The five SOC 2 Trust Services Criteria explained

Understand the SOC 2 Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy

Written by Micah Spieler
Updated over a year ago

The SOC 2 framework comprises five Trust Services Criteria (TSCs): Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security TSC is also known as the Common Criteria, as it is required for all SOC 2 reports. Your organization may choose to add any of the other four criteria based on customer demand and what makes sense for your product/service.

The Strike Graph platform maps controls across all five TSCs, allowing you to efficiently expand the scope of your SOC 2 without adding new complexities to your cybersecurity practice. The Strike Graph solution also comes with an audit-proven library of controls that cover all TSCs and can be used as-is or customized to best align with your organization.

Security

The Security TSC is the foundation of a SOC 2 report. For this TSC, you will not only share your IT security controls, but you will also be required to share more operational or governance types of controls. This TSC is a substantial effort and will involve not only your IT development and IT infrastructure folks, but also Human Resources, upper management, operations, and sales (to name a few).

The Security TSC is further broken down into 33 Common Criteria (CC). You can see the Common Criteria by opening the SOC 2 framework tree from the Compliance Dashboard.

Each of the 33 Common Criteria has a two-part code, for example “CC1.1” or “CC5.1”.

Criteria include 'points of focus,' which can be considered strong suggestions for how to meet the applicable 'parent' criterion.

In Strike Graph, points of focus have a three-part code, for example “CC1.1.1” or “CC1.1.5”.

Note: Strike Graph maps controls at the point-of-focus level. Companies are not required to identify a control for every single point of focus. We recommend that for CC1.1 through CC5.1, companies have adequate 'control coverage'. This means you should identify the most relevant controls to 'meet the spirit' of the Common Criteria. For CC6.1 through CC9, we do suggest trying to address each point of focus (your controls can be used more than once!).

Availability

Does your service/product/offering require 24/7 uptime? Are you contractually required to adhere to an uptime metric such as four nines (99.99%), for example? This TSC is not too tricky to pursue, and your IT infrastructure team will be the primary internal resource for providing the controls and evidence. If you don't have any specific contractual requirements, then determine whether the following would differentiate you from your competitors:

  • You have capacity management controls in place that assist in maintaining, monitoring, and evaluating your system.

  • You have solid processes in place to monitor your system performance and uptime, and to handle exceptions.

  • You test your recovery plan annually.

Processing Integrity

Do you manipulate data in such a way that your customer relies on you for an accurate and complete data output? Examples here include payroll services, billing services, and tax processing. You will tackle this TSC if you manipulate data on behalf of your customers, and they expect that the end result will be consistent, accurate, and timely.

This TSC is a bit trickier for some organizations to pursue and will likely involve folks from a back-end product design team, database admins, and the IT team. At a high level, you will need to demonstrate the controls you have in place for how data or database elements are collected (the inputs), manipulated (or processed), and delivered (the outputs). This TSC will also cover how the relevant data is stored and maintained.

Confidentiality

Do your customers and users expect to have exclusive access to the data that you hold? A good example is a photo storage service: users can expect that the photos stored in the service will not be seen by anyone else. Another example is a corporate document storage service: company files should only be accessed by individuals in the company (or by those who have been granted special permission). Your IT team can expect to play a key role in attaining this TSC. If segregation of data will be a selling point for your organization, then you should tackle this TSC.

Privacy

Do you handle, store, or transmit any personal data? Personal data includes any data that can be used, alone or in combination, to identify a specific person. You may have heard of the concept of Personally Identifiable Information, or PII: this TSC covers all of that information. Think: name, home address, personal or work email, phone number, image (a photo of a face counts!), social security number, or other government ID number. There are more examples, so make sure you understand all of the data you are storing or working with before you tackle this one.

You may also want to tackle the Privacy TSC if you have plans to take your product outside the USA. Other countries have very specific privacy laws and regulations and treat PII much more stringently than the USA does. Getting this TSC under your belt will help you prepare to expand internationally. This TSC is extensive and will take time to both prepare for and operationalize. Expect to include your IT team, customer support teams, and legal counsel in this effort.
