SOC2 Auditor Assessment

TSPRef	COSOprinciple	ControlCriteria	PointsOfFocus	ControlType	AssessmentObjectives	Assessment Summary	Date
CC1.1	Principle 1	The entity demonstrates a commitment to integrity and ethical values.	Sets the Tone at the Top; Establishes Standards of Conduct; Evaluates Adherence to Standards of Conduct; Addresses Deviations in a Timely Manner; Considers Contractors and Vendor Employees	Control Environment	Evaluate management's commitment to integrity and ethical behavior, including communication and enforcement mechanisms.	Description of Implementation: There is no available evidence demonstrating commitment to ethical values, tone at the top, or adherence to conduct standards. Assessment Decision: Not Implemented Rationale: No evidence, including code of conduct, training, or records of disciplinary actions, was found to support any required points of focus. Evidence: "No evidence found for this control." Gaps: Missing documentation on Code of Conduct, ethics training records, records of investigations, and measures for addressing deviations, as required by CC1.1.	2025-04-10
CC1.2	Principle 2	The board of directors demonstrates independence from management and exercises oversight.	Establishes Oversight Responsibilities; Applies Relevant Expertise; Operates Independently	Governance and Oversight	Confirm board independence and oversight of internal controls.	Description of Implementation: No documentation or artifacts were found supporting board independence, oversight responsibilities, or related governance policies. Assessment Decision: Not Implemented Rationale: There is no evidence showing board independence or oversight of internal controls, with all required documentation absent. Evidence: No evidence found for board meeting minutes, board independence documentation, or oversight responsibility charters. Gaps: Missing documentation for Establishes Oversight Responsibilities, Applies Relevant Expertise, and Operates Independently.	2025-04-10
CC1.3	Principle 3	Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.	Defines Roles and Responsibilities; Establishes Reporting Lines; Delegates Authority and Responsibilities	Organizational Structure	Evaluate clarity and appropriateness of organizational structure, roles, responsibilities, and authorities.	Description of Implementation: No documentation or evidence demonstrating defined roles and responsibilities, reporting lines, or delegated authority was identified. Assessment Decision: Not Implemented Rationale: There is no evidence provided that meets any required points of focus. Evidence: No evidence found for this control Gaps: Missing organization charts, job descriptions, and authority delegation documentation as required by the control.	2025-04-10
CC1.4	Principle 4	The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.	Establishes Policies and Practices; Evaluates Competence and Addresses Shortcomings; Attracts, Develops, and Retains Competent Individuals; Plans and Prepares for Succession	Human Resources	Assess effectiveness of processes for hiring, developing, retaining competent personnel, and succession planning.	Description of Implementation: No HR policies, training documentation, performance evaluations, or succession planning evidence was found. Assessment Decision: Not Implemented Rationale: Lacking all required HR documentation renders the process ineffective in attracting, developing, and retaining competent individuals. Evidence: No evidence found for this control. Gaps: Missing documentation on HR policies, employee training programs, performance reviews, and documented succession planning.	2025-04-10
CC1.5	Principle 5	The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.	Enforces Accountability Through Structures, Authorities, and Responsibilities; Establishes Performance Measures, Incentives, and Rewards; Evaluates Performance Measures and Rewards; Implements Appropriate Corrective Actions	Accountability	Evaluate how accountability for internal control responsibilities is defined, measured, and enforced.	Description of Implementation: The evidence provided focuses solely on technical vulnerability assessments and IT infrastructure recommendations, with no documentation related to accountability policies, performance evaluations, corrective actions, or performance measures for internal control responsibilities. Assessment Decision: Not Implemented Rationale: No evidence demonstrates accountability structures or performance measures tied to internal controls, leaving key requirements unaddressed. Evidence: Technical vulnerability assessments, network/system configuration reports, IT infrastructure recommendations. Gaps: Missing documentation for enforcing accountability through structures, authorities, responsibilities; absent evidence of performance evaluations, performance measures, incentives/disciplines; no corrective action records.	2025-04-10
CC2.1	Principle 13	The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.	Identifies Information Requirements; Captures Internal and External Sources of Data; Processes Relevant Data Into Information; Maintains Quality Throughout Processing; Considers Costs and Benefits	Information and Communication	Assess processes for identifying, capturing, processing, and maintaining quality information to support internal control.	Description of Implementation: The document outlines a comprehensive process that employs specialized assessment tools to capture and process varied data formats, and it details formal policies, governance, and standards (such as ISO 27000‑27001 and HIPAA) to ensure the generation and ongoing quality of information for internal control. Assessment Decision: Compliant (Fully Implemented) Rationale: The evidence clearly details data capture, processing procedures, and robust information management policies that fully align with the control’s requirements. Evidence: Orland Fire District-SIA-Final.pdf – Sections “A.1 Systems and Infrastructure Assessment Process” and “A.3 Policies, Standardization, Processes and Governance”; overall recommendations. Gaps: While data quality and standards adherence are evident, explicit cost-benefit analyses and continuous, formal data quality assessments could be more detailed.	2025-04-10
