SOC II Type 2
SOC for Service Organizations: Trust Services Criteria - A type 2 report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls.
| Control | Description |
|---|---|
| CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
| CC6.2 | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. User system credentials are removed when user access is no longer authorized. |
| CC6.3 | The entity authorizes, modifies, or removes access to data and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties. |
| CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
| CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
| CC6.8 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
| CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
| CC7.2 | The entity monitors system components and their operation for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the ability to meet objectives; anomalies are analyzed to determine if they represent security events. |
| CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
| CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
| A1.1 | The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. |
| A1.2 | The entity authorizes, designs, develops, or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. |
| CC2.1 | The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
| CC5.1 | The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
To View the Compliance Programs available visit Compliance in your Aqua CSPM Console, and select Defaults or Custom to filter the programs displayed, you can also expand the program control details using the Expand Settings toggle.
Did you find it helpful? Yes No
Send feedbackSorry we couldn't be helpful. Help us improve this article with your feedback.