SOC 2 Type II Essentials: Controls, Evidence, and Processes Quiz

Explore essential SOC 2 Type II compliance concepts, including evidence types, access controls, and security processes. Perfect for understanding basic terminology and requirements in security compliance audits.

  1. Understanding Control Frequency

    What does the term 'control frequency' refer to in a SOC 2 Type II audit?

    1. How often a control must be performed (daily, weekly, monthly, per change, etc.)
    2. The severity of a risk addressed by a control
    3. How many people must approve a control
    4. Which department owns a control

    Explanation: Control frequency specifies how often a control activity is required to occur, and in a Type II audit the auditor tests that the control actually operated at that frequency throughout the period (a quarterly access review, for example, should leave evidence for every quarter). The other options are incorrect: department ownership, risk severity, and approval count do not define frequency but relate to other aspects of control design or management.

  2. Point-in-Time Evidence in Type II Audits

    What does 'point-in-time evidence' mean, and why is it not sufficient for SOC 2 Type II compliance?

    1. Evidence from one date only; Type II needs proof across the audit period
    2. Evidence collected only at year-end
    3. Evidence that is not documented
    4. Evidence that is verbally confirmed by employees only

    Explanation: Point-in-time evidence comes from a single date (for example, one dated screenshot) and is insufficient for SOC 2 Type II, which tests whether controls operated effectively throughout the full audit period. The other choices either misrepresent the concept or ignore the time-based requirement central to Type II.

  3. User Access Review Evidence

    Which of the following is an example of evidence for a periodic 'user access review'?

    1. System uptime logs
    2. Screenshots of the login page
    3. Periodic access review records showing who reviewed access and what changes were made
    4. Employee onboarding checklists

    Explanation: Access review records demonstrating who performed the review and any resulting changes directly prove that reviews occurred. Onboarding checklists, login page screenshots, and uptime logs do not confirm periodic user access reviews.

  4. Principle of Least Privilege

    What does the security term 'least privilege' mean?

    1. Revoking access only after termination
    2. Giving users only the minimum access needed to do their job
    3. Providing access based on seniority
    4. Allowing all users the same high-level access

    Explanation: The principle of least privilege restricts user access to just what is necessary for the role. Allowing blanket access, revoking access only on termination, or using seniority as a basis all contradict the concept's intent.

  5. Type II Evidence for MFA Enforcement

    Which is an example of an appropriate Type II evidence set for 'MFA enforcement'?

    1. Company security policy document mentioning MFA
    2. Identity provider settings plus user list showing MFA enabled during the audit period
    3. A single screenshot of an MFA prompt
    4. Training slides about MFA best practices

    Explanation: To demonstrate ongoing MFA enforcement for Type II, you need both the identity provider configuration that requires MFA and user exports taken at points across the period showing MFA enabled, so the auditor can sample dates throughout the period. A policy document, training resources, or a single screenshot do not prove actual enforcement.
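    Worked example for questions 2 and 5, added here and not part of the quiz: a small evidence check that takes periodic identity provider user exports and reports whether they cover the audit period at all (a single export is point-in-time evidence and is flagged), plus any user seen without MFA. The audit period, the quarterly sampling cadence, the IdP settings and the user exports are all constructed assumptions for illustration.

```python
from datetime import date

# Assumed audit period and sampling cadence for this example.
AUDIT_START = date(2024, 1, 1)
AUDIT_END = date(2024, 6, 30)
MAX_GAP_DAYS = 92  # roughly quarterly exports; an auditor may ask for more frequent samples

# Assumed identity provider configuration evidence (the "settings" half of the evidence set).
IDP_SETTINGS = {"mfa_required_for_all_users": True}

# Constructed IdP user exports, one per snapshot date: {snapshot date: {username: MFA enrolled?}}.
# Real evidence would be the raw exports from the identity provider.
SNAPSHOTS = {
    date(2024, 1, 15): {"alice": True, "bob": True, "carol": True},
    date(2024, 3, 15): {"alice": True, "bob": False, "carol": True, "dave": True},
    date(2024, 5, 15): {"alice": True, "bob": True, "carol": True, "dave": True},
}


def coverage_problems(snapshots, start=AUDIT_START, end=AUDIT_END, max_gap=MAX_GAP_DAYS):
    """Explain why a set of snapshots does not cover the audit period (empty list = covered).

    A single snapshot is point-in-time evidence and is always flagged; so is any stretch of
    the period longer than max_gap days with no export, including the stretch before the
    first export and after the last one.
    """
    dates = sorted(d for d in snapshots if start <= d <= end)
    if not dates:
        return ["no snapshots fall inside the audit period"]
    problems = []
    if len(dates) == 1:
        problems.append(f"point-in-time evidence: only one snapshot ({dates[0]})")
    edges = [start] + dates + [end]
    for earlier, later in zip(edges, edges[1:]):
        gap = (later - earlier).days
        if gap > max_gap:
            problems.append(f"{gap}-day gap between {earlier} and {later}")
    return problems


def mfa_exceptions(snapshots):
    """Every (snapshot date, user) where MFA was not enrolled, sorted by date then user."""
    return [(d, user) for d in sorted(snapshots)
            for user, enrolled in sorted(snapshots[d].items()) if not enrolled]


def evidence_summary(snapshots, settings=IDP_SETTINGS):
    """The summary sheet an evidence package would carry alongside the raw exports."""
    problems = coverage_problems(snapshots)
    exceptions = mfa_exceptions(snapshots)
    users = sorted({u for export in snapshots.values() for u in export})
    return {
        "idp_enforces_mfa": settings["mfa_required_for_all_users"],
        "snapshots": [d.isoformat() for d in sorted(snapshots)],
        "users_observed": users,
        "coverage_ok": not problems,
        "coverage_problems": problems,
        "exceptions": [(d.isoformat(), u) for d, u in exceptions],
        # The control operated effectively only if the IdP enforced MFA, the exports span the
        # period, and no sampled user was ever seen without MFA.
        "control_effective": settings["mfa_required_for_all_users"] and not problems and not exceptions,
    }


if __name__ == "__main__":
    for key, value in evidence_summary(SNAPSHOTS).items():
        print(f"{key}: {value}")
```

    Run against the constructed exports, the period is covered but bob's missing MFA on the March export is an exception the auditor will ask about; run against only the March export, the check reports point-in-time evidence and a 107-day uncovered stretch.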

  6. Purpose of Log Retention in SOC 2

    What does 'log retention' mean and why is it important for SOC 2 compliance?

    1. Saving logs as long as possible without any rules
    2. Archiving only financial transaction logs
    3. Keeping logs for a defined time so incidents and access can be investigated
    4. Deleting all logs weekly to free disk space

    Explanation: Log retention means storing logs for a defined period, which supports audits and lets incidents and access be investigated after the fact. Keeping everything indefinitely with no rules is not a defined policy, archiving only financial transaction logs covers a single log type, and deleting logs weekly destroys the record investigators need.
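    Worked example for this question, added here and not taken from the quiz: a check that a log archive actually holds every day of the defined retention window, which is the evidence a "logs are retained for N days" control needs beyond a policy statement. The 90-day policy, the as-of date, the object naming scheme and the bucket listing (with two days deliberately missing) are constructed assumptions.

```python
import re
from datetime import date, timedelta

RETENTION_DAYS = 90        # assumed policy: 90 days of application logs are kept
AS_OF = date(2024, 6, 30)  # assumed date on which the check runs

# Constructed listing of a log archive bucket with one compressed file per day. Two days
# (2024-06-19 and 2024-06-20) are deliberately absent to show gap detection, and one
# non-log object is included to show it is ignored.
ARCHIVE_LISTING = [
    f"logs/app/app-{(AS_OF - timedelta(days=n)).isoformat()}.log.gz"
    for n in range(0, 120)
    if (AS_OF - timedelta(days=n)) not in (date(2024, 6, 19), date(2024, 6, 20))
] + ["logs/app/README.txt"]

LOG_NAME = re.compile(r"app-(\d{4}-\d{2}-\d{2})\.log\.gz$")  # assumed naming scheme


def retained_dates(listing):
    """Dates for which a daily log file exists, parsed from the object names."""
    dates = set()
    for name in listing:
        m = LOG_NAME.search(name)
        if m:
            dates.add(date.fromisoformat(m.group(1)))
    return dates


def retention_check(listing, as_of=AS_OF, retention_days=RETENTION_DAYS):
    """Report whether the archive holds every day of the retention window ending at as_of."""
    have = retained_dates(listing)
    window_start = as_of - timedelta(days=retention_days - 1)
    required = {window_start + timedelta(days=i) for i in range(retention_days)}
    missing = sorted(required - have)
    return {
        "window": (window_start.isoformat(), as_of.isoformat()),
        "days_required": retention_days,
        "days_present": len(required & have),
        "missing_days": [d.isoformat() for d in missing],
        "oldest_retained": min(have).isoformat() if have else None,
        # Informational: logs kept beyond the window are not a gap, but a disposal policy
        # may want to know about them.
        "older_than_window": sum(1 for d in have if d < window_start),
        "compliant": not missing,
    }


if __name__ == "__main__":
    for key, value in retention_check(ARCHIVE_LISTING).items():
        print(f"{key}: {value}")
```

    The check is deliberately about presence of the daily files, not their content; pairing it with a hash or size check of each file would catch archives that exist but are empty.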

  7. Incident Triage Meaning

    What is meant by 'incident triage' in the context of security operations?

    1. Ignoring low-priority incidents
    2. Reporting incidents to law enforcement immediately
    3. Repairing affected hardware
    4. Quickly classifying an incident by severity and deciding the next actions

    Explanation: Incident triage is about sorting and prioritizing incidents for a timely response. The other choices misunderstand triage or limit it to unrelated activities (external reporting or hardware repair).

  8. Root Cause Analysis in Incident Management

    What is 'root cause analysis (RCA)' in relation to incident management?

    1. Isolating all affected servers
    2. Creating backup copies before incidents occur
    3. Informing all users of every incident
    4. Finding the real cause of an issue and preventing it from happening again

    Explanation: RCA is the process of identifying why an incident happened and how to prevent recurrence. Backups, server isolation, or blanket user notifications are other responses, not root cause analysis.

  9. Purpose of Backup Restore Testing

    Why is 'backup restore testing' performed in SOC 2 compliance programs?

    1. To reduce the size of backup files
    2. To check staff attendance
    3. To prove backups can actually be restored successfully when needed
    4. To monitor internet speed

    Explanation: Backup restore testing ensures backup data can be recovered in practice, a core reliability requirement. The other options do not relate to the validation of backup restores.
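    Worked example for this question, added here and not part of the quiz: a restore test that backs up a directory with a checksum manifest, restores the archive into a fresh location, verifies every file against the manifest, and emits the dated pass/fail record an auditor would want to see. It is then run a second time against a deliberately truncated copy of the archive to show that a backup which merely exists is not one that restores. The sample files, archive format and path names are constructed assumptions; the extraction refuses archive members that would land outside the restore directory.

```python
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, archive: Path) -> dict:
    """Write a tar.gz of source_dir; return {relative path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_backup(archive: Path, dest: Path) -> int:
    """Extract regular files only, refusing any member that would land outside dest."""
    dest = dest.resolve()
    count = 0
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if not member.isfile() or os.path.commonpath([str(dest), str(target)]) != str(dest):
                raise ValueError(f"refusing unsafe archive member {member.name!r}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
            count += 1
    return count


def verify_restore(restored_dir: Path, manifest: dict) -> dict:
    """Compare restored files to the manifest; missing, changed and unexpected files all fail."""
    bad = [rel for rel, digest in manifest.items()
           if not (restored_dir / rel).is_file() or sha256_file(restored_dir / rel) != digest]
    extra = [p.relative_to(restored_dir).as_posix() for p in restored_dir.rglob("*")
             if p.is_file() and p.relative_to(restored_dir).as_posix() not in manifest]
    return {"ok": not bad and not extra, "bad": sorted(bad), "extra": sorted(extra)}


def run_restore_test(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """One restore test; returns the evidence record (timestamp, counts, result)."""
    record = {"tested_at": datetime.now(timezone.utc).isoformat(), "archive": archive.name,
              "files_expected": len(manifest), "ok": False}
    try:
        record["files_restored"] = restore_backup(archive, restore_dir)
        record.update(verify_restore(restore_dir, manifest))
    except Exception as exc:  # a restore test must record the failure, not crash
        record["error"] = f"{type(exc).__name__}: {exc}"
    record["result"] = "PASS" if record["ok"] else "FAIL"
    return record


def build_sample_source(root: Path) -> Path:
    """Constructed sample data set standing in for a real application's files."""
    src = root / "source"
    (src / "config").mkdir(parents=True)
    (src / "config" / "app.yaml").write_text("database: prod\nretention_days: 90\n")
    (src / "data.db").write_bytes(bytes(range(256)) * 64)
    return src


def demo() -> tuple:
    """Run the test once against a good archive and once against a truncated copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        archive = root / "backup.tar.gz"
        manifest = make_backup(build_sample_source(root), archive)
        good = run_restore_test(archive, manifest, root / "restore_good")
        # Simulate silent corruption in the backup store: keep only half of the archive bytes.
        broken = root / "broken.tar.gz"
        broken.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        bad = run_restore_test(broken, manifest, root / "restore_bad")
    return good, bad


if __name__ == "__main__":
    for rec in demo():
        print(rec["result"], rec)
```

    The record from each run is the evidence; a restore test that only checks the archive opens, or that is never scheduled, does not show the control operating across the period.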

  10. Security Awareness Training Evidence

    Which is an example of evidence for 'security awareness training' during an audit period?

    1. A welcome email to new employees
    2. Publicly available cybersecurity news articles
    3. Screenshots of training platform's homepage
    4. Training completion records and dates for employees during the audit period

    Explanation: Completion records with dates directly show who received security awareness training. Welcome emails, news articles, or generic platform screenshots do not reliably document training status.