SOC2 Checklist and Tips
The guidelines and examples below provide a comprehensive approach to achieving SOC2 compliance across technology, people, vendor risk management, customers, and risk management domains. Keep in mind that compliance is an ongoing process, and regular reviews and updates are crucial to maintaining a robust security posture.
Technology
Apply Device Encryption:
- Guidance: Enable full disk encryption on all devices, including laptops and mobile devices.
- Example: Utilize BitLocker for Windows devices and FileVault for macOS. Implement centralized management through Mobile Device Management (MDM) for better control and reporting.
Enforce Strong Password Policy + MFA:
- Guidance: Utilize complex passwords and Multi-Factor Authentication (MFA) across all platforms.
- Example: Set a password policy requiring a combination of uppercase, lowercase, numbers, and special characters. Enable MFA for cloud services, SaaS applications, and local resources.
Configure Firewall Rules:
- Guidance: Define and implement firewall rules for both cloud providers and local office networks.
- Example: Use security groups in cloud providers and configure firewalls in the office to restrict unauthorized access.
Configure Encryption Key Management:
- Guidance: Implement a robust key management strategy covering IAM access keys, keys held in a Key Management Service (KMS), and any other encryption material.
- Example: Rotate encryption keys regularly and store them securely. Limit access to key management systems.
Configure Infrastructure Uptime Monitoring:
- Guidance: Set up automated monitoring with alerts and track uptime Service Level Agreements (SLA).
- Example: Use tools like Prometheus or AWS CloudWatch to monitor infrastructure health. Configure alerts for critical events.
Configure Logs Across Infrastructure:
- Guidance: Enable comprehensive logging, including audit trail logs, application logs, and access logs.
- Example: Implement centralized logging solutions such as ELK Stack or Splunk to aggregate logs for analysis.
Configure Automated Monitoring of Logs:
- Guidance: Set up automated log monitoring with alerts for predefined stakeholders.
- Example: Use tools like AWS CloudWatch Alarms or Elasticsearch Watcher to monitor logs and trigger alerts.
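As an added illustration of the log-monitoring items above (not part of the original checklist), the following Python script runs a handful of SOC2-relevant detection rules over events shaped like AWS CloudTrail records: root account use, console login without MFA, changes to the audit trail itself, and security-group rules opened to the whole internet. The events are constructed sample data, and the rule names and the `evaluate` function are this example's own.

```python
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# API calls that weaken or switch off the audit trail itself.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def actor(event):
    """Human-readable principal: IAM user name, or the identity type (e.g. Root)."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")

def world_open_ingress(event):
    """True if any ipRanges/ipv6Ranges entry in the request opens a port to the whole internet."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for key in ("ipRanges", "ipv6Ranges"):
            for rng in perm.get(key, {}).get("items", []):
                if rng.get("cidrIp") in WORLD_CIDRS or rng.get("cidrIpv6") in WORLD_CIDRS:
                    return True
    return False

def evaluate(events):
    """Return one finding dict per matched rule, naming the rule, event and actor."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        who = actor(ev)
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append({"rule": "root-account-used", "event": name, "actor": who})
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append({"rule": "console-login-without-mfa", "event": name, "actor": who})
        if name in LOGGING_TAMPER:
            findings.append({"rule": "audit-logging-changed", "event": name, "actor": who})
        if name == "AuthorizeSecurityGroupIngress" and world_open_ingress(ev):
            findings.append({"rule": "world-open-ingress", "event": name, "actor": who})
    return findings

# Constructed sample events modelled on the CloudTrail record shape (not real data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "dave"}},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields four findings (the root login matches two rules); in practice the same function would be fed from the centralized log store and its output routed to the alerting channel the checklist calls for.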
Document Detailed System Description:
- Guidance: Create and maintain detailed system descriptions with architecture diagrams.
- Example: Use Confluence, a wiki, or Google Drive to store architecture diagrams and system documentation, ensuring they are accessible to relevant teams.
Configure Database and Server Disk Storage Encryption:
- Guidance: Implement encryption for databases and server disk storage. Automate offsite backups and ensure they are encrypted.
- Example: Use Transparent Data Encryption (TDE) for databases and solutions like AWS Backup for automated encrypted offsite backups.
Configure Bucket Storage Encryption (S3):
- Guidance: Enable encryption at rest for bucket storage in services like Amazon S3.
- Example: Utilize S3 default encryption settings or implement server-side encryption.
Ensure Restricted Access Permissions:
- Guidance: Implement the principle of least privilege and justify any privileged access.
- Example: Use IAM policies, apply permissions via groups/roles, and regularly review and update access controls.
Configure CI/CD Controls and Restrictions:
- Guidance: Implement controls in your CI/CD pipeline, including branch protection, code reviews, and automated testing.
- Example: Use tools like Jenkins, GitLab CI, or GitHub Actions to enforce code quality and security checks.
Deploy Centralized Anti-Malware Solution:
- Guidance: Implement an Endpoint Detection and Response (EDR) solution across endpoints and servers.
- Example: Use solutions like CrowdStrike, Carbon Black, or Microsoft Defender for comprehensive endpoint security.
Maintain Inventory of IT Assets:
- Guidance: Keep an up-to-date inventory of endpoints, servers, and network devices.
- Example: Use tools like Snipe-IT or Lansweeper to track and manage IT assets.
Enforce Encryption in Transit:
- Guidance: Use TLS 1.2 or later for encrypting data in transit.
- Example: Regularly test and verify encryption strength using tools like SSL Labs.
Segregate Prod, Dev, and Test Environments:
- Guidance: Maintain separate environments with distinct accounts, users, and data.
- Example: Use different AWS accounts or virtual networks for production and development environments.
Perform Periodic Penetration Tests:
- Guidance: Conduct penetration tests at least once a year, record findings, assign owners, and remediate vulnerabilities.
- Example: Engage with third-party penetration testing services and use tools like OWASP ZAP for automated testing.
Restrict and Protect Access:
- Guidance: Implement firewalls, VPNs, and enforce HTTPS-only access. Enable delete protection where applicable.
- Example: Use AWS Security Groups, Zero Trust Access policies, and block public access where not needed.
Deploy a WAF to Protect Web Applications:
- Guidance: Implement a Web Application Firewall (WAF) to protect against common web application attacks.
- Example: Use services like AWS WAF or third-party solutions to filter and monitor HTTP traffic.
Link PRs to Tickets:
- Guidance: Connect code changes to corresponding tickets for traceability.
- Example: Use integrations between version control systems (e.g., GitHub) and issue tracking tools (e.g., Jira) to link pull requests to specific tickets.
Configure Ongoing Vulnerability Scans:
- Guidance: Regularly scan for vulnerabilities in source code, dependencies, web applications, Docker images, cloud services, the network, and endpoints.
- Example: Utilize tools like Nessus, Qualys, or GitLab CI/CD for continuous vulnerability scanning. Document and prioritize findings for resolution.
People
Security Policies:
- Guidance: Periodically review, approve, and ensure employees acknowledge security policies.
- Example: Use a secure internal portal or Google Drive to share policies, and track employee acknowledgments.
BOD Meetings:
- Guidance: Hold quarterly Board of Directors (BOD) meetings and document minutes.
- Example: Use Google Drive to store meeting minutes and calendar invitations for scheduling.
Organizational Chart:
- Guidance: Periodically update the organizational chart without employee names.
- Example: Share an anonymized organizational chart via a secure internal portal.
Job Descriptions:
- Guidance: Publish detailed job descriptions publicly.
- Example: Display job descriptions on the company website's career page or LinkedIn.
Executive Management Meetings:
- Guidance: Hold quarterly executive management meetings and document minutes.
- Example: Store meeting minutes in Google Drive and send calendar invitations for scheduling.
NDAs/Confidentiality Agreements:
- Guidance: Ensure employees sign NDAs, storing them in Google Drive by employee.
- Example: Use a standardized NDA template and track signings digitally.
Employee Onboarding/Offboarding Checklist:
- Guidance: Prepare and follow a checklist for employee onboarding/offboarding.
- Example: Use a shared document to ensure HR, IT, and hiring managers follow a standardized process.
Record IT Access Requests/Revokes:
- Guidance: Record and store all IT access request and revocation tickets.
- Example: Use a ticketing system or shared document to track access requests and changes.
Security Awareness Training:
- Guidance: Conduct annual security awareness training for all employees.
- Example: Utilize online training platforms or hire third-party trainers to educate employees on security best practices.
Secure Development Training:
- Guidance: Conduct annual secure development training for R&D employees.
- Example: Provide training on secure coding practices, OWASP Top 10, and common vulnerabilities in software development.
Employee Background/Reference Checks:
- Guidance: Conduct background and reference checks, storing summaries in Google Drive.
- Example: Use standardized interview and reference check templates, documenting findings.
InfoSec Policy with Roles and Responsibilities:
- Guidance: Establish and follow an information security policy with clear roles and responsibilities.
- Example: Clearly define responsibilities for access control, incident response, and security monitoring in the policy.
Performance Reviews:
- Guidance: Ensure all managers conduct annual performance reviews and document them.
- Example: Use standardized performance review forms and schedule regular feedback sessions.
Vendor Risk Management (3rd Party Risk)
Vendor Onboarding/Offboarding Checklist:
- Guidance: Prepare and follow a checklist for onboarding/offboarding vendors.
- Example: Include steps for assessing security practices and compliance during vendor onboarding.
Vendor NDAs:
- Guidance: Ensure all vendors sign NDAs, storing them by vendor in Google Drive.
- Example: Use a standardized NDA template and require vendors to sign before engagement.
Vendor Risk Management Policy:
- Guidance: Establish and follow a vendor risk management policy.
- Example: Include criteria for assessing vendor security, data protection, and compliance in the policy.
Periodic Vendor Risk Assessment:
- Guidance: Conduct annual vendor risk assessments, combining automated scans and manual assessments.
- Example: Use third-party services and questionnaires to evaluate vendors' security postures.
Customers
Store Signed SLA Agreements:
- Guidance: Maintain copies of signed Service Level Agreement (SLA) agreements.
- Example: Store SLAs in a secure location and ensure easy retrieval for reference.
Public Customer Support Channels:
- Guidance: Publish public customer support channels and store all support tickets.
- Example: Use ticketing systems like Freshdesk or Zendesk and ensure timely response and resolution.
Service Interruption Notifications:
- Guidance: Prepare templates for service interruption notifications and store sent notifications.
- Example: Use a standardized template and ensure clear communication during service interruptions.
Release Notes Communication:
- Guidance: Communicate release notes to customers via the website or email.
- Example: Include a change log highlighting new features, improvements, and bug fixes.
Uptime Status Page:
- Guidance: Share an uptime status page on the website for transparency.
- Example: Use tools like Statuspage or custom solutions to display real-time system status.
Share System Description with Customers:
- Guidance: Share system descriptions and architecture diagrams with customers.
- Example: Include this information in marketing collateral or provide access to customers upon request.
Risk Management (1st Party Risk)
Risk Management Policy:
- Guidance: Prepare and follow a comprehensive risk management policy.
- Example: Define risk tolerance, risk assessment methodologies, and mitigation strategies in the policy.
Periodic Risk Assessments:
- Guidance: Conduct annual risk assessments to identify and evaluate potential risks.
- Example: Use risk assessment tools and methodologies to quantify and prioritize risks.
Risk Assessment Meetings:
- Guidance: Hold annual risk assessment meetings with executive management.
- Example: Use these meetings to review and update risk profiles, mitigation plans, and risk ownership.
User Access Reviews:
- Guidance: Conduct quarterly user access reviews across cloud providers, CI/CD tools, and SaaS applications.
- Example: Use automated tools and manual checks to ensure access permissions align with job roles.
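An added example (not from the original checklist) of the quarterly user access review, which also serves the least-privilege review under "Ensure Restricted Access Permissions" in the Technology section: it compares a constructed account export against an HR roster and a role-to-entitlement matrix and reports accounts that are not on the roster, hold entitlements beyond their role, have not logged in recently, or hold privileged access without MFA. The roster, entitlement names, the 90-day threshold and the `review` function are assumptions of this example.

```python
from datetime import date

# Constructed role-to-entitlement matrix: what each job role may hold (assumption of this example).
ROLE_ENTITLEMENTS = {
    "backend-engineer": {"aws:ReadOnly", "aws:DeveloperDeploy", "github:write"},
    "sre": {"aws:ReadOnly", "aws:DeveloperDeploy", "aws:AdministratorAccess", "github:admin"},
    "support": {"zendesk:agent"},
}
ROSTER = {"alice": "backend-engineer", "bob": "sre", "carol": "support"}  # constructed HR roster

# Constructed account export, as an admin console or API listing might provide it.
ACCOUNTS = [
    {"user": "alice", "entitlements": {"aws:ReadOnly", "aws:AdministratorAccess"},
     "last_login": "2024-03-01", "mfa": True},
    {"user": "bob", "entitlements": {"aws:AdministratorAccess", "github:admin"},
     "last_login": "2024-03-10", "mfa": False},
    {"user": "carol", "entitlements": {"zendesk:agent"},
     "last_login": "2023-11-01", "mfa": True},
    {"user": "dave", "entitlements": {"github:write"},
     "last_login": "2024-02-20", "mfa": True},
]

STALE_DAYS = 90  # no login within this window: candidate for removal
PRIVILEGED = {"aws:AdministratorAccess", "github:admin"}  # entitlements that must have MFA

def review(accounts, roster, role_entitlements, as_of, stale_days=STALE_DAYS):
    """Return (user, issue, detail) tuples for every account that fails a review check."""
    today = date.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        user = acct["user"]
        role = roster.get(user)
        if role is None:
            # No HR record: usually a missed offboarding or an unowned service account.
            findings.append((user, "no-roster-match", "not on HR roster"))
            continue
        excess = acct["entitlements"] - role_entitlements.get(role, set())
        if excess:
            findings.append((user, "exceeds-role", f"{role} is not entitled to {sorted(excess)}"))
        if (today - date.fromisoformat(acct["last_login"])).days > stale_days:
            findings.append((user, "stale-account", f"last login {acct['last_login']}"))
        if acct["entitlements"] & PRIVILEGED and not acct["mfa"]:
            findings.append((user, "privileged-without-mfa", sorted(acct["entitlements"] & PRIVILEGED)))
    return findings
```

Each finding is the row a reviewer either remediates or attaches a written justification to, which is the evidence an auditor asks for when checking that privileged access is justified.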
Access Control Policy:
- Guidance: Prepare and follow an access control policy.
- Example: Define procedures for granting, modifying, and revoking access privileges, and ensure they align with business needs.
Physical Security Policy:
- Guidance: Establish and follow a physical security policy, including CCTV monitoring and access restrictions.
- Example: Implement access card systems, visitor logs, and restricted access zones within physical facilities.
SDLC Procedure:
- Guidance: Prepare and follow a Software Development Life Cycle (SDLC) procedure.
- Example: Define stages, roles, and security checkpoints within the SDLC to ensure secure coding practices.
Cyber Insurance:
- Guidance: Purchase cyber insurance to transfer some 1st and 3rd party risks.
- Example: Work with insurance providers to customize coverage based on identified risks and potential financial impact.