SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdf

www.infosectrain.com
SOC 2
(Service Organization Control)
Type 2 Checklist Part - 2

CC6.0: Logical and Physical Access Control
Control Activity Specified by Organization
Control
CC6.1: The entity implements logical access security software, infrastructure, and
architectures over protected information assets to protect them from security events to
meet the entity's objectives.
Test Applied by Auditor Test Results
The organization creates an access control policy and a user
registration process to authorize individuals before granting them
system access privileges.
CC6.1.1
Examine and ensure that the organization developed an access
control policy and a corresponding registration and authorization
process for individuals.
The organization restricts system access based on job roles or
requires an approved access request form and manager's
approval before granting access to relevant system components.
CC6.1.2
Examine user access to system components and ensure that the
manager approves it.
The organization maintains a data classification policy to ensure
that confidential information is securely protected and accessible
only to authorized users.
CC6.1.3
Examine the organization's data classification policy and ensure it
secures confidential data, restricting access solely to authorized
personnel.
The organization limits access to encryption keys, which are
considered privileged, to authorized users who have a legitimate
business need.
CC6.1.4
Examine the organization's cryptography policy to ensure that it
confines privileged access to encryption keys to authorized users
with valid business requirements.
Remote access to the organization's production systems is
exclusively permitted for authorized employees with a valid
Multi-Factor Authentication (MFA) method.
CC6.1.5
Examine the organization's production systems to ensure that only
authorized employees with a valid Multi-Factor Authentication
(MFA) method can access them remotely.

Control Test Applied by Auditor Test Results
The organization's access control policy specifies the protocols
for adding, modifying, or revoking user access.
CC6.2.1
Examine the organization's access control policy to ensure its
existence, approval, and documentation of procedures for adding,
modifying, and removing user access.
The organization performs quarterly access assessments on
system components within scope to guarantee proper access
restrictions, with ongoing tracking of necessary changes until
they are implemented.
CC6.2.2
Examine access reviews for the relevant system parts to ensure
appropriate access restrictions and monitor required changes until
they are finalized.
The organization uses termination checklists to make sure that
access is promptly revoked for employees who have been
terminated, meeting the defined Service Level Agreements (SLAs).
CC6.2.3
Examine the termination checklist to ensure that access is
promptly removed for employees who have been terminated.
To access the production network, the organization mandates
using either different usernames and passwords or authorized
Secure Socket Shell (SSH) keys for authentication.
CC6.2.4
Examine how the organization authenticates access to the
production network and ensure it uses unique usernames and
passwords or authorized Secure Socket Shell (SSH) keys.
The firm ensures that users can access specific parts of the
system based on their job role or by filling out a form and getting
their manager's approval before getting in.
CC6.2.5
Examine how users access the system to ensure it's either based
on their job or by filling out a form and getting their manager's
approval before they can access it.
CC6.2: Prior to issuing system credentials and granting system access, the entity registers
and authorizes new internal and external users whose access is administered by the entity.
For those users whose access is administered by the entity, user system credentials are
removed when user access is no longer authorized.

The organization maintains a matrix that specifies which system
parts staff members can access according to their roles.
CC6.3.1
Examine the staff access matrix.
When staff members leave the organization, access to the firm's
systems is promptly revoked as part of the off boarding process.
CC6.3.2
Examine the employee's access removal process to ensure that a
termination checklist is followed and access is adequately revoked
when an employee leaves.
The organization ensures that access to the infrastructure provider's
environment, specifically the production console, is limited to
individuals who need it for their job tasks.
CC6.3.3
Examine the infrastructure access and ensure it's restricted to
individuals with job-related access requirements.
The organization ensures that access to the production
databases is granted only to individuals who need it to carry out
their job responsibilities.
CC6.3.4
Examine the production database access and ensure it is
accessible to individuals who require it to carry out their job tasks.
The organization conducts quarterly access audits for in-scope
system components, ensuring proper access controls and
tracking needed changes until completion.
CC6.3.5
Examine access reviews for in-scope system components to
ensure appropriate access restrictions and monitor necessary
changes until completed.
CC6.3: The entity authorizes, modifies, or removes access to data, software, functions, and
other protected information assets based on roles, responsibilities, or the system design
and changes, giving consideration to the concepts of least privilege and segregation of
duties, to meet the entity’s objectives.

