From faos-ciso
<!-- AUTO-GENERATED by export-plugins.py — DO NOT EDIT -->
npx claudepluginhub frank-luongt/faos-skills-marketplace --plugin faos-cisoThis skill uses the workspace's default tool permissions.
Implements structured self-debugging workflow for AI agent failures: capture errors, diagnose patterns like loops or context overflow, apply contained recoveries, and generate introspection reports.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates an organization's information systems against the Trust Services Criteria (TSC). A SOC 2 Type II report covers both the design and operating effectiveness of controls over a review period (typically 6-12 months).
SOC 2 is the de facto compliance standard for B2B SaaS companies. Enterprise customers increasingly require a clean SOC 2 Type II report before signing contracts, making it a critical business enabler alongside a security control.
Identify the systems, infrastructure, people, processes, and data flows that are in scope for the SOC 2 report. Scope typically includes:
Choose which of the five TSC categories to include. Security (Common Criteria) is always required. Additional categories should align with customer requirements and business operations.
| Category | When to Include |
|---|---|
| Security (CC) | Always required -- foundational to every SOC 2 |
| Availability | SLA commitments, uptime guarantees to customers |
| Processing Integrity | Financial transactions, data pipelines, calculations |
| Confidentiality | Handling confidential business data, NDA obligations |
| Privacy | Processing personal information (PII/PHI) |
For each criterion (CC1 through CC9 and supplemental criteria), document the specific controls your organization has in place. Each control should have:
Collect evidence that demonstrates each control operated effectively throughout the review period. Evidence categories include:
Engage a licensed CPA firm to perform the examination. Preparation includes:
Establishes the tone at the top and organizational commitment to integrity and security.
| Criterion | Key Controls |
|---|---|
| CC1.1 | Board/management oversight of security program |
| CC1.2 | Independence and competence of oversight bodies |
| CC1.3 | Management structure, reporting lines, authorities |
| CC1.4 | Commitment to attract, develop, retain competent personnel |
| CC1.5 | Individuals held accountable for internal control responsibilities |
Ensures quality information flows to support internal controls.
| Criterion | Key Controls |
|---|---|
| CC2.1 | Information required for controls is generated and used |
| CC2.2 | Internal communication of security policies and objectives |
| CC2.3 | External communication with relevant parties |
Identifies and manages risks that could prevent achieving objectives.
| Criterion | Key Controls |
|---|---|
| CC3.1 | Security objectives defined with sufficient clarity |
| CC3.2 | Risk identification and analysis across the entity |
| CC3.3 | Consideration of fraud risk |
| CC3.4 | Identification and assessment of significant changes |
Ongoing evaluation of internal controls.
| Criterion | Key Controls |
|---|---|
| CC4.1 | Monitoring to ascertain controls are functioning |
| CC4.2 | Deficiencies communicated and corrective action taken |
Policies and procedures that mitigate risks.
| Criterion | Key Controls |
|---|---|
| CC5.1 | Selection and development of control activities |
| CC5.2 | Technology general controls (ITGC) deployed |
| CC5.3 | Controls deployed through policies and procedures |
Controls over system access -- often the largest evidence collection area.
| Criterion | Key Controls |
|---|---|
| CC6.1 | Logical access security (authentication, SSO, MFA) |
| CC6.2 | User provisioning and deprovisioning |
| CC6.3 | Role-based access, least privilege enforcement |
| CC6.4 | Physical access restrictions to facilities and hardware |
| CC6.5 | Disposal of assets and data |
| CC6.6 | Protection against external threats (firewalls, WAF, DDoS) |
| CC6.7 | Restriction of data transmission (encryption in transit) |
| CC6.8 | Prevention and detection of unauthorized software |
Monitoring and incident management.
| Criterion | Key Controls |
|---|---|
| CC7.1 | Detection of configuration changes and vulnerabilities |
| CC7.2 | Monitoring for anomalies and security events |
| CC7.3 | Evaluation of detected events as incidents |
| CC7.4 | Incident response execution |
| CC7.5 | Incident recovery and restoration |
Controls over system changes.
| Criterion | Key Controls |
|---|---|
| CC8.1 | Change authorization, testing, and approval |
Vendor management and business risk transfer.
| Criterion | Key Controls |
|---|---|
| CC9.1 | Risk mitigation through business processes |
| CC9.2 | Vendor risk management and assessment |
"""
SOC 2 evidence collector -- automates periodic evidence gathering
from cloud infrastructure and identity providers.
"""
import json
import datetime
from pathlib import Path
import boto3
from google.cloud import asset_v1
class SOC2EvidenceCollector:
"""Collects and organizes SOC 2 evidence artifacts."""
def __init__(self, output_dir: str, review_period_start: str):
self.output_dir = Path(output_dir)
self.output_dir.mkdir(parents=True, exist_ok=True)
self.review_start = datetime.date.fromisoformat(review_period_start)
self.collection_date = datetime.date.today().isoformat()
def collect_aws_iam_evidence(self) -> dict:
"""CC6.1-CC6.3: Collect IAM configuration evidence."""
iam = boto3.client("iam")
# Credential report for MFA status
iam.generate_credential_report()
cred_report = iam.get_credential_report()
# Password policy
password_policy = iam.get_account_password_policy()
# List users and their MFA devices
users = iam.list_users()["Users"]
user_mfa = {}
for user in users:
mfa_devices = iam.list_mfa_devices(UserName=user["UserName"])
user_mfa[user["UserName"]] = {
"has_mfa": len(mfa_devices["MFADevices"]) > 0,
"created": user["CreateDate"].isoformat(),
"last_login": (
user.get("PasswordLastUsed", "never").isoformat()
if hasattr(user.get("PasswordLastUsed", ""), "isoformat")
else "never"
),
}
evidence = {
"criterion": "CC6.1",
"collected_at": self.collection_date,
"password_policy": password_policy["PasswordPolicy"],
"user_mfa_status": user_mfa,
"total_users": len(users),
"mfa_enabled_count": sum(
1 for u in user_mfa.values() if u["has_mfa"]
),
}
output_path = self.output_dir / f"cc6_1_iam_{self.collection_date}.json"
output_path.write_text(json.dumps(evidence, indent=2, default=str))
return evidence
def collect_encryption_evidence(self) -> dict:
"""CC6.7: Collect encryption-in-transit evidence."""
acm = boto3.client("acm")
certs = acm.list_certificates(
CertificateStatuses=["ISSUED"]
)["CertificateSummaryList"]
evidence = {
"criterion": "CC6.7",
"collected_at": self.collection_date,
"tls_certificates": [
{
"domain": c["DomainName"],
"status": c["Status"],
"not_after": c.get("NotAfter", "").isoformat()
if hasattr(c.get("NotAfter", ""), "isoformat")
else "",
}
for c in certs
],
}
output_path = self.output_dir / f"cc6_7_encryption_{self.collection_date}.json"
output_path.write_text(json.dumps(evidence, indent=2, default=str))
return evidence
def collect_change_management_evidence(self) -> dict:
"""CC8.1: Collect change management evidence from GitHub."""
# Uses GitHub API -- requires GITHUB_TOKEN env var
import requests
import os
token = os.environ["GITHUB_TOKEN"]
org = os.environ["GITHUB_ORG"]
headers = {"Authorization": f"Bearer {token}"}
repos_resp = requests.get(
f"https://api.github.com/orgs/{org}/repos",
headers=headers,
params={"per_page": 100},
timeout=30,
)
repos = repos_resp.json()
branch_protections = {}
for repo in repos:
bp_resp = requests.get(
f"https://api.github.com/repos/{org}/{repo['name']}"
f"/branches/{repo['default_branch']}/protection",
headers=headers,
timeout=30,
)
if bp_resp.status_code == 200:
bp = bp_resp.json()
branch_protections[repo["name"]] = {
"required_reviews": bp.get(
"required_pull_request_reviews", {}
).get("required_approving_review_count", 0),
"dismiss_stale_reviews": bp.get(
"required_pull_request_reviews", {}
).get("dismiss_stale_reviews", False),
"require_status_checks": bp.get(
"required_status_checks") is not None,
}
evidence = {
"criterion": "CC8.1",
"collected_at": self.collection_date,
"repos_assessed": len(repos),
"branch_protections": branch_protections,
}
output_path = self.output_dir / f"cc8_1_change_mgmt_{self.collection_date}.json"
output_path.write_text(json.dumps(evidence, indent=2, default=str))
return evidence
def generate_collection_summary(self, results: list[dict]) -> None:
"""Generate a summary report of all collected evidence."""
summary = {
"collection_date": self.collection_date,
"review_period_start": self.review_start.isoformat(),
"artifacts_collected": len(results),
"criteria_covered": [r["criterion"] for r in results],
}
output_path = self.output_dir / f"collection_summary_{self.collection_date}.json"
output_path.write_text(json.dumps(summary, indent=2))
# Usage:
# collector = SOC2EvidenceCollector("./evidence/2026-q1", "2025-09-01")
# results = [
# collector.collect_aws_iam_evidence(),
# collector.collect_encryption_evidence(),
# collector.collect_change_management_evidence(),
# ]
# collector.generate_collection_summary(results)
soc2_control_mapping:
organization: "Acme SaaS Inc."
report_type: "Type II"
review_period: "2025-09-01 to 2026-02-28"
tsc_categories:
- Security
- Availability
- Confidentiality
control_matrix:
- criterion: CC6.1
description: "Logical access security"
controls:
- id: AC-001
title: "SSO with MFA enforcement"
owner: "IT Operations"
frequency: "Continuous"
evidence:
- "Okta MFA policy screenshot"
- "SSO configuration export"
- "Login audit logs (quarterly sample)"
tools: ["Okta", "AWS IAM"]
- id: AC-002
title: "Service account key rotation"
owner: "Platform Engineering"
frequency: "Every 90 days"
evidence:
- "Key rotation automation logs"
- "GCP service account key age report"
tools: ["GCP IAM", "Terraform"]
- criterion: CC6.2
description: "User provisioning and deprovisioning"
controls:
- id: AC-003
title: "Automated onboarding/offboarding via HRIS integration"
owner: "IT Operations"
frequency: "Per event"
evidence:
- "HRIS-to-Okta sync configuration"
- "Deprovisioning SLA report (target: 24h)"
- "Quarterly access review records"
tools: ["BambooHR", "Okta", "Jira"]
- criterion: CC7.2
description: "Monitoring for anomalies and security events"
controls:
- id: MON-001
title: "SIEM with alerting for security events"
owner: "Security Team"
frequency: "Continuous"
evidence:
- "SIEM alert rule inventory"
- "Monthly alert tuning records"
- "Sample incident tickets from alerts"
tools: ["Datadog SIEM", "PagerDuty"]
- criterion: CC8.1
description: "Change authorization, testing, and approval"
controls:
- id: CM-001
title: "PR-based code review with branch protection"
owner: "Engineering"
frequency: "Per change"
evidence:
- "GitHub branch protection settings"
- "Sample PRs showing review and approval"
- "CI/CD pipeline configuration"
tools: ["GitHub", "GitHub Actions"]
Scoping and Governance:
CC1-CC5 (Foundation Controls):
CC6 (Access Controls):
CC7 (System Operations):
CC8 (Change Management):
CC9 (Risk Mitigation):
Audit Readiness: