
SOC2®


Summary

SOC 2 reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization that are relevant to the security, availability, and processing integrity of the systems the organization uses to process users' data, as well as to the confidentiality and privacy of the information processed by those systems. The version used in this section is the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (last revised in March 2020).

Definitions

Definition / Requirements

CC2_3. Communication and information
    318. Notify third parties of changes
CC5_1. Control activities
    062. Define standard configurations
CC5_2. Control activities
    062. Define standard configurations
CC6_1. Logical and physical access controls
    228. Authenticate using standard protocols
    231. Implement a biometric verification component
    264. Request authentication
CC6_2. Logical and physical access controls
    034. Manage user accounts
    095. Define users with privileges
    114. Deny access with inactive credentials
    122. Validate credential ownership
CC6_3. Logical and physical access controls
    186. Use the principle of least privilege
    341. Use the principle of deny by default
CC6_4. Logical and physical access controls
    231. Implement a biometric verification component
CC6_5. Logical and physical access controls
    144. Remove inactive accounts periodically
CC6_6. Logical and physical access controls
    115. Filter malicious emails
    253. Restrict network access
    257. Access based on user credentials
CC6_7. Logical and physical access controls
    181. Transmit data using secure protocols
CC6_8. Logical and physical access controls
    115. Filter malicious emails
    155. Application free of malicious code
C1_1. Additional criteria for confidentiality
    185. Encrypt sensitive information
    300. Mask sensitive data
    375. Remove sensitive data from client-side applications
C1_2. Additional criteria for confidentiality
    183. Delete sensitive data securely
    210. Delete information from mobile devices
P1_1. Additional criteria for privacy (related to notice and communication of objectives related to privacy)
    186. Use the principle of least privilege
P2_1. Additional criteria for privacy (related to choice and consent)
    310. Request user consent
P3_1. Additional criteria for privacy (related to collection)
    360. Remove unnecessary sensitive information
P3_2. Additional criteria for privacy (related to collection)
    310. Request user consent
P4_1. Additional criteria for privacy (related to use, retention, and disposal)
    189. Specify the purpose of data collection
    310. Request user consent
    314. Provide processing confirmation
    315. Provide processed data information
P4_2. Additional criteria for privacy (related to use, retention, and disposal)
    229. Request access credentials
    300. Mask sensitive data
P4_3. Additional criteria for privacy (related to use, retention, and disposal)
    183. Delete sensitive data securely
    317. Allow erasure requests
    318. Notify third parties of changes
    360. Remove unnecessary sensitive information
P5_2. Additional criteria for privacy (related to access)
    316. Allow rectification requests
P6_1. Additional criteria for privacy (related to disclosure and notification)
    189. Specify the purpose of data collection
    310. Request user consent
P6_2. Additional criteria for privacy (related to disclosure and notification)
    079. Record exact occurrence time of events
    311. Demonstrate user consent
P6_3. Additional criteria for privacy (related to disclosure and notification)
    079. Record exact occurrence time of events
P6_5. Additional criteria for privacy (related to disclosure and notification)
    318. Notify third parties of changes