mirror of https://github.com/strongdm/comply
synced 2024-11-22 07:34:54 +00:00
soc2: fixup minor typos
This commit is contained in:
parent c5a1bd804b
commit 22f1657411
@ -75,7 +75,7 @@ TODO: Finalize these lists
# Remediations
# Remediations
{{.Name}} uses the outcomes of the aforementioned controls and procedures to identify shortcomings in the existing control environment. Once identified, these shortcomes are remediated by improving existing controls and procedures, and creating new controls and procedures as needed.
{{.Name}} uses the outcomes of the aforementioned controls and procedures to identify shortcomings in the existing control environment. Once identified, these shortcomings are remediated by improving existing controls and procedures, and creating new controls and procedures as needed.
# Communications
# Communications
- Slack
- Slack
- Email
- Email
- Github ticketing
- GitHub ticketing
## External
## External
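Review bot: `shortcomes` → `shortcomings` and `Github` → `GitHub` are both correct, but the hunk header context still reads `TODO: Finalize these lists`, so the internal channels (`- Slack`, `- Email`, `- GitHub ticketing`) remain a placeholder that anyone rendering this `{{.Name}}` template will ship verbatim unless they notice the TODO. Suggest either finalizing the list in this commit or turning the TODO into a visible bracketed placeholder like the `[list all data center locations ...]` form the other policies use.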
@ -66,7 +66,7 @@ a. When classifying information, the level of confidentiality is determined by:
+-------------------+------------------+---------------------------+---------------------------+
+-------------------+------------------+---------------------------+---------------------------+
| Restricted | Restricted | Unauthorized access to | Information is available |
| Restricted | Restricted | Unauthorized access to | Information is available |
| | | information may cause | to a specific group of |
| | | information may cause | to a specific group of |
| | | considerable damage to | employees and authhorized |
| | | considerable damage to | employees and authorized |
| | | the business and/or | third parties. |
| | | the business and/or | third parties. |
| | | the organization's | |
| | | the organization's | |
| | | reputation. | |
| | | reputation. | |
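Review bot: `authhorized` → `authorized` shortens that row by one character, and in a grid table every row must be exactly as wide as the `+-------------------+------------------+...+` border lines or pandoc will not parse the table. The rendered view collapses trailing padding, so please confirm the new row `| | | considerable damage to | employees and authorized |` gained a space before its closing `|` to keep the width unchanged.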
@ -22,7 +22,7 @@ a. This policy defines the policies and rules governing data centers and secure
# Policy
# Policy
a. The following locations are classified by the organization as secure areas and are goverened by this policy:
a. The following locations are classified by the organization as secure areas and are governed by this policy:
i. [list all data center locations and secure areas under the organization’s control]
i. [list all data center locations and secure areas under the organization’s control]
@ -8,6 +8,7 @@ majorRevisions:
- date: Jun 1 2018
- date: Jun 1 2018
comment: Initial document
comment: Initial document
---
---
# Purpose and Scope
# Purpose and Scope
a. The purpose of this policy is to define the organization’s procedures to recover Information Technology (IT) infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incident. The objective of this plan is to complete the recovery of IT infrastructure and IT services within a set Recovery Time Objective (RTO).
a. The purpose of this policy is to define the organization’s procedures to recover Information Technology (IT) infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incident. The objective of this plan is to complete the recovery of IT infrastructure and IT services within a set Recovery Time Objective (RTO).
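Review bot: the header `@ -8,6 +8,7 @@` says one line was added in this hunk, yet every visible row pair is identical (`- date: Jun 1 2018`, `comment: Initial document`, `---`, `# Purpose and Scope`, the purpose paragraph), so the addition must be a whitespace-only line that the side-by-side view does not show. Worth confirming it is intentional, most plausibly a blank line separating the closing `---` of the YAML front matter from the first heading, since a stray blank inside the `majorRevisions:` block would change how the front matter parses.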
@ -17,7 +17,7 @@ Appendix A: Retention Periods
a. This data retention policy defines the objectives and requirements for data retention within the organization.
a. This data retention policy defines the objectives and requirements for data retention within the organization.
a. This policy covers all data within the organization’s custody or control, irregardless of the medium the data is stored in (electronic form, paper form, etc.) Within this policy, the medium which holds data is referred to as information, no matter what form it is in.
a. This policy covers all data within the organization’s custody or control, regardless of the medium the data is stored in (electronic form, paper form, etc.) Within this policy, the medium which holds data is referred to as information, no matter what form it is in.
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information the organization owns or controls (hereinafter referred to as “users”). This policy must be made readily available to all users.
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information the organization owns or controls (hereinafter referred to as “users”). This policy must be made readily available to all users.
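Review bot: `irregardless` → `regardless` is right, but the same line still runs two sentences together: `(electronic form, paper form, etc.) Within this policy, the medium ...` needs a sentence-ending period after the closing parenthesis, i.e. `etc.). Within this policy`, because the `etc.` period belongs to the parenthetical, not to the sentence. Since this is a typo-fix commit, it is the natural place to correct it.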
@ -87,13 +87,13 @@ Table 3: Description of Consequence Levels and Criteria
| Moderate | 1 | Either existing security controls have most provided an |
| Moderate | 1 | Either existing security controls have most provided an |
| | | adequate level of protection or the probability of the risk |
| | | adequate level of protection or the probability of the risk |
| | | being realized is moderate. Some minor incidents may have |
| | | being realized is moderate. Some minor incidents may have |
| | | occured. New incidents are possible, but not highly likely. |
| | | occurred. New incidents are possible, but not highly likely. |
+-----------------+-----------------+--------------------------------------------------------------+
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
+-----------------+-----------------+--------------------------------------------------------------+
| High | 2 | Either existing security controls are not in place or |
| High | 2 | Either existing security controls are not in place or |
| | | ineffective; there is a high probability of the risk being |
| | | ineffective; there is a high probability of the risk being |
| | | realized. Incidents have a high likelihood of occuring in the|
| | | realized. Incidents have a high likelihood of occurring in the|
| | | future. |
| | | future. |
+-----------------+-----------------+--------------------------------------------------------------+
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
| | | |
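Review bot: the High row `| | | realized. Incidents have a high likelihood of occuring in the|` already ends flush against the right border with no padding, so spelling it `occurring` makes that row one character wider than the `+-----------------+-----------------+--------------------------------------------------------------+` border lines; pandoc grid tables require every row to match the border width, so this fix is likely to break parsing of Table 3. Suggest re-wrapping instead: `| | | realized. Incidents have a high likelihood of occurring in |` followed by `| | | the future. |` (padded to the column width). The `occured` → `occurred` change in the Moderate row is safe because that cell has slack before its `|`. While here, the Moderate row's `Either existing security controls have most provided an` looks like another typo (`mostly provided`?) that belongs in the same commit.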
@ -154,7 +154,7 @@ C1.2:
PI1.1:
PI1.1:
family: PI1
family: PI1
name: Processing Integrity Monitoring
name: Processing Integrity Monitoring
description: The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including de nitions of data processed and product and service speci cations, to support the use of products and services
description: The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service speci cations, to support the use of products and services
PI1.2:
PI1.2:
family: PI1
family: PI1
name: Processing Integrity Accuracy
name: Processing Integrity Accuracy
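Review bot: the fix on the PI1.1 `description:` line is incomplete: `de nitions` becomes `definitions`, but `speci cations` later in the same line is left as is, even though the next hunk corrects that exact word in PI1.4 and PI1.5. Suggest `... product and service specifications, to support the use of products and services` so the three PI1 descriptions are consistent.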
@ -166,11 +166,11 @@ PI1.3:
PI1.4:
PI1.4:
family: PI1
family: PI1
name: Processing Integrity Outputs
name: Processing Integrity Outputs
description: The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with speci cations to meet the entity’s objectives
description: The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives
PI1.5:
PI1.5:
family: PI1
family: PI1
name: Processing Integrity Backups
name: Processing Integrity Backups
description: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system speci cations to meet the entity’s objectives
description: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives
P1.1:
P1.1:
family: P1
family: P1
name: Privacy Notification
name: Privacy Notification
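Review bot: `speci cations` → `specifications` is correct for PI1.4 and PI1.5; the missing characters are a dropped `fi` ligature, a typical artifact of copying text out of a PDF, and PI1.1 in the previous hunk still carries one. Since the same paste likely produced other gaps, a search of the whole standards file for the pattern (a word split around `fi`, e.g. `speci cat`, `de nit`, `ef cien`) before merging would catch any remaining instances, as these `description:` values are rendered verbatim into the generated control documents.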