Reorganize brain: projects/ top level, rename filenames, update homepage
- Moved everything from ideas/passepartout/ to projects/passepartout/ - Moved legal structures to projects/flags/ - Created missing _index.org files for all subdirectories - Stripped redundant passepartout- prefix from filenames - Rewrote root _index.org as generalized brain index (projects + concepts) - Updated Hugo nav to Projects/Concepts - Updated build script section descriptions - Deleted stale ideas/passepartout-economics.md orphan
This commit is contained in:
Hermes
54
projects/passepartout/strategy/compliance/soc2.org
Normal file
54
projects/passepartout/strategy/compliance/soc2.org
Normal file
@@ -0,0 +1,54 @@
|
||||
:PROPERTIES:
|
||||
:ID: ed65031c-cbd2-4ad2-bd53-a67791e183cd
|
||||
:ID: auto-soc2
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: SOC 2 (System and Organization Controls 2)
|
||||
#+filetags: :passepartout:compliance:framework:soc2:
|
||||
|
||||
* SOC 2 (System and Organization Controls 2)
|
||||
|
||||
** What it is
|
||||
|
||||
An auditing standard developed by AICPA (American Institute of CPAs). Not a law.
|
||||
Certifies that a service organization's controls over security, availability,
|
||||
processing integrity, confidentiality, and privacy meet defined criteria.
|
||||
|
||||
Five Trust Service Criteria (TSC):
|
||||
- **Security** (mandatory): protection against unauthorized access (firewall,
|
||||
access control, intrusion detection)
|
||||
- **Availability** (optional): system available for operation and use as
|
||||
committed (uptime, redundancy, disaster recovery)
|
||||
- **Processing Integrity** (optional): system processing is complete, valid,
|
||||
accurate, timely, and authorized
|
||||
- **Confidentiality** (optional): information designated as confidential is
|
||||
protected as committed
|
||||
- **Privacy** (optional): personal information is collected, used, retained,
|
||||
disclosed, and disposed of in conformity with commitments
|
||||
|
||||
Two types:
|
||||
- **Type I:** controls are suitably designed at a specific point in time
|
||||
- **Type II:** controls operated effectively over a period (6-12 months)
|
||||
|
||||
** Who must comply
|
||||
|
||||
Any SaaS or cloud service provider whose enterprise customers require audited
|
||||
vendors. Table stakes for B2B — most enterprise procurement contracts require
|
||||
SOC 2 Type II.
|
||||
|
||||
** Penalties
|
||||
|
||||
No direct fines (not a law). But losing SOC 2 certification means losing
|
||||
enterprise customers. Misrepresentation of certification status is fraud.
|
||||
|
||||
** Why it matters for Passepartout
|
||||
|
||||
SOC 2 is the entry-level certification for the [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]]. A provider
|
||||
needs SOC 2 Type II to sell compute to enterprises whose procurement policy
|
||||
requires audited vendors. The gate stack itself maps directly to the Security
|
||||
criterion (access controls, audit trails) — the [[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]] instance's
|
||||
deterministic gate log serves as the evidence artifact for the audit. No
|
||||
separate logging SIEM needed. This is the prerequisite to the larger
|
||||
[[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] play — once enterprises trust the audit trail, they
|
||||
buy domain-specific gate packages for the same infrastructure.
|
||||
|
||||
Reference in New Issue
Block a user