The SOC 2 Type II attestation project was mission-critical to the organization because its largest client required a SOC 2 report as a condition of doing business. (SOC 2 is an attestation report issued by a CPA firm, not a certification; a Type II report tests whether controls operated effectively over a defined review period rather than at a single point in time.) SOC 2 reports are scoped against five Trust Services Criteria (formerly called Trust Service Principles): security, availability, processing integrity, confidentiality, and privacy. For this project the scope was limited to the Security criterion, which is the one criterion every SOC 2 report must include.
The Security criterion covers the protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.
The organization's scope included controls covering enterprise-wide administrative processes (e.g., background screening, onboarding, offboarding, security awareness training, board meetings) as well as specific technical controls for three distinct product infrastructures. Each of the three products had its own development team and its own technology stack, so the same control objective (access review, change management, vulnerability management, logging) often had to be implemented and evidenced three different ways. This added considerably to the complexity of preparing to meet the SOC 2 control requirements.
The project had three distinct and critical phases:
- Readiness Assessment Phase
- Remediation and Preparation Phase
- Audit Phase