The organization establishes procedures to authorize and
manage physical access to its data centers, including granting,
modifying, or terminating access, with authorization from control
owners.
CC6.4.1
Examine the system description to ensure that AWS is accountable
for controlling access to the data center, allowing entry only to
authorized personnel.
The organization conducts annual assessments of data center
access.
CC6.4.2
Examine the system description to ensure that AWS is accountable
for ensuring that only authorized personnel have access to the data
center.
The organization mandates that visitors must sign in, wear a
designated visitor badge, and be accompanied by an authorized
employee when entering the data center or secure zones.
CC6.4.3
Examine the physical security policy to ensure the presence of
documented visitor management procedures, including sign-in,
badge-wearing, escorting if required, access approval, and sign-out.
Also, examine the system description to ensure AWS manages
physical security controls.
The organization performs access assessments on in-scope
system components every quarter to verify that access is
adequately limited. Any necessary changes are documented and
monitored until they are fully implemented.
CC6.4.4
Examine a quarterly access review, ensuring the presence of
regular access reviews and access modifications aligned with
business needs. Additionally, examine the access control and
termination policy to ensure that access restrictions follow the
principle of least privilege, requiring approval and documentation
for changes.
CC6.4: The entity restricts physical access to facilities and protected information assets
(for example, data center facilities, backup media storage, and other sensitive locations) to
authorized personnel to meet the entity’s objectives.

The organization follows best practices to eliminate or destroy
electronic media holding confidential information, and it issues
certificates of destruction for each disposed device.
CC6.5.1
Examine a data disposal log in secureframe and ensure the data
retention and disposal policy documents procedures comply with
NIST guidelines.
The organization employs termination checklists to guarantee
that access is promptly revoked for employees who have been
terminated in accordance with agreed service level agreements
(SLAs).
CC6.5.2
Examine the procedure for removing an employee's access to
ensure that they adhere to a termination checklist and that access
is correctly revoked when an employee leaves the organization.
The organization follows industry best practices by removing or
purging customer data containing confidential information from the
application environment when customers discontinue their service.
CC6.5.3
Examine the data retention and disposal policy for documented
processes, including secure data retention and deletion within 30
days upon customer request, and ensure the presence of a disposal
log in secureframe for secure data disposal.
The organization establishes formal procedures to guide the
secure retention and disposal of company and customer data.
CC6.5.4
Examine data retention policy for secure data handling and ensure
secureframe for data disposal logs.
CC6.5: The entity discontinues logical and physical protections over physical assets only
after the ability to read or recover data and software from those assets has been diminished
and is no longer required to meet the entity’s objectives.

The organization employs secure data transmission protocols to
encrypt confidential and sensitive data when sending it across
public networks.
CC6.6.1
Examine the organization's secure data transmission protocols to
ensure that they incorporate encryption for safeguarding
confidential and sensitive data during transmission over public
networks.
The organization employs an intrusion detection system to
continuously monitor its network and promptly identify potential
security breaches.
CC6.6.2
Examine the organization's intrusion detection system to ensure its
setup for ongoing network monitoring, ensuring the early
identification of potential security breaches.
The organization documents network and system hardening
standards, which align with industry best practices and undergo an
annual review.
CC6.6.3
Examine the organization's network and system hardening standards
to ensure that they align with industry best practices and undergo a
yearly review for compliance.
The organization conducts annual reviews of its firewall rulesets
and ensures that necessary changes are monitored until they are
implemented.
CC6.6.4
Examine the firewall rulesets to confirm that they undergo annual
reviews and any necessary changes are observed until they are
fully implemented.
The organization includes regular maintenance and addressing
identified vulnerabilities as part of its routine procedures for
patching the infrastructure that supports the service. This
practice helps fortify the security of the servers that underpin the
service against potential threats.
CC6.6.5
Examine the infrastructure supporting the service to ensure it
undergoes routine maintenance and patching, addressing
identified vulnerabilities to enhance server security against
potential threats.
CC6.6: The entity implements logical access security measures to protect against threats
from sources outside its system boundaries.

