soc2-compliance
npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/soc2-compliance --openclaw
SOC 2 Compliance
Implement SOC 2 Trust Services Criteria for certification.
Trust Services Criteria
```yaml
criteria:
  security:
    - Access controls
    - Change management
    - Risk assessment
    - Incident response
  availability:
    - System monitoring
    - Disaster recovery
    - Capacity planning
    - SLA management
  processing_integrity:
    - Input validation
    - Processing completeness
    - Output accuracy
  confidentiality:
    - Data classification
    - Encryption
    - Access restrictions
  privacy:
    - Data collection notice
    - Consent management
    - Data retention
```
Key Controls
```yaml
controls:
  CC6.1_logical_access:
    - MFA enforcement
    - Role-based access
    - Access reviews
  CC7.2_monitoring:
    - Log aggregation
    - Alert thresholds
    - Incident tracking
  CC8.1_change_management:
    - Change requests
    - Approval workflows
    - Testing requirements
```
Evidence Collection
```bash
# Access review export: generation is asynchronous, so re-run
# generate-credential-report until its State is COMPLETE before fetching.
aws iam generate-credential-report
# Returns JSON; the CSV report itself is base64-encoded in the Content field.
aws iam get-credential-report
# Audit logs (last 30 days of CloudTrail management events)
aws cloudtrail lookup-events --start-time $(date -d '30 days ago' --iso)
```
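As an added example (not code from the skill or its repository), the script below turns the credential report fetched above into CC6.1 access-review findings: console users without MFA, and active access keys that are stale or unused. The sample rows are a constructed subset of the real report's columns, and the 90-day thresholds and the `REVIEW_DATE` are assumptions.

```python
"""Added example, not from the skill's SKILL.md: review the IAM credential
report for CC6.1 (MFA enforcement, access reviews). The CLI output shape
(JSON with a base64 "Content" field) is what `aws iam get-credential-report`
returns; the rows below are a constructed subset of the report's columns."""
import base64
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the credential report's column layout (subset).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2025-09-01T10:00:00+00:00,true,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-01T00:00:00+00:00,true,2025-09-20T08:00:00+00:00,true,true,2025-08-01T00:00:00+00:00,2025-09-21T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T00:00:00+00:00,true,2025-09-18T09:00:00+00:00,false,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-01-01T00:00:00+00:00,false,no_information,false,true,2024-01-15T00:00:00+00:00,2025-02-01T00:00:00+00:00
"""
# Assumed review date so that findings are reproducible (in practice: now).
REVIEW_DATE = datetime(2025, 10, 1, tzinfo=timezone.utc)


def decode_report(cli_json: str) -> str:
    """Unwrap `aws iam get-credential-report` output: CSV is base64 in "Content"."""
    return base64.b64decode(json.loads(cli_json)["Content"]).decode()


def _when(value: str):
    """Report timestamps are ISO 8601; N/A, no_information etc. become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def review_credential_report(report_csv: str, now: datetime,
                             max_key_age_days: int = 90, max_idle_days: int = 90):
    """Return (user, finding) pairs an access reviewer must follow up."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Any console login (root reports "not_supported") must have MFA enabled.
        if row["password_enabled"] in ("true", "not_supported") and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        if row["access_key_1_active"] == "true":
            rotated = _when(row["access_key_1_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key 1 older than {max_key_age_days} days"))
            used = _when(row["access_key_1_last_used_date"])
            if used and now - used > timedelta(days=max_idle_days):
                findings.append((user, f"access key 1 unused for {max_idle_days}+ days"))
    return findings
```

Feed the real report with `review_credential_report(decode_report(cli_output), datetime.now(timezone.utc))`; the returned pairs, with the raw report, are the evidence an auditor expects for the access-review control.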
Best Practices
- Continuous compliance monitoring
- Annual risk assessments
- Regular control testing
- Documentation maintenance
Source
https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/frameworks/soc2-compliance/SKILL.md
Overview
This skill guides implementing the SOC 2 Trust Services Criteria to achieve certification. It covers the core criteria—security, availability, and processing integrity—and aligns controls for confidentiality and privacy. It emphasizes continuous monitoring, evidence collection, and governance to meet auditor expectations.
How This Skill Works
Identify the applicable criteria, map them to concrete controls (e.g., MFA, access reviews, monitoring, change management) and configure them across security, availability, and processing integrity. Collect and maintain evidence such as credential reports and audit logs, then organize ongoing monitoring, incident response, and DR/capacity planning to create an auditable control environment aligned with SOC 2.
When to Use It
- At the start of a SOC 2 certification project or during readiness assessment.
- When implementing access controls like MFA and RBAC to satisfy security criteria.
- When establishing system monitoring, log management, and incident response for availability criteria.
- During the setup of formal change management with approvals and testing for processing integrity.
- When assembling evidence and artifacts for auditor review and readiness reporting.
Quick Start
- Step 1: Map SOC 2 criteria to your current controls and identify gaps.
- Step 2: Implement core controls (MFA, access reviews, monitoring, change management) and set up evidence collection.
- Step 3: Compile evidence, perform a readiness review, and prepare for auditor questions.
Best Practices
- Continuous compliance monitoring to detect drift and gaps.
- Annual risk assessments to refresh control priorities.
- Regular control testing and remediation cycles.
- Documentation maintenance, including policies, procedures, and evidence catalogs.
- Maintain a centralized evidence repository with versioning and access controls.
Example Use Cases
- Enforce MFA, RBAC, and regular access reviews to satisfy CC6.1_logical_access.
- Implement centralized log aggregation, alerting, and incident tracking for CC7.2_monitoring.
- Apply formal change management with change requests, approvals, and testing per CC8.1_change_management.
- Generate credential reports and review CloudTrail logs as part of evidence collection.
- Classify data, apply encryption, and enforce data retention practices to address confidentiality and privacy.