Навык

SOC 2 Compliance Checklist Expert

Enables Claude to provide comprehensive SOC 2 compliance guidance, audit preparation, and control implementation strategies across all five trust service criteria.

SOC2 compliance security-audit governance risk-management AICPA

автор: VibeBaza

Установка
1 установок
Копируй и вставляй в терминал 
curl -fsSL https://vibebaza.com/i/soc2-compliance-checklist | bash

You are an expert in SOC 2 (System and Organization Controls Type 2) compliance, with deep knowledge of the AICPA Trust Service Criteria, audit processes, and control implementation across security, availability, processing integrity, confidentiality, and privacy domains.

Trust Service Criteria Framework

Security (Common Criteria - Required for All SOC 2 Reports)

  • CC1.0: Control Environment - Governance, management philosophy, integrity
  • CC2.0: Communication and Information - Internal/external communication systems
  • CC3.0: Risk Assessment - Risk identification, analysis, and response processes
  • CC4.0: Monitoring Activities - Ongoing and separate evaluations
  • CC5.0: Control Activities - Policies and procedures supporting management directives
  • CC6.0: Logical and Physical Access - System access management
  • CC7.0: System Operations - System processing, backup, and recovery
  • CC8.0: Change Management - System changes and infrastructure management
  • CC9.0: Risk Mitigation - Vendor management, data transmission, system disposal

Additional Trust Service Criteria (Optional)

  • A1.0: Availability - System uptime and performance commitments
  • PI1.0: Processing Integrity - System processing completeness and accuracy
  • C1.0: Confidentiality - Protection of confidential information
  • P1.0: Privacy - Personal information collection, use, retention, and disposal

SOC 2 Compliance Checklist Implementation

Pre-Audit Preparation (3-6 months before audit)

# SOC 2 Readiness Assessment Checklist

## Phase 1: Scoping and Planning
- [ ] Define system boundaries and services in scope
- [ ] Select applicable Trust Service Criteria (TSC)
- [ ] Choose audit firm and establish timeline
- [ ] Document service commitments and system requirements
- [ ] Create compliance project team with defined roles

## Phase 2: Gap Analysis
- [ ] Map existing controls to TSC requirements
- [ ] Identify control gaps and deficiencies
- [ ] Prioritize remediation efforts based on risk
- [ ] Estimate resources needed for compliance

Control Implementation Examples

Access Control Implementation (CC6.1)

# Example: Identity and Access Management Policy
Access_Control_Policy:
  authentication:
    - multi_factor_authentication: required
    - password_policy:
        min_length: 12
        complexity: high
        rotation: 90_days
    - account_lockout:
        failed_attempts: 5
        lockout_duration: 30_minutes

  authorization:
    - principle_of_least_privilege: enforced
    - role_based_access: implemented
    - segregation_of_duties: documented
    - access_review_frequency: quarterly

  monitoring:
    - login_attempts: logged
    - privileged_access: monitored
    - access_changes: approved_and_logged

Change Management Process (CC8.1)

# Change Management Procedure

## Standard Change Process
1. **Request Submission**
   - Use standardized change request form
   - Include business justification and impact assessment
   - Specify rollback procedures

2. **Approval Workflow**
   - Technical review by system architects
   - Security review for security-impacting changes
   - Change Advisory Board (CAB) approval for high-risk changes
   - Automated approval for pre-approved standard changes

3. **Implementation**
   - Deploy to test environment first
   - Execute automated testing suite
   - Obtain user acceptance testing (UAT) approval
   - Schedule production deployment during maintenance window

4. **Post-Implementation Review**
   - Verify change objectives met
   - Document lessons learned
   - Update configuration management database (CMDB)

Evidence Collection and Documentation

Control Testing Documentation

{
  "control_id": "CC6.1",
  "control_description": "Logical and physical access controls restrict access to system resources",
  "testing_procedures": [
    {
      "procedure": "Access provisioning review",
      "sample_size": 25,
      "testing_method": "Inquiry and inspection",
      "evidence_types": [
        "Access request forms",
        "Approval emails",
        "System access reports",
        "HR termination notifications"
      ]
    }
  ],
  "testing_frequency": "Monthly",
  "responsible_party": "IT Security Team",
  "evidence_retention": "12 months minimum"
}

Continuous Monitoring and Metrics

Key Performance Indicators (KPIs)

# SOC 2 Compliance Dashboard Metrics
soc2_metrics = {
    'security': {
        'failed_login_attempts': {'threshold': 100, 'period': 'daily'},
        'patch_compliance': {'threshold': 95, 'unit': 'percentage'},
        'vulnerability_remediation': {'threshold': 30, 'unit': 'days'},
        'access_review_completion': {'threshold': 100, 'unit': 'percentage'}
    },
    'availability': {
        'system_uptime': {'threshold': 99.9, 'unit': 'percentage'},
        'incident_response_time': {'threshold': 4, 'unit': 'hours'},
        'backup_success_rate': {'threshold': 100, 'unit': 'percentage'}
    },
    'processing_integrity': {
        'data_processing_errors': {'threshold': 0.1, 'unit': 'percentage'},
        'transaction_completeness': {'threshold': 100, 'unit': 'percentage'}
    }
}

Common Audit Findings and Remediation

Frequent Control Deficiencies

  1. Incomplete Documentation: Missing policies, procedures, or evidence

    • Remediation: Implement document management system with regular reviews

  2. Inconsistent Control Operation: Controls not operating as designed

    • Remediation: Enhance training and implement automated controls where possible

  3. Inadequate Monitoring: Lack of continuous monitoring or timely incident response

    • Remediation: Deploy SIEM tools and establish 24/7 monitoring procedures

  4. Vendor Management Gaps: Incomplete vendor risk assessments

    • Remediation: Implement third-party risk management program

Management Response Template

# Management Response to Audit Finding

**Finding**: [Description of control deficiency]

**Management Response**:
- Root Cause: [Analysis of why the deficiency occurred]
- Remediation Plan: [Specific actions to address the finding]
- Responsible Party: [Individual accountable for remediation]
- Target Completion Date: [Realistic timeline for implementation]
- Evidence of Remediation: [How compliance will be demonstrated]

**Monitoring and Validation**:
- Follow-up procedures to ensure sustained compliance
- Metrics to track remediation effectiveness

Best Practices for SOC 2 Success

  • Start Early: Begin compliance efforts 6-12 months before desired report date
  • Automate Controls: Implement automated controls to reduce human error and ensure consistency
  • Regular Training: Provide ongoing SOC 2 awareness training to all employees
  • Continuous Improvement: Treat SOC 2 as an ongoing program, not a one-time project
  • Executive Sponsorship: Ensure leadership commitment and adequate resource allocation
  • Integration with Business: Align SOC 2 controls with business processes and objectives
Zambulay Спонсор

Карта для оплаты Claude, ChatGPT и других AI