Create SOC_CONTROL_MAPPING.md
SOC_CONTROL_MAPPING.md +70 -0
SOC_CONTROL_MAPPING.md
ADDED
|
@@ -0,0 +1,70 @@
| 1 |
+
# SOC-Style Control Mapping
|
| 2 |
+
|
| 3 |
+
This document maps application controls to SOC 2–inspired trust principles.
|
| 4 |
+
|
| 5 |
+
---
|
| 6 |
+
|
| 7 |
+
## CC1 — Control Environment
|
| 8 |
+
|
| 9 |
+
| Control | Implementation |
|
| 10 |
+
|------|------|
|
| 11 |
+
| Ethical use | Explicit AI opt-in |
|
| 12 |
+
| Governance | Feature flags & policies |
|
| 13 |
+
| Accountability | Maintainer ownership |
|
| 14 |
+
|
| 15 |
+
---
|
| 16 |
+
|
| 17 |
+
## CC2 — Communication & Information
|
| 18 |
+
|
| 19 |
+
| Control | Implementation |
|
| 20 |
+
|------|------|
|
| 21 |
+
| Transparency | Disclosures in UI |
|
| 22 |
+
| Documentation | README + policies |
|
| 23 |
+
| User awareness | Warnings & tips |
|
| 24 |
+
|
| 25 |
+
---
|
| 26 |
+
|
| 27 |
+
## CC3 — Risk Assessment
|
| 28 |
+
|
| 29 |
+
| Risk | Mitigation |
|
| 30 |
+
|----|----|
|
| 31 |
+
| Data misuse | Public-only scope |
|
| 32 |
+
| AI misuse | Disclosure & hashing |
|
| 33 |
+
| Surveillance | No automation |
|
| 34 |
+
|
| 35 |
+
---
|
| 36 |
+
|
| 37 |
+
## CC6 — Logical Access Controls
|
| 38 |
+
|
| 39 |
+
| Control | Implementation |
|
| 40 |
+
|------|------|
|
| 41 |
+
| Auth | None required |
|
| 42 |
+
| Privilege escalation | Not applicable |
|
| 43 |
+
| Isolation | Session-only memory |
|
| 44 |
+
|
| 45 |
+
---
|
| 46 |
+
|
| 47 |
+
## CC7 — System Operations
|
| 48 |
+
|
| 49 |
+
| Control | Implementation |
|
| 50 |
+
|------|------|
|
| 51 |
+
| Logging | None (privacy-preserving) |
|
| 52 |
+
| Persistence | None |
|
| 53 |
+
| Monitoring | User-visible actions only |
|
| 54 |
+
|
| 55 |
+
---
|
| 56 |
+
|
| 57 |
+
## CC8 — Change Management
|
| 58 |
+
|
| 59 |
+
| Control | Implementation |
|
| 60 |
+
|------|------|
|
| 61 |
+
| Feature flags | ENABLE_* gates |
|
| 62 |
+
| Phase governance | Phase-4 policy |
|
| 63 |
+
| Rollback | Kill-switch support |
|
| 64 |
+
|
| 65 |
+
---
|
| 66 |
+
|
| 67 |
+
## Summary
|
| 68 |
+
|
| 69 |
+
The application aligns with **low-risk SOC 2 principles** by intentionally
|
| 70 |
+
minimizing data handling, persistence, and automation.
|
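Review bot: The CC7 table sets Logging to "None (privacy-preserving)" and Monitoring to "User-visible actions only", which leaves nothing to evidence the Rollback "Kill-switch support" row under CC8 or to support incident triage; either record the accepted risk explicitly in that table or add a row stating how kill-switch activation and feature-flag changes are observed without persisting user data. The CC3 row "AI misuse | Disclosure & hashing" does not say what is hashed or how hashing mitigates the risk, so a short clarification would make the mapping auditable. The document also skips CC4, CC5 and CC9 without comment; a one-line scope note would help a reader checking coverage against the SOC 2 criteria the summary claims alignment with.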