<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

A Definitive Guide to SOC 2 Policies

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

If this is your first time pursuing SOC 2 certification, you will quickly find that documentation is the cornerstone of a successful audit.  Writing clear, concise policies is especially critical, and if you don’t currently have a policy structure in place, it can be difficult to figure out which policies you need.  

In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual policy and links to more information.

  • Access Onboarding and Termination Policy - this policy aims to minimize the risk of data exposure by enforcing the principle of least privilege.
  • Business Continuity Policy - a business continuity policy defines a plan employees need to follow to keep the business running after a disruptive event.  Specifically, the policy details the infrastructure, backup strategy and recovery procedures you need to address potential threats.
  • Change Management Policy - this policy ensures that key system changes are properly logged, documented and communicated across your organization so you can more effectively debug issues and respond to incidents as they arise.
  • Confidentiality Policy - the confidentiality policy defines how you will handle confidential information - whether it be pertaining to your clients, partners or the company itself.  Because your clients and partners will expect you to keep their data secure, a confidentiality policy will demand the same of your employees as well.
  • Cyber Risk Management Policy - this policy helps you identify security incidents that could occur based on incidents that have already happened, and then create a plan to prevent and remediate those incidents.  
  • Data Center Security Policy - the data center security policy details measures you will take to prevent unauthorized physical access to your company’s data centers and equipment.
  • Data Classification Policy - this policy ensures sensitive data is handled appropriately according to the risk it poses to the organization.  
  • Disaster Recovery Policy - both this policy and the business continuity policy help prepare your company to endure - and recover from - a disaster.  Specifically, the disaster recovery policy details the minimum necessary functions your business needs to survive.
  • Encryption Policy - this policy dictates the proper use of encryption in your organization.
  • Information Security Policy - the information security policy answers many of the big questions people may ask, such as, “Why are we becoming so structured and process-focused on everything related to security?”
  • IT Vendor Management Policy - this policy identifies which vendors put your business at risk and then defines controls to minimize those risks.
  • Log Management and Review Policy - the log management and review policy defines what logs you will collect, what details are captured in the logs, and what systems will be configured for logging.
  • Office Physical Security Policy - this policy defines the controls, monitoring and removal of physical access to your company’s facilities.
  • Password Policy - the password policy establishes the requirements of user account passwords, and also the way your organization will select and securely manage them.
  • Remote Access Policy - this policy will define who can work remotely, the type of connectivity used, and how that connectivity will be protected, logged and monitored.
  • Removable Media / Cloud Storage / BYOD Policy - this policy lays out expectations around the use of removable media, cloud storage and BYOD - including PIN/password requirements and how devices will be handled when employees leave the organization.
  • Software Development Lifecycle Policy - the SDLC policy ensures your software is built as securely as possible, is tested regularly, and that all development work complies with regulatory guidelines and business needs.
  • Workstation Security Policy - the workstation security policy defines rules that help reduce your organization’s risk of data loss through workstation use.
🎉 Have you heard? StrongDM offers a free and completely self-paced online SOC 2 Course.

SOC 1, SOC 2, and SOC 3 reports should be seen as an annual investment into your company.  Aside from the numerous security benefits, a SOC audit will improve your organization’s performance and productivity and build trust with clients as well. All of these benefits will make your company stand out - especially over competitors who are not SOC certified.

To learn more about how StrongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

ISO 27001 vs SOC 2
ISO 27001 vs. SOC 2: Understanding the Difference
SOC 2 and ISO 27001 both provide companies with strategic frameworks and standards to measure their security controls and systems against. But what’s the difference between SOC 2 vs. ISO 27001? In this article, we’ll provide an ISO 27001 and SOC 2 comparison, including what they are, what they have in common, which one is right for you, and how you can use these certifications to improve your overall cybersecurity posture.
Answering auditor questions in a SOC 2 review
Answering Auditors’ Questions in a SOC 2 Review
We recently completed our own SOC 2 audit, so we thought we’d review how we dogfooded our own product. We’ll share tips and tricks to make the audit process a little easier, whether you’re wrapping up your own or about to dive into the coming year’s audit. Here are the questions auditors asked us during our own SOC 2 audit and the commands and strongDM tooling we used to gather the evidence they requested.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Audit
Everything You Need to Know About SOC 2 Audits
Whether you’re looking to achieve SOC 2 compliance, or just want to learn more about it, your Googling is bound to lead you to a wealth of articles chock full of buzzwords and acronym soup. ‍In this post, we will provide a guide with definitions, links and resources to gain a solid understanding of everything you need to know about SOC 2 audits.
Software Development Lifecycle (SDLC) Policy
Software Development Life Cycle (SDLC) Policy
A software development lifecycle (SDLC) policy helps your company not suffer a similar fate by ensuring software goes through a testing process, is built as securely as possible, and that all development work is compliant as it relates to any regulatory guidelines and business needs.‍Here are some primary topics your software development lifecycle policy and software development methodology should cover