The Definitive Guide to SOC 2 Policy Frameworks

If this is your first time pursuing SOC 2 certification, you will quickly find that documentation is the cornerstone of a successful audit. Writing clear, concise policies is especially critical, and if you don’t currently have a policy structure in place, it can be difficult to figure out which policies you need. In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual policy and links to more information.

  • Access Onboarding and Termination Policy - this policy aims to minimize the risk of data exposure by enforcing the principle of least privilege.
  • Business Continuity Policy - a business continuity policy defines a plan employees need to follow to keep the business running after a disruptive event. Specifically, the policy details the infrastructure, backup strategy and recovery procedures you need to address potential threats.
  • Confidentiality Policy - the confidentiality policy defines how you will handle confidential information - whether it be pertaining to your clients, partners or the company itself. Because your clients and partners will expect you to keep their data secure, a confidentiality policy will demand the same of your employees as well.
  • Cyber Risk Management Policy - this policy helps you identify security incidents that could occur based on incidents that have already happened, and then create a plan to prevent and remediate those incidents.
  • Data Center Security Policy - the data center security policy details measures you will take to prevent unauthorized physical access to your company’s data centers and equipment.
  • Data Classification Policy - this policy ensures sensitive data is handled appropriately according to the risk it poses to the organization.
  • Disaster Recovery Policy - both this policy and the business continuity policy help prepare your company to endure - and recover from - a disaster. Specifically, the disaster recovery policy details the minimum necessary functions your business needs to survive.
  • Encryption Policy - this policy dictates the proper use of encryption in your organization. 
  • Information Security Policy - the information security policy answers many of the big questions people may ask, such as, “Why are we becoming so structured and process-focused on everything related to security?” 
  • IT Vendor Management Policy - this policy identifies which vendors put your business at risk and then defines controls to minimize those risks.
  • Log Management and Review Policy - the log management and review policy defines what logs you will collect, what details are captured in the logs, and what systems will be configured for logging.
  • Office Physical Security Policy - this policy defines the controls, monitoring and removal of physical access to your company’s facilities.
  • Password Policy - the password policy establishes the requirements of user account passwords, and also the way your organization will select and securely manage them.
  • Remote Access Policy - this policy will define who can work remotely, the type of connectivity used, and how that connectivity will be protected, logged and monitored.
  • Removable Media / Cloud Storage / BYOD Policy - this policy lays out expectations around the use of removable media, cloud storage and BYOD - including PIN/password requirements and how devices will be handled when employees leave the organization.
  • Software Development Lifecycle Policy - the SDLC policy ensures your software is built as securely as possible, is tested regularly, and that all development work complies with regulatory guidelines and business needs.
  • System Changes Policy - this policy ensures that key system changes are properly logged, documented and communicated across your organization so you can more effectively debug issues and respond to incidents as they arise.
  • Workstation Security Policy - the workstation security policy defines rules that help reduce your organization’s risk of data loss through workstation use.

SOC 1, SOC 2, and SOC 3 reports should be seen as an annual investment into your company. Aside from the numerous security benefits, a SOC audit will improve your organization’s performance and productivity, and build trust with clients as well. All of these benefits will make your company stand out - especially over competitors who are not SOC certified.