CC2.2	Principle 14	The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.	Communicates Internal Control Information; Communicates With the Board of Directors; Provides Separate Communication Lines; Selects Relevant Method of Communication	Information and Communication	Evaluate the effectiveness of internal communication channels and clarity of communicated internal control responsibilities.	Description of Implementation: There is no documented evidence of internal communications regarding internal control objectives and responsibilities. Assessment Decision: Not Implemented Rationale: No records, policies, or meeting minutes were provided to demonstrate compliance with the internal control communication requirements. Evidence: No evidence found for this control Gaps: Missing internal communication policies, meeting minutes, board communications, and other records that demonstrate communication of internal control responsibilities as outlined in the points of focus.	2025-04-10
CC2.3	Principle 15	The entity communicates with external parties regarding matters affecting the functioning of internal control.	Communicates to External Parties; Enables Inbound Communications; Communicates With the Board of Directors; Provides Separate Communication Lines; Selects Relevant Method of Communication	Information and Communication	Assess external communication mechanisms regarding internal control matters.	Description of Implementation: The evidence provided does not demonstrate any formal external communication policies, reports, or records pertaining to internal control, as evidenced by the reviewed document. Assessment Decision: Not Implemented Rationale: The document lacks any specifics on external communication mechanisms regarding internal control matters. Evidence: Orland Fire District-SIA-Final.pdf Gaps: Missing external communication policies, formal external reports/disclosures, and records of inbound communication as required.	2025-04-10
CC3.1	Principle 6	The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.	Operations Objectives; External Financial Reporting Objectives; External Nonfinancial Reporting Objectives; Internal Reporting Objectives; Compliance Objectives	Risk Assessment	Evaluate clarity in defining operations, external financial and nonfinancial reporting, internal reporting, and compliance objectives to effectively identify and assess associated risks.	Description of Implementation: The organization clearly outlines external compliance objectives and has initiated plans to establish documented operational and strategic objectives, as indicated by the listed regulatory frameworks and policy/recommendation sections. Assessment Decision: Partially Implemented Rationale: Although external compliance objectives are clearly identified, the operational and strategic objectives remain in the planning stage without fully documented implementation. Evidence: Orland Fire District‑SIA‑Final.pdf (Executive Summary, Section A.2, Section A.3, Recommendations Tables) Gaps: More evidence is needed for fully documented internal, external reporting, and operational objectives as per the control’s points of focus.	2025-04-10
CC3.2	Principle 7	The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.	Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels; Analyzes Internal and External Factors; Involves Appropriate Levels of Management; Estimates Significance of Risks; Determines How to Respond to Risks	Risk Assessment	Assess the entity’s comprehensive risk identification and analysis processes across all relevant organizational units and functions.	Description of Implementation: The organization uses specialized tools to scan and identify IT vulnerabilities, classifies these risks by severity, documents the findings with accompanying recommendations, and directs management to conduct a detailed risk and impact analysis. Assessment Decision: Partially Implemented Rationale: The evidence demonstrates technical risk identification and analysis, but it lacks explicit management meeting minutes and comprehensive documentation across all organizational levels. Evidence: "Orland Fire District-SIA-Final.pdf" – Sections A.1, A.2, A.7, Final Summary/Recommendations Table Gaps: Missing explicit management meeting minutes and evidence of risk analysis across all organizational levels (entity, subsidiary, division, operating unit) as required by the COSO Principle 7 and referenced points of focus.	2025-04-10
CC3.3	Principle 8	The entity considers the potential for fraud in assessing risks to the achievement of objectives.	Considers Various Types of Fraud; Assesses Incentives and Pressures; Assesses Opportunities; Assesses Attitudes and Rationalizations	Risk Assessment	Evaluate how the entity identifies and assesses fraud risks, including types, incentives, opportunities, and attitudes toward fraud.	Description of Implementation: No evidence of fraud risk assessment, anti‑fraud policies and procedures, or management discussions regarding fraud risk was identified in the reviewed document. Assessment Decision: Not Implemented Rationale: The evidence reviewed does not address any fraud risk considerations as required by the control. Evidence: Orland Fire District‑SIA‑Final.pdf (no reference to fraud risk considerations) Gaps: Missing evidence on fraud risk assessments, anti‑fraud policies, and management discussions related to incentives, opportunities, and attitudes toward fraud.	2025-04-10
CC3.4	Principle 9	The entity identifies and assesses changes that could significantly impact the system of internal control.	Assesses Changes in the External Environment; Assesses Changes in the Business Model; Assesses Changes in Leadership	Risk Assessment	Evaluate processes used by the entity to identify and assess significant changes affecting internal controls, including external environment, business model, and leadership changes.	Description of Implementation: No documentation or evidence was provided that addresses change management, leadership transitions, or business model analysis. Assessment Decision: Not Implemented Rationale: The provided file lacks any required documentation on assessing changes impacting internal controls. Evidence: Orland Fire District-SIA-Final.pdf (executive summary, recommendations, detailed assessment sections) Gaps: Missing change management documentation; missing leadership transition plans; missing business model analysis records.	2025-04-10
CC4.1	Principle 16	The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.	Considers a Mix of Ongoing and Separate Evaluations; Considers Rate of Change; Establishes Baseline Understanding; Uses Knowledgeable Personnel; Integrates With Business Processes; Adjusts Scope and Frequency	Monitoring Activities	Assess how effectively the entity evaluates internal controls through ongoing and periodic assessments to ensure controls function as intended.	Description of Implementation: The organization employs specialized tools for ongoing and periodic vulnerability scans, with documented results and categorized findings. It integrates these evaluations with business processes by updating policies and procedures, reflecting a systematic approach to monitoring internal controls. Assessment Decision: Compliant (Fully Implemented) Rationale: The evidence shows both ongoing and separate evaluations with control testing, documentation, and integration with business processes, fully aligning with the SOC control requirements. Evidence: Orland Fire District-SIA-Final.pdf (A.1 Systems and Infrastructure Assessment Process, A.8 Appendixes, detailed tables and recommendations) Gaps: Limited explicit reference to establishing baseline understanding and adjusting scope/frequency based on rate of change; additional documentation on knowledgeable personnel assignments could strengthen the overall evidence.	2025-04-10
CC4.2	Principle 17	The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.	Assesses Results; Communicates Deficiencies; Monitors Corrective Actions	Monitoring Activities	Evaluate processes for timely evaluation, communication, and monitoring of corrective actions related to internal control deficiencies.	Description of Implementation: The organization’s SIA report evaluates internal control deficiencies, communicates them to senior management, and provides specific corrective action recommendations with assigned severity levels and responsibilities. Assessment Decision: Compliant (Fully Implemented) Rationale: Evidence from the SIA report meets all required points of deficiency evaluation, communication, and corrective action planning per SOC2 Control CC4.2. Evidence: Orland Fire District‑SIA‑Final.pdf (Executive Summary, Sections A.1, A.2, A.3, A.9, and the “2.0 Recommendations” section). Gaps: While evaluation and communication are well documented, additional evidence of ongoing monitoring (e.g., corrective action tracking logs) could further strengthen the control.	2025-04-10
CC5.1	Principle 10	The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.	Integrates With Risk Assessment; Determines Relevant Business Processes; Considers Entity-Specific Factors; Evaluates a Mix of Control Activity Types; Considers at What Level Activities Are Applied; Addresses Segregation of Duties	Control Activities	Assess selection, development, and implementation of control activities to adequately mitigate risks identified.	Description of Implementation: The organization utilizes specialized assessment tools, formal policy recommendations, and risk-to-control mapping tables to select and develop control activities mitigating IT risks. However, explicit documentation regarding segregation of duties is not evident. Assessment Decision: Partially Implemented Rationale: The evidence covers most control activities and risk mappings, but lacks specific segregation of duties documentation essential per SOC2 CC5.1. Evidence: Orland Fire District-SIA-Final.pdf, Section A.1, Section A.3, Table sections in pages 9–16 Gaps: Missing explicit segregation of duties control documentation per the “Addresses Segregation of Duties” point of focus.	2025-04-10
CC5.2	Principle 11	The entity selects and develops general control activities over technology to support the achievement of objectives.	Identifies Technology Dependencies; Establishes Relevant Technology Infrastructure Controls; Establishes Relevant Security Management Processes; Establishes Relevant Technology Acquisition, Development, and Maintenance Controls	Control Activities (Technology)	Assess if general technology controls align with technology dependencies, infrastructure, security, and development activities.	Description of Implementation: The organization uses specialized assessment tools to document technology dependencies, vulnerabilities, and infrastructure deficiencies and provides remediation recommendations. However, formalized IT acquisition, development, and maintenance procedures and updated security management processes are still in progress. Assessment Decision: Partially Implemented Rationale: Evidence shows efforts in identifying dependencies and risks with remediation recommendations, but critical elements for formalized policies and procedures remain incomplete. Evidence: Orland Fire District‑SIA‑Final.pdf – Sections A.1, A.2, A.3, A.4, and A.5 Gaps: Lacks fully developed IT acquisition/development procedures and updated infrastructure/security management processes as required by the COSO focus areas.	2025-04-10
CC5.3	Principle 12	The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.	Establishes Policies and Procedures to Support Deployment of Management’s Directives; Establishes Responsibility and Accountability for Executing Policies and Procedures; Performs in a Timely Manner; Takes Corrective Action; Performs Using Competent Personnel; Periodically Reassesses Policies and Procedures	Control Activities	Evaluate how effectively control activities are established, deployed, and maintained through policies and procedures.	Description of Implementation: The evidence indicates that the organization recognizes the need for documented policies and procedures, with recommendations provided for updating IT policies, security standards, and formalizing certain controls. However, actual implementation and record-keeping appear to be pending. Assessment Decision: Partially Implemented Rationale: Recommendations exist for policy updates and controls, but complete documentation, execution records, and corrective action logs are not yet evident. Evidence: Orland Fire District-SIA-Final.pdf – Sections A.2, A.3; Tables and recommendation comments Gaps: Lacks complete documentation of policies/procedures, evidence of timely execution, corrective action logs, and periodic reassessment per the control criteria.	2025-04-10
