Reading 01 - Foodisthebest/401-Reading-Notes GitHub Wiki

Readings: Strategic Policy Development

Below you will find reading materials and additional resources that support today’s topic and the upcoming lecture.

Review the Submission Instructions for guidance on completing and submitting this assignment.

Reading

The Ultimate Guide to SOC 2 Compliance

This reading relates to Module 1 since this module is focused on governance, risk, and compliance. SOC2 Compliance is directly focused on risk compliance itself.

How would you convince your future company to pursue SOC2 compliance?

  • SOC2 compliance is focused on five principles: security, availability, processing integrity, confidentiality, and privacy. These are some of the goals encompassed by cybersecurity. In this day and age, all documentation and personal information is stored in the cyber world, even if there is a physical copy of a piece of information. A company can't compete if it doesn't value SOC2 compliance, and in some cases, it's illegal for a company to mishandle data, especially if it falls under HIPAA or GDPR regulations. Data breaches are becoming a daily occurrence, and ignoring SOC2 compliance will eventually lead to consumer mistrust.

What are the five SOC2 Trust Principles?

  1. Security
  2. Availability
  3. Processing integrity
  4. Confidentiality
  5. Privacy

How would you explain the three levels of the SOC2 pyramid in an analogy your friends or former colleagues would understand?

  • The top level is Proof that you documented everything. It's the cheese on top. The middle level is How you did everything; how will you eat these nachos? The base level is What you did; what type of meat (or lack of) you're eating would be the base of the nachos.

Additional Materials

Videos

Security Audits - CompTIA Security+ SY0-401: 2.3

Things I Want to Know More About

Why isn't the government involved in SOC2 Compliance? On one hand, I'm glad it's not, because that gives more privacy and confidentiality in a way, but at the same time, this is PII, and people's social security numbers have been stolen and their names used illegally. PII is a governmental responsibility, and these corporations have clearly demonstrated that they feel they're above the law in protecting people's information. They offer no compensation when people get houses or cars taken out under their names, despite most of these data breaches happening to multi-billion-dollar companies.