# Ensure SOC 2 compliance

Cortex streamlines SOC 2 compliance by replacing manual, spreadsheet-based tracking with control verification driven by real-time system data.

To improve consistency across your compliance tracking:

* You can [launch a SOC 2 Compliance Scorecard](#create-a-soc-2-scorecard). Cortex provides a prebuilt SOC 2 compliance [Scorecard](/standardize/scorecards.md) template that you can use to track audit-related controls and standards.
* You can [launch an Initiative](#create-a-soc-2-initiative) associated with the Scorecard, which gives your engineers a deadline for bringing their entities into compliance with specific rules or levels.
* [Use reports and Cortex MCP](#measuring-success) to better understand progress and next steps.

## Create a SOC 2 Scorecard

### Prerequisites

Before using this Scorecard template:

* Ensure you have configured integrations for:
  * Version control: [Azure DevOps](/ingesting-data-into-cortex/integrations/azuredevops.md), [Bitbucket](/ingesting-data-into-cortex/integrations/bitbucket.md), [GitHub](/ingesting-data-into-cortex/integrations/github.md), or [GitLab](/ingesting-data-into-cortex/integrations/gitlab.md).
  * [PagerDuty](/ingesting-data-into-cortex/integrations/pagerduty.md)
  * [Snyk](/ingesting-data-into-cortex/integrations/snyk.md)
    * This Scorecard uses Snyk for its vulnerability scanning rules, but the rules can be modified to check vulnerability data from [Checkmarx](/ingesting-data-into-cortex/integrations/checkmarx.md), [Mend](/ingesting-data-into-cortex/integrations/mend.md), [Semgrep](/ingesting-data-into-cortex/integrations/semgrep.md), [Veracode](/ingesting-data-into-cortex/integrations/veracode.md), or [Wiz](/ingesting-data-into-cortex/integrations/wiz.md).
      * See [CQL Explorer](https://app.getcortexapp.com/admin/queries) in your Cortex workspace for example queries for these integrations.
* Ensure you have [created custom data fields](/ingesting-data-into-cortex/entities-overview/entities/custom-data.md) called `tls_enabled` (a boolean; the rule compares it to `true`, so a string value such as `"true"` does not pass) and `last_risk_assessment_date` (a date; the rule measures how long ago it was).

### Step 1: Create the Scorecard and configure its basic settings

You can create a Scorecard in the Cortex UI, or you can add it to your workspace via GitOps or the Cortex API.

{% tabs %}
{% tab title="Cortex UI" %}

#### Create Scorecard in the Cortex UI

1. On the [**Scorecards** page](https://app.getcortexapp.com/admin/scorecards) in your workspace, click **Create Scorecard**.
2. On the `SOC-2 Compliance` template, click **Use**.
3. Configure basic settings, including the Scorecard's name, unique identifier, description, and more.
   * Learn about configuring the basic settings in the [Creating a Scorecard documentation](https://app.gitbook.com/o/RD51qiGImxmmq8NjALb1/s/JW7pYRxS4dHS3Hv6wxve/standardize/scorecards/create).

{% endtab %}

{% tab title="GitOps or API" %}

#### Create Scorecard via GitOps or API

When following a [GitOps approach](/configure/gitops.md), you can add a Scorecard YAML file to your `.cortex/scorecards` directory in your version control repository. Note that GitOps must be enabled for Scorecards in your [GitOps settings](/configure/settings/gitops-settings.md).

You can also submit the Scorecard definition in YAML through the [Cortex API](/api/readme/scorecards.md).

<details>

<summary>SOC 2 Scorecard YAML</summary>

Use the YAML file below to add this Scorecard to your workspace via the API or via a GitOps flow.

```yaml
tag: soc-2
name: SOC 2 Compliance
description: |-
  Ensure services meet SOC 2 requirements by tracking key security, operational, and maturity controls including ownership, TLS, vulnerability scans, and risk assessments.

  (Created from Scorecard template)
draft: false
notifications:
  enabled: false
  scoreDropNotificationsEnabled: false
exemptions:
  enabled: true
  autoApprove: false
  userSpecificNotifications: false
ladder:
  name: Default Ladder
  levels:
  - name: Foundational Security
    rank: 1
    color: "#c38b5f"
  - name: Operational Compliance
    rank: 2
    color: "#8c9298"
  - name: Advanced SOC 2 Maturity
    rank: 3
    color: "#cda400"
rules:
- title: Pen test linked
  expression: links("pen-test").length > 0
  identifier: 1ac74f97-0e8a-3d5c-bde2-f71890c34f6d
  weight: 1
  level: Advanced SOC 2 Maturity
  failureMessage: "Add a link of type pen-test by following the instructions in [our\
    \ docs](https://docs.cortex.io/ingesting-data-into-cortex/entities/external-docs#add-links-to-an-entity)."
- title: On-call is set
  expression: oncall != null
  identifier: 2a2e6d7e-9ea1-3df6-a2a1-8db501126d53
  weight: 1
  level: Foundational Security
  failureMessage: "Add an on-call rotation by following the instructions in our docs\
    \ for the [on-call integration](https://docs.cortex.io/ingesting-data-into-cortex/integrations#on-call)\
    \ your team uses."
- title: Service has ownership
  expression: ownership != null
  identifier: 2d3e1a5a-2012-3b28-b561-dd31c73117aa
  weight: 1
  level: Foundational Security
  failureMessage: "Add an owner by following the instructions in [our docs](https://docs.cortex.io/ingesting-data-into-cortex/entities/ownership)."
- title: Service included in Risk Assessment in last year
  # Passes when the most recent assessment is less than one year old.
  expression: custom("last_risk_assessment_date").fromNow() < duration("P1Y")
  identifier: 66283efc-364e-3b29-9f00-9fb4bcc6e785
  weight: 1
  level: Advanced SOC 2 Maturity
- title: TLS is enabled
  expression: custom("tls_enabled") == true
  identifier: 887c666a-09bd-3ab8-95e3-ff005e68563d
  weight: 1
  level: Foundational Security
- title: Branch protection is set on default branch
  # Change "main" if the repository's default branch has another name.
  expression: git.branchProtection("main") != null
  identifier: 97cab18c-cd5b-3c66-baf3-4da2291cd022
  weight: 1
  level: Foundational Security
- title: Data retention policy linked
  # matches() takes a regular expression; ".*" accepts any suffix after the prefix.
  expression: links("document").filter((link) => link.name.matches("data-retention.*")).length > 0
  identifier: 9ebf4ee6-5af6-369b-8bb3-67365be7900f
  weight: 1
  level: Operational Compliance
  failureMessage: "Add a link of type document with a name that starts with data-retention by following the instructions in [our docs](https://docs.cortex.io/ingesting-data-into-cortex/entities/external-docs#add-links-to-an-entity)."
- title: PR approval is required to merge
  expression: git.numOfRequiredApprovals() > 0
  identifier: a148260a-81c3-3201-9692-de99fd08ed16
  weight: 1
  level: Foundational Security
- title: Vuln scan passing (medium, high & critical)
  expression: 'snyk.numOfIssues(severity=["HIGH", "CRITICAL", "MEDIUM"]) <= 0'
  identifier: ce7d90a6-fa92-3bfb-9eaf-ab3bb3f1deb3
  weight: 1
  level: Operational Compliance
- title: Unit testing in place
  expression: |
    git.workflowRuns().filter((run) => run.name.matchesIn("Unit Test")).length > 0
  identifier: e5e9ecd2-683f-3b63-8da9-fdb807fbc736
  weight: 1
  level: Operational Compliance
- title: Vuln scan passing (low, medium, high & critical)
  expression: 'snyk.numOfIssues(severity=["HIGH", "CRITICAL", "MEDIUM", "LOW"]) <= 0'
  identifier: f7e0f628-cd94-3f08-aeb9-72b03565c5d7
  weight: 1
  level: Advanced SOC 2 Maturity
filter:
  kind: GENERIC
  types:
    include:
    - service
```

</details>
{% endtab %}
{% endtabs %}
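Before a hand-edited descriptor reaches `.cortex/scorecards` or the API, it is worth catching the structural mistakes that are easy to make in YAML: a rule that names a ladder level the ladder does not define, a copy-pasted rule identifier, an empty expression, or an exemption policy that skips review. The following lint is an added example, not Cortex tooling. The descriptor in it is a trimmed copy of the template above written as a Python dict so the example runs without a YAML library; in a real pre-commit hook you would load the file with `yaml.safe_load()` and pass the result in. The slug format for `tag` and the `autoApprove` check are this example's own policy choices, not requirements stated on the page.

```python
"""Pre-commit lint for a Scorecard descriptor in a GitOps flow (added example)."""
import copy
import re

# Trimmed copy of the SOC 2 template, constructed for this example.
SOC2_TEMPLATE = {
    "tag": "soc-2",
    "name": "SOC 2 Compliance",
    "exemptions": {"enabled": True, "autoApprove": False},
    "ladder": {"levels": [
        {"name": "Foundational Security", "rank": 1},
        {"name": "Operational Compliance", "rank": 2},
        {"name": "Advanced SOC 2 Maturity", "rank": 3},
    ]},
    "rules": [
        {"title": "Service has ownership", "expression": "ownership != null",
         "identifier": "2d3e1a5a-2012-3b28-b561-dd31c73117aa",
         "weight": 1, "level": "Foundational Security"},
        {"title": "Data retention policy linked",
         "expression": 'links("document").filter((link) => link.name.matches("data-retention.*")).length > 0',
         "identifier": "9ebf4ee6-5af6-369b-8bb3-67365be7900f",
         "weight": 1, "level": "Operational Compliance"},
        {"title": "Pen test linked", "expression": 'links("pen-test").length > 0',
         "identifier": "1ac74f97-0e8a-3d5c-bde2-f71890c34f6d",
         "weight": 1, "level": "Advanced SOC 2 Maturity"},
    ],
}


def lint_scorecard(desc: dict) -> list:
    """Return human-readable findings; an empty list means the descriptor is clean."""
    findings = []
    # Policy choice for this example: tags are lowercase slugs.
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", str(desc.get("tag", ""))):
        findings.append("tag must be a lowercase slug (letters, digits, hyphens)")
    levels = {lvl["name"] for lvl in desc.get("ladder", {}).get("levels", [])}
    if not levels:
        findings.append("ladder defines no levels")
    seen = set()
    for n, rule in enumerate(desc.get("rules", []), start=1):
        where = f"rule {n} ({rule.get('title', 'untitled')})"
        ident = rule.get("identifier")
        if ident in seen:
            findings.append(f"{where}: duplicate identifier {ident}")
        seen.add(ident)
        if not str(rule.get("expression", "")).strip():
            findings.append(f"{where}: expression is empty")
        if rule.get("level") not in levels:
            findings.append(f"{where}: level {rule.get('level')!r} is not in the ladder")
        weight = rule.get("weight")
        if not isinstance(weight, int) or isinstance(weight, bool) or weight < 1:
            findings.append(f"{where}: weight must be a positive integer")
    ex = desc.get("exemptions", {})
    if ex.get("enabled") and ex.get("autoApprove"):
        # Policy choice for this example: an exemption nobody reviewed is hard
        # to defend to an auditor, so auto-approval is flagged.
        findings.append("exemptions.autoApprove is true: exemptions would skip review")
    return findings


def broken_variant() -> dict:
    """The template with three hand-editing mistakes introduced (constructed)."""
    bad = copy.deepcopy(SOC2_TEMPLATE)
    bad["rules"][1]["level"] = "Operational"                      # level name typo
    bad["rules"][2]["identifier"] = bad["rules"][0]["identifier"]  # copy-pasted id
    bad["exemptions"]["autoApprove"] = True                       # bypasses review
    return bad


if __name__ == "__main__":
    for label, desc in (("template", SOC2_TEMPLATE), ("broken", broken_variant())):
        print(label, lint_scorecard(desc) or "clean")
```

Run as a pre-commit hook over every file under `.cortex/scorecards`, failing the commit when the list is non-empty; the same function can gate an API submission in CI.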

### Step 2: Review and modify rules

Cortex's templated rules cover controls that SOC 2 auditors commonly sample: ownership and on-call coverage for availability and incident response, branch protection and required approvals for change management, vulnerability scanning, and documented pen tests, risk assessments, and data retention policies. The rules are grouped into three ladder levels:

<details>

<summary>Level 1: Foundational Security</summary>

* On-call is set\
  `oncall != null`
* Service has ownership\
  `ownership != null`
* TLS is enabled\
  `custom("tls_enabled") == true`
* Branch protection is set on default branch\
  `git.branchProtection("main") != null`
* PR approval is required to merge\
  `git.numOfRequiredApprovals() > 0`

</details>

<details>

<summary>Level 2: Operational Compliance</summary>

* Data retention policy linked\
  `links("document").filter((link) => link.name.matches("data-retention.*")).length > 0`
* Vulnerability scan passing (medium, high & critical)\
  `snyk.numOfIssues(severity=["HIGH", "CRITICAL", "MEDIUM"]) <= 0`
* Unit testing in place\
  `git.workflowRuns().filter((run) => run.name.matchesIn("Unit Test")).length > 0`

</details>

<details>

<summary>Level 3: Advanced SOC 2 Maturity</summary>

* Pen test linked\
  `links("pen-test").length > 0`
* Service included in Risk Assessment in last year\
  `custom("last_risk_assessment_date").fromNow() < duration("P1Y")`
* Vulnerability scan passing (low, medium, high & critical)\
  `snyk.numOfIssues(severity=["HIGH", "CRITICAL", "MEDIUM", "LOW"]) <= 0`

</details>

You can reorder, delete, and edit rules, add more rules to a level, and assign more points to a rule to signify its importance. Behind each rule is a [Cortex Query Language (CQL)](/standardize/cql.md) query; you can edit the existing CQL or write your own queries to further refine your rules.

When you adapt the template, keep the following in mind:

* Most rules check that evidence exists, not that it is correct. `tls_enabled` and `last_risk_assessment_date` are custom data fields that someone sets; for an audit, record how those fields are populated (for example, from a scanner or from an entity descriptor in version control) so the Scorecard result is backed by a verifiable source.
* The branch protection rule checks a branch literally named `main`. Repositories whose default branch has another name fail it even when that branch is protected; adjust the branch name or write a separate rule for those repositories.
* Check the direction of each date comparison. A rule that passes when `fromNow()` exceeds a duration rewards stale evidence; a rule that passes when it is below the duration requires recent evidence.
* The template enables exemptions with `autoApprove: false`, so every exemption needs a reviewer's approval. Keep it that way: an auditor will ask who waived a failing control and why.
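To see concretely which evidence makes a rule pass, the following added example re-implements several of the template's rules in plain Python and runs them over two constructed entities. It is not Cortex code and does not execute CQL; it models `fromNow()` as the time elapsed since the date, `duration("P1Y")` as 365 days, and `matches()` as a regular expression that must match the whole string, none of which the page states. It also shows two ways a small edit changes the result: comparing `fromNow()` with `>` instead of `<`, and writing the link-name pattern as `data-retention*` instead of `data-retention.*`.

```python
"""Local model of several template rules over constructed entities (added example)."""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

TODAY = date(2025, 6, 1)            # fixed "now" so results are deterministic
ONE_YEAR = timedelta(days=365)      # stand-in for duration("P1Y")


@dataclass
class Entity:
    """Only the entity attributes the rules below read (constructed shape)."""
    tag: str
    custom: dict = field(default_factory=dict)       # custom data fields
    links: list = field(default_factory=list)        # (link type, link name)
    snyk_issues: dict = field(default_factory=dict)  # severity -> open count
    ownership: Optional[str] = None
    oncall: Optional[str] = None


def risk_assessment_within_year(e: Entity, stale_passes: bool = False) -> bool:
    """custom("last_risk_assessment_date").fromNow() < duration("P1Y").

    stale_passes=True evaluates the comparison with ">" instead, which
    rewards old evidence rather than requiring a recent assessment.
    """
    raw = e.custom.get("last_risk_assessment_date")
    if raw is None:
        return False                                 # no evidence, no credit
    elapsed = TODAY - date.fromisoformat(raw)
    return elapsed > ONE_YEAR if stale_passes else elapsed < ONE_YEAR


def tls_enabled(e: Entity) -> bool:
    """custom("tls_enabled") == true; the string "true" is not the boolean."""
    return e.custom.get("tls_enabled") is True


def data_retention_linked(e: Entity, pattern: str = r"data-retention.*") -> bool:
    """links("document").filter((link) => link.name.matches(pattern)).length > 0."""
    rx = re.compile(pattern)
    return any(t == "document" and rx.fullmatch(name) for t, name in e.links)


def vuln_scan_passing(e: Entity, severities=("CRITICAL", "HIGH", "MEDIUM")) -> bool:
    """snyk.numOfIssues(severity=[...]) <= 0."""
    return sum(e.snyk_issues.get(s, 0) for s in severities) <= 0


def evaluate(e: Entity) -> dict:
    return {
        "ownership": e.ownership is not None,
        "oncall": e.oncall is not None,
        "tls": tls_enabled(e),
        "risk_assessment": risk_assessment_within_year(e),
        "data_retention": data_retention_linked(e),
        "vuln_scan_med_plus": vuln_scan_passing(e),
        "vuln_scan_low_plus": vuln_scan_passing(e, ("CRITICAL", "HIGH", "MEDIUM", "LOW")),
    }


# Constructed sample entities: one compliant up to level 2, one with stale
# and wrongly typed evidence.
GOOD = Entity(tag="payments-api", ownership="team-payments", oncall="payments-primary",
              custom={"tls_enabled": True, "last_risk_assessment_date": "2025-01-15"},
              links=[("document", "data-retention-policy"), ("pen-test", "2025-q1")],
              snyk_issues={"LOW": 3})
STALE = Entity(tag="legacy-batch",
               custom={"tls_enabled": "true", "last_risk_assessment_date": "2023-03-01"},
               links=[("document", "data-retention-policy")],
               snyk_issues={"HIGH": 2})

if __name__ == "__main__":
    for e in (GOOD, STALE):
        print(e.tag, evaluate(e))
```

Under this model `payments-api` passes everything except the low-and-above vulnerability rule, which is the intended gap between the Operational Compliance and Advanced levels, while `legacy-batch` fails the TLS rule because its custom field holds a string, and fails the risk assessment rule unless the comparison is flipped to `>`, in which case only the two-year-old assessment passes. The pattern `data-retention*` (no dot) never matches the link `data-retention-policy`, so that rule would fail for the very evidence the failure message asks for.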

## Create a SOC 2 Initiative

An Initiative sets a deadline by which entity owners must bring their entities up to a chosen level or rule in the Scorecard. Follow the steps below to create one:

<details>

<summary>Create a SOC 2 Initiative</summary>

To motivate change by a certain deadline, you can create an Initiative:

1. While viewing your SOC 2 Compliance Scorecard, click **Create Initiative** in the upper right.
2. Configure the Initiative fields, including a descriptive name so your team members understand the purpose of the Initiative. For example, `Ensure data retention policy is linked for all services`.
   * Make sure to enable notifications so users are notified if an entity they own is failing the Initiative's goal.
3. Save the Initiative.

After the Initiative is published, entity owners will be notified if their entity is not meeting the goal.

Learn more about [creating Initiatives in the docs](/improve/initiatives.md).

</details>

## Measuring success

To understand progress of your Scorecard:

* Ask [Cortex MCP](/get-started/mcp.md), "How is my SOC 2 Scorecard doing?" Cortex MCP responds with the entities that are failing rules and suggested next steps.
* Review reports: The [Bird's Eye report](/improve/reports/birds-eye.md) gives insight into how entities are performing against the Scorecard by visualizing the data as a heat map:<br>

  <figure><img src="/files/U3LKqrDIv04ZzpbVLNGG" alt="The bird&#x27;s eye report shows Scorecard progress as a heatmap."><figcaption></figcaption></figure>

You can also review your Engineering Intelligence metrics for impact on key engineering metrics, such as:

* **MTTR**: With best practices in place, such as on-call rotation and ownership, you should see faster incident response.
* **Deployment frequency**: Consistent branch protection and review requirements reduce rework and ad hoc manual gates. Once baselines are set, you may see deployment frequency increase.

