SOC 2: Security (Common Criteria)
Baseline controls for governance, access control, risk management, monitoring, and change operations.
Controls and Detailed Requirements

CC1.1 Integrity and Ethical Values
Establish and communicate standards of conduct, ethical expectations, and security-related behaviors so personnel understand acceptable practices and accountability expectations.

CC1.2 Board and Oversight Independence
Ensure the board or equivalent governance body provides independent oversight of management's design and operation of controls, including periodic review of security and risk reporting.

CC1.3 Organizational Structure and Reporting Lines
Define authority, responsibility, and reporting structures that support effective internal control over security, including segregation of duties and escalation paths.

CC1.4 Commitment to Competence
Recruit, train, and retain personnel with sufficient competence for control responsibilities, and align role expectations with security and compliance requirements.

CC1.5 Accountability and Performance Measures
Assign control ownership and evaluate performance against security objectives so control operation is measurable, monitored, and enforced.

CC2.1 Specify Security Objectives
Define measurable security objectives aligned to service commitments, legal obligations, and business strategy to guide risk assessment and control design.

CC2.2 Identify and Analyze Risks
Perform periodic risk assessments to identify threats, vulnerabilities, and impacts, then prioritize treatment activities based on likelihood, severity, and business criticality.

CC2.3 Assess Fraud and Misuse Risk
Evaluate potential fraud, misuse, or malicious behavior that could affect systems or data and incorporate preventive and detective controls into the risk response plan.

CC3.1 Design of Risk Mitigation Controls
Select and design controls that mitigate identified risks to acceptable levels, considering control precision, frequency, and whether controls are manual, automated, or hybrid.

CC3.2 Control Design and Implementation
Implement designed controls through policy, process, and technology, then validate that controls operate as intended before relying on them for assurance.

CC3.3 Define Control Policies and Procedures
Document control policies, standards, and procedures with clear ownership and expected evidence so operators can consistently execute required activities.

CC3.4 Evaluate Changes Impacting Controls
Assess internal and external changes (technology, organization, regulation, threat landscape) for control impact and update controls promptly to remain effective.

CC4.1 Monitor Internal Control Performance
Run ongoing and periodic evaluations of control operation, including automated monitoring and management review, to identify control failures early.

CC4.2 Identify and Communicate Deficiencies
Track control deficiencies, determine root causes, assign remediation owners, and escalate unresolved high-risk findings to accountable leadership.

CC4.3 Remediate and Validate Corrective Actions
Implement corrective actions for identified gaps and validate remediation effectiveness before closing findings in the control issue register.

CC5.1 Control Information Quality
Capture, process, and retain complete and accurate control-relevant information so decision-makers can monitor risk and control status reliably.

CC5.2 Logical Access Management
Provision, approve, review, and revoke access according to least privilege and job responsibility, including timely deprovisioning and periodic recertification.

CC5.3 Internal Communication of Control Responsibilities
Communicate security expectations, policy changes, and incident obligations internally so personnel can perform assigned control activities consistently.

CC6.1 Logical and Physical Access Controls
Restrict logical and physical access to systems and data resources through approved authorization mechanisms and periodic validation of access appropriateness.

CC6.2 Authentication and Credential Security
Enforce strong authentication controls, secure credential lifecycle practices, and safeguards for privileged identities and shared accounts.

CC6.3 Authorization and Role Enforcement
Authorize access and system actions based on defined roles and approved entitlements, preventing unauthorized activity through technical and procedural constraints.

CC6.4 Infrastructure and Endpoint Security
Harden infrastructure and endpoint configurations, deploy protective controls, and monitor security posture to reduce exploitable weaknesses.

CC6.5 Data Transmission and Protection
Protect data in transit and at rest through encryption and transmission safeguards, ensuring confidentiality and integrity requirements are consistently applied.

CC6.6 System Operations and Monitoring
Operate systems using defined operational procedures, monitor critical events, and respond to anomalies to maintain controlled and secure processing conditions.

CC6.7 Change Management Controls
Require formal approval, testing, and controlled deployment of changes with rollback planning to prevent unauthorized or destabilizing modifications.

CC6.8 Vulnerability and Threat Management
Identify, assess, and remediate vulnerabilities in a risk-based timeframe while incorporating threat intelligence into defensive and remediation priorities.

CC7.1 Security Event Detection
Implement event logging and detection mechanisms that identify potential security incidents across systems, applications, and infrastructure boundaries.

CC7.2 Incident Analysis and Triage
Analyze detected events to determine severity, scope, and business impact, and triage incidents for timely containment and response.

CC7.3 Incident Response Execution
Execute documented incident response procedures for containment, eradication, and recovery, including role-based coordination and evidence preservation.

CC7.4 Incident Communication and Reporting
Communicate incident status and required notifications to internal stakeholders, customers, and regulators based on established notification criteria.

CC7.5 Post-Incident Learning and Improvement
Perform root-cause analysis and lessons-learned reviews after incidents, then update controls, playbooks, and training to reduce recurrence risk.

CC8.1 Vendor and Business Partner Risk Oversight
Evaluate and monitor third-party vendors and business partners for security and control risk, including onboarding due diligence and ongoing assurance reviews.

CC9.1 Risk Mitigation During System Operations
Continuously align control operations to changing risks and commitments, ensuring mitigation activities remain effective as business and technical conditions evolve.