SOC for Service Organizations: Trust Services Criteria - A type 2 report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls.


Control   Description
CC6.1     The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
CC6.2     Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. User system credentials are removed when user access is no longer authorized.
CC6.3     The entity authorizes, modifies, or removes access to data and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties.
CC6.6     The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
CC6.7     The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
CC6.8     The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
CC7.1     To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
CC7.2     The entity monitors system components and their operation for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the ability to meet objectives; anomalies are analyzed to determine if they represent security events.
CC7.3     The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
CC8.1     The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
A1.1      The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
A1.2      The entity authorizes, designs, develops, or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
CC2.1     The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
CC5.1     The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.


To view the available Compliance Programs, open Compliance in your Aqua CSPM Console and select Defaults or Custom to filter the programs displayed. You can also expand the control details of a program using the Expand Settings toggle.