Ensure SOC 2 compliance

Cortex enables streamlined SOC 2 compliance by eliminating manual, spreadsheet-based tracking and connecting real time system data to control verification.

To improve consistency across your compliance tracking:

You can launch a SOC 2 Compliance Scorecard. Cortex provides a prebuilt SOC 2 compliance Scorecard template that you can use to track audit-related controls and standards.
You can launch an Initiative associated with the Scorecard, which gives your engineers a deadline for when to complete certain goals.
Use reports and Cortex MCP to better understand progress and next steps.

Cortex customer Workleap used Cortex to build compliance into daily workflows, replace manual audits, and decommissioned developer surveys — saving 100+ hours per campaign. Learn more in the case study: Transforming Workleap's SOC 2 compliance with Cortex.

Create a SOC 2 Scorecard

Prerequisites

Before using this Scorecard template:

Ensure you have configured integrations for:
- Version control: Azure DevOps, Bitbucket, GitHub, or GitLab.
- PagerDuty
- Snyk
  - This Scorecard uses Snyk for its vulnerability scanning rules, but the rules can be modified to check vulnerability data from Checkmarx, Mend, Semgrep, Veracode, or Wiz.
    See CQL Explorer in your Cortex workspace for example queries for these integrations.
Ensure you have created custom data fields called tls_enabled and last_risk_assessment_date.

Step 1: Create the Scorecard and configure its basic settings

You can create a Scorecard in the Cortex UI, or you can add it to your workspace via GitOps or the Cortex API.

Create Scorecard in the Cortex UI

On the Scorecards page in your workspace, click Create Scorecard.
On the SOC-2 Compliance template, click Use.
Configure basic settings, including the Scorecard's name, unique identifier, description, and more.
- Learn about configuring the basic settings in the Creating a Scorecard documentation.

Create Scorecard via GitOps or API

When following a GitOps approach, you can add a Scorecard YAML file to your .cortex/scorecards directory in your version control repository. Note that GitOps must be enabled for Scorecards in your GitOps settings.

You could also use the Cortex API, where you can submit a Scorecard definition in YAML.

SOC 2 Scorecard YAML

Use the YAML file below to add this Scorecard to your workspace via the API or via a GitOps flow.

tag: soc-2
name: SOC 2 Compliance
description: |-
  Ensure services meet SOC 2 requirements by tracking key security, operational, and maturity controls including ownership, TLS, vulnerability scans, and risk assessments.

  (Created from Scorecard template)
draft: false
notifications:
  enabled: false
  scoreDropNotificationsEnabled: false
exemptions:
  enabled: true
  autoApprove: false
  userSpecificNotifications: false
ladder:
  name: Default Ladder
  levels:
  - name: Foundational Security
    rank: 1
    color: "#c38b5f"
  - name: Operational Compliance
    rank: 2
    color: "#8c9298"
  - name: Advanced SOC 2 Maturity
    rank: 3
    color: "#cda400"
rules:
- title: Pen test linked
  expression: links("pen-test").length > 0
  identifier: 1ac74f97-0e8a-3d5c-bde2-f71890c34f6d
  weight: 1
  level: Advanced SOC 2 Maturity
  failureMessage: "Add a link of type pen-test by following the instructions in [our\
    \ docs](https://docs.cortex.io/ingesting-data-into-cortex/entities/external-docs#add-links-to-an-entity)."
- title: On-call is set
  expression: oncall != null
  identifier: 2a2e6d7e-9ea1-3df6-a2a1-8db501126d53
  weight: 1
  level: Foundational Security
  failureMessage: "Add an on-call rotation by following the instructions in our docs\
    \ for the [on-call integration](https://docs.cortex.io/ingesting-data-into-cortex/integrations#on-call)\
    \ your team uses."
- title: Service has ownership
  expression: ownership != null
  identifier: 2d3e1a5a-2012-3b28-b561-dd31c73117aa
  weight: 1
  level: Foundational Security
  failureMessage: "Add an owner by following the instructions in [our docs](https://docs.cortex.io/ingesting-data-into-cortex/entities/ownership)."
- title: Service included in Risk Assessment in last year
  expression: custom("last_risk_assessment_date").fromNow() > duration("P1Y")
  identifier: 66283efc-364e-3b29-9f00-9fb4bcc6e785
  weight: 1
  level: Advanced SOC 2 Maturity
- title: TLS is enabled
  expression: custom("tls_enabled") == true
  identifier: 887c666a-09bd-3ab8-95e3-ff005e68563d
  weight: 1
  level: Foundational Security
- title: Branch protection is set on default branch
  expression: git.branchProtection("main") != null
  identifier: 97cab18c-cd5b-3c66-baf3-4da2291cd022
  weight: 1
  level: Foundational Security
- title: Data retention policy linked
  expression: links("document").filter((link) => link.name.matches("data-retention*")).length
    > 0
  identifier: 9ebf4ee6-5af6-369b-8bb3-67365be7900f
  weight: 1
  level: Operational Compliance
  failureMessage: "Add a link of type document with a name that starts with data-retention\
    \ by following the instructions in [our docs](https://docs.cortex.io/ingesting-data-into-cortex/entities/external-docs#add-links-to-an-entity)."
- title: PR approval is required to merge
  expression: git.numOfRequiredApprovals() > 0
  identifier: a148260a-81c3-3201-9692-de99fd08ed16
  weight: 1
  level: Foundational Security
- title: Vuln scan passing (med & high)
  expression: "snyk.numOfIssues(severity=[\"HIGH\", \"CRITICAL\", \"MEDIUM\"]) <=\
    \ 0"
  identifier: ce7d90a6-fa92-3bfb-9eaf-ab3bb3f1deb3
  weight: 1
  level: Operational Compliance
- title: Unit testing in place
  expression: |
    git.workflowRuns().filter((run) => run.name.matchesIn("Unit Test")).length > 0
  identifier: e5e9ecd2-683f-3b63-8da9-fdb807fbc736
  weight: 1
  level: Operational Compliance
- title: "Vuln scan passing (low, med & high)"
  expression: "snyk.numOfIssues(severity=[\"HIGH\", \"CRITICAL\", \"MEDIUM\", \"LOW\"\
    ]) <= 0"
  identifier: f7e0f628-cd94-3f08-aeb9-72b03565c5d7
  weight: 1
  level: Advanced SOC 2 Maturity
filter:
  kind: GENERIC
  types:
    include:
    - service

Step 2: Review and modify rules

Cortex's templated rules are based on common industry standards:

Level 1: Foundational Security

On-call is set oncall != null
Service has ownership ownership != null
TLS is enabled custom("tls_enabled") == true
Branch protection is set on default branch git.branchProtection("main") != null
PR approval is required to merge git.numOfRequiredApprovals() > 0

Level 2: Operational Compliance

Data retention policy linked links("document").filter((link) => link.name.matches("data-retention*")).length > 0
Vulnerability scan passing (medium & high) snyk.numOfIssues(severity=["HIGH", "CRITICAL", "MEDIUM"]) <= 0
Unit testing in place git.workflowRuns().filter((run) => run.name.matchesIn("Unit Test")).length > 0

Level 3: Advanced SOC 2 Maturity

Pen test linked links("pen-test").length > 0
Service included in Risk Assessment in last year custom("last_risk_assessment_date").fromNow() > duration("P1Y")
Vulnerability scan passing (low, medium, & high) snyk.numOfIssues(severity=["HIGH", "CRITICAL", "MEDIUM", "LOW"]) <= 0

You can reorder, delete, and edit rules, add more rules to a level, and assign more points to a rule to signify its importance. Behind each rule is a Cortex Query Language (CQL) query; you can edit the existing CQL or write your own queries to further refine your rules.

Create a SOC 2 Initiative

Follow the steps below to create an Initiative:

Create a SOC 2 Initiative

To motivate change by a certain deadline, you can create an Initiative:

While viewing your SOC 2 Compliance Scorecard, click Create Initiative in the upper right.
Configure the Initiative fields, including a descriptive name so your team members understand the purpose of the Initiative. For example, Ensure data retention policy is linked for all services.
- Make sure to enable notifications so users are notified if an entity they own is failing the Initiative's goal.
Save the Initiative.

After the Initiative is published, entity owners will be notified if their entity is not meeting the goal.

Learn more about creating Initiatives in the docs.

Measuring success

To understand progress of your Scorecard:

Ask Cortex MCP, "How is my SOC 2 Scorecard doing?" The MCP will respond with information on the entities that are failing rules and suggested next steps.
Review reports: The Bird's Eye report gives insight into how entities are performing against the Scorecard by visualizing the data as a heat map:

You can also review your Engineering Intelligence metrics for impact on key engineering metrics, such as:

MTTR: With best practices in place, such as on-call rotation and ownership, you should see faster incident response.
Deployment frequency: Improved governance reduces rework and manual gates. Once baselines are set, you may see deployment frequency increasing.

Last updated 23 days ago

Was this helpful?