The organization mandates encryption for all organization-owned
endpoints to safeguard them from unauthorized access.
CC6.7.1
Examine the encryption process to ensure its implementation across all
endpoints, protecting unauthorized access.
The organization ensures that user access to the organization's
application is protected by utilizing the HTTPS protocol with the TLS
algorithm and encryption methods that adhere to industry standards.
CC6.7.2
Examine HTTPS (TLS algorithm) use and ensure that encryption techniques
align with industry standards.
The organization records production infrastructure assets and separates
them from its staging and development assets.
CC6.7.3
Examine the production infrastructure assets' records and ensure they
have been clearly distinguished from the staging and development assets.
The organization guarantees that customer data utilized in non-production
environments receives an equivalent level of protection as that provided in
the production environment.
CC6.7.4
Examine that both production and non-production environments
maintain equal protection for customer data.
The organization possesses an encryption policy that is documented and
accessible to all staff through the organization's intranet.
CC6.7.5
Examine the encryption policy to ensure it has been provided to all
organization staff through the firm's intranet.
CC6.7: The entity restricts the transmission, movement, and removal of information to
authorized internal and external users and processes, and protects it during transmission,
movement, or removal to meet the entity’s objectives.

The organization installs anti-malware technology in environments
often vulnerable to malicious attacks, ensuring regular updates,
comprehensive logging, and deployment on all applicable systems.
CC6.8.1
Examine the organization's anti-malware technology to ensure it is
set up for regular updates, maintains complete logs, and is
installed on all applicable systems.
The organization establishes a structured Systems Development Life
Cycle (SDLC) methodology that regulates the development,
acquisition, implementation, modifications (including emergency
changes) and maintenance of information systems and associated
technology needs.
CC6.8.2
Examine the organization's SDLC methodology to ensure it oversees
information system development, acquisition, implementation,
modifications, and maintenance, including related technology needs.
The organization routinely applies patches to the infrastructure
supporting the service, addressing identified vulnerabilities, as a
proactive measure to fortify the security of the servers that underpin
the service against potential threats.
CC6.8.3
Examine the service's infrastructure to ensure routine patching and
vulnerability-based updates are applied to secure the supporting
servers against security threats.
CC6.8: The entity implements controls to prevent or detect and act upon the introduction of
unauthorized or malicious software to meet the entity’s objectives.

The organization mandates that changes to the software and
infrastructure components of the service must undergo
authorization, formal documentation, testing, review, and approval
processes before being implemented in the production
environment.
CC7.1.1
Examine the software and infrastructure components changes to
ensure they go through authorization, formal documentation,
testing, review, and approval before going into the production
environment.
The organization's formal policies specify the requirements for
IT/Engineering functions, encompassing vulnerability
management and system monitoring.
CC7.1.2
Examine the organization's standard policies to delineate the
criteria for IT-related operations, including vulnerability
management and system monitoring.
The organization conducts host-based vulnerability scans on all
external-facing systems quarterly, focusing on identifying and
addressing critical and high vulnerabilities.
CC7.1.3
Examine the vulnerability scans to ensure they occurred quarterly for
all external-facing systems and found that critical and high
vulnerabilities were actively monitored and remediated.
The organization conducts annual risk assessments that identify
threats and changes (environmental, regulatory, and
technological) affecting service commitments and formally
assessed risks, including fraud's potential impact on objectives.
CC7.1.4
Examine the organization's risk assessment documentation, ensure
annual assessments, identify threats and service commitment
changes, and formally evaluate risks, including fraud's potential
impact on objectives.
CC7.0: System Operations
CC7.1: To meet its objectives, the entity uses detection and monitoring procedures to
identify (1) changes to configurations that result in the introduction of new vulnerabilities,
and (2) susceptibilities to newly discovered vulnerabilities.

The organization employs an intrusion detection system to monitor its
network and promptly identify potential security breaches
continuously.
CC7.2.1
Examine the utilization and configuration of IDS, ensuring its role in
threat detection, continuous monitoring, and identifying security
breaches.
The organization employs a log management tool to detect events
affecting its ability to meet security objectives.
CC7.2.2
Examine log evidence through a screenshot, ensuring the maintenance
of event logs to support attaining security objectives.
The organization conducts annual penetration testing, with the
development of a remediation plan and timely implementation of
changes to address vulnerabilities within SLAs.
CC7.2.3
Examine that penetration tests are conducted, identified vulnerabilities are
tracked for remediation, and annual third-party penetration tests are in
place as per the vulnerability and patch management policy.
The organization ensures the servers supporting the service are
fortified against security threats by incorporating routine maintenance
and addressing identified vulnerabilities through infrastructure
patching.
CC7.2.4
Examine that penetration tests are conducted with vulnerability tracking
for remediation and ensure that patches are regularly installed as part of
routine maintenance to enhance system resilience against
vulnerabilities and threats.
The organization conducts host-based vulnerability scans on
external-facing systems quarterly, focusing on monitoring and addressing
critical and high vulnerabilities.
CC7.2.5
Examine secureframe to verify the execution of vulnerability scans,
assign severity ratings to findings, and track these findings for
remediation.
CC7.2: The entity monitors system components and the operation of those components for
anomalies that are indicative of malicious acts, natural disasters, and errors affecting the
entity's ability to meet its objectives; anomalies are analyzed to determine whether they
represent security events.

The organization employs a continuous monitoring system, to monitor
and communicate the status of the information security program to the
Information Security Officer and other relevant parties.
CC7.3.1
Examine the continuous monitoring system and ensure it consistently
tracks and reports on the information security program's status.
The organization mandates quarterly audits of employee endpoints to
verify that they are running the operating system's current or the
second most recent version.
CC7.3.2
Examine the operating system version and ensure that it is current and
up to date.
The organization's infrastructure is set up to produce audit events for
security-related actions of interest, which are then assessed and
scrutinized for any unusual or suspicious behavior.
CC7.3.3
Examine the internal audit logs to ensure that the organization utilizes a
continuous monitoring system, for tracking and delivering updates on the
status of the information security program.
The organization maintains constant surveillance of its production
assets, enabling prompt alerts and immediate response when required.
CC7.3.4
Examine the production assets to ensure that their alerting system
operates promptly.
The organization identifies vulnerabilities within the firm's platform
through annual penetration testing conducted by a certified third-party
service provider.
CC7.3.5
Examine and ensure that the organization performs the annual
penetration testing exercise.
CC7.3: The entity evaluates security events to determine whether they could or have
resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes
actions to prevent or address such failures.

The organization adheres to its security incident response policy
and procedures, ensuring that security and privacy incidents are
logged, monitored, resolved, and reported to the affected or
relevant parties under management's guidance.
CC7.4.1
Examine security and privacy incidents in the organization to
ensure they are correctly logged, monitored, resolved, and reported
to appropriate parties by management, following the company's
security incident response policy and procedures.
The organization performs annual testing of its incident response
plan as a minimum requirement.
CC7.4.2
Examine the organization's incident response plan to ensure that it
undergoes testing on an annual basis as a minimum requirement.
The organization has documented security and privacy incident
response policies and procedures communicated to authorized
personnel.
CC7.4.3
Examine the organization's security policies to ensure that
established security and privacy incident response policies and
processes are in place, as well as that they are communicated to
authorized users.
The organization regularly patches its service-supporting
infrastructure to support server security against threats,
addressing routine maintenance and identified vulnerabilities.
CC7.4.4
Examine the service-supporting infrastructure to ensure patching
for regular maintenance and identified vulnerabilities, enhancing
server security against potential threats.
The organization conducts host-based vulnerability scans on all
external-facing systems at a minimum frequency of quarterly
intervals, with a specific focus on tracking and addressing critical
and high vulnerabilities.
CC7.4.5
Examine the vulnerability scans to ensure they occur at a minimum
quarterly frequency for all external-facing systems and that critical
and high vulnerabilities are monitored and remediated as
necessary.
CC7.4: The entity responds to identified security incidents by executing a defined incident
response program to understand, contain, remediate, and communicate security incidents,
as appropriate.

CC8.0: Change Management
Control
CC8.1: The entity authorizes, designs, develops or acquires, configures, documents, tests,
approves, and implements changes to infrastructure, data, software, and procedures to meet its
objectives.
The organization mandates that any modifications to software
and infrastructure components of the service must undergo
before they can be implemented in the production environment.
CC8.1.1
Examine the organization's modifications to software and
infrastructure components and ensure that they undergo
before implementation in the production environment.
The organization follows a formal SDLC methodology that
oversees the entire lifecycle of information systems and related
technology, including development, acquisition, implementation,
changes (including emergencies), and maintenance.
CC8.1.2
Examine the organization's SDLC methodology, ensuring it
oversees information system development, acquisition,
implementation, modifications, and maintenance.
The organization routinely patches its service-supporting
infrastructure to bolster server security against potential security
threats, addressing regular maintenance and identified
vulnerabilities.
CC8.1.3
Examine the organization's service-supporting infrastructure, ensure
patches are applied for routine maintenance, and address identified
vulnerabilities to enhance server security against potential threats.
The organization conducts annual penetration testing and
implements changes to remediate vulnerabilities according to
SLAs.
CC8.1.4
Examine the organization's penetration testing to ensure it occurs
at least once a year.
Access to migrate changes to the production environment is
exclusively granted to authorized personnel within the
organization.
CC8.1.5
Examine access rights for migrating production environment
changes and ensure that only authorized personnel within the
organization have privileged access.
CC8.0: Change Management

CC9.0: Risk Mitigation
Control
CC9.1: The entity identifies, selects,and develops risk mitigation activities for risks arising
from potential business disruptions.
The organization establishes business continuity and disaster
recovery plans that include communication strategies to ensure
information security continuity in case key personnel become
unavailable.
CC9.1.1
Examine the plans to ensure the organization outlines
communication strategies for maintaining information security
continuity if key personnel are unavailable.
The organization performs annual risk assessments that identify
threats and changes, formally assess service commitments risks,
and consider fraud's potential impact on objectives.
CC9.1.2
Examine the organization's risk assessment documentation to
ensure it includes annual assessments, identification of threats
and changes to service commitments with formal risk assessment,
and consideration of fraud's potential impact on objectives.
The organization establishes a documented risk management
program that covers threat identification, risk significance rating,
and mitigation strategies.
CC9.1.3
Examine the organization's risk management program to ensure it
covers threat identification, risk assessment, and mitigation
strategies.

Control
CC9.2: The entity assesses and manages risks associated with vendors and business partners.
The organization has formal agreements with vendors and
relevant third parties encompassing confidentiality and privacy
commitments tailored to the entity's requirements.
CC9.2.1
Examine the organization's written agreements with vendors and
related third parties, ensuring they incorporate confidentiality and
privacy commitments tailored explicitly to the entity.
The organization has a vendor management program that
includes a critical third-party vendor inventory, security and
privacy requirements for vendors, and annual reviews of essential
vendors.
CC9.2.2
Examine the organization's vendor management program to ensure
that it establishes a structured process for documenting and
managing vendor relationships.

Found this useful?
To Get More Insights Through our FREE
Course | Workshops | eBooks | White Paper
Checklists | Mock Tests
Press the Icon &

SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdf

More Related Content

What's hot

Similar to SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdf

More from infosecTrain

Recently uploaded

SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdf