# SOC 2 Type II Evidence Collection

Runbook for periodic SOC 2 evidence collection. Pairs with ADR 0018.

## Goal

Collect + archive the artifacts auditors need for SOC 2 Type II attestation. Monthly cadence; quarterly review by team lead; annual external audit.

## Prerequisites

- Audit log retention ≥ 90 days (configured)
- Backup retention ≥ 1 year for compliance docs
- Team lead role (only role with audit log export permission)

## Trust services criteria covered
| Criterion | Bench surface |
|---|---|
| CC1 — Control Environment | RBAC roles + GATEWAY auth |
| CC2 — Communication & Info | Audit log + dashboard transparency |
| CC3 — Risk Assessment | DOM mode classification + DDPB chain |
| CC4 — Monitoring | HID dashboard + Prometheus alerts |
| CC5 — Control Activities | CPOS 2PC + write-mode unlock |
| CC6 — Logical Access | GATEWAY + RELAY + vault isolation |
| CC7 — System Operations | Self-Upgrade audit + DR drill |
| CC8 — Change Management | CPOS + audit log + PR review |
| CC9 — Risk Mitigation | PIE-PA + DDPB + rollback |
## Monthly procedure

### Step 1 — Export audit log

```bash
# Tag this month's export as a pre-release so the bundle has a dated reference point
gh release create audit-$(date +%Y-%m) \
  --repo nollagluiz/AI_forSE \
  --notes "SOC 2 monthly audit log export $(date +%Y-%m)" \
  --target main \
  --prerelease
# Pull the last 30 days of records; requires the team-lead export token
curl -fsS "https://dashboard.tlsstress.art/api/audit?since=30d" \
  -H "Authorization: Bearer $TLSSTRESS_AUDIT_TOKEN" \
  | jq '.records' > audit-$(date +%Y-%m).json
gh release upload audit-$(date +%Y-%m) audit-$(date +%Y-%m).json \
  --repo nollagluiz/AI_forSE
```
### Step 2 — Verify hash chain integrity

```bash
node scripts/verify-audit-chain.mjs audit-$(date +%Y-%m).json
# expected: { valid: true, broken_at: null }
```
### Step 3 — Export access review log

```bash
# Same endpoint filtered to gateway auth events. Quote the URL so the shell does
# not treat `&` as a background operator, and send the same token as in step 1.
curl -fsS "https://dashboard.tlsstress.art/api/audit?event=gateway_auth&since=30d" \
  -H "Authorization: Bearer $TLSSTRESS_AUDIT_TOKEN" \
  > auth-$(date +%Y-%m).json
```
### Step 4 — Export backup history

```bash
velero backup get --output json > backups-$(date +%Y-%m).json
```
### Step 5 — Export change log (PRs merged)

```bash
# `date -v-1m` is BSD/macOS syntax; on GNU coreutils use `date -d '-1 month' +%Y-%m`
gh pr list --state merged --repo nollagluiz/AI_forSE \
  --search "merged:$(date -v-1m +%Y-%m)..$(date +%Y-%m)" \
  --json number,title,mergedAt,author > prs-$(date +%Y-%m).json
```
### Step 6 — Encrypt + archive

```bash
# Bundle only this month's exports by name; bare globs would also sweep up any
# older month's files left in the working directory
tar czf soc2-evidence-$(date +%Y-%m).tar.gz \
  audit-$(date +%Y-%m).json auth-$(date +%Y-%m).json \
  backups-$(date +%Y-%m).json prs-$(date +%Y-%m).json
# Encrypt with GPG (recipient: compliance team key)
gpg --encrypt --recipient compliance@tlsstress.art \
  --output soc2-evidence-$(date +%Y-%m).tar.gz.gpg \
  soc2-evidence-$(date +%Y-%m).tar.gz
# Archive to WORM bucket
aws s3 cp soc2-evidence-$(date +%Y-%m).tar.gz.gpg \
  s3://tlsstress-art-compliance-worm/soc2/$(date +%Y-%m)/
# Local cleanup. Note: shred cannot guarantee overwrite on journaling/CoW
# filesystems or SSDs, and the unencrypted *.json exports are still on disk;
# remove those too once the upload is confirmed.
shred -u soc2-evidence-$(date +%Y-%m).tar.gz
```
### Step 7 — Log the collection

Open /admin/audit/compliance → create entry:

- Type: soc2-evidence-collection
- Period: $(date -v-1m +%Y-%m) to $(date +%Y-%m)
- Files: list of generated artifacts
- Storage: s3://tlsstress-art-compliance-worm/soc2/$(date +%Y-%m)/
- Signed by:
## Quarterly review

Team lead opens the last 3 months of evidence and verifies:

- Hash chain unbroken for all 3 months
- No gaps in WAL backup history
- No unaccounted-for vault credential rotations
- Sample PRs reviewed for compliance with change-mgmt policy

## Annual audit

External auditor receives:

- Last 12 months of encrypted evidence (decrypt key shared via separate channel)
- Read-only access to bench audit log via auditor RBAC role
- Sample interviews with operators
## Success criteria

- Monthly collection completed within 7 days of period end
- All 5 export types present (audit / auth / backups / prs / DR drill)
- Hash chain verified intact
- Encrypted bundle stored in WORM bucket
- Collection logged in /admin/audit/compliance
- Team lead signature applied
## Related

- ADR 0018
- Quarterly access review runbook
- Memory: project_enterprise_compliance_track_2026_05_08