |
IR team defined |
CISO |
Team roster |
| CC7.4.3 |
Incident classification |
SOC Manager |
Classification matrix |
CC7.5 - Incident Recovery
| Control ID |
Control Description |
Owner |
Evidence |
| CC7.5.1 |
Recovery procedures documented |
IT Director |
Recovery runbooks |
| CC7.5.2 |
Post-incident reviews |
Security Manager |
PIR reports |
CC8: Change Management
| Control ID |
Control Description |
Owner |
Evidence |
| CC8.1.1 |
Change management policy |
Change Manager |
CM policy |
| CC8.1.2 |
Change request process |
Change Manager |
Change tickets |
| CC8.1.3 |
Testing requirements |
QA Manager |
Test results |
| CC8.1.4 |
Rollback procedures |
DevOps Lead |
Rollback documentation |
| CC8.1.5 |
Emergency change process |
Change Manager |
Emergency change logs |
CC9: Risk Mitigation
CC9.1 - Risk Mitigation Activities
| Control ID |
Control Description |
Owner |
Evidence |
| CC9.1.1 |
Risk treatment plans |
Risk Manager |
Treatment plans |
| CC9.1.2 |
Business continuity planning |
BC Manager |
BCP document |
| CC9.1.3 |
Disaster recovery planning |
IT Director |
DR plan |
CC9.2 - Vendor Risk Management
| Control ID |
Control Description |
Owner |
Evidence |
| CC9.2.1 |
Vendor risk assessments |
Vendor Manager |
Assessment reports |
| CC9.2.2 |
Vendor due diligence |
Procurement |
Due diligence records |
| CC9.2.3 |
Contract security requirements |
Legal Counsel |
Contract templates |
Control Framework
Control Categories
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β CONTROL FRAMEWORK β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββββββββ ββββββββββββββββββββ ββββββββββββββββββββ β
β β PREVENTIVE β β DETECTIVE β β CORRECTIVE β β
β β CONTROLS β β CONTROLS β β CONTROLS β β
β ββββββββββββββββββββ€ ββββββββββββββββββββ€ ββββββββββββββββββββ€ β
β β β’ Access Control β β β’ Log Monitoring β β β’ IR Procedures β β
β β β’ Encryption β β β’ SIEM Alerts β β β’ Patch Mgmt β β
β β β’ Firewalls β β β’ Vuln Scanning β β β’ Recovery Plans β β
β β β’ MFA β β β’ Auditing β β β’ Remediation β β
β β β’ Policies β β β’ File Integrity β β β’ Root Cause β β
β ββββββββββββββββββββ ββββββββββββββββββββ ββββββββββββββββββββ β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Control Implementation Status
| Category |
Total Controls |
Implemented |
In Progress |
Planned |
| CC1 - Control Environment |
12 |
12 |
0 |
0 |
| CC2 - Communication |
8 |
8 |
0 |
0 |
| CC3 - Risk Assessment |
10 |
9 |
1 |
0 |
| CC4 - Monitoring |
6 |
6 |
0 |
0 |
| CC5 - Control Activities |
8 |
7 |
1 |
0 |
| CC6 - Access Controls |
15 |
15 |
0 |
0 |
| CC7 - System Operations |
14 |
13 |
1 |
0 |
| CC8 - Change Management |
5 |
5 |
0 |
0 |
| CC9 - Risk Mitigation |
6 |
6 |
0 |
0 |
| TOTAL |
84 |
81 |
3 |
0 |
Policies & Procedures
Required Policy Framework
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β POLICY HIERARCHY β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β βββββββββββββββββββββββββββ β
β β Information Security β β
β β Master Policy β β
β βββββββββββββ¬ββββββββββββββ β
β β β
β ββββββββββββββββββββββββΌβββββββββββββββββββββββ β
β β β β β
β ββββββββΌβββββββ ββββββββΌβββββββ ββββββββΌβββββββ β
β β Domain β β Domain β β Domain β β
β β Policies β β Policies β β Policies β β
β ββββββββ¬βββββββ ββββββββ¬βββββββ ββββββββ¬βββββββ β
β β β β β
β ββββββββΌβββββββ ββββββββΌβββββββ ββββββββΌβββββββ β
β β Standards β β Standards β β Standards β β
β ββββββββ¬βββββββ ββββββββ¬βββββββ ββββββββ¬βββββββ β
β β β β β
β ββββββββΌβββββββ ββββββββΌβββββββ ββββββββΌβββββββ β
β β Procedures β β Procedures β β Procedures β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Policy Documentation Matrix
| Policy Name |
Version |
Owner |
Last Review |
Next Review |
TSC Mapping |
| Information Security Policy |
3.0 |
CISO |
2024-01-15 |
2025-01-15 |
All |
| Acceptable Use Policy |
2.1 |
IT Director |
2024-02-01 |
2025-02-01 |
CC1, CC6 |
| Access Control Policy |
2.5 |
Security Manager |
2024-01-20 |
2025-01-20 |
CC6 |
| Data Classification Policy |
2.0 |
Data Officer |
2024-03-01 |
2025-03-01 |
CC2, CC6 |
| Encryption Policy |
2.2 |
Security Architect |
2024-02-15 |
2025-02-15 |
CC6 |
| Incident Response Policy |
3.1 |
SOC Manager |
2024-01-10 |
2025-01-10 |
CC7 |
| Change Management Policy |
2.0 |
Change Manager |
2024-02-20 |
2025-02-20 |
CC8 |
| Business Continuity Policy |
2.3 |
BC Manager |
2024-01-25 |
2025-01-25 |
CC9, A1 |
| Vendor Management Policy |
1.5 |
Vendor Manager |
2024-03-10 |
2025-03-10 |
CC9 |
| Privacy Policy |
2.4 |
Privacy Officer |
2024-02-28 |
2025-02-28 |
P1-P8 |
| Password Policy |
2.1 |
Security Manager |
2024-01-05 |
2025-01-05 |
CC6 |
| Remote Access Policy |
2.0 |
IT Director |
2024-03-05 |
2025-03-05 |
CC6 |
| Backup Policy |
1.8 |
IT Manager |
2024-02-10 |
2025-02-10 |
A1 |
| SDLC Policy |
2.2 |
Dev Manager |
2024-01-30 |
2025-01-30 |
CC5, CC8 |
| Physical Security Policy |
1.5 |
Facilities Manager |
2024-03-15 |
2025-03-15 |
CC6 |
Key Policy Summaries
Purpose: Establish the organizationβs approach to information security and define the framework for protecting information assets.
Key Requirements:
- Annual security awareness training for all employees
- Risk assessments conducted at least annually
- Security incidents reported within 24 hours
- Third-party access requires security review
- Data classified according to sensitivity
Access Control Policy
Purpose: Define requirements for granting, modifying, and revoking access to systems and data.
Key Requirements:
- All access follows least privilege principle
- Manager approval required for access requests
- Multi-factor authentication for all remote access
- Quarterly access reviews conducted
- Terminated access removed within 24 hours
Incident Response Policy
Purpose: Establish procedures for detecting, responding to, and recovering from security incidents.
Key Requirements:
- Incident classification within 1 hour of detection
- Executive notification for critical incidents
- Post-incident review within 5 business days
- Evidence preservation requirements
- External notification requirements (regulatory, customer)
Technical Implementation
Security Technology Stack
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SECURITY TECHNOLOGY STACK β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β IDENTITY & ACCESS NETWORK SECURITY DATA PROTECTION β
β βββββββββββββββββββ βββββββββββββββββββ ββββββββββββββββββββ
β β β’ Okta (IdP) β β β’ Cloudflare β β β’ AWS KMS ββ
β β β’ AWS IAM β β β’ AWS WAF β β β’ HashiCorp ββ
β β β’ Privileged β β β’ VPC/Security β β Vault ββ
β β Access Mgmt β β Groups β β β’ TLS 1.3 ββ
β βββββββββββββββββββ βββββββββββββββββββ ββββββββββββββββββββ
β β
β MONITORING & LOGGING ENDPOINT SECURITY VULNERABILITY β
β βββββββββββββββββββ βββββββββββββββββββ ββββββββββββββββββββ
β β β’ Splunk SIEM β β β’ CrowdStrike β β β’ Qualys ββ
β β β’ CloudTrail β β β’ Jamf (macOS) β β β’ Snyk ββ
β β β’ Datadog β β β’ Intune β β β’ Dependabot ββ
β β β’ PagerDuty β β β’ DLP β β β’ Tenable ββ
β βββββββββββββββββββ βββββββββββββββββββ ββββββββββββββββββββ
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Infrastructure as Code Security
# Example: Terraform Security Configuration
# terraform/modules/security/main.tf
resource "aws_kms_key" "encryption_key" {
description = "KMS key for data encryption"
deletion_window_in_days = 30
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "Enable IAM User Permissions"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${var.account_id}:root"
}
Action = "kms:*"
Resource = "*"
}
]
})
tags = {
Environment = var.environment
Compliance = "SOC2"
ManagedBy = "Terraform"
}
}
resource "aws_security_group" "app_sg" {
name = "${var.environment}-app-sg"
description = "Security group for application tier"
vpc_id = var.vpc_id
# Ingress: Only allow HTTPS from load balancer
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
security_groups = [aws_security_group.alb_sg.id]
description = "HTTPS from ALB"
}
# Egress: Controlled outbound access
egress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "HTTPS outbound"
}
tags = {
Name = "${var.environment}-app-sg"
Compliance = "SOC2"
}
}
CI/CD Security Pipeline
# .github/workflows/security-pipeline.yml
name: Security Pipeline
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run SAST (Semgrep)
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/secrets
p/owasp-top-ten
- name: Run Dependency Check
uses: snyk/actions/node@master
env:
SNYK_TOKEN: $
with:
args: --severity-threshold=high
- name: Container Scan (Trivy)
uses: aquasecurity/trivy-action@master
with:
image-ref: $
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Infrastructure Scan (Checkov)
uses: bridgecrewio/checkov-action@master
with:
directory: terraform/
framework: terraform
output_format: sarif
- name: Upload SARIF results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
compliance-check:
runs-on: ubuntu-latest
needs: security-scan
steps:
- name: SOC2 Compliance Validation
run: |
# Validate encryption requirements
./scripts/validate-encryption.sh
# Validate access controls
./scripts/validate-access-controls.sh
# Validate logging configuration
./scripts/validate-logging.sh
- name: Generate Compliance Report
run: |
./scripts/generate-compliance-report.sh
- name: Upload Compliance Artifacts
uses: actions/upload-artifact@v3
with:
name: compliance-report
path: reports/compliance-*.pdf
Logging Architecture
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β LOGGING ARCHITECTURE β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ β
β β Apps β β Network β β Database β β Cloud β β
β β Logs β β Logs β β Logs β β Logs β β
β βββββββ¬βββββββ βββββββ¬βββββββ βββββββ¬βββββββ βββββββ¬βββββββ β
β β β β β β
β βββββββββββββββββ΄ββββββββββββββββ΄ββββββββββββββββ β
β β β
β βββββββββββββΌββββββββββββ β
β β Log Aggregator β β
β β (Fluentd/Vector) β β
β βββββββββββββ¬ββββββββββββ β
β β β
β ββββββββββββββββββββΌβββββββββββββββββββ β
β β β β β
β ββββββββΌβββββββ ββββββββΌβββββββ ββββββββΌβββββββ β
β β Splunk β β S3 Archive β β Alerting β β
β β (SIEM) β β (Long-term)β β (PagerDuty)β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Log Retention Policy:
βββ Security Logs: 1 year (hot) + 6 years (archive)
βββ Application Logs: 90 days (hot) + 1 year (archive)
βββ Access Logs: 1 year (hot) + 6 years (archive)
βββ Audit Logs: 1 year (hot) + 7 years (archive)
Encryption Standards
| Data State |
Encryption Method |
Key Size |
Key Management |
| At Rest (Database) |
AES-256-GCM |
256-bit |
AWS KMS |
| At Rest (Files) |
AES-256 |
256-bit |
AWS KMS |
| At Rest (Backups) |
AES-256 |
256-bit |
AWS KMS |
| In Transit (External) |
TLS 1.3 |
256-bit |
ACM |
| In Transit (Internal) |
mTLS |
256-bit |
HashiCorp Vault |
| In Transit (API) |
TLS 1.3 |
256-bit |
ACM |
| Secrets |
AES-256-GCM |
256-bit |
HashiCorp Vault |
Risk Management
Risk Assessment Framework
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β RISK ASSESSMENT PROCESS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ β
β β IDENTIFY βββββΆβ ANALYZE βββββΆβ EVALUATE β β
β β Risks β β Risks β β Risks β β
β βββββββββββββββ βββββββββββββββ ββββββββ¬βββββββ β
β β β
β βββββββββββββββ βββββββββββββββ ββββββββΌβββββββ β
β β MONITOR ββββββ RESPOND ββββββ PRIORITIZE β β
β β Risks β β to Risks β β Risks β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Risk Scoring Matrix
IMPACT
ββββββββββ¬βββββββββ¬βββββββββ¬βββββββββ¬βββββββββ
β Very β β β β Very β
β Low β Low β Medium β High β High β
β (1) β (2) β (3) β (4) β (5) β
βββββββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββ€
βVery High β 5 β 10 β 15 β 20 β 25 β
β (5) β LOW β MED β HIGH β CRIT β CRIT β
βββββββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββ€
β High β 4 β 8 β 12 β 16 β 20 β
Lβ (4) β LOW β MED β HIGH β HIGH β CRIT β
IβββββββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββ€
Kβ Medium β 3 β 6 β 9 β 12 β 15 β
Eβ (3) β LOW β LOW β MED β HIGH β HIGH β
LβββββββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββ€
Iβ Low β 2 β 4 β 6 β 8 β 10 β
Hβ (2) β LOW β LOW β LOW β MED β MED β
OβββββββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββΌβββββββββ€
OβVery Low β 1 β 2 β 3 β 4 β 5 β
Dβ (1) β LOW β LOW β LOW β LOW β LOW β
βββββββββββββ΄βββββββββ΄βββββββββ΄βββββββββ΄βββββββββ΄βββββββββ
Top Risks Register
| Risk ID |
Risk Description |
Likelihood |
Impact |
Score |
Treatment |
Owner |
Status |
| R-001 |
Unauthorized data access |
Medium (3) |
Very High (5) |
15 |
Mitigate |
CISO |
Active |
| R-002 |
Ransomware attack |
Medium (3) |
Very High (5) |
15 |
Mitigate |
Security Mgr |
Active |
| R-003 |
Third-party breach |
Medium (3) |
High (4) |
12 |
Transfer |
Vendor Mgr |
Active |
| R-004 |
Insider threat |
Low (2) |
High (4) |
8 |
Mitigate |
HR Director |
Active |
| R-005 |
DDoS attack |
Medium (3) |
Medium (3) |
9 |
Mitigate |
IT Director |
Active |
| R-006 |
Data loss |
Low (2) |
Very High (5) |
10 |
Mitigate |
IT Manager |
Active |
| R-007 |
Compliance violation |
Low (2) |
High (4) |
8 |
Avoid |
Compliance |
Active |
| R-008 |
Key person dependency |
Medium (3) |
Medium (3) |
9 |
Mitigate |
HR Director |
Active |
Risk Treatment Strategies
| Strategy |
Description |
Example |
| Avoid |
Eliminate the risk by removing the cause |
Discontinue use of legacy systems |
| Mitigate |
Reduce likelihood or impact through controls |
Implement MFA, encryption |
| Transfer |
Shift risk to third party |
Cyber insurance, outsourcing |
| Accept |
Acknowledge and monitor low-priority risks |
Document acceptance decision |
Audit Preparation
Audit Timeline
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AUDIT TIMELINE β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β WEEK -8 WEEK -4 WEEK -2 WEEK 0 WEEK +2 β
β β β β β β β
β βΌ βΌ βΌ βΌ βΌ β
β ββββββββ ββββββββ ββββββββ ββββββββ ββββββββ β
β βPrep β βEvidenceβ βReadinessβ β Audit β βReportβ β
β βStart β ββββΆ βCollectβ ββββΆβReview βββββΆβ Week β ββββΆβReviewβ β
β ββββββββ ββββββββ ββββββββ ββββββββ ββββββββ β
β β
β Activities: Activities: Activities: Activities: Activities: β
β β’ Scope β’ Pull logs β’ Dry run β’ Interviews β’ Review β
β β’ Planning β’ Compile β’ Gap fixes β’ Walkthroughsβ’ Remediate β
β β’ Team prep β’ Organize β’ Final prep β’ Testing β’ Sign-off β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Evidence Requirements by Control Category
| Control Category |
Evidence Types |
Collection Frequency |
Responsible Party |
| CC1 - Control Environment |
Policies, org charts, training records |
Quarterly |
HR, Compliance |
| CC2 - Communication |
Policy acknowledgments, meeting minutes |
Quarterly |
Compliance |
| CC3 - Risk Assessment |
Risk assessments, risk register |
Annually |
Risk Manager |
| CC4 - Monitoring |
Audit reports, monitoring dashboards |
Monthly |
Internal Audit |
| CC5 - Control Activities |
SDLC docs, approval workflows |
Per change |
Dev Manager |
| CC6 - Access Controls |
Access reviews, provisioning tickets |
Quarterly |
IT Manager |
| CC7 - System Operations |
Vuln scans, incident reports, SIEM logs |
Weekly/Monthly |
Security Team |
| CC8 - Change Management |
Change tickets, approval records |
Per change |
Change Manager |
| CC9 - Risk Mitigation |
Vendor assessments, BCP/DR tests |
Annually |
Risk Manager |
Auditor Request List (Sample)
## Standard Auditor Requests
### Governance & Organization
- [ ] Organizational chart with security reporting lines
