Overview

SOC 2 Compliance

Implementation

SOC 2 Security Controls SOC 2 Implementation

Control Requirements

SOC 2 Control Relationships

Change Management

CM-01: Source Code Access Review CM-03: Production Change Monitoring and Audit Logging CM-04: Change Communication and Stakeholder Approval CM-09: Weekly Security Change Review Meetings CM-11: Production Deployment Access Control CM-12: Management Approval for Production Changes CM-13: Formal Change Management Methodology CM-15: Data De-identification for Non-Production Environments CM-16: Monthly Production Change Review CM-17: Vulnerability Detection Before Production Release CM-18: Version Control and Source Code Access Management

Communications & Monitoring

COM-02: Centralized Logging Solution COM-03: Malware Scanning for Transferred Assets COM-04: Intrusion Detection and Prevention Systems COM-05: Quarterly Firewall Review COM-10: Firewall Deployment and Maintenance COM-06: Network Diagrams Availability COM-07: Unauthorized Network Access Monitoring COM-08: Quarterly Internal Network Scans COM-09: Annual External Scanning by Third Party

Backup & Disaster Recovery

BDR-04: Business Continuity and Disaster Recovery Plan BDR-05: Backup Tool Access Control BDR-06: Data Retention and Destruction BDR-07: Data Retention and Destruction Standards BDR-08: Daily Incremental Backups BDR-09: Backup Encryption

Data Security

DS-01: Removable Media Encryption DS-03: Laptop Hard Drive Encryption DS-04: Mobile Device Management DS-05: Physical Media Disposal and DLP DS-06: Data Classification Policy

Incident Response

IR-01: Monthly Incident Review IR-02: Incident Management Process

Policies & Procedures

PP-19: Anonymous Incident Reporting Hotline PP-20: IT Job Descriptions and Responsibilities

Risk Assessment

RA-01: Internal Control Audits RA-02: Annual Risk Assessment with Fraud Risk RA-03: Annual Risk Assessment of Laws and Regulations

Logical Security

LS-01: Database Encryption at Rest LS-04: External User Account Management LS-05: Direct Database Access Restrictions LS-06: Password Vault for Administrator Accounts LS-07: Encryption Key Management LS-10: External User Access Review LS-14: Administrative Access Restrictions LS-16: Encrypted Data Transmission LS-19: Access Termination LS-21: Password Parameters Configuration LS-22: Manager Approval for Access Requests LS-24: Quarterly Access Reviews LS-25: Valid User IDs and Passwords Required LS-26: Multi-Factor Authentication or VPN for Remote Access

Third-Party Management

TPM-01: Third-Party Communication Protocols TPM-02: Vendor Compliance Remediation TPM-03: Annual Third-Party Risk Assessment TPM-04: Standard Vendor Agreements

Control Requirements

DS-04: Mobile Device Management

MDM software deployment for mobile device protection and control

Control Description

Mobile device management software is deployed to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets (need to define what protections are in place, e.g., remote wipe, passcodes, encryption).

Plain Meaning

This control requires organizations to implement mobile device management (MDM) software to protect and control mobile devices that access company data. The MDM solution must provide specific protections like remote wipe capabilities, passcode enforcement, and encryption.

Implementation

1. MDM Protection Requirements

Required Protections

Remote Wipe: Ability to erase device data remotely
Passcode Enforcement: Strong password requirements
Encryption: Device and data encryption
App Management: Control over installed applications
Network Access: VPN and secure network connections
Location Tracking: Device location monitoring

Device Types to Protect

Company-issued laptops
Smartphones (iOS/Android)
Tablets
Personal devices (BYOD)

Key Success Factors

Comprehensive Coverage: All mobile devices must be enrolled in MDM
Remote Wipe Capability: Ability to erase data from lost/stolen devices
Passcode Enforcement: Strong password requirements across all devices
Encryption: Device and data encryption enabled
Monitoring: Regular compliance checking and reporting

Common Pitfalls to Avoid

Incomplete Enrollment: Not all devices enrolled in MDM
No Remote Wipe: Unable to erase data from lost devices
Weak Passcodes: Insufficient password requirements
No Monitoring: Compliance not regularly checked

Related Controls

DS-01: Removable media encryption
DS-03: Laptop hard drive encryption
DS-05: Physical media disposal

Related Links

MDM Solutions

Microsoft Intune
Jamf Pro
VMware Workspace ONE

Security Resources

MDM Best Practices
BYOD Security
IBM Mobile Security Overview

Compliance Tools

Device Compliance
App Protection
Remote Wipe

DS-03: Laptop Hard Drive Encryption

Enforce hard drive encryption for laptop access to company network

DS-05: Physical Media Disposal and DLP

Secure disposal of physical media or DLP implementation for data protection

On this page

Control Description

1. MDM Protection Requirements

Key Success Factors

Common Pitfalls to Avoid

Related Controls

Security Resources

Compliance Tools