CC6.1	Common Criteria	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.	Identifies and Manages the Inventory of Information Assets; Restricts Logical Access; Identifies and Authenticates Users; Considers Network Segmentation; Manages Points of Access; Implements Secure Authentication Methods; Identifies and Manages Credentials; Manages Credentials for Infrastructure and Software; Uses Encryption to Protect Data; Protects Encryption Keys; Identifies Information Assets Requiring Protection; Establishes Relevant Technology Infrastructure Controls; Establishes Relevant Security Management Processes	Logical Access and Security Controls	Verify the implementation of logical access controls, infrastructure security, encryption practices, and protection of credentials and information assets.	Description of Implementation: The evidence shows that logical access security controls are recognized via documented policies and recommendations for secure authentication, credential management, network segmentation, and workstation configuration. However, deficiencies such as plaintext credential storage and outdated network diagrams remain unaddressed. Assessment Decision: Partially Implemented Rationale: While the organization has recognized and planned key controls, critical implementation steps—like credential encryption and current network segmentation—are not yet in place. Evidence: “Orland Fire District‐SIA‐Final.pdf” – Sections A.3, A.4, A.5 Gaps: Lacks encryption for stored credentials, updated network segmentation diagrams, and full implementation of secure authentication processes per the control’s points of focus.	2025-04-10
CC6.2	Common Criteria	Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users.	Controls Access Credentials to Protected Assets; Removes Access to Protected Assets When Appropriate; Reviews Appropriateness of Access Credentials; Implements Least Privilege Access	Logical and Physical Access	Verify user registration, authorization processes, credential management, and removal of system access for users when no longer needed.	Description of Implementation: The evidence does not provide any documentation regarding user registration, authorization processes, credential issuance logs, access removal logs, or access reviews. Assessment Decision: Not Implemented Rationale: The provided report lacks any evidence of user registration or authorization processes, credential management, and removal procedures. Evidence: Orland Fire District-SIA-Final.pdf Gaps: Missing documentation for controls on access credentials to protected assets, removal of access when appropriate, periodic access reviews, and enforcement of least privilege.	2025-04-10
CC6.3	Common Criteria	The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.	Creates or Modifies Access Based on Authorization; Removes Access When No Longer Required; Reviews Access Appropriateness Regularly; Implements the Principle of Least Privilege; Segregates Duties to Reduce Risk	Logical and Physical Access	Assess effectiveness of processes to authorize, modify, or remove access based on roles, least privilege, and segregation of duties principles.	Description of Implementation: The evidence shows that the organization reviews inactive accounts, recommends disabling or removing dormant user accesses, and enforces password policies to support least privilege practices. However, formal role‐based access documentation and segregation of duties procedures are not explicitly provided. Assessment Decision: Partially Implemented Rationale: While periodic reviews and corrective recommendations are in place, explicit role‐based access controls and segregation of duties documentation are missing. Evidence: Orland Fire District‑SIA‑Final.pdf (Sections A.5 and A.9) Gaps: Lacks formal role-based access documentation and defined segregation of duties procedures as required by the control’s points of focus.	2025-04-10
CC6.4	Common Criteria	The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.	Creates or Modifies Physical Access Based on Authorization; Removes Physical Access When No Longer Required; Reviews Physical Access Appropriateness Regularly	Physical Access Controls	Evaluate the processes to authorize, grant, review, and revoke physical access to facilities and sensitive information assets.	Description of Implementation: The provided evidence does not demonstrate any procedures or records for managing physical access controls, including authorization, access logs, or periodic reviews. Assessment Decision: Not Implemented Rationale: No documentation or records were found to support physical access authorization, review, or revocation processes as required by SOC2 CC6.4. Evidence: Orland Fire District‑SIA‑Final.pdf, Section A.6 “Physical Environment” (page 16) Gaps: Lacking evidence for “Creates or Modifies Physical Access Based on Authorization,” “Removes Physical Access When No Longer Required,” and “Reviews Physical Access Appropriateness Regularly.”	2025-04-10
CC6.5	Common Criteria	The entity diminishes logical and physical protections on data, software, and other protected assets only after their usefulness ends and secure disposal occurs.	Identifies Data and Software for Disposal; Removes Data and Software From Entity Control; Renders Data and Software Unreadable Prior to Disposal	Logical and Physical Access	Evaluate procedures ensuring logical and physical protections are discontinued only after securely rendering data and software unreadable.	Description of Implementation: The organization has not provided any documented procedures or records regarding data/software disposal or sanitization indicating that logical and physical protections are discontinued only after secure removal. Assessment Decision: Not Implemented Rationale: No evidence of policies, procedures, or records for secure data/software disposal was found within the provided documentation. Evidence: Orland Fire District-SIA-Final.pdf Gaps: Missing policies for identifying assets for disposal, procedures for data/software removal, and methods to render data/software unreadable prior to disposal.	2025-04-10
CC6.6	Common Criteria	The entity implements logical access security measures to protect against threats from sources outside its system boundaries.	Restricts Access; Protects Identification and Authentication Credentials; Requires Additional Authentication or Credentials for External Access; Implements Boundary Protection Systems (firewalls, DMZs, intrusion detection systems) and Monitors for Unauthorized Access	Logical Access Control	Verify logical access controls, boundary protection, and credential management to defend against external system threats.	Description of Implementation: The organization has documented the need for firewalls and acknowledges the absence of IDS/IPS, with identified vulnerabilities related to credential management. However, there is no evidence showing implementation of external authentication procedures or additional protective measures. Assessment Decision: Partially Implemented Rationale: Evidence indicates some controls (firewall use) but lacks robust IDS/IPS implementation and proper credentials and remote authentication protections. Evidence: Orland Fire District-SIA-Final.pdf – Internet (Public) and Internal WAN/LAN Infrastructure section; vulnerability assessment commentary. Gaps: Missing implementation of IDS/IPS, additional authentication measures for external access, and comprehensive remote access and credential protection procedures.	2025-04-10
CC6.7	Common Criteria	The entity restricts physical and logical access to information assets and systems to authorized personnel.	Restricts Ability to Perform Transmission (Data Loss Prevention); Protects Data in Transit; Protects Data on Removable Media; Protects Mobile Devices	Logical and Physical Access	Evaluate the effectiveness of controls restricting and protecting data transmission, removable media, and mobile devices from unauthorized access or data loss.	Description of Implementation: The organization enforces logical access controls (e.g., password vault recommendations, screen locks, account lockouts) and addresses data-in-transit encryption concerns (e.g., SSL/TLS recommendations). However, formal data loss prevention policies and specific procedures for removable media and mobile devices are not provided. Assessment Decision: Partially Implemented Rationale: Logical access and encryption controls are evidenced, but DLP, removable media, and mobile device protections are inadequately addressed. Evidence: “Orland Fire District‐SIA‐Final.pdf” – Sections A.3, A.5, Data Communications Management, External Vulnerabilities Summary, A.9 Gaps: Missing explicit evidence for data loss prevention systems, and detailed procedures for protecting removable media and mobile devices.	2025-04-10
CC6.8	Common Criteria	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.	Restricts Application and Software Installation; Detects Unauthorized Changes to Software and Configuration Parameters; Uses a Defined Change Control Process; Uses Antivirus and Anti-Malware Software; Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software	Logical and Physical Access Controls	Evaluate the implementation and effectiveness of controls to prevent, detect, and respond to unauthorized or malicious software introductions.	Description of Implementation: The organization uses vulnerability scanning tools and has recommendations for automated security processes; however, essential antivirus and anti‐malware software remain uninstalled and outdated, indicating only partial implementation of the intended controls. Assessment Decision: Partially Implemented Rationale: While scanning procedures and change management recommendations exist, critical deficiencies in antivirus/anti‐malware deployment undermine full compliance with CC6.8. Evidence: Orland Fire District‐SIA‐Final.pdf – Sections “A.1 Systems and Infrastructure Assessment Process” and “A.9 Orland Fire Notes and Observations” Gaps: Missing implementation of antivirus and anti‐malware software; lack of robust, automated malware scanning procedures; and absence of fully defined and enforced change control processes.	2025-04-10
CC7.1	Common Criteria	To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations and (2) susceptibilities to newly discovered vulnerabilities.	Uses Defined Configuration Standards; Monitors Infrastructure and Software; Implements Change-Detection Mechanisms (e.g., file integrity monitoring tools); Detects Unknown or Unauthorized Components; Conducts Vulnerability Scans and Remediates Identified Deficiencies	System Operations and Monitoring	Evaluate processes and tools used for configuration monitoring, change detection, vulnerability scanning, and identification/remediation of security issues.	Description of Implementation: The evidence shows that the organization uses multiple vulnerability scanning tools (e.g., Nessus, Rapidfire, Wireshark, Microsoft Baseline Security Analyzer) to assess network configurations and vulnerabilities, categorizes findings by severity, and recommends automated monitoring for continuous detection and remediation. Assessment Decision: Compliant (Fully Implemented) Rationale: The evidence covers key control aspects—including defined configuration baselines, continuous vulnerability scans, and remediation methods—which align with CC7.1 requirements. Evidence: "Orland Fire District-SIA-Final.pdf" – Sections “A.1 Systems and Infrastructure Assessment Process” (pages 5–7); Executive Summary and detailed assessment sections (pages 3–8); tables and recommendation sections (page 35). Gaps: Explicit file integrity monitoring records and standalone documentation of defined configuration standards are not clearly presented.	2025-04-10
CC7.2	Common Criteria	The entity monitors system components for anomalies impacting objectives, analyzing anomalies to determine if they represent security events.	Implements Detection Policies, Procedures, and Tools; Designs Detection Measures for Physical Barrier Compromise, Unauthorized Actions by Authorized Personnel, Use of Compromised Credentials, and Unauthorized External Access; Enables Logging of Unusual Activities	System Operations and Monitoring	Evaluate policies, tools, and processes implemented to monitor systems, detect anomalies, analyze potential security events, and respond accordingly.	Description of Implementation: The organization employs vulnerability scanning and network traffic analytical tools, and has documented recommendations for automated monitoring; however, critical detection components such as centralized logging and intrusion detection systems are missing, indicating partial implementation of the control. Assessment Decision: Partially Implemented Rationale: While some detection tools and processes are in place, key components like a SYSLOG server and IDS/IPS are notably absent, leaving gaps in comprehensive anomaly detection. Evidence: Orland Fire District‑SIA‑Final.pdf – Sections “A.1 Systems and Infrastructure Assessment Process,” “A.4 Internet (Public) and Internal WAN/LAN (Private) Infrastructure,” and recommendation sections. Gaps: Lacks centralized logging infrastructure and an intrusion detection/prevention system as required by the control's points of focus.	2025-04-10
CC7.3	Common Criteria	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents), and takes actions accordingly.	Responds to Security Incidents; Communicates and Reviews Detected Security Events; Periodically Evaluates the Effectiveness of Incident Response Procedures	System Operations and Monitoring	Assess the entity’s effectiveness in identifying, analyzing, responding to, and reviewing security incidents and related communications.	Description of Implementation: The evidence reviewed does not provide any incident response plans, security event communication logs, incident analysis documentation, or records of periodic reviews of incident response procedures. Assessment Decision: Not Implemented Rationale: No documentation or references were found that meet any key evidence requirements for evaluating and responding to security events per the SOC control details. Evidence: Orland Fire District‐SIA‐Final.pdf (no relevant sections found) Gaps: Responds to Security Incidents; Communicates and Reviews Detected Security Events; Periodically Evaluates the Effectiveness of Incident Response Procedures.	2025-04-10
CC7.4	Common Criteria	The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.	Assigns Roles and Responsibilities; Contains Security Incidents; Mitigates Ongoing Security Incidents; Ends Threats Posed by Security Incidents; Restores Operations; Develops and Implements Communication Protocols for Security Incidents; Obtains Understanding of Nature of Incident and Determines Containment Strategy; Remediates Identified Vulnerabilities; Communicates Remediation Activities; Evaluates the Effectiveness of Incident Response; Periodically Evaluates Incidents	Incident Response Management	Evaluate the entity’s incident-response processes for clearly defined roles, containment, mitigation, remediation, communication, restoration of operations, and periodic effectiveness reviews.	Description of Implementation: The provided document lacks any defined incident-response program and does not present evidence of roles, containment procedures, remediation activities, or communication protocols to manage and respond to security incidents. Assessment Decision: Not Implemented Rationale: The evidence does not include a defined incident-response program or supporting documentation for any incident response activities. Evidence: Orland Fire District‑SIA‑Final.pdf (disaster recovery testing, vulnerability assessments, configuration and process recommendations) Gaps: Missing documentation for assigned roles and responsibilities, incident containment and remediation logs, communication protocols, and periodic effectiveness reviews as required by the control’s points of focus.	2025-04-10
CC7.5	Common Criteria	The entity identifies, develops, and implements activities to recover from identified security incidents.	Restores the Affected Environment; Communicates Information About the Event (Internally and Externally); Determines Root Cause of the Event; Implements Changes to Prevent and Detect Recurrences; Improves Response and Recovery Procedures; Implements Incident-Recovery Plan Testing (including threat scenarios, availability impacts, key personnel availability, and continuity plan revisions)	Incident Response and Recovery	Evaluate the effectiveness of incident recovery activities, including restoration processes, root-cause analysis, prevention improvements, and testing of recovery plans.	Description of Implementation: The organization has documented a Disaster Recovery plan and backup procedures, with recommendations for live testing and documented scenarios. However, explicit evidence of root-cause analysis and established communication protocols is missing. Assessment Decision: Partially Implemented Rationale: Evidence shows some recovery activities are in place, but lacks complete testing, communication protocols, and formal root-cause analysis documentation. Evidence: Orland Fire District‑SIA‑Final.pdf – Sections A.3 (Policies, Standardization, Processes and Governance) and A.5 (Server/Workstation Environment). Gaps: Missing explicit root-cause analysis records; detailed communication protocols for incident events; complete testing results of the recovery plan and backup verification procedures.	2025-04-10
