Version: 1.0
Last Updated: April 2026
Target Audience: Compliance Officers, Security Teams, Auditors
SOC 2 (Service Organization Control 2) compliance ensures that ThemisDB manages data securely based on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- CC1.1 - Security governance structure documented and implemented
  - Security policies defined and approved by management
  - Information security roles and responsibilities assigned
  - Security steering committee meets quarterly
  - Evidence: Policy documents, meeting minutes
- CC1.2 - Board of directors provides oversight
  - Quarterly security reports to board
  - Annual security strategy review
  - Evidence: Board meeting minutes, security reports
- CC1.3 - Management establishes structures and reporting lines
  - Organizational chart showing security reporting
  - Clear escalation paths documented
  - Evidence: Org chart, escalation procedures
- CC1.4 - Demonstrates commitment to competence
  - Security training for all staff
  - Specialized training for operations team
  - Annual competency reviews
  - Evidence: Training records, certifications
- CC2.1 - Security policies communicated to relevant parties
  - All employees acknowledge security policy annually
  - Contractors sign security agreements
  - Evidence: Signed acknowledgments, NDAs
- CC2.2 - Information systems support objectives
  - Systems documented with data flow diagrams
  - Security controls mapped to systems
  - Evidence: System documentation, data flow diagrams
- CC3.1 - Risk assessment process defined
  - Annual risk assessment performed
  - Risk register maintained and reviewed quarterly
  - Risk mitigation plans for critical risks
  - Evidence: Risk assessment reports, risk register
- CC3.2 - Fraud risk assessment
  - Fraud scenarios identified and assessed
  - Anti-fraud controls implemented
  - Evidence: Fraud risk assessment, control documentation
- CC4.1 - Ongoing monitoring procedures established
  - Security metrics tracked continuously
  - Dashboards for real-time monitoring
  - Automated alerting configured
  - Evidence: Monitoring logs, alert configurations
- CC4.2 - Internal audit program
  - Annual internal security audit
  - Quarterly control testing
  - Remediation tracking
  - Evidence: Audit reports, remediation logs
- CC5.1 - Logical access controls
  - Multi-factor authentication enforced
  - Role-based access control implemented
  - Access reviews performed quarterly
  - Privileged access monitored and logged
  - Evidence: Access logs, review reports

```bash
# Verify MFA enforcement
themisdb-cli security audit-mfa --all-users

# Review access permissions
themisdb-cli security access-review --output /tmp/access-review-$(date +%Y%m%d).csv
```
- CC5.2 - Physical access controls
  - Data center access restricted and logged
  - Visitor logs maintained
  - Security cameras monitoring critical areas
  - Evidence: Access logs, visitor logs, camera footage
- CC5.3 - Change management controls
  - Change approval process documented
  - All changes tracked in ticketing system
  - Emergency change procedures defined
  - Evidence: Change tickets, approval records

```bash
# Review recent changes
themisdb-cli audit query --type change --last 30d
```

- CC6.1 - User access provisioning/deprovisioning
  - Automated onboarding/offboarding procedures
  - Access granted based on least privilege
  - Terminated user access revoked within 24 hours
  - Evidence: Access logs, HR integration logs
- CC6.2 - Authentication mechanisms
  - Strong password policy enforced (12+ chars, complexity)
  - MFA required for all access
  - Failed login attempts monitored
  - Evidence: Policy documentation, MFA logs

```yaml
# Password policy configuration
password_policy:
  min_length: 12
  require_uppercase: true
  require_lowercase: true
  require_numbers: true
  require_special_chars: true
  max_age_days: 90
  prevent_reuse: 12
```

- CC6.3 - Authorization
  - RBAC implemented with defined roles
  - Segregation of duties enforced
  - Elevated privileges require approval
  - Evidence: Role definitions, approval logs
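As an added illustration (not ThemisDB code and not part of this checklist), the Python below enforces the CC6.2 `password_policy` values above on a candidate password, including the `prevent_reuse` history check and `max_age_days` expiry; the function names and the salted SHA-256 history digest are assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed policy mirroring the page's password_policy YAML (CC6.2).
PASSWORD_POLICY = {
    "min_length": 12,
    "require_uppercase": True,
    "require_lowercase": True,
    "require_numbers": True,
    "require_special_chars": True,
    "max_age_days": 90,
    "prevent_reuse": 12,
}


def history_digest(password: str, salt: str) -> str:
    """Digest stored in the reuse history (assumed scheme). Used only for the
    reuse comparison; credential storage itself needs a slow hash (argon2)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def check_new_password(password: str, history: list, salt: str,
                       policy: dict = PASSWORD_POLICY) -> list:
    """Return the policy violations for a candidate password (empty list
    means accepted). `history` holds previous digests, most recent first."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if policy["require_uppercase"] and not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if policy["require_lowercase"] and not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if policy["require_numbers"] and not any(c.isdigit() for c in password):
        violations.append("no digit")
    if policy["require_special_chars"] and all(c.isalnum() for c in password):
        violations.append("no special character")
    # prevent_reuse: 12 -> only the 12 most recent digests block reuse.
    new = history_digest(password, salt)
    if any(hmac.compare_digest(new, old) for old in history[:policy["prevent_reuse"]]):
        violations.append(f"matches one of the last {policy['prevent_reuse']} passwords")
    return violations


def password_expired(last_changed: str, today: str,
                     policy: dict = PASSWORD_POLICY) -> bool:
    """max_age_days: 90 -> a password older than 90 days must be rotated.
    Both arguments are ISO dates (YYYY-MM-DD)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=policy["max_age_days"])
```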
- CC7.1 - Capacity planning and monitoring
  - Resource utilization monitored continuously
  - Capacity planning performed quarterly
  - Scaling procedures documented and tested
  - Evidence: Capacity reports, scaling test results
- CC7.2 - Monitoring of system performance
  - SLA metrics tracked and reported
  - Performance baselines established
  - Anomalies detected and investigated
  - Evidence: Performance reports, incident tickets
- CC7.3 - Backup and recovery procedures
  - Automated daily backups
  - Quarterly recovery testing
  - RTO/RPO documented and tested
  - Evidence: Backup logs, recovery test results

```bash
# Verify backup status
themisdb-cli backup status --detailed

# Test backup integrity
themisdb-cli backup verify --latest --full-check
```

- CC8.1 - Change approval and testing
  - All production changes require approval
  - Changes tested in non-production first
  - Rollback procedures documented
  - Evidence: Change tickets, test results
A1.1 - Availability commitments defined in SLAs
- SLA targets: 99.9% for Tier 1 services
- Uptime tracked and reported monthly
- Evidence: SLA documents, uptime reports
-
A1.2 - Monitoring and incident response
- 24/7 monitoring in place
- Incident response procedures documented
- Incidents tracked and resolved per SLA
- Evidence: Monitoring logs, incident tickets
-
A1.3 - Business continuity and disaster recovery
- DR plan documented and approved
- Quarterly DR testing
- RTO/RPO objectives met
- Evidence: DR plan, test results
- PI1.1 - Processing objectives defined
- Data processing flows documented
- Input validation controls implemented
- Output verification procedures defined
- Evidence: Process documentation, validation logs
-
C1.1 - Data classification policy
- Data classified by sensitivity
- Encryption requirements per classification
- Handling procedures documented
- Evidence: Classification policy, encryption configs
-
C1.2 - Encryption controls
- Data encrypted at rest (AES-256)
- Data encrypted in transit (TLS 1.3)
- Key management procedures documented
- Evidence: Encryption configs, key rotation logs
-
P1.1 - Privacy notice provided
- Privacy policy published and accessible
- Users notified of data collection practices
- Evidence: Privacy policy, consent records
-
P1.2 - Data subject rights
- Procedures for access requests
- Data deletion capabilities
- Data portability supported
- Evidence: Request handling logs
- Consent
  - Explicit consent obtained for data processing
  - Consent records maintained
  - Easy withdrawal mechanism provided
  - Evidence: Consent logs, withdrawal requests
- Legitimate Interest
  - Legitimate interest assessment documented
  - Balancing test performed
  - Evidence: LIA documentation
- Right to Access (Article 15)
  - Data subject access request (DSAR) procedure
  - Response within 30 days
  - Data provided in machine-readable format
  - Evidence: DSAR logs, response records

```bash
# Handle data access request
themisdb-cli gdpr access-request \
  --subject-id user@example.com \
  --output /tmp/dsar-$(date +%s).json
```

- Right to Rectification (Article 16)
  - Data correction procedures implemented
  - Updates propagated to all systems
  - Evidence: Correction logs
- Right to Erasure (Article 17)
  - Data deletion capabilities implemented
  - Deletion verified across all systems
  - Retention periods respected
  - Evidence: Deletion logs, verification reports

```bash
# Process deletion request
themisdb-cli gdpr delete-request \
  --subject-id user@example.com \
  --verify \
  --generate-certificate
```

- Right to Data Portability (Article 20)
  - Export in common format (JSON, CSV)
  - Complete data package provided
  - Evidence: Export logs
- Right to Object (Article 21)
  - Objection handling procedures
  - Processing stopped when objection valid
  - Evidence: Objection logs
- Encryption
  - AES-256 encryption for data at rest
  - TLS 1.3 for data in transit
  - End-to-end encryption for sensitive data
  - Evidence: Encryption configurations
- Pseudonymization
  - PII pseudonymized where possible
  - Reversible with secure key management
  - Evidence: Pseudonymization configs
Security Testing
- Annual penetration testing
- Quarterly vulnerability scanning
- Security patches applied within 30 days
- Evidence: Test reports, patch logs
-
Internal Procedures
- Breach detection mechanisms in place
- Breach response plan documented
- Incident response team trained
- Evidence: Response plan, training records
-
Notification Requirements
- Supervisory authority notification within 72 hours
- Data subject notification without undue delay
- Breach register maintained
- Evidence: Breach notifications, breach register
- DPIA Process
- DPIA template and procedure defined
- High-risk processing assessed
- Mitigation measures implemented
- Evidence: DPIA documents, risk assessments
- Processing Register
- All processing activities documented
- Register maintained and current
- Categories of data subjects documented
- Evidence: Processing register
- Security Management Process (§164.308(a)(1))
  - Risk analysis conducted annually
  - Risk management plan implemented
  - Sanctions policy for violations
  - Information system activity review
  - Evidence: Risk analysis, review logs
- Assigned Security Responsibility (§164.308(a)(2))
  - Security officer appointed
  - Responsibilities documented
  - Evidence: Job description, org chart
- Workforce Security (§164.308(a)(3))
  - Authorization procedures
  - Workforce clearance procedures
  - Termination procedures (access removal)
  - Evidence: HR procedures, access logs
- Information Access Management (§164.308(a)(4))
  - Access authorization policies
  - Access establishment procedures
  - Access modification procedures
  - Evidence: Access policies, logs
- Security Awareness and Training (§164.308(a)(5))
  - Annual security training for all staff
  - Protection from malicious software
  - Password management training
  - Login monitoring procedures
  - Evidence: Training records, certificates
- Security Incident Procedures (§164.308(a)(6))
  - Incident response plan documented
  - Incidents logged and tracked
  - Incident analysis performed
  - Evidence: Response plan, incident logs
- Contingency Plan (§164.308(a)(7))
  - Data backup plan (daily backups)
  - Disaster recovery plan (RTO/RPO defined)
  - Emergency mode operation plan
  - Testing and revision procedures (quarterly)
  - Evidence: DR plan, test results
- Business Associate Agreements (§164.308(b)(1))
  - BAAs signed with all third parties
  - Contracts include required provisions
  - Evidence: Signed BAAs
- Facility Access Controls (§164.310(a)(1))
  - Contingency operations procedures
  - Facility security plan
  - Access control and validation procedures
  - Maintenance records
  - Evidence: Security plan, access logs
- Workstation Use (§164.310(b))
  - Workstation security policies
  - Screen lock requirements
  - Clean desk policy
  - Evidence: Policy documents
- Workstation Security (§164.310(c))
  - Physical safeguards for workstations
  - Restricted access to PHI
  - Evidence: Physical security measures
- Device and Media Controls (§164.310(d)(1))
  - Disposal procedures (secure wiping)
  - Media re-use procedures
  - Accountability for media
  - Data backup and storage
  - Evidence: Disposal logs, backup logs
- Access Control (§164.312(a)(1))
  - Unique user identification
  - Emergency access procedures
  - Automatic logoff (15 min idle)
  - Encryption and decryption
  - Evidence: Access configs, encryption settings

```yaml
# Session timeout configuration
session:
  timeout_minutes: 15
  require_reauth: true
  lock_on_idle: true
```

- Audit Controls (§164.312(b))
  - Hardware, software, and procedural mechanisms
  - Record and examine activity in systems with PHI
  - Audit logs retained for 6 years
  - Evidence: Audit logs, log retention policy

```bash
# Review audit logs
themisdb-cli audit query --type access --phi true --last 90d
```

- Integrity (§164.312(c)(1))
  - Mechanisms to ensure data not improperly altered/destroyed
  - Checksums and digital signatures
  - Evidence: Integrity verification logs
- Person or Entity Authentication (§164.312(d))
  - Verify person/entity is who they claim
  - MFA required
  - Evidence: Authentication logs
- Transmission Security (§164.312(e)(1))
  - Integrity controls for transmitted PHI
  - Encryption of PHI in transmission (TLS 1.3)
  - Evidence: Network configs, encryption logs
```bash
# Run SOC 2 compliance check
themisdb-cli compliance check --standard soc2 --output /tmp/soc2-check.json

# Run GDPR compliance check
themisdb-cli compliance check --standard gdpr --output /tmp/gdpr-check.json

# Run HIPAA compliance check
themisdb-cli compliance check --standard hipaa --output /tmp/hipaa-check.json

# Generate compliance dashboard
themisdb-cli compliance dashboard --all-standards
```

```yaml
# /etc/themisdb/compliance-monitoring.yaml
monitoring:
  enabled: true
  checks:
    - standard: soc2
      frequency: daily
      alert_on_failure: true
    - standard: gdpr
      frequency: daily
      alert_on_failure: true
    - standard: hipaa
      frequency: daily
      alert_on_failure: true

reporting:
  monthly_report: true
  recipients:
    - compliance-team@example.com
    - security-team@example.com
```

Track these metrics continuously:
- Access control violations
- Encryption failures
- Backup success rate
- Incident response time
- Security training completion rate
- Patch management compliance
- Data retention policy compliance
4 Weeks Before Audit:
- Review all compliance checklists
- Run automated compliance checks
- Remediate any identified gaps
- Update all documentation
- Prepare evidence collection

2 Weeks Before Audit:
- Schedule audit kick-off meeting
- Provide auditors with requested documentation
- Set up audit war room
- Brief team on audit process

1 Week Before Audit:
- Final compliance check
- Verify all evidence is accessible
- Review findings from previous audit
- Prepare remediation status updates

```bash
# Collect all compliance evidence
themisdb-cli compliance collect-evidence \
  --standard all \
  --output /audit/evidence-$(date +%Y%m%d).tar.gz

# Generate compliance report
themisdb-cli compliance report \
  --standard all \
  --format pdf \
  --output /audit/compliance-report-$(date +%Y%m%d).pdf
```

- Address all audit findings
- Create remediation plan with timelines
- Update policies and procedures
- Implement recommended controls
- Schedule follow-up audit
Document Version: 1.0
Last Updated: April 2026
Next Review: April 2026
Owner: Compliance Team
Sign-off:
- Compliance Officer: ________________ Date: ________
- CISO: ________________ Date: ________
- Legal: ________________ Date: ________