CC1 – Control Environment
Organizational Policies and Governance
SpecNavi maintains formally approved security, risk, and acceptable use policies that define management’s expectations for protecting systems and data.
Code of Conduct
A written code of conduct sets ethical and professional standards for personnel. Employees and applicable contractors acknowledge the code as a condition of engagement.
Confidentiality Obligations
Employees and applicable contractors sign confidentiality or non‑disclosure agreements as part of onboarding to protect customer and company information.
Roles and Responsibilities
Security‑relevant roles and responsibilities are defined, documented, and communicated to ensure accountability for the design and operation of controls.
Personnel Screening and Performance
Appropriate background or reference checks are performed where permitted by law and aligned with role risk. Employee performance is reviewed periodically under established HR processes.
CC2 – Communication and Information
Policy Communication
Security, privacy, and acceptable use policies are communicated to relevant personnel at onboarding and upon material updates.
Customer‑Facing Documentation
Service descriptions, security overviews, and other external resources (e.g., documentation, user guides, knowledge base) are maintained to inform customers of key security controls and expectations.
System Change Communications
Material system changes, maintenance activities, and incidents that may affect customers are communicated through appropriate channels.
Data‑Flow Documentation
Data‑flow diagrams are maintained and updated as needed to depict the flow of customer and account data across systems and services.
CC3 – Risk Assessment
Risk Assessment Program
Information security risk assessments are performed at least annually and upon significant changes to identify and evaluate risks to systems, data, and supporting processes.
Risk Management Policy
A documented risk management policy defines the methodology for identifying, assessing, prioritizing, and treating information security risks.
Vendor and Third‑Party Risk
A vendor management program and vendor inventory are maintained, including services provided, data access, and security posture. Vendor risks are assessed and monitored on an ongoing basis.
CC4 – Monitoring of Controls
Control Monitoring
Management monitors the design and operating effectiveness of key security controls through periodic reviews, metrics, and independent assessments.
Independent Security Oversight
Independent third‑party assessments or audits are performed periodically to evaluate the effectiveness of the control environment and support SOC 2 readiness.
Issue Tracking and Remediation
Identified control gaps and security findings are tracked to closure within defined timelines based on risk and severity.
CC5 – Control Activities
Access Granting and Reviews
Access to systems and data is granted based on the principle of least privilege and requires documented approval. User access is reviewed at least annually to confirm appropriateness and ensure terminated users do not retain access.
Account Inventory and Dormant Accounts
An inventory of user accounts for critical and high‑risk systems and vendors is maintained. Dormant or inactive accounts are periodically identified and disabled or removed.
Password and Authentication Controls
A password management policy is enforced via technical controls, including strong password requirements and non‑reuse where supported. Multi‑factor authentication (MFA) is required for access to critical services and infrastructure, subject to documented exceptions.
Secure Development Lifecycle
A documented software development lifecycle (SDLC) includes security considerations such as code review, testing, and segregation of duties. Code changes are introduced via pull requests and reviewed prior to merging into production branches.
Change Management
Infrastructure and system changes are authorized, tested as appropriate, and logged to maintain traceability and support audit and incident investigation needs.
CC6 – Logical and Physical Access Controls
Logical Access Management
Logical access to production systems and environments is restricted to authorized personnel. Role‑based access controls are used to align permissions with job responsibilities.
Production Environment Protection
Access to production deployment environments and production databases is limited to authorized roles. Unique authentication (e.g., dedicated credentials or keys) is enforced for production database access.
Endpoint Security
Supported endpoints (e.g., laptops, workstations, mobile devices) are protected with anti‑malware, host‑based firewalls, and encryption of local storage where feasible. Mobile Device Management (MDM) is used to secure and manage applicable devices.
Physical Security
Physical access to facilities and equipment that support production systems is restricted to authorized personnel through physical security mechanisms and procedures.
CC7 – System Operations
Logging and Monitoring
Security‑relevant events from critical systems, applications, and infrastructure are logged. A centralized log management solution is used to collect, retain, and analyze logs.
Audit Log Management
An audit log management process defines which events are logged, log retention, protection, and monitoring procedures to support incident detection and investigations.
Infrastructure Monitoring
Infrastructure performance and availability are monitored to detect anomalies and conditions that could impact security, availability, or reliability.
Incident Response
An incident response policy defines roles, responsibilities, escalation paths, and procedures for detecting, responding to, and recovering from security incidents.
CC8 – Change Management
Infrastructure and Application Changes
Changes to infrastructure and applications are managed through documented processes that include planning, testing where appropriate, approval, and logging.
Production Deployment Controls
Only authorized personnel may deploy changes to production. Segregation of duties is enforced where feasible between development, review, and deployment activities.
Communication of Changes
Relevant customers are notified of material changes that may affect service availability, functionality, or security through designated communication channels.
CC9 – Risk Mitigation
Data Management and Retention
A data management and retention policy defines retention periods for customer and operational data, as well as secure disposal methods at end of life.
Encryption at Rest and in Transit
Sensitive data is encrypted at rest on managed storage systems and in transit over internal and external networks using industry‑standard cryptographic protocols.
Business Continuity and Disaster Recovery
Business continuity and disaster recovery (BC/DR) policies define strategies for sustaining operations and restoring services following disruptive events.
Backups and Recovery
Automated backups are configured for critical systems and high‑risk data. Backup and recovery data are logically separated from production environments, and restoration procedures are defined and tested periodically.
Vulnerability Management and Testing
A vulnerability management program includes regular vulnerability scanning, timely patching, and remediation of identified weaknesses. Independent penetration testing of relevant systems is performed at least annually, and findings are tracked to resolution.
Security Awareness and Training
Security awareness training is provided at least annually to personnel and addresses topics such as phishing, password hygiene, and handling of sensitive data, supporting ongoing risk mitigation.
This CC1–CC9 mapping is intended to support SOC 2 auditors and enterprise security due diligence by describing how SpecNavi’s controls align with the AICPA Security Trust Services Criteria (Common Criteria).
Source: Secureframe