- [ ] Board/management meeting minutes discussing security
- [ ] Security committee charter and meeting minutes
- [ ] Job descriptions for security-related roles
### Policies & Procedures
- [ ] All security policies (current versions)
- [ ] Policy acknowledgment records
- [ ] Policy exception process and log
- [ ] Annual policy review evidence
### Access Management
- [ ] User access listing for in-scope systems
- [ ] Access provisioning tickets (sample)
- [ ] Access review documentation
- [ ] Terminated user access removal evidence
- [ ] Privileged access listing
### Change Management
- [ ] Change management policy
- [ ] Sample of change tickets
- [ ] Emergency change documentation
- [ ] CAB meeting minutes
### Incident Management
- [ ] Incident response plan
- [ ] Incident log for audit period
- [ ] Sample incident documentation
- [ ] Post-incident review reports
### Vulnerability Management
- [ ] Vulnerability scan reports (monthly)
- [ ] Penetration test reports
- [ ] Remediation tracking documentation
- [ ] Patch management records
### Business Continuity
- [ ] Business continuity plan
- [ ] Disaster recovery plan
- [ ] BCP/DR test results
- [ ] Backup verification records
### Vendor Management
- [ ] Critical vendor listing
- [ ] Vendor risk assessments
- [ ] Vendor SOC reports
- [ ] Contract security requirements
Continuous Monitoring
Monitoring Dashboard Metrics
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SECURITY MONITORING DASHBOARD β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ β
β β VULNERABILITIES β β INCIDENTS MTD β β CONTROL STATUS β β
β β βββββ β β βββββ β β βββββ β β
β β β 12β Critical β β β 3 β P1 β β β97%β Effectiveβ β
β β βββββ β β βββββ β β βββββ β β
β β βββββ β β βββββ β β βββββ β β
β β β 47β High β β β 8 β P2 β β β 3%β Remediateβ β
β β βββββ β β βββββ β β βββββ β β
β βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ β
β β
β βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ β
β β PATCH COMPLIANCEβ β ACCESS REVIEWS β β TRAINING COMPL. β β
β β βββββ β β βββββ β β βββββ β β
β β β94%β Servers β β β100%β Completeβ β β 98%β Completeβ β
β β βββββ β β βββββ β β βββββ β β
β β βββββ β β βββββ β β βββββ β β
β β β91%β Workstns β β β Q1 β Current β β β 2% β Overdue β β
β β βββββ β β βββββ β β βββββ β β
β βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Automated Compliance Checks
# compliance_monitor.py - Automated Compliance Checking
import boto3
from datetime import datetime, timedelta
import json
class SOC2ComplianceMonitor:
"""Automated SOC2 compliance monitoring system."""
def __init__(self):
self.checks = []
self.findings = []
def check_encryption_at_rest(self) -> dict:
"""CC6.5.1 - Verify all S3 buckets have encryption enabled."""
s3 = boto3.client('s3')
buckets = s3.list_buckets()['Buckets']
non_compliant = []
for bucket in buckets:
try:
encryption = s3.get_bucket_encryption(Bucket=bucket['Name'])
except s3.exceptions.ClientError:
non_compliant.append(bucket['Name'])
return {
'control': 'CC6.5.1',
'status': 'PASS' if not non_compliant else 'FAIL',
'total_buckets': len(buckets),
'non_compliant': non_compliant,
'timestamp': datetime.utcnow().isoformat()
}
def check_mfa_enabled(self) -> dict:
"""CC6.1.4 - Verify MFA is enabled for all IAM users."""
iam = boto3.client('iam')
users = iam.list_users()['Users']
non_compliant = []
for user in users:
mfa = iam.list_mfa_devices(UserName=user['UserName'])
if not mfa['MFADevices']:
non_compliant.append(user['UserName'])
return {
'control': 'CC6.1.4',
'status': 'PASS' if not non_compliant else 'FAIL',
'total_users': len(users),
'non_compliant': non_compliant,
'timestamp': datetime.utcnow().isoformat()
}
def check_cloudtrail_enabled(self) -> dict:
"""CC7.2.1 - Verify CloudTrail is enabled in all regions."""
ct = boto3.client('cloudtrail')
trails = ct.describe_trails()['trailList']
multi_region = any(t.get('IsMultiRegionTrail') for t in trails)
logging_enabled = all(
ct.get_trail_status(Name=t['Name'])['IsLogging']
for t in trails
)
return {
'control': 'CC7.2.1',
'status': 'PASS' if multi_region and logging_enabled else 'FAIL',
'multi_region_trail': multi_region,
'logging_enabled': logging_enabled,
'timestamp': datetime.utcnow().isoformat()
}
def check_access_key_rotation(self, max_age_days: int = 90) -> dict:
"""CC6.2.3 - Verify access keys are rotated within policy."""
iam = boto3.client('iam')
users = iam.list_users()['Users']
non_compliant = []
cutoff = datetime.utcnow() - timedelta(days=max_age_days)
for user in users:
keys = iam.list_access_keys(UserName=user['UserName'])
for key in keys['AccessKeyMetadata']:
if key['CreateDate'].replace(tzinfo=None) < cutoff:
non_compliant.append({
'user': user['UserName'],
'key_id': key['AccessKeyId'],
'age_days': (datetime.utcnow() -
key['CreateDate'].replace(tzinfo=None)).days
})
return {
'control': 'CC6.2.3',
'status': 'PASS' if not non_compliant else 'FAIL',
'max_age_days': max_age_days,
'non_compliant': non_compliant,
'timestamp': datetime.utcnow().isoformat()
}
def run_all_checks(self) -> dict:
"""Execute all compliance checks."""
results = {
'encryption': self.check_encryption_at_rest(),
'mfa': self.check_mfa_enabled(),
'cloudtrail': self.check_cloudtrail_enabled(),
'key_rotation': self.check_access_key_rotation()
}
passed = sum(1 for r in results.values() if r['status'] == 'PASS')
total = len(results)
return {
'summary': {
'passed': passed,
'failed': total - passed,
'total': total,
'compliance_rate': f"{(passed/total)*100:.1f}%"
},
'details': results,
'generated_at': datetime.utcnow().isoformat()
}
if __name__ == '__main__':
monitor = SOC2ComplianceMonitor()
report = monitor.run_all_checks()
print(json.dumps(report, indent=2, default=str))
Incident Response
Incident Response Plan Overview
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β INCIDENT RESPONSE LIFECYCLE β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββ β
β βPREPARATIONββββββΆβDETECTION ββββββΆβCONTAINMENTβββββΆβERADICATIONβ β
β ββββββββββββ ββββββββββββ ββββββββββββ ββββββ¬ββββββ β
β β² β β
β β ββββββββββββ ββββββββββββ β β
β βββββββββββββ LESSONS βββββββ RECOVERY ββββββββββββ β
β β LEARNED β ββββββββββββ β
β ββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Incident Classification Matrix
| Severity |
Description |
Response Time |
Notification |
Examples |
| P1 - Critical |
Active breach, data exfiltration |
15 minutes |
Executive, Legal, Customers |
Ransomware, active intrusion |
| P2 - High |
Significant threat, potential breach |
1 hour |
CISO, Security Team |
Malware detection, compromised credentials |
| P3 - Medium |
Contained threat, policy violation |
4 hours |
Security Manager |
Failed attack, phishing attempt |
| P4 - Low |
Minor issue, informational |
24 hours |
Security Analyst |
Vulnerability disclosure, suspicious activity |
Incident Response Team
| Role |
Primary |
Backup |
Contact |
| Incident Commander |
CISO |
Security Manager |
ir-commander@company.com |
| Technical Lead |
Security Architect |
Senior Engineer |
ir-tech@company.com |
| Communications Lead |
PR Director |
Marketing VP |
ir-comms@company.com |
| Legal Counsel |
General Counsel |
External Counsel |
ir-legal@company.com |
| Executive Sponsor |
CTO |
CEO |
ir-exec@company.com |
Incident Response Playbook (Ransomware)
## Ransomware Incident Response Playbook
### Phase 1: Detection & Initial Response (0-15 minutes)
1. [ ] Confirm ransomware indicators (encrypted files, ransom note)
2. [ ] Alert Incident Commander immediately
3. [ ] Activate IR team via PagerDuty
4. [ ] Begin incident documentation
### Phase 2: Containment (15-60 minutes)
1. [ ] Isolate affected systems from network
2. [ ] Disable affected user accounts
3. [ ] Block known malicious IPs/domains
4. [ ] Preserve forensic evidence (memory dumps, disk images)
5. [ ] Identify patient zero and attack vector
### Phase 3: Eradication (1-24 hours)
1. [ ] Remove malware from all affected systems
2. [ ] Reset credentials for affected accounts
3. [ ] Patch exploited vulnerabilities
4. [ ] Scan all systems for indicators of compromise
5. [ ] Verify eradication completeness
### Phase 4: Recovery (24-72 hours)
1. [ ] Restore systems from clean backups
2. [ ] Verify data integrity
3. [ ] Monitor for reinfection
4. [ ] Gradually restore network connectivity
5. [ ] Validate business operations
### Phase 5: Post-Incident (72+ hours)
1. [ ] Conduct post-incident review (within 5 days)
2. [ ] Update IR procedures based on lessons learned
3. [ ] Brief executive team and board
4. [ ] File regulatory notifications if required
5. [ ] Update threat intelligence
Vendor Management
Vendor Risk Assessment Framework
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VENDOR RISK ASSESSMENT PROCESS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ β
β β VENDOR ββββΆβ RISK ββββΆβ DUE ββββΆβ CONTRACT β β
β βIDENTIFICATION β TIERING β β DILIGENCE β β NEGOTIATIONβ β
β ββββββββββββββ ββββββββββββββ ββββββββββββββ βββββββ¬βββββββ β
β β β
β ββββββββββββββ ββββββββββββββ ββββββββββββββ β β
β β ANNUAL βββββ ONGOING βββββ ONBOARDING βββββββββββ β
β β REVIEW β β MONITORING β β β β
β ββββββββββββββ ββββββββββββββ ββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Vendor Tiering Criteria
| Tier |
Risk Level |
Data Access |
Criteria |
Assessment Frequency |
| Tier 1 |
Critical |
Customer PII, Financial |
Cloud infrastructure, payment processors |
Annual + continuous |
| Tier 2 |
High |
Internal sensitive data |
SaaS applications, HR systems |
Annual |
| Tier 3 |
Medium |
Limited internal data |
Productivity tools, analytics |
Biennial |
| Tier 4 |
Low |
No sensitive data |
Office supplies, facilities |
Initial only |
Critical Vendor Inventory
| Vendor |
Service |
Tier |
SOC Report |
Last Assessment |
Next Assessment |
| AWS |
Cloud Infrastructure |
1 |
SOC 2 Type II |
2024-03-15 |
2025-03-15 |
| Okta |
Identity Provider |
1 |
SOC 2 Type II |
2024-02-20 |
2025-02-20 |
| Datadog |
Monitoring |
2 |
SOC 2 Type II |
2024-04-10 |
2025-04-10 |
| GitHub |
Source Control |
2 |
SOC 2 Type II |
2024-01-25 |
2025-01-25 |
| Slack |
Communication |
2 |
SOC 2 Type II |
2024-05-01 |
2025-05-01 |
| Salesforce |
CRM |
2 |
SOC 2 Type II |
2024-03-01 |
2025-03-01 |
| Stripe |
Payments |
1 |
SOC 2 Type II, PCI DSS |
2024-02-15 |
2025-02-15 |
Vendor Security Requirements
## Minimum Vendor Security Requirements
### Tier 1 Vendors (Critical)
- [ ] SOC 2 Type II report (current within 12 months)
- [ ] Penetration test results (annual)
- [ ] Business continuity/disaster recovery plan
- [ ] Incident response plan
- [ ] Encryption at rest and in transit
- [ ] MFA for all administrative access
- [ ] Background checks for personnel
- [ ] Right to audit clause
- [ ] Cyber insurance ($5M minimum)
- [ ] Data processing agreement (DPA)
### Tier 2 Vendors (High)
- [ ] SOC 2 Type II report OR completed security questionnaire
- [ ] Encryption in transit (minimum)
- [ ] MFA for administrative access
- [ ] Incident notification requirements
- [ ] Data processing agreement (if applicable)
### Tier 3 Vendors (Medium)
- [ ] Security questionnaire completion
- [ ] Basic security controls verification
- [ ] Contractual security requirements
### Tier 4 Vendors (Low)
- [ ] Standard terms review
- [ ] No additional security requirements
Evidence Collection
Evidence Collection Matrix
| Control Area |
Evidence Type |
Source System |
Collection Method |
Frequency |
| Access Control |
User listings |
Okta, AWS IAM |
API export |
Monthly |
| Access Control |
Access reviews |
ServiceNow |
Ticket export |
Quarterly |
| Access Control |
Termination evidence |
Workday, Okta |
Report + logs |
Per event |
| Change Management |
Change tickets |
Jira |
API export |
Per change |
| Change Management |
Approval records |
Jira |
Workflow export |
Per change |
| Vulnerability Mgmt |
Scan reports |
Qualys |
Automated export |
Weekly |
| Vulnerability Mgmt |
Pentest reports |
External vendor |
Manual upload |
Annual |
| Incident Response |
Incident tickets |
PagerDuty |
API export |
Per incident |
| Logging |
Log samples |
Splunk |
Query export |
Monthly |
| Training |
Completion records |
LMS |
Report export |
Quarterly |
| Policy |
Acknowledgments |
DocuSign |
Report export |
Annual |
| Backup |
Verification tests |
AWS Backup |
Automated report |
Weekly |
Evidence Repository Structure
evidence/
βββ 2024/
β βββ Q1/
β β βββ CC1-Control-Environment/
β β β βββ org-chart-2024-01.pdf
β β β βββ security-training-completion.xlsx
β β β βββ policy-acknowledgments.pdf
β β βββ CC6-Access-Controls/
β β β βββ user-access-review-Q1.xlsx
β β β βββ terminated-users-jan.pdf
β β β βββ terminated-users-feb.pdf
β β β βββ terminated-users-mar.pdf
β β β βββ privileged-access-list.xlsx
β β βββ CC7-System-Operations/
β β β βββ vuln-scan-jan.pdf
β β β βββ vuln-scan-feb.pdf
β β β βββ vuln-scan-mar.pdf
β β β βββ incident-log-Q1.xlsx
β β β βββ patching-records-Q1.xlsx
β β βββ CC8-Change-Management/
β β βββ change-tickets-sample.pdf
β β βββ cab-meeting-minutes.pdf
β βββ Q2/
β βββ Q3/
β βββ Q4/
βββ policies/
β βββ information-security-policy-v3.0.pdf
β βββ access-control-policy-v2.5.pdf
β βββ ...
βββ annual/
β βββ risk-assessment-2024.pdf
β βββ pentest-report-2024.pdf
β βββ bcp-dr-test-2024.pdf
β βββ vendor-assessments/
βββ README.md
Evidence Automation Script
# evidence_collector.py - Automated Evidence Collection
import boto3
import requests
from datetime import datetime
import os
import json
class EvidenceCollector:
"""Automated SOC2 evidence collection system."""
def __init__(self, output_dir: str = './evidence'):
self.output_dir = output_dir
self.timestamp = datetime.utcnow().strftime('%Y-%m-%d')
def collect_iam_users(self) -> str:
"""CC6.1 - Collect IAM user listing."""
iam = boto3.client('iam')
users = iam.list_users()['Users']
user_data = []
for user in users:
groups = iam.list_groups_for_user(UserName=user['UserName'])
policies = iam.list_attached_user_policies(UserName=user['UserName'])
mfa = iam.list_mfa_devices(UserName=user['UserName'])
user_data.append({
'username': user['UserName'],
'created': user['CreateDate'].isoformat(),
'last_activity': user.get('PasswordLastUsed', 'Never').isoformat()
if hasattr(user.get('PasswordLastUsed'), 'isoformat')
else 'Never',
'groups': [g['GroupName'] for g in groups['Groups']],
'policies': [p['PolicyName'] for p in policies['AttachedPolicies']],
'mfa_enabled': len(mfa['MFADevices']) > 0
})
filename = f"{self.output_dir}/CC6/iam-users-{self.timestamp}.json"
self._save_json(user_data, filename)
return filename
def collect_cloudtrail_events(self, days: int = 30) -> str:
"""CC7.2 - Collect CloudTrail audit events sample."""
ct = boto3.client('cloudtrail')
events = ct.lookup_events(
LookupAttributes=[
{'AttributeKey': 'EventName', 'AttributeValue': 'ConsoleLogin'}
],
MaxResults=50
)
filename = f"{self.output_dir}/CC7/cloudtrail-logins-{self.timestamp}.json"
self._save_json(events['Events'], filename)
return filename
def collect_security_groups(self) -> str:
"""CC6.4 - Collect security group configurations."""
ec2 = boto3.client('ec2')
sgs = ec2.describe_security_groups()['SecurityGroups']
filename = f"{self.output_dir}/CC6/security-groups-{self.timestamp}.json"
self._save_json(sgs, filename)
return filename
def collect_encryption_status(self) -> str:
"""CC6.5 - Collect encryption configuration evidence."""
s3 = boto3.client('s3')
rds = boto3.client('rds')
# S3 bucket encryption
buckets = s3.list_buckets()['Buckets']
s3_encryption = []
for bucket in buckets:
try:
enc = s3.get_bucket_encryption(Bucket=bucket['Name'])
s3_encryption.append({
'bucket': bucket['Name'],
'encrypted': True,
'algorithm': enc['ServerSideEncryptionConfiguration']
})
except:
s3_encryption.append({
'bucket': bucket['Name'],
'encrypted': False
})
# RDS encryption
instances = rds.describe_db_instances()['DBInstances']
rds_encryption = [{
'instance': i['DBInstanceIdentifier'],
'encrypted': i['StorageEncrypted'],
'kms_key': i.get('KmsKeyId', 'N/A')
} for i in instances]
evidence = {
's3_encryption': s3_encryption,
'rds_encryption': rds_encryption,
'collected_at': self.timestamp
}
filename = f"{self.output_dir}/CC6/encryption-status-{self.timestamp}.json"
self._save_json(evidence, filename)
return filename
def _save_json(self, data: dict, filename: str):
"""Save data to JSON file."""
os.makedirs(os.path.dirname(filename), exist_ok=True)
with open(filename, 'w') as f:
json.dump(data, f, indent=2, default=str)
def run_collection(self) -> dict:
"""Run all evidence collection tasks."""
results = {
'iam_users': self.collect_iam_users(),
'cloudtrail': self.collect_cloudtrail_events(),
'security_groups': self.collect_security_groups(),
'encryption': self.collect_encryption_status()
}
manifest = {
'collection_date': self.timestamp,
'files': results
}
self._save_json(manifest, f"{self.output_dir}/manifest-{self.timestamp}.json")
return manifest
if __name__ == '__main__':
collector = EvidenceCollector()
results = collector.run_collection()
print(json.dumps(results, indent=2))
Metrics & KPIs
Security Metrics Dashboard
| Metric |
Target |
Current |
Trend |
Status |
| Mean Time to Detect (MTTD) |
< 24 hours |
4.2 hours |
β |
π’ |
| Mean Time to Respond (MTTR) |
< 4 hours |
2.1 hours |
β |
π’ |
| Mean Time to Remediate (MTTR) |
< 30 days |
18 days |
β |
π’ |
| Critical Vulnerabilities |
0 |
0 |
β |
π’ |
| High Vulnerabilities |
< 10 |
7 |
β |
π’ |
| Patch Compliance (Critical) |
100% in 72h |
98% |
β |
π‘ |
| Patch Compliance (High) |
100% in 14d |
94% |
β |
π‘ |
| Security Training Completion |
100% |
98% |
β |
π‘ |
| Phishing Test Failure Rate |
< 5% |
3.2% |
β |
π’ |
| Access Review Completion |
100% |
100% |
β |
π’ |
| Privileged Access Reviews |
100% |
100% |
β |
π’ |
| MFA Adoption |
100% |
100% |
β |
π’ |
| Vendor Assessments Current |
100% |
95% |
β |
π‘ |
| Control Effectiveness |
> 95% |
97% |
β |
π’ |
| Audit Findings (Open) |
0 Critical |
0 |
β |
π’ |
Compliance Scorecard
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β COMPLIANCE SCORECARD β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Overall Compliance Score: 96.4% β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββ 96.4% β
β β
β By Trust Services Criteria: β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Security (CC) βββββββββββββββββββββββββββββββββββ 97% β β
β β Availability (A) βββββββββββββββββββββββββββββββββββ 95% β β
β β Confidentiality (C) βββββββββββββββββββββββββββββββββββ 98% β β
β β Processing Int. (PI) βββββββββββββββββββββββββββββββββββ 94% β β
β β Privacy (P) βββββββββββββββββββββββββββββββββββ 97% β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Control Status: β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Effective: 81 controls ββββββββββββββββββββββββββββ 96% β β
β β In Remediation: 3 controls ββ 4% β β
β β Not Tested: 0 controls 0% β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Executive Reporting Template
## Monthly Security & Compliance Report
### Period: [Month Year]
#### Executive Summary
- Overall compliance posture: **Strong (96.4%)**
- Critical findings: **0**
- Incidents this period: **3 (all P3/P4)**
- Audit readiness: **On Track**
#### Key Metrics
| Metric | This Month | Last Month | Change |
|--------|------------|------------|--------|
| Security Incidents | 3 | 5 | β 40% |
| Vulnerabilities Remediated | 142 | 118 | β 20% |
| Phishing Test Pass Rate | 96.8% | 95.2% | β 1.6% |
| Control Effectiveness | 97% | 96% | β 1% |
#### Notable Activities
1. Completed quarterly access review
2. Conducted tabletop DR exercise
3. Remediated 12 high vulnerabilities
4. Updated incident response playbooks
#### Upcoming Activities
1. Annual penetration test (Week 2)
2. SOC 2 Type II audit kickoff (Week 3)
3. Security awareness training refresh
#### Action Items for Leadership
- [ ] Approve updated security budget
- [ ] Review and sign updated policies
Compliance Roadmap
Implementation Timeline
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SOC 2 COMPLIANCE ROADMAP β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β PHASE 1: FOUNDATION (Months 1-3) β
β ββββββββββββββββββββββββββββββββ β
β βββ Month 1: Gap Assessment & Scoping β
β β βββ Define scope and boundaries β
β β βββ Select Trust Services Criteria β
β β βββ Conduct gap assessment β
β β βββ Develop remediation roadmap β
β βββ Month 2: Policy Development β
β β βββ Draft/update security policies β
β β βββ Define roles and responsibilities β
β β βββ Establish governance structure β
β βββ Month 3: Control Design β
β βββ Design control framework β
β βββ Map controls to TSC β
β βββ Define evidence requirements β
β β
β PHASE 2: IMPLEMENTATION (Months 4-6) β
β ββββββββββββββββββββββββββββββββββββ β
β βββ Month 4: Technical Controls β
β β βββ Implement access controls β
β β βββ Deploy monitoring solutions β
β β βββ Configure encryption β
β βββ Month 5: Process Controls β
β β βββ Implement change management β
β β βββ Establish incident response β
β β βββ Deploy vulnerability management β
β βββ Month 6: Administrative Controls β
β βββ Conduct security training β
β βββ Implement vendor management β
β βββ Establish risk management β
β β
β PHASE 3: TYPE I AUDIT (Months 7-8) β
β ββββββββββββββββββββββββββββββββββ β
β βββ Month 7: Audit Preparation β
β β βββ Collect evidence β
β β βββ Conduct internal audit β
β β βββ Remediate gaps β
β βββ Month 8: Type I Audit β
β βββ Auditor fieldwork β
β βββ Management responses β
β βββ Report issuance β
β β
β PHASE 4: OBSERVATION PERIOD (Months 9-14) β
β ββββββββββββββββββββββββββββββββββββββββββ β
β βββ Continuous control operation β
β βββ Evidence collection β
β βββ Internal monitoring β
β βββ Gap remediation β
β β
β PHASE 5: TYPE II AUDIT (Months 15-16) β
β ββββββββββββββββββββββββββββββββββββ β
β βββ Month 15: Audit Preparation β
β β βββ Evidence compilation β
β β βββ Readiness assessment β
β β βββ Final remediation β
β βββ Month 16: Type II Audit β
β βββ Auditor testing β
β βββ Control effectiveness validation β
β βββ Final report issuance β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Maturity Model
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SECURITY MATURITY MODEL β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Level 5: OPTIMIZING ββββββββ
β β’ Continuous improvement β ββ
β β’ Predictive security β ββ
β β’ Industry leadership β ββ
β β ββ
β Level 4: MANAGED βββ CURRENT STATE βββββββ€ ββ
β β’ Metrics-driven β β ββ
β β’ Proactive security β β ββ
β β’ Automated controls β β ββ
β β β ββ
β Level 3: DEFINED βββββββ€ β ββ
β β’ Documented processes β β β ββ
β β’ Consistent execution β β β ββ
β β’ Regular training β β β ββ
β β β β ββ
β Level 2: DEVELOPING βββββββ€ β β ββ
β β’ Basic policies β β β β ββ
β β’ Reactive security β β β β ββ
β β’ Ad-hoc processes β β β β ββ
β β β β β ββ
β Level 1: INITIAL βββββββ€ β β β ββ
β β’ No formal program β β β β β ββ
β β’ Minimal awareness β β β β β ββ
β β β β β β ββ
β ββββββββββββββββββββββββββββββββββββββββ΄ββββββ΄ββββββ΄ββββββ΄ββββββ΄βββββββ
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Appendices
Appendix A: Glossary of Terms
| Term |
Definition |
| AICPA |
American Institute of Certified Public Accountants |
| CAB |
Change Advisory Board |
| CISO |
Chief Information Security Officer |
| COSO |
Committee of Sponsoring Organizations |
| DLP |
Data Loss Prevention |
| DPA |
Data Processing Agreement |
| IDS/IPS |
Intrusion Detection/Prevention System |
| MFA |
Multi-Factor Authentication |
| MTTR |
Mean Time to Respond/Remediate |
| RBAC |
Role-Based Access Control |
| SDLC |
Software Development Lifecycle |
| SIEM |
Security Information and Event Management |
| SOC |
System and Organization Controls |
| TSC |
Trust Services Criteria |
| WAF |
Web Application Firewall |
Appendix B: Regulatory Mapping
| SOC 2 Control |
ISO 27001 |
NIST CSF |
GDPR |
HIPAA |
| CC6.1 (Access Control) |
A.9 |
PR.AC |
Art. 32 |
Β§164.312(a) |
| CC6.5 (Encryption) |
A.10 |
PR.DS |
Art. 32 |
Β§164.312(a)(2)(iv) |
| CC7.1 (Vulnerability Mgmt) |
A.12.6 |
ID.RA |
Art. 32 |
Β§164.308(a)(1)(ii)(A) |
| CC7.4 (Incident Response) |
A.16 |
RS.RP |
Art. 33 |
Β§164.308(a)(6) |
| CC8.1 (Change Mgmt) |
A.14.2 |
PR.IP |
Art. 32 |
Β§164.308(a)(8) |
Appendix C: Document Control
| Version |
Date |
Author |
Changes |
| 1.0 |
2024-01-15 |
Security Team |
Initial release |
| 1.5 |
2024-04-20 |
Security Team |
Added vendor management section |
| 2.0 |
2024-07-01 |
Security Team |
Comprehensive update for Type II |
Appendix D: Approval History
| Document |
Approver |
Title |
Date |
Signature |
| SOC 2 Framework |
Jane Smith |
CISO |
2024-07-01 |
____ |
| Information Security Policy |
John Doe |
CEO |
2024-07-01 |
____ |
| Risk Assessment |
Jane Smith |
CISO |
2024-06-15 |
____ |
| Role |
Name |
Email |
Phone |
| CISO |
[Name] |
ciso@company.com |
+1-XXX-XXX-XXXX |
| Security Manager |
[Name] |
security@company.com |
+1-XXX-XXX-XXXX |
| Compliance Officer |
[Name] |
compliance@company.com |
+1-XXX-XXX-XXXX |
| Audit Liaison |
[Name] |
audit@company.com |
+1-XXX-XXX-XXXX |
Document Classification: Internal Use Only
Β© 2024 SPZ Technologies. All Rights Reserved.
| Last Updated: July 2025 |
Next Review: January 2026 |