CC8.1	Common Criteria	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.	Manages Changes Throughout the System Life Cycle; Authorizes Changes; Designs and Develops Changes; Documents Changes; Tracks System Changes; Configures Software; Tests System Changes; Approves System Changes; Deploys System Changes; Identifies and Evaluates System Changes; Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents; Creates Baseline Configuration of IT Technology; Provides for Changes Necessary in Emergency Situations	Change Management	Assess the effectiveness of the entity’s change management process throughout the system life cycle, including authorization, design, documentation, testing, approval, deployment, and emergency change handling.	Description of Implementation: The evidence shows that formalized change management practices are recommended and addressed in documented policies and procedures, including authorization, design, testing, and approval processes. However, actual implementation records such as change logs, testing documentation, and baseline configurations are not shown. Assessment Decision: Partially Implemented Rationale: While recommendations for change management are in place, there’s insufficient evidence of the actual records and process execution required by SOC2 CC8.1. Evidence: Orland Fire District‑SIA‑Final.pdf – Section A.2 and concluding recommendations table Gaps: Missing documented change authorization records, test and deployment logs, baseline configuration documents, incident remediation, and emergency change records as per the control’s points of focus.	2025-04-10
CC9.1	Common Criteria	The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.	Considers Mitigation of Risks of Business Disruption (planned policies, procedures, communications, monitoring processes, alternative processing solutions); Considers the Use of Insurance to Mitigate Financial Impact Risks	Risk Mitigation & Business Continuity	Evaluate the entity’s processes to identify, develop, and implement policies, procedures, communications, monitoring activities, and alternative processing solutions to mitigate and recover from business disruptions, including financial impact considerations through insurance.	Description of Implementation: Orland Fire has developed a Disaster Recovery plan and documented risk mitigation activities for business disruptions. However, the plan remains untested, and key supporting elements, such as alternative processing solutions and insurance documentation, are incomplete. Assessment Decision: Partially Implemented Rationale: A Disaster Recovery plan exists but remains untested, and critical elements like alternative processing solutions, offsite backup execution, and insurance coverage details are missing. Evidence: Orland Fire District‑SIA‑Final.pdf (Sections A.3, A.5, Recommendations Table) Gaps: Testing and validation of the Disaster Recovery plan, evidence of effective communication and monitoring protocols, implementation of alternative processing solutions, and formal insurance coverage documentation.	2025-04-10
CC9.2	Common Criteria	The entity assesses and manages risks associated with vendors and business partners.	Establishes Requirements for Vendor and Business Partner Engagements (scope of services, roles, compliance requirements, service levels); Assesses Vendor and Business Partner Risks; Assigns Responsibility and Accountability for Managing Vendors and Business Partners; Establishes Communication Protocols; Establishes Exception Handling Procedures; Assesses Vendor and Business Partner Performance; Addresses Issues Identified in Assessments; Implements Procedures for Terminating Relationships	Vendor Risk Management	Evaluate the entity's processes for managing vendor and business partner risks, including engagement requirements, performance assessments, communication, exception handling, issue resolution, and termination procedures.	Description of Implementation: The evidence indicates that the organization advises using vendor support contracts to validate infrastructure design and configuration. However, the documentation only provides a recommendation rather than a comprehensive vendor risk management framework with documented policies, procedures, or detailed assessments. Assessment Decision: Partially Implemented Rationale: The provided evidence shows a partial consideration of vendor risk through support contracts but lacks detailed procedures covering all required points of focus. Evidence: Orland Fire District‐SIA‐Final.pdf – Recommendations section (page 35) Gaps: Missing formal vendor management policies and procedures, comprehensive risk assessment documentation, detailed communication and exception handling protocols, vendor performance evaluations, and termination procedures.	2025-04-10
C1.1	Confidentiality	The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.	Identifies Confidential Information (procedures for designation, identification, retention period determination); Protects Confidential Information From Destruction During Retention Period	Information Protection	Evaluate the entity's procedures for identifying, classifying, retaining, and protecting confidential information from unauthorized erasure or destruction.	Description of Implementation: The entity designates information as confidential by including a confidentiality notice in its document, indicating an initial procedure for identifying and labeling confidential data. Assessment Decision: Partially Implemented Rationale: While the confidentiality designation is present, evidence lacks detailed data classification, retention schedules, and secure storage protocols for full compliance. Evidence: Orland Fire District-SIA-Final.pdf – “CONFIDENTIALITY NOTE” Gaps: Missing documented data classification procedures, retention period determination, and secure retention practices as per the points of focus.	2025-04-10
C1.2	Confidentiality	The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.	Identifies Confidential Information for Destruction; Destroys Confidential Information	Information Disposal	Evaluate the entity’s procedures to identify confidential information requiring disposal and ensure secure destruction at the end of its retention period.	Description of Implementation: No evidence was found indicating the implementation of procedures to identify or destroy confidential information. Assessment Decision: Not Implemented Rationale: No documented policies, retention schedules, or records of destruction were provided to meet the control criteria. Evidence: No evidence found for this control. Gaps: Identification of confidential information for destruction and documented procedures/records confirming its secure destruction are missing.	2025-04-10
