SOC 2
Comply with SOC 2, which requires monthly testing of web applications (including APIs).
SOC 2 Evaluation
The Service Organization Controls (SOC 2) standard is based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). SOC 2 is not a certification but an external auditor's evaluation. While there is no checklist or defined control set for SOC 2, there are criteria against which adequate controls must be designed. The criteria are tested independently of any particular attack surface, so all checks against the Trust Service Principles can apply to Mobile, Web, API, and Cloud applications and/or assets.
SOC 2 With Data Theorem
Data Theorem helps your applications comply with third-party assessments when it comes to attestation for certain regulation standards. We outline below what we support and what is required for a penetration test or vulnerability analysis under specific regulation standards. Data Theorem supports any recommended criteria, and your organization can operate at ease knowing that you will be ready for any third-party review.
| SOC 2 Trust Service Principles & AICPA Definitions | DT Coverage |
| --- | --- |
| Security: "Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives." | Protection for data at rest and data in transit; analysis of all attack surfaces, including but not limited to: |
| Availability: "Information and systems are available for operation and use to meet the entity's objectives." | Disaster recovery, performance monitoring, incident handling (DevOps). Automating security scanning as part of the cycle: |
| Processing Integrity: "System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives." | Set up per company process; not verified by DT. |
| Confidentiality: "Information designated as confidential is protected to meet the entity's objectives." | Protection of leaky data and PII, Hacker Toolkits (Keys to the Kingdom, Hack & Extract), alert and remediation options. |
| Privacy: "Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives." | Compliance with privacy policies and regulations (GAPP); verifies SOC 2 along with any other privacy policies or regulations such as GDPR. |