SOC 3
Definition
SOC 3 is a general-use attestation report for users who want assurance about a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy (the AICPA Trust Services Criteria), but who do not need, or lack the background to make effective use of, the detail in a SOC 2 report. It gives a high-level description of the service organization's system and the auditor's opinion on whether the controls were suitably designed and operated effectively over the review period, but omits the detailed control descriptions, test procedures, and test results found in a SOC 2 report. Because it contains no sensitive detail, a SOC 3 report can be distributed freely, for example published on the provider's website, whereas a SOC 2 report is restricted to customers, prospective customers, and their auditors. A practitioner should treat a SOC 3 as a signal, not as evidence: it shows that an opinion was issued, but not which controls were tested or what exceptions were noted, so it cannot replace a SOC 2 in vendor due diligence.
Secure Settings Example
# Illustrative control settings consistent with the Trust Services Criteria a SOC 3
# report attests to (a SOC 3 is an auditor's report, not a configuration file)
security_policy:
  access_control:
    principle_of_least_privilege: true
    multi_factor_authentication: enforced
  data_protection:
    encryption_in_transit: TLS 1.2 or higher
    encryption_at_rest: AES-256
  monitoring:
    continuous_monitoring: enabled
    anomaly_detection: implemented
Insecure Settings Example
# Illustrative control settings that would not satisfy the Trust Services Criteria;
# an auditor would report exceptions or issue a qualified opinion against these
security_policy:
  access_control:
    principle_of_least_privilege: false
    multi_factor_authentication: not_required
  data_protection:
    encryption_in_transit: none
    encryption_at_rest: none
  monitoring:
    continuous_monitoring: disabled
    anomaly_detection: not_implemented
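The two settings blocks above are only useful if something compares a provider's declared settings against a baseline and produces findings an auditor or customer can act on. The following Python script is an added example (not part of the original page and not any auditor's or provider's tool) that does that comparison. It assumes the settings are supplied as a nested dict in the same shape as the YAML above (the two dicts below are constructed from the page's examples), that the minimum acceptable baseline is TLS 1.2 and AES-256, and that the vocabulary of control states is the one used on the page; all of these are assumptions, not part of any SOC standard. Unknown values are reported as findings rather than silently accepted, so a misspelt or missing setting cannot pass.

```python
"""Baseline conformance check for the illustrative settings above (added example)."""
import re

# Vocabulary for "control in place" / "control not in place" (assumption,
# taken from the page's two YAML examples).
POSITIVE = {"true", "enforced", "enabled", "implemented", "required"}
NEGATIVE = {"false", "not_required", "disabled", "not_implemented", "none", "optional"}

# Minimum acceptable protocol version and cipher key size (assumed baseline).
MIN_TLS = (1, 2)
MIN_AES_BITS = 256

# Constructed from the page's secure and insecure examples.
SECURE = {"security_policy": {
    "access_control": {"principle_of_least_privilege": True,
                       "multi_factor_authentication": "enforced"},
    "data_protection": {"encryption_in_transit": "TLS 1.2 or higher",
                        "encryption_at_rest": "AES-256"},
    "monitoring": {"continuous_monitoring": "enabled",
                   "anomaly_detection": "implemented"}}}

INSECURE = {"security_policy": {
    "access_control": {"principle_of_least_privilege": False,
                       "multi_factor_authentication": "not_required"},
    "data_protection": {"encryption_in_transit": "none",
                        "encryption_at_rest": "none"},
    "monitoring": {"continuous_monitoring": "disabled",
                   "anomaly_detection": "not_implemented"}}}


def _state(value):
    """True/False for a recognised control state, None for anything else."""
    v = str(value).strip().lower()
    if v in POSITIVE:
        return True
    if v in NEGATIVE:
        return False
    return None


def _tls_version(value):
    """(major, minor) from strings like 'TLS 1.2 or higher' or 'TLSv1.3'; None if absent."""
    m = re.search(r"tls\s*v?\s*(\d+)\.(\d+)", str(value), re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def _aes_bits(value):
    """Key size from strings like 'AES-256'; None if no AES key size is declared."""
    m = re.search(r"aes[-_ ]?(\d{3})", str(value), re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_settings(settings):
    """Return a list of (path, reason) findings; an empty list means the baseline is met."""
    findings = []
    policy = settings.get("security_policy", {})

    # Boolean-style controls: anything not clearly "in place" is a finding.
    for section, key in [("access_control", "principle_of_least_privilege"),
                         ("access_control", "multi_factor_authentication"),
                         ("monitoring", "continuous_monitoring"),
                         ("monitoring", "anomaly_detection")]:
        value = policy.get(section, {}).get(key)
        state = _state(value)
        if state is None:
            findings.append((f"{section}.{key}", f"missing or unrecognised value {value!r}"))
        elif not state:
            findings.append((f"{section}.{key}", f"control not in place ({value})"))

    # Encryption controls: a declared version or key size must meet the baseline.
    dp = policy.get("data_protection", {})
    tls = _tls_version(dp.get("encryption_in_transit"))
    if tls is None:
        findings.append(("data_protection.encryption_in_transit", "no TLS version declared"))
    elif tls < MIN_TLS:
        findings.append(("data_protection.encryption_in_transit",
                         f"TLS {tls[0]}.{tls[1]} is below the minimum {MIN_TLS[0]}.{MIN_TLS[1]}"))
    bits = _aes_bits(dp.get("encryption_at_rest"))
    if bits is None:
        findings.append(("data_protection.encryption_at_rest", "no AES key size declared"))
    elif bits < MIN_AES_BITS:
        findings.append(("data_protection.encryption_at_rest",
                         f"AES-{bits} is below the minimum AES-{MIN_AES_BITS}"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("secure", SECURE), ("insecure", INSECURE)]:
        print(f"{name}: {len(check_settings(cfg))} finding(s)")
        for path, reason in check_settings(cfg):
            print(f"  {path}: {reason}")
```

Run as-is, the secure settings produce no findings and the insecure settings produce six, one per weakened control. The version and key-size parsing matters more than it looks: a provider that writes "TLS 1.0" or "AES-128" is not lying about having encryption, yet neither meets the baseline, and a string-equality check against "TLS 1.2 or higher" would miss both cases.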