SOC 2 - Trust Services Criteria (2017)
SOC2
Requirements in this framework (55)
- COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values
- COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
- COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities
- COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals
- COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities
- COSO Principle 6: The entity specifies objectives with sufficient clarity to enable identification and assessment of risks
- COSO Principle 7: The entity identifies risks to the achievement of its objectives and analyzes risks
- COSO Principle 8: The entity considers the potential for fraud in assessing risks
- COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control
- COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks
- COSO Principle 11: The entity selects and develops general control activities over technology
- COSO Principle 12: The entity deploys control activities through policies and procedures
- COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control
- COSO Principle 14: The entity internally communicates information necessary to support the functioning of internal control
- COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control
- COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations
- COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner
- Prior to issuing credentials and granting access, the entity registers and authorizes new users
- The entity assesses and manages risks associated with vendors and business partners
- The entity authorizes, designs, develops or acquires, configures, documents, tests, approves changes
- The entity authorizes, designs, develops, implements, operates, approves, maintains, and monitors environmental protections
- The entity authorizes, modifies, or removes access to data, software, functions, and services
- The entity collects personal information only for the purposes identified in the notice
- The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information
- The entity corrects, amends, or appends personal information based on information provided by data subjects
- The entity discloses personal information to third parties with the explicit consent of data subjects
- The entity discontinues logical and physical protections over physical assets
- The entity disposes of confidential information to meet the entity's objectives
- The entity evaluates security events to determine whether they could or have resulted in failures
- The entity grants identified and authenticated data subjects the ability to access their stored personal information
- The entity identifies and maintains confidential information
- The entity identifies, develops, and implements activities to recover from security incidents
- The entity identifies, selects, and develops risk mitigation activities for risks arising from business disruptions
- The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software
- The entity implements logical access security measures to protect against threats from sources outside its system boundaries
- The entity implements logical access security software, infrastructure, and architectures
- The entity implements policies and procedures over system inputs to provide reasonable assurance
- The entity implements policies and procedures over system outputs
- The entity implements policies and procedures over system processing
- The entity implements policies and procedures to store inputs, items in processing, and outputs
- The entity implements procedures to receive, address, resolve, and communicate the resolution of inquiries and complaints
- The entity limits the use of personal information to purposes identified in the notice
- The entity maintains, monitors, and evaluates current processing capacity
- The entity monitors system components and the operation of those components for anomalies
- The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives
- The entity provides data subjects with an accounting of personal information disclosed to third parties
- The entity provides for data backup, recovery, and offsite storage
- The entity provides notice to data subjects about privacy practices
- The entity responds to identified security incidents by executing a defined incident response program
- The entity restricts physical access to facilities and protected information assets
- The entity restricts the transmission, movement, and removal of information to authorized users and processes
- The entity retains personal information consistent with its objectives
- The entity securely disposes of personal information
- To meet its objectives, the entity uses detection and monitoring procedures to identify anomalies