SOC 1
Definition
SOC 1, or System and Organization Controls 1, is a framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating the internal controls of a service organization that are relevant to a client’s financial reporting. It focuses on the controls at a service organization that are likely to be relevant to an audit of a client’s financial statements. SOC 1 reports are intended for use by the management of the service organization, user entities, and auditors.
Secure Settings Example
# Example of a secure SOC 1 policy implementation in a cloud service provider
audit_policy:
  - control_id: "1.1"
    description: "Ensure all financial data processing is logged and monitored"
    implementation:
      - enable_logging: true
      - log_retention_days: 365
      - access_control:
          - role: "auditor"
            permissions: "read-only"
      - monitoring_tools:
          - enabled: true
          - tool_name: "CloudWatch"
Insecure Settings Example
# Example of an insecure SOC 1 policy implementation
audit_policy:
  - control_id: "1.1"
    description: "Financial data processing logging"
    implementation:
      - enable_logging: false        # Logging is disabled
      - log_retention_days: 0        # No retention policy
      - access_control:
          - role: "auditor"
            permissions: "full-access"   # Excessive permissions
      - monitoring_tools:
          - enabled: false           # Monitoring tools are disabled
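The two policy documents above differ in four settings, and a control check that a compliance team could run before a SOC 1 audit should flag exactly those. The following checker is an added example and is not code from the page or from the AICPA; it embeds both policies as Python dicts that mirror the YAML structure (in a real pipeline they would be read with `yaml.safe_load()`), merges the `- key: value` list entries under `implementation:` into a single mapping so keys can be looked up by name, and treats a 365-day minimum retention period (taken from the secure example) as the assumed threshold.

```python
"""Control checker for the SOC 1 audit_policy examples.

Added example, not from the page's source. The policies are constructed
in-memory dicts mirroring the YAML above; MIN_RETENTION_DAYS is an assumed
threshold based on the secure example's value.
"""
from typing import Any, Dict, List

MIN_RETENTION_DAYS = 365  # assumed minimum; the secure example uses 365

# Constructed sample: mirrors the "Secure Settings Example" YAML.
SECURE_POLICY: Dict[str, Any] = {
    "audit_policy": [
        {
            "control_id": "1.1",
            "description": "Ensure all financial data processing is logged and monitored",
            "implementation": [
                {"enable_logging": True},
                {"log_retention_days": 365},
                {"access_control": [{"role": "auditor", "permissions": "read-only"}]},
                {"monitoring_tools": [{"enabled": True}, {"tool_name": "CloudWatch"}]},
            ],
        }
    ]
}

# Constructed sample: mirrors the "Insecure Settings Example" YAML.
INSECURE_POLICY: Dict[str, Any] = {
    "audit_policy": [
        {
            "control_id": "1.1",
            "description": "Financial data processing logging",
            "implementation": [
                {"enable_logging": False},
                {"log_retention_days": 0},
                {"access_control": [{"role": "auditor", "permissions": "full-access"}]},
                {"monitoring_tools": [{"enabled": False}]},
            ],
        }
    ]
}


def merge_items(items: Any) -> Dict[str, Any]:
    """Flatten a YAML list of single-key mappings into one dict.

    The examples write `implementation:` and `monitoring_tools:` as lists of
    `- key: value` entries. A repeated key is an error rather than a silent
    overwrite, so a policy cannot declare `enable_logging` twice.
    """
    if isinstance(items, dict):
        return dict(items)
    merged: Dict[str, Any] = {}
    for item in items or []:
        for key, value in item.items():
            if key in merged:
                raise ValueError(f"duplicate key {key!r} in policy")
            merged[key] = value
    return merged


def check_control(control: Dict[str, Any]) -> List[str]:
    """Return a list of findings for one control; empty means it passes."""
    findings: List[str] = []
    cid = control.get("control_id", "?")
    impl = merge_items(control.get("implementation"))

    # Logging of financial data processing must be switched on.
    if impl.get("enable_logging") is not True:
        findings.append(f"{cid}: logging is not enabled")

    # Logs must be kept long enough to cover the audit period.
    retention = impl.get("log_retention_days", 0)
    if not isinstance(retention, int) or retention < MIN_RETENTION_DAYS:
        findings.append(f"{cid}: log retention {retention} days is below {MIN_RETENTION_DAYS}")

    # The auditor role must exist and must be read-only (least privilege).
    auditor_entries = [e for e in impl.get("access_control", []) if e.get("role") == "auditor"]
    if not auditor_entries:
        findings.append(f"{cid}: no auditor role defined")
    for entry in auditor_entries:
        if entry.get("permissions") != "read-only":
            findings.append(f"{cid}: auditor role has {entry.get('permissions')!r}, expected 'read-only'")

    # Monitoring tooling must be enabled.
    monitoring = merge_items(impl.get("monitoring_tools"))
    if monitoring.get("enabled") is not True:
        findings.append(f"{cid}: monitoring tools are not enabled")

    return findings


def evaluate(policy: Dict[str, Any]) -> List[str]:
    """Run check_control over every control in the policy and collect findings."""
    findings: List[str] = []
    for control in policy.get("audit_policy", []):
        findings.extend(check_control(control))
    return findings


if __name__ == "__main__":
    for name, policy in (("secure", SECURE_POLICY), ("insecure", INSECURE_POLICY)):
        result = evaluate(policy)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

Because `merge_items` rejects duplicate keys, a policy that lists `enable_logging: true` and later `enable_logging: false` fails loudly instead of letting the second entry win, which is the kind of ambiguity an auditor would otherwise have to resolve by hand.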