SOC 2 Infrastructure Management (A1.2)

Overview:
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.


Action Items:
1) Create a data archival and backup policy and related procedures and publish them on the company intranet for employees to access and review.
2) Create a disaster recovery and business continuity policy and plan and publish them on the company intranet for employees to access and review.
3) Inspect the documented policies and procedures to determine that they are in place to guide personnel in performing data backup and data restoration activities.
4) Inspect the automated backup system configurations to determine that the automated backup system is in place to perform scheduled backups of production databases on a daily basis.
5) Inspect the backup configurations to determine that the automated backup system is configured to notify IT personnel via e-mail regarding the failure of backup jobs.
6) Inspect the data replication configurations to determine that data is replicated across geographically separate availability zones or regions.
7) Inspect the business continuity and disaster recovery plan to determine that a disaster recovery plan is in place to guide personnel in the steps for recovering the operation of information systems.


Related Documents:
1) Data archival and backup policy
2) Automated backup system configurations
3) Evidence that validates IT personnel are alerted when system backups fail
4) Data replication configurations
5) Disaster recovery and business continuity plan

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Identifies Environmental Threats—As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water.
2) Designs Detection Measures—Detection measures are implemented to identify anomalies that could result from environmental threat events.
3) Implements and Maintains Environmental Protection Mechanisms—Management implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events.
4) Implements Alerts to Analyze Anomalies—Management implements alerts that are communicated to personnel for analysis to identify environmental threat events.
5) Responds to Environmental Threat Events—Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptible power system and generator back-up subsystem).
6) Communicates and Reviews Detected Environmental Threat Events—Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system, and actions are taken, if necessary.
7) Determines Data Requiring Backup—Data is evaluated to determine whether backup is required.
8) Performs Data Backup—Procedures are in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur.
9) Addresses Offsite Storage—Back-up data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level.
10) Implements Alternate Processing Infrastructure—Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable.