Assess your knowledge of SOC 2 Type II compliance concepts, including controls, evidence, and best practices for security and integrity. This quiz covers control mapping, preventive and detective controls, environment separation, and more.
What is a 'control mapping' during SOC 2 preparation?
Explanation: Control mapping means linking each applicable SOC 2 criterion to the specific policies, processes, or technical controls that satisfy it, so coverage gaps are visible before the audit rather than during it. The other options are incorrect: ignoring controls risks non-compliance, documenting only failures is insufficient, and creating training material is important but is not control mapping.
Which of the following is a common example of a 'preventive control' in SOC 2?
Explanation: Multi-factor authentication (MFA) is a preventive control because it aims to stop unauthorized access before it occurs. Log review is detective, incident response is corrective, and backup verification is related to availability, not directly preventive.
What is a common example of a 'detective control' in SOC 2 compliance?
Explanation: Detective controls, such as alerts, log review, or monitoring, identify issues after they occur so they can be investigated and corrected. Password rotation and encryption are preventive controls, and disaster recovery drills support availability and incident response rather than detection.
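As an added illustration of a detective control (example code written for this page, not part of the quiz or any particular SOC 2 toolset), the script below scans constructed SSH authentication log lines and raises an alert when one source address produces five or more failed logins inside a five-minute sliding window. The log format, the threshold, and the window length are all assumptions for the example; the point is that the control only flags the activity after the events have already been logged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system); the line
# format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09Z sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:15Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:21Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:30Z sshd: Accepted publickey for deploy from 198.51.100.2
2024-03-01T09:05:00Z sshd: Failed password for alice from 198.51.100.9
2024-03-01T09:40:00Z sshd: Failed password for alice from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed password|Accepted \w+) "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "failed": m["outcome"] == "Failed password",
        "user": m["user"],
        "src": m["src"],
    }


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source address that produced at least `threshold`
    failed logins within any sliding window of length `window`.

    Events are grouped by source, sorted by time, and scanned with a two-pointer
    window so each source costs O(n) after sorting."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["failed"]:
            failures[ev["src"]].append(ev["ts"])

    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "count": end - start + 1,
                    "first": times[start],
                    "last": times[end],
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print(f"ALERT: {alert['count']} failed logins from {alert['src']} "
              f"between {alert['first']} and {alert['last']}")
```

On the sample data, 203.0.113.7 triggers an alert (five failures in twenty seconds) while 198.51.100.9 does not, because its two failures are thirty-five minutes apart. For SOC 2 evidence, what the auditor wants to see is that such alerts exist, are routed to someone, and are followed up, which is why the alert output should land in a ticket rather than only on a console.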
Which activity best illustrates a 'corrective control' in SOC 2 frameworks?
Explanation: Corrective controls are actions taken to fix identified problems, such as patching vulnerabilities or removing access after an incident. Requiring long passwords and monitoring are preventive and detective controls, respectively, while risk assessments are risk management processes.
What is 'ticket evidence' and where is it most commonly used in SOC 2 compliance?
Explanation: Ticket evidence uses support or IT tickets to show that a required action (such as an access change or issue resolution) was requested, approved, and completed, with who did it and when. Invoices, feedback forms, and satisfaction surveys do not evidence SOC 2 controls.
What does a 'reconciliation' check achieve in SOC 2 processing integrity controls?
Explanation: Reconciliation checks compare inputs against outputs (record counts, control totals, or record-by-record matching) to confirm that data processing was complete and accurate, with nothing dropped, duplicated, or altered. The other options describe access management and encryption controls, not reconciliation.
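To make the reconciliation idea concrete, here is an added example (written for this page, not code from the quiz or any SOC 2 framework) that compares a constructed set of source records against what a downstream system recorded. It checks record counts, control totals, missing records, duplicate postings, and amount mismatches, and reports "balanced" only when every check passes. The record layout (an identifier and a monetary amount) and the planted discrepancies are assumptions for the example.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data (not from a real system). Each record is (id, amount).
# SOURCE is what the upstream system says it sent; PROCESSED is what the
# downstream system recorded. Three discrepancies are planted on purpose.
SOURCE = [
    ("INV-1001", Decimal("120.00")),
    ("INV-1002", Decimal("75.50")),
    ("INV-1003", Decimal("310.25")),
    ("INV-1004", Decimal("42.00")),
]
PROCESSED = [
    ("INV-1001", Decimal("120.00")),
    ("INV-1002", Decimal("75.05")),   # amount mismatch (transposed digits)
    ("INV-1003", Decimal("310.25")),
    ("INV-1003", Decimal("310.25")),  # duplicate posting
    # INV-1004 is absent: dropped during processing
]


def reconcile(source, processed):
    """Compare source and processed record sets and return a report dict.

    Checks performed: record counts, control totals (sum of amounts), records
    missing from the output, records in the output that were never sent,
    duplicated identifiers, and per-record amount mismatches. Decimal is used
    so that monetary totals reconcile exactly rather than to float error."""
    src_amounts = dict(source)
    proc_counts = Counter(rid for rid, _ in processed)
    proc_amounts = {}
    for rid, amt in processed:
        proc_amounts.setdefault(rid, amt)  # first posting wins for comparison

    missing = sorted(set(src_amounts) - set(proc_amounts))
    unexpected = sorted(set(proc_amounts) - set(src_amounts))
    duplicates = sorted(rid for rid, n in proc_counts.items() if n > 1)
    mismatched = sorted(
        rid for rid in src_amounts
        if rid in proc_amounts and src_amounts[rid] != proc_amounts[rid]
    )
    source_total = sum(amt for _, amt in source)
    processed_total = sum(amt for _, amt in processed)

    report = {
        "source_count": len(source),
        "processed_count": len(processed),
        "source_total": source_total,
        "processed_total": processed_total,
        "missing": missing,
        "unexpected": unexpected,
        "duplicates": duplicates,
        "mismatched": mismatched,
    }
    report["balanced"] = (
        not (missing or unexpected or duplicates or mismatched)
        and source_total == processed_total
        and len(source) == len(processed)
    )
    return report


if __name__ == "__main__":
    for key, value in reconcile(SOURCE, PROCESSED).items():
        print(f"{key}: {value}")
```

Run against the sample data the report shows one missing record, one duplicate, one mismatch, and totals that disagree, so `balanced` is False; run against an unchanged copy of the source it balances. A saved copy of this report, with the follow-up ticket for each exception, is exactly the kind of artifact an auditor accepts as processing-integrity evidence; a report that only prints a count match would not catch the duplicate-plus-missing case, since the counts differ but a single-total check on a different pair of errors could cancel out.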
What does 'environment separation' (dev, stage, prod) mean and why is it vital for SOC 2?
Explanation: Separating development, staging, and production environments limits the chance that buggy or untested code reaches live systems, and it keeps production data and credentials out of less controlled environments. Sharing credentials across environments, merging environments, or merely restricting access are not SOC 2 best practices.
What is meant by 'vulnerability management' in SOC 2 compliance?
Explanation: Vulnerability management is the ongoing process of discovering weaknesses, ranking them by risk, and remediating them within defined timeframes. The distractors are useful practices on their own but do not constitute a complete vulnerability management process.
Which of the following is typically included as 'patch management' evidence for SOC 2 audits?
Explanation: Auditors review patch schedules and deployment records (for example, which patches were applied to which systems, and when) as evidence that patches are managed properly. User training, budgets, and customer surveys do not demonstrate patch management.
What best describes an 'access provisioning workflow' in SOC 2?
Explanation: An access provisioning workflow documents each step in granting access, from request through approval to implementation, so that every grant is authorized and traceable. The other answers describe important controls but not the access request workflow itself.