General Policies

Source~~Source:~~: https://secureframe.com/hub/soc-2/policies-and-procedures

All SOC 2 examinations involve an auditor review of your organization’s policies.

Policies must be documented, formally reviewed, and accepted by employees.

Each policy supports an element of the overall security and approach to handling customer data.

All Policies Must follow and include details for which an Auditor looks for.

[OPS] Acceptable Use Policy: – Defines ~~the ways in which the~~ network, ~~website or system may be used. Can also define which devices~~system, and ~~types~~device ofusage rules, removable ~~media can be used,~~media, password requirements, ~~and~~issuance/return ~~how~~of ~~devices will be issued and returned.~~devices.
[TECH] Access Control Policy: – Defines who will have access to company systems and how often ~~those access~~ permissions will be reviewed.
[TECH] Business Continuity Plan: – Defines how employees will respond to ~~a disruption~~disruptions to keep ~~the~~ business ~~running smoothly.~~running.
[TECH] Change Management Policy :– Defines how system changes will be documented and ~~communicated across your organization.~~communicated.
[OPS] Confidentiality Policy :– Defines ~~how~~handling ~~your organization will handle~~of confidential information about clients, partners, or the ~~company itself.~~company.
[OPS] Code of Conduct Policy :– Defines ~~the~~expected ~~policies~~behavior ~~both~~of employees and employers ~~must adhere to. This includes how people should interact with one another~~ at work.
[TECH] [OPS] Data Classification Policy :– Defines ~~how~~classification ~~you will classify~~of sensitive data ~~according to the level of~~by risk ~~it poses to your organization.~~level.
[TECH] Disaster Recovery Policy :– Defines how ~~your company will~~to recover from adisasters ~~disastrous~~and ~~event.~~maintain ~~It also includes the minimum necessary functions your organization needs to continue~~minimal operations.
[TECH] Encryption Policy :– Defines ~~the type of~~which data ~~your~~is ~~organization will encrypt~~encrypted and ~~how it’s encrypted.~~how.
[TECH] Incident Response Plan :– Defines roles and responsibilities ~~in response to~~during a ~~data~~ breach ~~and during the ensuing~~or investigation.
[TECH] [OPS] Information Security Policy :– Defines ~~your~~overall approach to information security and ~~why~~reasons ~~you’re~~for ~~putting processes and policies in place.~~processes.
[TECH] Information, Software, and System Backup Policy: – Defines how ~~information from~~ business ~~applications~~application ~~will~~data beis stored tofor ~~ensure data recoverability.~~recovery.
[TECH] Logging and Monitoring Policy: – Defines which logs ~~you’ll~~are ~~collect~~collected, monitored, and ~~monitor. Also covers what’s captured in those logs, and which~~how systems ~~will be~~are configured for logging.
[OPS] Physical Security Policy: – Defines how ~~you will monitor and secure~~ physical access tois ~~your company’s location. What will you do to prevent unauthorized physical access to data centers~~monitored and ~~equipment?~~secured at company locations.
[TECH] Password Policy –: Defines ~~the requirements for using~~ strong ~~passwords,~~password, ~~password managers,~~manager, and ~~password~~expiration ~~expirations.~~requirements.
[TECH] [OPS] Remote Access Policy: – Defines who ~~is authorized to~~can work ~~remotely.~~remotely, ~~Also~~connection ~~defines what type of connectivity they will use~~types, and ~~how~~protection ~~that connection will be protected and monitored.~~measures.
[TECH] [OPS] Risk Assessment and Risk Mitigation Plan: – Defines ~~security~~potential threats ~~that could occur~~ and ~~the~~preventive ~~action plan to prevent those incidents.~~actions.
[TECH] Software Development Lifecycle Policy –: Defines ~~how~~secure ~~you~~build, ~~will ensure your software is built securely, tested regularly,~~testing, and ~~complies~~compliance ~~with~~for ~~regulatory requirements.~~software.
[TECH] [OPS] Vendor Management Policy: – Defines vendors that may introduce ~~risk,~~risk ~~as well as~~and controls ~~put in place~~ to ~~minimize those risks.~~mitigate.
[TECH] [OPS] Workstation Security Policy: – Defines how ~~you will~~to secure ~~your employees’~~employee workstations ~~to reduce the risk of data~~against loss and unauthorized access.