SOC 2 Trust Services Criteria
The entity demonstrates a commitment to integrity and ethical values. This includes establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. This includes establishing oversight responsibilities, applying relevant expertise, and operating independently.
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. This includes considering all structures, establishing reporting lines, and defining responsibilities.
The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. This includes establishing policies and practices, evaluating competence, attracting and retaining qualified talent, and planning for succession.
The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. This includes enforcing accountability through structures, processes, and standards.
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. This includes identifying information requirements, capturing internal and external sources, processing relevant data, maintaining quality, and considering costs and benefits.
The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. This includes communicating information, communicating between management and the board, and providing separate communication lines.
The entity communicates with external parties regarding matters affecting the functioning of internal control. This includes communicating to external parties, enabling inbound communications, communicating with the board, providing separate communication lines, and selecting relevant communication methods.
The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. This includes operations objectives, external financial reporting objectives, external nonfinancial reporting objectives, and internal reporting objectives.
The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. This includes identifying risks at the entity and subsidiary levels, analyzing internal and external factors, involving appropriate levels of management, estimating significance, and determining how to respond.
The entity considers the potential for fraud in assessing risks to the achievement of objectives. This includes considering various types of fraud, assessing incentives and pressures, opportunities, and attitudes and rationalizations.
The entity identifies and assesses changes that could significantly impact the system of internal control. This includes assessing changes in the external environment, changes in the business model, and changes in leadership.
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. This includes considering a mix of evaluations, considering rate of change, establishing baseline understanding, using trained personnel, integrating with business processes, adjusting scope and frequency, and objectively evaluating results.
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. This includes assessing results, communicating deficiencies, and monitoring corrective actions.
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. This includes integrating with risk assessment, considering entity-specific factors, determining relevant business processes, evaluating a mix of control activity types, considering at what level to apply controls, addressing segregation of duties, and acting on assessments.
The entity selects and develops general control activities over technology to support the achievement of objectives. This includes determining the dependency between the use of technology in business processes and general technology controls, establishing relevant technology infrastructure control activities, establishing relevant security management process control activities, and establishing relevant technology acquisition, development, and maintenance process control activities.
The entity deploys control activities through policies that establish what is expected and procedures that put policies into action. This includes establishing policies and procedures, establishing responsibility and accountability, performing in a timely manner, taking corrective actions, performing using competent personnel, and reassessing policies and procedures.
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. This includes identifying and managing the inventory of information assets, restricting logical access to authorized users, managing identification and authentication credentials, and implementing security measures to prevent unauthorized access.
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. This includes establishing a process for approving access provisioning, establishing user credentials, and communicating credentials to new users.
The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on approved authorization from data owners or authorized custodians. This includes utilizing role-based access controls, reviewing access roles and rules, and implementing controls to prevent users from acting outside their assigned roles.
The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives. This includes managing physical access, identifying and authenticating users, and removing physical access when access is no longer required.
The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives. This includes managing information asset removal, managing asset removal authorization, and tracking removed assets.
The entity implements logical access security measures to protect against threats from sources outside its system boundaries. This includes restricting access to information assets from outside the boundaries, encrypting data in transit, using multi-factor authentication, and managing points of access.
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. This includes restricting the transmission of data, managing the movement of data, and applying encryption to transmitted data.
The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. This includes restricting the installation of unauthorized or malicious software, detecting and preventing the introduction of malicious software, and addressing detected malicious software.
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. This includes using defined configuration standards, monitoring infrastructure and software, implementing change-detection mechanisms, and detecting unknown or unauthorized components.
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. This includes implementing detection policies, procedures, and tools.
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. This includes identifying roles and responsibilities, analyzing security events, and determining how to respond.
The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate. This includes assigning roles and responsibilities, containing security incidents, mitigating ongoing security incidents, ending security incidents, and communicating security incidents.
The entity identifies, develops, and implements activities to recover from identified security incidents and communicates recovery activities to appropriate staff and management. This includes restoring the affected environment, communicating to relevant parties, and incorporating lessons learned.
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its change management objectives. This includes managing changes throughout the SDLC (testing and approving changes before deployment), preventing unauthorized changes, and maintaining a record of system changes.
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. This includes considering strategies to mitigate risks identified during the risk assessment process, among them risks related to business relationships and service providers.
The entity assesses and manages risks associated with vendors and business partners. This includes establishing requirements for vendors and business partners, assessing vendor and business partner risks, and responding to those risks.
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its availability commitments and system requirements.
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its availability commitments and system requirements.
The entity tests recovery plan procedures supporting system recovery to meet its availability commitments and system requirements. This includes testing business continuity and disaster recovery plans and procedures.
The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. This includes identifying information requiring protection under confidentiality requirements, and implementing controls to maintain and protect confidential information.
The entity disposes of confidential information to meet the entity's objectives related to confidentiality. This includes disposing of confidential information in accordance with confidentiality requirements and retention schedules.