www.infosectrain.com
SOC 2 (Service Organization Control) Type 2 Checklist, Part 2
CC6.0: Logical and Physical Access Control

Each entry below lists the Control Activity Specified by Organization, the control reference, and the Test Applied by Auditor. The Test Results column is blank in this checklist.

CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

CC6.1.1
Control activity: The organization creates an access control policy and a user registration process to authorize individuals before granting them system access privileges.
Test applied by auditor: Examine and ensure that the organization developed an access control policy and a corresponding registration and authorization process for individuals.

CC6.1.2
Control activity: The organization restricts system access based on job roles, or requires an approved access request form and manager's approval before granting access to relevant system components.
Test applied by auditor: Examine user access to system components and ensure that the manager approves it.

CC6.1.3
Control activity: The organization maintains a data classification policy to ensure that confidential information is securely protected and accessible only to authorized users.
Test applied by auditor: Examine the organization's data classification policy and ensure it secures confidential data, restricting access solely to authorized personnel.

CC6.1.4
Control activity: The organization limits access to encryption keys, which are considered privileged, to authorized users who have a legitimate business need.
Test applied by auditor: Examine the organization's cryptography policy to ensure that it confines privileged access to encryption keys to authorized users with valid business requirements.

CC6.1.5
Control activity: Remote access to the organization's production systems is permitted exclusively for authorized employees with a valid Multi-Factor Authentication (MFA) method.
Test applied by auditor: Examine the organization's production systems to ensure that only authorized employees with a valid Multi-Factor Authentication (MFA) method can access them remotely.
CC6.2: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.2.1
Control activity: The organization's access control policy specifies the procedures for adding, modifying, or revoking user access.
Test applied by auditor: Examine the organization's access control policy to ensure it exists, is approved, and documents procedures for adding, modifying, and removing user access.

CC6.2.2
Control activity: The organization performs quarterly access reviews on in-scope system components to ensure that access is appropriately restricted, and tracks any necessary changes until they are implemented.
Test applied by auditor: Examine access reviews for the relevant system components to ensure appropriate access restrictions and that required changes are tracked until they are finalized.

CC6.2.3
Control activity: The organization uses termination checklists to ensure that access is promptly revoked for terminated employees within the defined Service Level Agreements (SLAs).
Test applied by auditor: Examine the termination checklist to ensure that access is promptly removed for employees who have been terminated.

CC6.2.4
Control activity: To access the production network, the organization mandates authentication with either unique usernames and passwords or authorized Secure Shell (SSH) keys.
Test applied by auditor: Examine how the organization authenticates access to the production network and ensure it uses unique usernames and passwords or authorized Secure Shell (SSH) keys.

CC6.2.5
Control activity: The organization grants users access to specific parts of the system based on their job role, or after they submit an access request form and obtain their manager's approval.
Test applied by auditor: Examine how users obtain system access to ensure it is granted either based on their job role or after a request form is submitted and the manager's approval is obtained.
CC6.3: The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.

CC6.3.1
Control activity: The organization maintains a matrix that specifies which system components staff members can access according to their roles.
Test applied by auditor: Examine the staff access matrix.

CC6.3.2
Control activity: When staff members leave the organization, their access to the organization's systems is promptly revoked as part of the offboarding process.
Test applied by auditor: Examine the employee access removal process to ensure that a termination checklist is followed and access is adequately revoked when an employee leaves.

CC6.3.3
Control activity: The organization ensures that access to the infrastructure provider's environment, specifically the production console, is limited to individuals who need it for their job tasks.
Test applied by auditor: Examine the infrastructure access and ensure it is restricted to individuals with job-related access requirements.

CC6.3.4
Control activity: The organization ensures that access to the production databases is granted only to individuals who need it to carry out their job responsibilities.
Test applied by auditor: Examine the production database access and ensure it is limited to individuals who require it to carry out their job tasks.

CC6.3.5
Control activity: The organization conducts quarterly access reviews for in-scope system components, ensuring proper access controls and tracking needed changes until completion.
Test applied by auditor: Examine access reviews for in-scope system components to ensure appropriate access restrictions and that necessary changes are tracked until completed.
CC6.4: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.

CC6.4.1
Control activity: The organization establishes procedures to authorize and manage physical access to its data centers, including granting, modifying, or terminating access, with authorization from control owners.
Test applied by auditor: Examine the system description to ensure that AWS is accountable for controlling access to the data center, allowing entry only to authorized personnel.

CC6.4.2
Control activity: The organization conducts annual reviews of data center access.
Test applied by auditor: Examine the system description to ensure that AWS is accountable for ensuring that only authorized personnel have access to the data center.

CC6.4.3
Control activity: The organization mandates that visitors sign in, wear a designated visitor badge, and be accompanied by an authorized employee when entering the data center or secure zones.
Test applied by auditor: Examine the physical security policy to ensure the presence of documented visitor management procedures, including sign-in, badge-wearing, escorting if required, access approval, and sign-out. Also, examine the system description to ensure AWS manages physical security controls.

CC6.4.4
Control activity: The organization performs quarterly access reviews on in-scope system components to verify that access is adequately limited. Any necessary changes are documented and tracked until they are fully implemented.
Test applied by auditor: Examine a quarterly access review to ensure that regular access reviews take place and that access modifications align with business needs. Additionally, examine the access control and termination policy to ensure that access restrictions follow the principle of least privilege and that changes require approval and documentation.
CC6.5: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives.

CC6.5.1
Control activity: The organization follows best practices to dispose of or destroy electronic media holding confidential information, and it issues a certificate of destruction for each disposed device.
Test applied by auditor: Examine a data disposal log in Secureframe and ensure the data retention and disposal policy documents procedures that comply with NIST guidelines.

CC6.5.2
Control activity: The organization employs termination checklists to ensure that access is promptly revoked for terminated employees in accordance with the agreed service level agreements (SLAs).
Test applied by auditor: Examine the procedure for removing an employee's access to ensure that a termination checklist is followed and that access is correctly revoked when an employee leaves the organization.

CC6.5.3
Control activity: The organization follows industry best practices by removing or purging customer data containing confidential information from the application environment when customers discontinue their service.
Test applied by auditor: Examine the data retention and disposal policy for documented processes, including secure data retention and deletion within 30 days of a customer request, and ensure the presence of a disposal log in Secureframe for secure data disposal.

CC6.5.4
Control activity: The organization establishes formal procedures to guide the secure retention and disposal of company and customer data.
Test applied by auditor: Examine the data retention policy for secure data handling and ensure that data disposal logs are maintained in Secureframe.
CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC6.6.1
Control activity: The organization employs secure data transmission protocols to encrypt confidential and sensitive data when sending it across public networks.
Test applied by auditor: Examine the organization's secure data transmission protocols to ensure that they incorporate encryption to safeguard confidential and sensitive data during transmission over public networks.

CC6.6.2
Control activity: The organization employs an intrusion detection system to continuously monitor its network and promptly identify potential security breaches.
Test applied by auditor: Examine the organization's intrusion detection system to ensure it is set up for ongoing network monitoring and early identification of potential security breaches.

CC6.6.3
Control activity: The organization documents network and system hardening standards, which align with industry best practices and undergo an annual review.
Test applied by auditor: Examine the organization's network and system hardening standards to ensure that they align with industry best practices and undergo a yearly review for compliance.

CC6.6.4
Control activity: The organization conducts annual reviews of its firewall rulesets and ensures that necessary changes are tracked until they are implemented.
Test applied by auditor: Examine the firewall rulesets to confirm that they undergo annual reviews and that any necessary changes are tracked until they are fully implemented.

CC6.6.5
Control activity: The organization's routine procedures for patching the infrastructure that supports the service include regular maintenance and remediation of identified vulnerabilities, which helps harden the servers that underpin the service against potential threats.
Test applied by auditor: Examine the infrastructure supporting the service to ensure it undergoes routine maintenance and patching, addressing identified vulnerabilities to enhance server security against potential threats.
CC6.7: The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.

CC6.7.1
Control activity: The organization mandates encryption for all organization-owned endpoints to safeguard them from unauthorized access.
Test applied by auditor: Examine the encryption process to ensure it is implemented across all endpoints, protecting against unauthorized access.

CC6.7.2
Control activity: The organization protects user access to the organization's application by using HTTPS with the TLS protocol and encryption methods that adhere to industry standards.
Test applied by auditor: Examine the use of HTTPS (TLS) and ensure that the encryption techniques align with industry standards.

CC6.7.3
Control activity: The organization records its production infrastructure assets and separates them from its staging and development assets.
Test applied by auditor: Examine the records of production infrastructure assets and ensure they are clearly distinguished from the staging and development assets.

CC6.7.4
Control activity: The organization ensures that customer data used in non-production environments receives the same level of protection as in the production environment.
Test applied by auditor: Examine whether both production and non-production environments maintain equal protection for customer data.

CC6.7.5
Control activity: The organization has a documented encryption policy that is accessible to all staff through the organization's intranet.
Test applied by auditor: Examine the encryption policy to ensure it has been made available to all organization staff through the organization's intranet.
CC6.8: The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.

CC6.8.1
Control activity: The organization installs anti-malware technology in environments commonly exposed to malicious attacks, ensuring regular updates, comprehensive logging, and deployment on all applicable systems.
Test applied by auditor: Examine the organization's anti-malware technology to ensure it is set up for regular updates, maintains complete logs, and is installed on all applicable systems.

CC6.8.2
Control activity: The organization establishes a structured Systems Development Life Cycle (SDLC) methodology that governs the development, acquisition, implementation, modification (including emergency changes), and maintenance of information systems and associated technology needs.
Test applied by auditor: Examine the organization's SDLC methodology to ensure it governs information system development, acquisition, implementation, modifications, and maintenance, including related technology needs.

CC6.8.3
Control activity: The organization routinely applies patches to the infrastructure supporting the service, addressing identified vulnerabilities as a proactive measure to harden the servers that underpin the service against potential threats.
Test applied by auditor: Examine the service's infrastructure to ensure routine patching and vulnerability-based updates are applied to secure the supporting servers against security threats.
CC7.0: System Operations

CC7.1: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

CC7.1.1
Control activity: The organization mandates that changes to the software and infrastructure components of the service undergo authorization, formal documentation, testing, review, and approval before being implemented in the production environment.
Test applied by auditor: Examine changes to software and infrastructure components to ensure they go through authorization, formal documentation, testing, review, and approval before going into the production environment.

CC7.1.2
Control activity: The organization's formal policies specify the requirements for IT/Engineering functions, including vulnerability management and system monitoring.
Test applied by auditor: Examine the organization's formal policies to ensure they define the requirements for IT/Engineering functions, including vulnerability management and system monitoring.

CC7.1.3
Control activity: The organization conducts host-based vulnerability scans on all external-facing systems quarterly, focusing on identifying and addressing critical and high vulnerabilities.
Test applied by auditor: Examine the vulnerability scans to ensure they occurred quarterly for all external-facing systems and that critical and high vulnerabilities were actively monitored and remediated.

CC7.1.4
Control activity: The organization conducts annual risk assessments that identify threats and changes (environmental, regulatory, and technological) affecting service commitments, formally assesses the resulting risks, and considers fraud's potential impact on objectives.
Test applied by auditor: Examine the organization's risk assessment documentation to ensure that assessments are annual, that threats and changes to service commitments are identified, and that risks, including fraud's potential impact on objectives, are formally evaluated.
CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.2.1
Control activity: The organization employs an intrusion detection system to continuously monitor its network and promptly identify potential security breaches.
Test applied by auditor: Examine the use and configuration of the IDS, ensuring its role in threat detection, continuous monitoring, and identifying security breaches.

CC7.2.2
Control activity: The organization employs a log management tool to detect events affecting its ability to meet security objectives.
Test applied by auditor: Examine log evidence (a screenshot) to ensure that event logs are maintained in support of the security objectives.

CC7.2.3
Control activity: The organization conducts annual penetration testing, develops a remediation plan, and implements changes to address vulnerabilities within SLAs.
Test applied by auditor: Examine that penetration tests are conducted, identified vulnerabilities are tracked for remediation, and annual third-party penetration tests are in place as required by the vulnerability and patch management policy.

CC7.2.4
Control activity: The organization hardens the servers supporting the service against security threats by incorporating routine maintenance and addressing identified vulnerabilities through infrastructure patching.
Test applied by auditor: Examine that penetration tests are conducted with vulnerability tracking for remediation, and ensure that patches are regularly installed as part of routine maintenance to enhance system resilience against vulnerabilities and threats.

CC7.2.5
Control activity: The organization conducts host-based vulnerability scans on external-facing systems quarterly, focusing on monitoring and addressing critical and high vulnerabilities.
Test applied by auditor: Examine Secureframe to verify that vulnerability scans are executed, that findings are assigned severity ratings, and that findings are tracked for remediation.
CC7.3: The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

CC7.3.1
Control activity: The organization employs a continuous monitoring system to monitor and communicate the status of the information security program to the Information Security Officer and other relevant parties.
Test applied by auditor: Examine the continuous monitoring system and ensure it consistently tracks and reports on the information security program's status.

CC7.3.2
Control activity: The organization mandates quarterly audits of employee endpoints to verify that they are running the current or the second most recent version of the operating system.
Test applied by auditor: Examine the operating system version and ensure that it is current and up to date.

CC7.3.3
Control activity: The organization's infrastructure is configured to produce audit events for security-related actions of interest, which are then assessed and scrutinized for any unusual or suspicious behavior.
Test applied by auditor: Examine the internal audit logs to ensure that the organization uses a continuous monitoring system for tracking and delivering updates on the status of the information security program.

CC7.3.4
Control activity: The organization maintains constant monitoring of its production assets, enabling prompt alerts and immediate response when required.
Test applied by auditor: Examine the production assets to ensure that their alerting system operates promptly.

CC7.3.5
Control activity: The organization identifies vulnerabilities within its platform through annual penetration testing conducted by a certified third-party service provider.
Test applied by auditor: Examine and ensure that the organization performs the annual penetration testing exercise.
CC7.4: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

CC7.4.1
Control activity: The organization adheres to its security incident response policy and procedures, ensuring that security and privacy incidents are logged, monitored, resolved, and reported to the affected or relevant parties under management's guidance.
Test applied by auditor: Examine security and privacy incidents in the organization to ensure they are correctly logged, monitored, resolved, and reported to the appropriate parties by management, following the company's security incident response policy and procedures.

CC7.4.2
Control activity: The organization tests its incident response plan at least annually.
Test applied by auditor: Examine the organization's incident response plan to ensure that it is tested at least annually.

CC7.4.3
Control activity: The organization has documented security and privacy incident response policies and procedures, which are communicated to authorized personnel.
Test applied by auditor: Examine the organization's security policies to ensure that established security and privacy incident response policies and processes are in place and that they are communicated to authorized users.

CC7.4.4
Control activity: The organization regularly patches its service-supporting infrastructure, covering routine maintenance and identified vulnerabilities, to protect its servers against threats.
Test applied by auditor: Examine the service-supporting infrastructure to ensure patching for regular maintenance and identified vulnerabilities, enhancing server security against potential threats.

CC7.4.5
Control activity: The organization conducts host-based vulnerability scans on all external-facing systems at least quarterly, with a specific focus on tracking and addressing critical and high vulnerabilities.
Test applied by auditor: Examine the vulnerability scans to ensure they occur at least quarterly for all external-facing systems and that critical and high vulnerabilities are monitored and remediated as necessary.
CC8.0: Change Management

CC8.1: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

CC8.1.1
Control activity: The organization mandates that any modifications to software and infrastructure components of the service undergo authorization, formal documentation, testing, review, and approval before they can be implemented in the production environment.
Test applied by auditor: Examine the organization's modifications to software and infrastructure components and ensure that they undergo authorization, formal documentation, testing, review, and approval before implementation in the production environment.

CC8.1.2
Control activity: The organization follows a formal SDLC methodology that governs the entire lifecycle of information systems and related technology, including development, acquisition, implementation, changes (including emergency changes), and maintenance.
Test applied by auditor: Examine the organization's SDLC methodology, ensuring it governs information system development, acquisition, implementation, modifications, and maintenance.

CC8.1.3
Control activity: The organization routinely patches its service-supporting infrastructure, covering regular maintenance and identified vulnerabilities, to strengthen server security against potential threats.
Test applied by auditor: Examine the organization's service-supporting infrastructure to ensure that patches are applied for routine maintenance and that identified vulnerabilities are addressed to enhance server security against potential threats.

CC8.1.4
Control activity: The organization conducts annual penetration testing and implements changes to remediate vulnerabilities according to SLAs.
Test applied by auditor: Examine the organization's penetration testing to ensure it occurs at least once a year.

CC8.1.5
Control activity: Access to migrate changes to the production environment is granted exclusively to authorized personnel within the organization.
Test applied by auditor: Examine access rights for migrating changes to the production environment and ensure that only authorized personnel within the organization have this privileged access.
CC9.0: Risk Mitigation

CC9.1: The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

CC9.1.1
Control activity: The organization establishes business continuity and disaster recovery plans that include communication strategies to ensure information security continuity in case key personnel become unavailable.
Test applied by auditor: Examine the plans to ensure the organization outlines communication strategies for maintaining information security continuity if key personnel are unavailable.

CC9.1.2
Control activity: The organization performs annual risk assessments that identify threats and changes, formally assess risks to service commitments, and consider fraud's potential impact on objectives.
Test applied by auditor: Examine the organization's risk assessment documentation to ensure it includes annual assessments, identification of threats and changes to service commitments with formal risk assessment, and consideration of fraud's potential impact on objectives.

CC9.1.3
Control activity: The organization establishes a documented risk management program that covers threat identification, risk significance rating, and mitigation strategies.
Test applied by auditor: Examine the organization's risk management program to ensure it covers threat identification, risk assessment, and mitigation strategies.
CC9.2: The entity assesses and manages risks associated with vendors and business partners.

CC9.2.1
Control activity: The organization has formal agreements with vendors and relevant third parties that include confidentiality and privacy commitments tailored to the entity's requirements.
Test applied by auditor: Examine the organization's written agreements with vendors and related third parties, ensuring they incorporate confidentiality and privacy commitments tailored explicitly to the entity.

CC9.2.2
Control activity: The organization has a vendor management program that includes a critical third-party vendor inventory, security and privacy requirements for vendors, and annual reviews of essential vendors.
Test applied by auditor: Examine the organization's vendor management program to ensure that it establishes a structured process for documenting and managing vendor relationships.
Comprehensive Analysis of Contemporary Information Security Challenges
ย 
Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...
Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...
Best Practices for Access Reviews - How to Reduce Risks and Improve Operation...
ย 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NET
ย 
Viewfinity Product Overview
Viewfinity Product OverviewViewfinity Product Overview
Viewfinity Product Overview
ย 
Access Control and Maintenance.pptx
Access Control and Maintenance.pptxAccess Control and Maintenance.pptx
Access Control and Maintenance.pptx
ย 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
ย 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
ย 
CMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organizationCMMC rollout: How CMMC will impact your organization
CMMC rollout: How CMMC will impact your organization
ย 

More from infosec train

CRISC Domains Mind Map InfosecTrain .pdf
CRISC Domains Mind Map InfosecTrain .pdfCRISC Domains Mind Map InfosecTrain .pdf
CRISC Domains Mind Map InfosecTrain .pdfinfosec train
ย 
Everything about APT29. pdf InfosecTrain
Everything about APT29. pdf InfosecTrainEverything about APT29. pdf InfosecTrain
Everything about APT29. pdf InfosecTraininfosec train
ย 
Top 10 Cyber Attacks 2024.pdf InfosecTrain
Top 10 Cyber Attacks 2024.pdf InfosecTrainTop 10 Cyber Attacks 2024.pdf InfosecTrain
Top 10 Cyber Attacks 2024.pdf InfosecTraininfosec train
ย 
Cloud Storage vs. Local Storage.pdf InfosecTrain
Cloud Storage vs. Local Storage.pdf InfosecTrainCloud Storage vs. Local Storage.pdf InfosecTrain
Cloud Storage vs. Local Storage.pdf InfosecTraininfosec train
ย 
Threat- Hunting-Tips .pdf InfosecTrain
Threat- Hunting-Tips  .pdf  InfosecTrainThreat- Hunting-Tips  .pdf  InfosecTrain
Threat- Hunting-Tips .pdf InfosecTraininfosec train
ย 
AXIS Bank Credit Card Fraud.pdf infosectrain
AXIS Bank Credit Card Fraud.pdf infosectrainAXIS Bank Credit Card Fraud.pdf infosectrain
AXIS Bank Credit Card Fraud.pdf infosectraininfosec train
ย 
Interpreting the Malicious Mind Motive Behind Cyberattacks.pdf
Interpreting the Malicious Mind Motive Behind Cyberattacks.pdfInterpreting the Malicious Mind Motive Behind Cyberattacks.pdf
Interpreting the Malicious Mind Motive Behind Cyberattacks.pdfinfosec train
ย 
Cybersecurity Expert Training InfosecTrain.pdf
Cybersecurity Expert Training InfosecTrain.pdfCybersecurity Expert Training InfosecTrain.pdf
Cybersecurity Expert Training InfosecTrain.pdfinfosec train
ย 
๐ƒ๐š๐ญ๐š ๐๐ซ๐ข๐ฏ๐š๐œ๐ฒ ๐‚๐ก๐š๐ฅ๐ฅ๐ž๐ง๐ ๐ž๐ฌ & ๐’๐จ๐ฅ๐ฎ๐ญ๐ข๐จ๐ง๐ฌ!.pdf
๐ƒ๐š๐ญ๐š ๐๐ซ๐ข๐ฏ๐š๐œ๐ฒ ๐‚๐ก๐š๐ฅ๐ฅ๐ž๐ง๐ ๐ž๐ฌ & ๐’๐จ๐ฅ๐ฎ๐ญ๐ข๐จ๐ง๐ฌ!.pdf๐ƒ๐š๐ญ๐š ๐๐ซ๐ข๐ฏ๐š๐œ๐ฒ ๐‚๐ก๐š๐ฅ๐ฅ๐ž๐ง๐ ๐ž๐ฌ & ๐’๐จ๐ฅ๐ฎ๐ญ๐ข๐จ๐ง๐ฌ!.pdf
๐ƒ๐š๐ญ๐š ๐๐ซ๐ข๐ฏ๐š๐œ๐ฒ ๐‚๐ก๐š๐ฅ๐ฅ๐ž๐ง๐ ๐ž๐ฌ & ๐’๐จ๐ฅ๐ฎ๐ญ๐ข๐จ๐ง๐ฌ!.pdfinfosec train
ย 
CEH v12 Certification Training Guide.pdf
CEH v12 Certification Training Guide.pdfCEH v12 Certification Training Guide.pdf
CEH v12 Certification Training Guide.pdfinfosec train
ย 
GRC Online Training by InfosecTrain.pdf
GRC Online Training by  InfosecTrain.pdfGRC Online Training by  InfosecTrain.pdf
GRC Online Training by InfosecTrain.pdfinfosec train
ย 
PMP Certification Training Course.pdf
PMP Certification Training    Course.pdfPMP Certification Training    Course.pdf
PMP Certification Training Course.pdfinfosec train
ย 
upcoming batches of InfosecTrain .pdf 01
upcoming batches of InfosecTrain .pdf 01upcoming batches of InfosecTrain .pdf 01
upcoming batches of InfosecTrain .pdf 01infosec train
ย 
Best SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide  InfosecTrain .pdfBest SOC Career Guide  InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdfinfosec train
ย 
NIST CHECKLIST by InfosecTrain.pdf InfosecTrain
NIST CHECKLIST by InfosecTrain.pdf InfosecTrainNIST CHECKLIST by InfosecTrain.pdf InfosecTrain
NIST CHECKLIST by InfosecTrain.pdf InfosecTraininfosec train
ย 
PCI-DSS(Payment Card Industry Data Security Standard) Training .pdf
PCI-DSS(Payment Card Industry Data Security Standard) Training .pdfPCI-DSS(Payment Card Industry Data Security Standard) Training .pdf
PCI-DSS(Payment Card Industry Data Security Standard) Training .pdfinfosec train
ย 
Types of Data Privacy by InfosecTrain.pdf
Types of Data Privacy by InfosecTrain.pdfTypes of Data Privacy by InfosecTrain.pdf
Types of Data Privacy by InfosecTrain.pdfinfosec train
ย 
CEH v12 Online Certification Training.pdf
CEH v12 Online Certification Training.pdfCEH v12 Online Certification Training.pdf
CEH v12 Online Certification Training.pdfinfosec train
ย 
Privacy Impact Assessment vs Risk Assessment vs Business Impact Assessment.pdf
Privacy Impact Assessment vs Risk Assessment vs Business Impact Assessment.pdfPrivacy Impact Assessment vs Risk Assessment vs Business Impact Assessment.pdf
Privacy Impact Assessment vs Risk Assessment vs Business Impact Assessment.pdfinfosec train
ย 
Antivirus vs Firewall Deep Expansion.pdf
Antivirus vs Firewall Deep Expansion.pdfAntivirus vs Firewall Deep Expansion.pdf
Antivirus vs Firewall Deep Expansion.pdfinfosec train
ย 

More from infosec train (20)

CRISC Domains Mind Map InfosecTrain .pdf
CRISC Domains Mind Map InfosecTrain .pdfCRISC Domains Mind Map InfosecTrain .pdf
CRISC Domains Mind Map InfosecTrain .pdf
ย 
Everything about APT29. pdf InfosecTrain
Everything about APT29. pdf InfosecTrainEverything about APT29. pdf InfosecTrain
Everything about APT29. pdf InfosecTrain
ย 
Top 10 Cyber Attacks 2024.pdf InfosecTrain
Top 10 Cyber Attacks 2024.pdf InfosecTrainTop 10 Cyber Attacks 2024.pdf InfosecTrain
Top 10 Cyber Attacks 2024.pdf InfosecTrain
ย 
Cloud Storage vs. Local Storage.pdf InfosecTrain
Cloud Storage vs. Local Storage.pdf InfosecTrainCloud Storage vs. Local Storage.pdf InfosecTrain
Cloud Storage vs. Local Storage.pdf InfosecTrain
ย 
Threat- Hunting-Tips .pdf InfosecTrain
Threat- Hunting-Tips  .pdf  InfosecTrainThreat- Hunting-Tips  .pdf  InfosecTrain
Threat- Hunting-Tips .pdf InfosecTrain
ย 
AXIS Bank Credit Card Fraud.pdf infosectrain
AXIS Bank Credit Card Fraud.pdf infosectrainAXIS Bank Credit Card Fraud.pdf infosectrain
AXIS Bank Credit Card Fraud.pdf infosectrain
ย 
Interpreting the Malicious Mind Motive Behind Cyberattacks.pdf
Interpreting the Malicious Mind Motive Behind Cyberattacks.pdfInterpreting the Malicious Mind Motive Behind Cyberattacks.pdf
Interpreting the Malicious Mind Motive Behind Cyberattacks.pdf
ย 
Cybersecurity Expert Training InfosecTrain.pdf
Cybersecurity Expert Training InfosecTrain.pdfCybersecurity Expert Training InfosecTrain.pdf
Cybersecurity Expert Training InfosecTrain.pdf
ย 
๐ƒ๐š๐ญ๐š ๐๐ซ๐ข๐ฏ๐š๐œ๐ฒ ๐‚๐ก๐š๐ฅ๐ฅ๐ž๐ง๐ ๐ž๐ฌ & ๐’๐จ๐ฅ๐ฎ๐ญ๐ข๐จ๐ง๐ฌ!.pdf
๐ƒ๐š๐ญ๐š ๐๐ซ๐ข๐ฏ๐š๐œ๐ฒ ๐‚๐ก๐š๐ฅ๐ฅ๐ž๐ง๐ ๐ž๐ฌ & ๐’๐จ๐ฅ๐ฎ๐ญ๐ข๐จ๐ง๐ฌ!.pdf๐ƒ๐š๐ญ๐š ๐๐ซ๐ข๐ฏ๐š๐œ๐ฒ ๐‚๐ก๐š๐ฅ๐ฅ๐ž๐ง๐ ๐ž๐ฌ & ๐’๐จ๐ฅ๐ฎ๐ญ๐ข๐จ๐ง๐ฌ!.pdf
๐ƒ๐š๐ญ๐š ๐๐ซ๐ข๐ฏ๐š๐œ๐ฒ ๐‚๐ก๐š๐ฅ๐ฅ๐ž๐ง๐ ๐ž๐ฌ & ๐’๐จ๐ฅ๐ฎ๐ญ๐ข๐จ๐ง๐ฌ!.pdf
ย 
CEH v12 Certification Training Guide.pdf
CEH v12 Certification Training Guide.pdfCEH v12 Certification Training Guide.pdf
CEH v12 Certification Training Guide.pdf
ย 
GRC Online Training by InfosecTrain.pdf
GRC Online Training by  InfosecTrain.pdfGRC Online Training by  InfosecTrain.pdf
GRC Online Training by InfosecTrain.pdf
ย 
PMP Certification Training Course.pdf
PMP Certification Training    Course.pdfPMP Certification Training    Course.pdf
PMP Certification Training Course.pdf
ย 
upcoming batches of InfosecTrain .pdf 01
upcoming batches of InfosecTrain .pdf 01upcoming batches of InfosecTrain .pdf 01
upcoming batches of InfosecTrain .pdf 01
ย 
Best SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide  InfosecTrain .pdfBest SOC Career Guide  InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdf
ย 
NIST CHECKLIST by InfosecTrain.pdf InfosecTrain
NIST CHECKLIST by InfosecTrain.pdf InfosecTrainNIST CHECKLIST by InfosecTrain.pdf InfosecTrain
NIST CHECKLIST by InfosecTrain.pdf InfosecTrain
ย 
PCI-DSS(Payment Card Industry Data Security Standard) Training .pdf
PCI-DSS(Payment Card Industry Data Security Standard) Training .pdfPCI-DSS(Payment Card Industry Data Security Standard) Training .pdf
PCI-DSS(Payment Card Industry Data Security Standard) Training .pdf
ย 
Types of Data Privacy by InfosecTrain.pdf
Types of Data Privacy by InfosecTrain.pdfTypes of Data Privacy by InfosecTrain.pdf
Types of Data Privacy by InfosecTrain.pdf
ย 
CEH v12 Online Certification Training.pdf
CEH v12 Online Certification Training.pdfCEH v12 Online Certification Training.pdf
CEH v12 Online Certification Training.pdf
ย 
Privacy Impact Assessment vs Risk Assessment vs Business Impact Assessment.pdf
Privacy Impact Assessment vs Risk Assessment vs Business Impact Assessment.pdfPrivacy Impact Assessment vs Risk Assessment vs Business Impact Assessment.pdf
Privacy Impact Assessment vs Risk Assessment vs Business Impact Assessment.pdf
ย 
Antivirus vs Firewall Deep Expansion.pdf
Antivirus vs Firewall Deep Expansion.pdfAntivirus vs Firewall Deep Expansion.pdf
Antivirus vs Firewall Deep Expansion.pdf
ย 

Recently uploaded

ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
ย 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
ย 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
ย 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
ย 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
ย 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationAadityaSharma884161
ย 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
ย 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
ย 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
ย 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
ย 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
ย 
HแปŒC TแปT TIแบพNG ANH 11 THEO CHฦฏฦ NG TRรŒNH GLOBAL SUCCESS ฤรP รN CHI TIแบพT - Cแบข Nฤ‚...
HแปŒC TแปT TIแบพNG ANH 11 THEO CHฦฏฦ NG TRรŒNH GLOBAL SUCCESS ฤรP รN CHI TIแบพT - Cแบข Nฤ‚...HแปŒC TแปT TIแบพNG ANH 11 THEO CHฦฏฦ NG TRรŒNH GLOBAL SUCCESS ฤรP รN CHI TIแบพT - Cแบข Nฤ‚...
HแปŒC TแปT TIแบพNG ANH 11 THEO CHฦฏฦ NG TRรŒNH GLOBAL SUCCESS ฤรP รN CHI TIแบพT - Cแบข Nฤ‚...Nguyen Thanh Tu Collection
ย 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
ย 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
ย 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
ย 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
ย 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
ย 

Recently uploaded (20)

TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
ย 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ย 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
ย 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
ย 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
ย 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
ย 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint Presentation
ย 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
ย 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
ย 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
ย 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
ย 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
ย 
HแปŒC TแปT TIแบพNG ANH 11 THEO CHฦฏฦ NG TRรŒNH GLOBAL SUCCESS ฤรP รN CHI TIแบพT - Cแบข Nฤ‚...
HแปŒC TแปT TIแบพNG ANH 11 THEO CHฦฏฦ NG TRรŒNH GLOBAL SUCCESS ฤรP รN CHI TIแบพT - Cแบข Nฤ‚...HแปŒC TแปT TIแบพNG ANH 11 THEO CHฦฏฦ NG TRรŒNH GLOBAL SUCCESS ฤรP รN CHI TIแบพT - Cแบข Nฤ‚...
HแปŒC TแปT TIแบพNG ANH 11 THEO CHฦฏฦ NG TRรŒNH GLOBAL SUCCESS ฤรP รN CHI TIแบพT - Cแบข Nฤ‚...
ย 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
ย 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
ย 
Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"
ย 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
ย 
Model Call Girl in Tilak Nagar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”
Model Call Girl in Tilak Nagar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”Model Call Girl in Tilak Nagar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”
Model Call Girl in Tilak Nagar Delhi reach out to us at ๐Ÿ”9953056974๐Ÿ”
ย 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
ย 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
ย 

SOC 2 Type 2 Checklist.pdf

• 1. www.infosectrain.com
SOC 2 (Service Organization Control) Type 2 Checklist Part - 2
• 2. CC6.0: Logical and Physical Access Control

Each slide is a table with the columns Control Activity Specified by Organization, Control, Test Applied by Auditor, and Test Results; the Test Results column is left blank in the checklist.

CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

CC6.1.1
  Control activity: The organization creates an access control policy and a user registration process to authorize individuals before granting them system access privileges.
  Auditor test: Examine and ensure that the organization developed an access control policy and a corresponding registration and authorization process for individuals.

CC6.1.2
  Control activity: The organization restricts system access based on job roles or requires an approved access request form and manager's approval before granting access to relevant system components.
  Auditor test: Examine user access to system components and ensure that the manager approves it.

CC6.1.3
  Control activity: The organization maintains a data classification policy to ensure that confidential information is securely protected and accessible only to authorized users.
  Auditor test: Examine the organization's data classification policy and ensure it secures confidential data, restricting access solely to authorized personnel.

CC6.1.4
  Control activity: The organization limits access to encryption keys, which are considered privileged, to authorized users who have a legitimate business need.
  Auditor test: Examine the organization's cryptography policy to ensure that it confines privileged access to encryption keys to authorized users with valid business requirements.

CC6.1.5
  Control activity: Remote access to the organization's production systems is exclusively permitted for authorized employees with a valid Multi-Factor Authentication (MFA) method.
  Auditor test: Examine the organization's production systems to ensure that only authorized employees with a valid Multi-Factor Authentication (MFA) method can access them remotely.
• 3. CC6.0: Logical and Physical Access Control

CC6.2: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.2.1
  Control activity: The organization's access control policy specifies the protocols for adding, modifying, or revoking user access.
  Auditor test: Examine the organization's access control policy to ensure its existence, approval, and documentation of procedures for adding, modifying, and removing user access.

CC6.2.2
  Control activity: The organization performs quarterly access assessments on system components within scope to guarantee proper access restrictions, with ongoing tracking of necessary changes until they are implemented.
  Auditor test: Examine access reviews for the relevant system parts to ensure appropriate access restrictions and monitor required changes until they are finalized.

CC6.2.3
  Control activity: The organization uses termination checklists to make sure that access is promptly revoked for employees who have been terminated, meeting the defined Service Level Agreements (SLAs).
  Auditor test: Examine the termination checklist to ensure that access is promptly removed for employees who have been terminated.

CC6.2.4
  Control activity: To access the production network, the organization mandates using either different usernames and passwords or authorized Secure Socket Shell (SSH) keys for authentication.
  Auditor test: Examine how the organization authenticates access to the production network and ensure it uses unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

CC6.2.5
  Control activity: The firm ensures that users can access specific parts of the system based on their job role or by filling out a form and getting their manager's approval before getting in.
  Auditor test: Examine how users access the system to ensure it is either based on their job or by filling out a form and getting their manager's approval before they can access it.
• 4. CC6.0: Logical and Physical Access Control

CC6.3: The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.

CC6.3.1
  Control activity: The organization maintains a matrix that specifies which system parts staff members can access according to their roles.
  Auditor test: Examine the staff access matrix.

CC6.3.2
  Control activity: When staff members leave the organization, access to the firm's systems is promptly revoked as part of the offboarding process.
  Auditor test: Examine the employee's access removal process to ensure that a termination checklist is followed and access is adequately revoked when an employee leaves.

CC6.3.3
  Control activity: The organization ensures that access to the infrastructure provider's environment, specifically the production console, is limited to individuals who need it for their job tasks.
  Auditor test: Examine the infrastructure access and ensure it is restricted to individuals with job-related access requirements.

CC6.3.4
  Control activity: The organization ensures that access to the production databases is granted only to individuals who need it to carry out their job responsibilities.
  Auditor test: Examine the production database access and ensure it is accessible only to individuals who require it to carry out their job tasks.

CC6.3.5
  Control activity: The organization conducts quarterly access audits for in-scope system components, ensuring proper access controls and tracking needed changes until completion.
  Auditor test: Examine access reviews for in-scope system components to ensure appropriate access restrictions and monitor necessary changes until completed.
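As an added illustration of what the CC6.2 and CC6.3 review controls check in practice (this is example code, not part of the InfosecTrain checklist or any product it names): a quarterly access-review script that compares actual grants against a role access matrix, approved access request forms and HR termination records, and returns the exceptions an auditor would expect to see tracked until closed. All users, systems, dates and the one-day revocation SLA are constructed sample values.

```python
"""Quarterly access review check (added example, not the checklist's own tooling).

Compares actual access grants against a role access matrix (CC6.3.1), approved
access request forms (CC6.1.2 / CC6.2.5) and HR termination records
(CC6.2.3 / CC6.3.2), returning findings to track until remediated (CC6.2.2).
All users, systems, roles and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Role access matrix (CC6.3.1): which systems each job role may access (constructed).
ACCESS_MATRIX: Dict[str, Set[str]] = {
    "sre": {"prod-console", "prod-db", "vpn"},
    "developer": {"staging", "vpn"},
    "support": {"ticketing", "vpn"},
}


@dataclass
class Employee:
    user: str
    role: str
    terminated_on: Optional[date] = None  # None while still employed


@dataclass
class Grant:
    user: str    # account holding the access
    system: str  # in-scope system component


@dataclass
class Finding:
    control: str  # checklist control the exception maps to
    user: str
    system: str
    detail: str


def review_access(
    employees: List[Employee],
    grants: List[Grant],
    approved_requests: Dict[Tuple[str, str], str],
    review_date: date,
    revoke_sla_days: int = 1,
) -> List[Finding]:
    """Return the exceptions an access review should log and track to closure.

    approved_requests maps (user, system) to the approving manager for
    out-of-role access that was granted through an access request form.
    """
    by_user = {e.user: e for e in employees}
    findings: List[Finding] = []
    for g in grants:
        emp = by_user.get(g.user)
        if emp is None:
            # No registration record: the account was never authorized (CC6.2.1).
            findings.append(Finding("CC6.2.1", g.user, g.system,
                                    "grant for an account with no registration record"))
            continue
        if emp.terminated_on is not None:
            # Terminated staff: access must be revoked within the SLA (CC6.2.3).
            days_open = (review_date - emp.terminated_on).days
            if days_open > revoke_sla_days:
                findings.append(Finding("CC6.2.3", g.user, g.system,
                                        f"access still active {days_open} days after "
                                        f"termination (SLA {revoke_sla_days} day(s))"))
            continue
        if g.system in ACCESS_MATRIX.get(emp.role, set()):
            continue  # covered by the role matrix
        if (g.user, g.system) in approved_requests:
            continue  # out-of-role access with manager approval (CC6.1.2)
        findings.append(Finding("CC6.3.1", g.user, g.system,
                                f"access outside role '{emp.role}' with no approved request"))
    return findings


def run_sample_review() -> List[Finding]:
    """Run the review over constructed sample data for one quarter."""
    review_date = date(2024, 3, 31)
    employees = [
        Employee("alice", "sre"),
        Employee("bob", "developer"),
        Employee("carol", "support", terminated_on=date(2024, 3, 1)),
        Employee("dave", "developer", terminated_on=review_date),  # inside SLA
    ]
    grants = [
        Grant("alice", "prod-db"),     # in role: no finding
        Grant("bob", "prod-db"),       # out of role, but approved below
        Grant("bob", "prod-console"),  # out of role, no approval: CC6.3.1
        Grant("carol", "ticketing"),   # 30 days after termination: CC6.2.3
        Grant("dave", "vpn"),          # terminated today, still inside SLA
        Grant("erin", "vpn"),          # no HR record at all: CC6.2.1
    ]
    approved_requests = {("bob", "prod-db"): "manager-1"}
    return review_access(employees, grants, approved_requests, review_date)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.control}: {f.user}@{f.system}: {f.detail}")
```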
• 5. CC6.0: Logical and Physical Access Control

CC6.4: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.

CC6.4.1
  Control activity: The organization establishes procedures to authorize and manage physical access to its data centers, including granting, modifying, or terminating access, with authorization from control owners.
  Auditor test: Examine the system description to ensure that AWS is accountable for controlling access to the data center, allowing entry only to authorized personnel.

CC6.4.2
  Control activity: The organization conducts annual assessments of data center access.
  Auditor test: Examine the system description to ensure that AWS is accountable for ensuring that only authorized personnel have access to the data center.

CC6.4.3
  Control activity: The organization mandates that visitors must sign in, wear a designated visitor badge, and be accompanied by an authorized employee when entering the data center or secure zones.
  Auditor test: Examine the physical security policy to ensure the presence of documented visitor management procedures, including sign-in, badge-wearing, escorting if required, access approval, and sign-out. Also, examine the system description to ensure AWS manages physical security controls.

CC6.4.4
  Control activity: The organization performs access assessments on in-scope system components every quarter to verify that access is adequately limited. Any necessary changes are documented and monitored until they are fully implemented.
  Auditor test: Examine a quarterly access review, ensuring the presence of regular access reviews and access modifications aligned with business needs. Additionally, examine the access control and termination policy to ensure that access restrictions follow the principle of least privilege, requiring approval and documentation for changes.
• 6. CC6.0: Logical and Physical Access Control

CC6.5: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives.

CC6.5.1
  Control activity: The organization follows best practices to eliminate or destroy electronic media holding confidential information, and it issues certificates of destruction for each disposed device.
  Auditor test: Examine a data disposal log in Secureframe and ensure the data retention and disposal policy documents procedures that comply with NIST guidelines.

CC6.5.2
  Control activity: The organization employs termination checklists to guarantee that access is promptly revoked for employees who have been terminated, in accordance with agreed service level agreements (SLAs).
  Auditor test: Examine the procedure for removing an employee's access to ensure that it adheres to a termination checklist and that access is correctly revoked when an employee leaves the organization.

CC6.5.3
  Control activity: The organization follows industry best practices by removing or purging customer data containing confidential information from the application environment when customers discontinue their service.
  Auditor test: Examine the data retention and disposal policy for documented processes, including secure data retention and deletion within 30 days upon customer request, and ensure the presence of a disposal log in Secureframe for secure data disposal.

CC6.5.4
  Control activity: The organization establishes formal procedures to guide the secure retention and disposal of company and customer data.
  Auditor test: Examine the data retention policy for secure data handling and ensure that Secureframe holds the data disposal logs.
• 7. CC6.0: Logical and Physical Access Control

CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC6.6.1
  Control activity: The organization employs secure data transmission protocols to encrypt confidential and sensitive data when sending it across public networks.
  Auditor test: Examine the organization's secure data transmission protocols to ensure that they incorporate encryption for safeguarding confidential and sensitive data during transmission over public networks.

CC6.6.2
  Control activity: The organization employs an intrusion detection system to continuously monitor its network and promptly identify potential security breaches.
  Auditor test: Examine the organization's intrusion detection system to ensure it is set up for ongoing network monitoring, enabling the early identification of potential security breaches.

CC6.6.3
  Control activity: The organization documents network and system hardening standards, which align with industry best practices and undergo an annual review.
  Auditor test: Examine the organization's network and system hardening standards to ensure that they align with industry best practices and undergo a yearly review for compliance.

CC6.6.4
  Control activity: The organization conducts annual reviews of its firewall rulesets and ensures that necessary changes are monitored until they are implemented.
  Auditor test: Examine the firewall rulesets to confirm that they undergo annual reviews and that any necessary changes are tracked until they are fully implemented.

CC6.6.5
  Control activity: The organization includes regular maintenance and the remediation of identified vulnerabilities in its routine procedures for patching the infrastructure that supports the service. This practice helps fortify the servers that underpin the service against potential threats.
  Auditor test: Examine the infrastructure supporting the service to ensure it undergoes routine maintenance and patching, addressing identified vulnerabilities to enhance server security against potential threats.
CC6.0: Logical and Physical Access Control

CC6.7: The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.

Control Activity Specified by Organization | Control | Test Applied by Auditor | Test Results

CC6.7.1
Control activity: The organization mandates encryption for all organization-owned endpoints to safeguard them from unauthorized access.
Test applied by auditor: Examine the encryption process to ensure it is implemented across all endpoints, protecting them against unauthorized access.

CC6.7.2
Control activity: The organization ensures that user access to the organization's application is protected by using HTTPS (TLS) with encryption methods that adhere to industry standards.
Test applied by auditor: Examine the use of HTTPS (TLS) and ensure that the encryption techniques align with industry standards.

CC6.7.3
Control activity: The organization records production infrastructure assets and separates them from its staging and development assets.
Test applied by auditor: Examine the production infrastructure asset records and ensure they are clearly distinguished from the staging and development assets.

CC6.7.4
Control activity: The organization guarantees that customer data used in non-production environments receives the same level of protection as in the production environment.
Test applied by auditor: Examine both production and non-production environments to ensure they maintain equal protection for customer data.

CC6.7.5
Control activity: The organization has a documented encryption policy that is accessible to all staff through the organization's intranet.
Test applied by auditor: Examine the encryption policy to ensure it has been made available to all organization staff through the firm's intranet.
CC6.0: Logical and Physical Access Control

CC6.8: The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.

Control Activity Specified by Organization | Control | Test Applied by Auditor | Test Results

CC6.8.1
Control activity: The organization installs anti-malware technology in environments often vulnerable to malicious attacks, ensuring regular updates, comprehensive logging, and deployment on all applicable systems.
Test applied by auditor: Examine the organization's anti-malware technology to ensure it is set up for regular updates, maintains complete logs, and is installed on all applicable systems.

CC6.8.2
Control activity: The organization establishes a structured Systems Development Life Cycle (SDLC) methodology that regulates the development, acquisition, implementation, modification (including emergency changes) and maintenance of information systems and associated technology needs.
Test applied by auditor: Examine the organization's SDLC methodology to ensure it oversees information system development, acquisition, implementation, modifications, and maintenance, including related technology needs.

CC6.8.3
Control activity: The organization routinely applies patches to the infrastructure supporting the service, addressing identified vulnerabilities, as a proactive measure to fortify the servers that underpin the service against potential threats.
Test applied by auditor: Examine the service's infrastructure to ensure routine patching and vulnerability-based updates are applied to secure the supporting servers against security threats.
CC7.0: System Operations

CC7.1: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

Control Activity Specified by Organization | Control | Test Applied by Auditor | Test Results

CC7.1.1
Control activity: The organization mandates that changes to the software and infrastructure components of the service undergo authorization, formal documentation, testing, review, and approval before being implemented in the production environment.
Test applied by auditor: Examine changes to software and infrastructure components to ensure they go through authorization, formal documentation, testing, review, and approval before going into the production environment.

CC7.1.2
Control activity: The organization's formal policies specify the requirements for IT/Engineering functions, encompassing vulnerability management and system monitoring.
Test applied by auditor: Examine the organization's standard policies to confirm they delineate the criteria for IT-related operations, including vulnerability management and system monitoring.

CC7.1.3
Control activity: The organization conducts host-based vulnerability scans on all external-facing systems quarterly, focusing on identifying and addressing critical and high vulnerabilities.
Test applied by auditor: Examine the vulnerability scans to ensure they occurred quarterly for all external-facing systems and that critical and high vulnerabilities were actively monitored and remediated.

CC7.1.4
Control activity: The organization conducts annual risk assessments that identify threats and changes (environmental, regulatory, and technological) affecting service commitments, and formally assesses risks, including fraud's potential impact on objectives.
Test applied by auditor: Examine the organization's risk assessment documentation to ensure assessments are annual, identify threats and changes to service commitments, and formally evaluate risks, including fraud's potential impact on objectives.
CC7.0: System Operations

CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

Control Activity Specified by Organization | Control | Test Applied by Auditor | Test Results

CC7.2.1
Control activity: The organization employs an intrusion detection system to continuously monitor its network and promptly identify potential security breaches.
Test applied by auditor: Examine the use and configuration of the IDS, ensuring its role in threat detection, continuous monitoring, and identification of security breaches.

CC7.2.2
Control activity: The organization employs a log management tool to detect events affecting its ability to meet security objectives.
Test applied by auditor: Examine log evidence (for example, a screenshot) to ensure event logs are maintained in support of the security objectives.

CC7.2.3
Control activity: The organization conducts annual penetration testing, develops a remediation plan, and implements changes to address vulnerabilities within SLAs.
Test applied by auditor: Examine that penetration tests are conducted, that identified vulnerabilities are tracked for remediation, and that annual third-party penetration tests are in place as required by the vulnerability and patch management policy.

CC7.2.4
Control activity: The organization ensures the servers supporting the service are fortified against security threats by incorporating routine maintenance and addressing identified vulnerabilities through infrastructure patching.
Test applied by auditor: Examine that penetration tests are conducted with vulnerability tracking for remediation, and ensure that patches are regularly installed as part of routine maintenance to enhance system resilience against vulnerabilities and threats.

CC7.2.5
Control activity: The organization conducts host-based vulnerability scans on external-facing systems quarterly, focusing on monitoring and addressing critical and high vulnerabilities.
Test applied by auditor: Examine Secureframe to verify that vulnerability scans are executed, that findings are assigned severity ratings, and that findings are tracked for remediation.
CC7.0: System Operations

CC7.3: The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

Control Activity Specified by Organization | Control | Test Applied by Auditor | Test Results

CC7.3.1
Control activity: The organization employs a continuous monitoring system to monitor and communicate the status of the information security program to the Information Security Officer and other relevant parties.
Test applied by auditor: Examine the continuous monitoring system and ensure it consistently tracks and reports on the information security program's status.

CC7.3.2
Control activity: The organization mandates quarterly audits of employee endpoints to verify that they are running the current or the second most recent version of the operating system.
Test applied by auditor: Examine the operating system versions and ensure they are current and up to date.

CC7.3.3
Control activity: The organization's infrastructure is set up to produce audit events for security-related actions of interest, which are then assessed and scrutinized for any unusual or suspicious behavior.
Test applied by auditor: Examine the internal audit logs to ensure that the organization uses a continuous monitoring system for tracking and delivering updates on the status of the information security program.

CC7.3.4
Control activity: The organization maintains constant surveillance of its production assets, enabling prompt alerts and immediate response when required.
Test applied by auditor: Examine the production assets to ensure that their alerting system operates promptly.

CC7.3.5
Control activity: The organization identifies vulnerabilities within the firm's platform through annual penetration testing conducted by a certified third-party service provider.
Test applied by auditor: Examine and ensure that the organization performs the annual penetration testing exercise.
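CC7.3.2 states the rule precisely (current or second most recent OS version), so the quarterly audit can be computed from an endpoint inventory rather than judged by eye. The block below is an added example, not part of the checklist or of any MDM product: it derives the two newest known releases per OS family, classifies each endpoint as compliant, outdated or running an OS the policy does not cover, and returns the exception list an auditor would sample. The release lists, hostnames and version strings are constructed; "version" is taken literally at full-release granularity, and if your policy means major release trains instead, the release list should contain train identifiers rather than patch versions.

```python
"""Quarterly endpoint OS-version audit for control CC7.3.2.

Added example, not from the original checklist. The release lists and the
endpoint inventory are constructed; in practice the release list comes from
the vendor and the inventory from the MDM export.
"""


def parse_version(s: str):
    """Turn '14.3.1' into (14, 3, 1) so versions sort numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


# Constructed: known releases per OS family, deliberately in no particular order.
RELEASES = {
    "macos":   ["13.6.4", "14.4", "12.7.4", "14.3.1"],
    "windows": ["10.0.22631", "10.0.22621", "10.0.19045"],
}


def allowed_versions(releases, depth=2):
    """Newest `depth` releases per family, newest first (depth=2 matches CC7.3.2)."""
    return {
        family: sorted(versions, key=parse_version, reverse=True)[:depth]
        for family, versions in releases.items()
    }


def audit(inventory, releases=RELEASES, depth=2):
    """Classify each (host, family, version) tuple from the endpoint inventory.

    Returns a list of (host, family, version, status) with status one of
    'compliant', 'outdated' or 'unknown_os' (family not covered by the policy).
    """
    allowed = allowed_versions(releases, depth)
    results = []
    for host, family, version in inventory:
        if family not in allowed:
            status = "unknown_os"
        elif version in allowed[family]:
            status = "compliant"
        else:
            status = "outdated"
        results.append((host, family, version, status))
    return results


def exceptions(results):
    """Endpoints that need a ticket or a policy decision before the audit closes."""
    return [r for r in results if r[3] != "compliant"]


# Constructed sample inventory (hostname, OS family, reported version).
INVENTORY = [
    ("lap-01", "macos",   "14.4"),
    ("lap-02", "macos",   "14.3.1"),
    ("lap-03", "macos",   "13.6.4"),
    ("ws-01",  "windows", "10.0.19045"),
    ("ws-02",  "windows", "10.0.22621"),
    ("pi-01",  "linux",   "6.1"),
]

if __name__ == "__main__":
    for host, family, version, status in audit(INVENTORY):
        print(f"{host:7} {family:8} {version:12} {status}")
```

The `unknown_os` status is deliberate: an endpoint running a platform the release list does not cover is neither compliant nor outdated, and silently treating it as either would hide a gap in the policy's scope from the auditor.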
CC7.0: System Operations

CC7.4: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Control Activity Specified by Organization | Control | Test Applied by Auditor | Test Results

CC7.4.1
Control activity: The organization adheres to its security incident response policy and procedures, ensuring that security and privacy incidents are logged, monitored, resolved, and reported to the affected or relevant parties under management's guidance.
Test applied by auditor: Examine security and privacy incidents in the organization to ensure they are correctly logged, monitored, resolved, and reported to appropriate parties by management, following the company's security incident response policy and procedures.

CC7.4.2
Control activity: The organization tests its incident response plan at least annually.
Test applied by auditor: Examine the organization's incident response plan to ensure that it is tested at least annually.

CC7.4.3
Control activity: The organization has documented security and privacy incident response policies and procedures that are communicated to authorized personnel.
Test applied by auditor: Examine the organization's security policies to ensure that security and privacy incident response policies and processes are in place and are communicated to authorized users.

CC7.4.4
Control activity: The organization regularly patches its service-supporting infrastructure, covering routine maintenance and identified vulnerabilities, to maintain server security against threats.
Test applied by auditor: Examine the service-supporting infrastructure to ensure patching covers regular maintenance and identified vulnerabilities, enhancing server security against potential threats.

CC7.4.5
Control activity: The organization conducts host-based vulnerability scans on all external-facing systems at least quarterly, with a specific focus on tracking and addressing critical and high vulnerabilities.
Test applied by auditor: Examine the vulnerability scans to ensure they occur at least quarterly for all external-facing systems and that critical and high vulnerabilities are monitored and remediated as necessary.
CC8.0: Change Management

CC8.1: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Control Activity Specified by Organization | Control | Test Applied by Auditor | Test Results

CC8.1.1
Control activity: The organization mandates that any modifications to software and infrastructure components of the service undergo authorization, formal documentation, testing, review, and approval before they are implemented in the production environment.
Test applied by auditor: Examine the organization's modifications to software and infrastructure components and ensure that they undergo authorization, formal documentation, testing, review, and approval before implementation in the production environment.

CC8.1.2
Control activity: The organization follows a formal SDLC methodology that oversees the entire lifecycle of information systems and related technology, including development, acquisition, implementation, changes (including emergency changes), and maintenance.
Test applied by auditor: Examine the organization's SDLC methodology, ensuring it oversees information system development, acquisition, implementation, modifications, and maintenance.

CC8.1.3
Control activity: The organization routinely patches its service-supporting infrastructure, covering regular maintenance and identified vulnerabilities, to bolster server security against potential threats.
Test applied by auditor: Examine the organization's service-supporting infrastructure to ensure patches are applied for routine maintenance and that identified vulnerabilities are addressed to enhance server security against potential threats.

CC8.1.4
Control activity: The organization conducts annual penetration testing and implements changes to remediate vulnerabilities according to SLAs.
Test applied by auditor: Examine the organization's penetration testing to ensure it occurs at least once a year.

CC8.1.5
Control activity: Access to migrate changes to the production environment is granted exclusively to authorized personnel within the organization.
Test applied by auditor: Examine access rights for migrating changes to the production environment and ensure that only authorized personnel within the organization have this privileged access.
CC9.0: Risk Mitigation

CC9.1: The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

Control Activity Specified by Organization | Control | Test Applied by Auditor | Test Results

CC9.1.1
Control activity: The organization establishes business continuity and disaster recovery plans that include communication strategies to ensure information security continuity in case key personnel become unavailable.
Test applied by auditor: Examine the plans to ensure the organization outlines communication strategies for maintaining information security continuity if key personnel are unavailable.

CC9.1.2
Control activity: The organization performs annual risk assessments that identify threats and changes, formally assess risks to service commitments, and consider fraud's potential impact on objectives.
Test applied by auditor: Examine the organization's risk assessment documentation to ensure it includes annual assessments, identification of threats and changes to service commitments with formal risk assessment, and consideration of fraud's potential impact on objectives.

CC9.1.3
Control activity: The organization establishes a documented risk management program that covers threat identification, risk significance rating, and mitigation strategies.
Test applied by auditor: Examine the organization's risk management program to ensure it covers threat identification, risk assessment, and mitigation strategies.
CC9.0: Risk Mitigation

CC9.2: The entity assesses and manages risks associated with vendors and business partners.

Control Activity Specified by Organization | Control | Test Applied by Auditor | Test Results

CC9.2.1
Control activity: The organization has formal agreements with vendors and relevant third parties encompassing confidentiality and privacy commitments tailored to the entity's requirements.
Test applied by auditor: Examine the organization's written agreements with vendors and related third parties, ensuring they incorporate confidentiality and privacy commitments tailored explicitly to the entity.

CC9.2.2
Control activity: The organization has a vendor management program that includes a critical third-party vendor inventory, security and privacy requirements for vendors, and annual reviews of essential vendors.
Test applied by auditor: Examine the organization's vendor management program to ensure that it establishes a structured process for documenting and managing vendor relationships.