P1.1	Privacy	The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects timely when privacy practices change.	Communicates to Data Subjects (purpose, choice and consent, types of personal information collected, methods of collection, use/retention/disposal, access, disclosure to third parties, security for privacy, data quality responsibilities, monitoring and enforcement, sources if not directly collected); Provides Notice Timely; Covers Entities and Activities; Uses Clear and Conspicuous Language	Privacy Notice	Evaluate the completeness, clarity, timeliness, and accuracy of the privacy notices provided to data subjects, including all required elements.	Description of Implementation: No evidence was provided to indicate that the organization has implemented a privacy notice with the required elements or maintained records and timely communications related to updates. Assessment Decision: Not Implemented Rationale: The provided evidence shows no reference to privacy notices, update records, or communication to data subjects. Evidence: None provided Gaps: Missing evidence on communicating privacy practices (purpose, consent, type of data collected, processing details, third-party disclosure, security, etc.), lack of timely updates, records of distribution, and clear language per the points of focus.	2025-04-10
P2.1	Privacy	The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information, obtains consent when required, and ensures such consent aligns with intended purposes related to privacy.	Communicates Choices and Consent Requirements; Communicates Consequences of Denying or Withdrawing Consent; Obtains Explicit or Implicit Consent; Documents and Obtains Consent for New Purposes and Uses; Obtains Explicit Consent for Sensitive Information; Obtains Consent for Data Transfers	Consent and Choice	Evaluate processes to inform data subjects of privacy choices, obtain explicit or implicit consent appropriately, document consent, and ensure adherence to consent preferences.	Description of Implementation: There is no identifiable documentation or evidence regarding privacy consent policies or documented consent acquisition processes. Assessment Decision: Not Implemented Rationale: No evidence supports compliance with the consent and choice requirements, including communication of options and obtaining documented consent. Evidence: None Gaps: Lacks communication on choices, consent options, consequences of consent withdrawal, explicit consent records for sensitive information, and documented consent for data transfers per TSPRef: P2.1 points of focus.	2025-04-10
P3.1	Privacy	Personal information is collected consistent with the entity’s objectives related to privacy.	Limits the Collection of Personal Information; Collects Information by Fair and Lawful Means; Collects Information from Reliable Sources; Informs Data Subjects When Additional Information Is Acquired	Information Collection	Evaluate processes for ensuring personal information collection is limited, fair, lawful, from reliable sources, and properly communicated to data subjects when new information is obtained.	Description of Implementation: No evidence was found documenting procedures or policies that ensure personal information is collected in a limited, fair, lawful manner or from reliable sources, nor are there communications to data subjects regarding additional information acquired. Assessment Decision: Not Implemented Rationale: The provided document lacks any sections addressing data collection policies, procedures for lawful practices, source reliability, or data subject notifications. Evidence: Orland Fire District-SIA-Final.pdf (executive summary, recommendations, technical findings, appendices) Gaps: Missing documentation related to limits on personal data collection, fair and lawful collection methods, verification of reliable third-party sources, and communications to data subjects when new information is acquired.	2025-04-10
P4.1	Privacy	The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy.	Uses Personal Information for Intended Purposes (information is used only as intended, with explicit or implicit consent, unless otherwise required by law or regulation)	Information Use	Evaluate procedures ensuring personal information is used exclusively for specified purposes, aligned with obtained consent and applicable regulations.	Description of Implementation: The provided evidence does not include any privacy-focused documentation; it only covers IT and systems-related assessments without referencing personal data usage policies, consent management, or regulatory compliance related to privacy. Assessment Decision: Not Implemented Rationale: No evidence confirms that personal information is used solely for intended purposes as required by control P4.1. Evidence: Orland Fire District-SIA-Final.pdf (lacks privacy-related sections) Gaps: Missing documentation on data usage policies, consent management records, and regulatory compliance aligned with the intended purposes for personal information use.	2025-04-10
P4.2	Privacy	The entity retains personal information consistent with the entity’s objectives related to privacy.	Retains Personal Information Only for Required Period; Protects Personal Information From Erasure or Destruction During Retention Period	Information Retention	Evaluate processes ensuring personal information is retained only as long as necessary, with effective protections against unauthorized erasure or destruction.	Description of Implementation: No applicable evidence is provided regarding personal information retention or its protection from unauthorized erasure or destruction. Assessment Decision: Not Implemented Rationale: The evidence only addresses network security without any data retention or personal information protection details. Evidence: Orland Fire District-SIA-Final.pdf (network security section) Gaps: Missing retention schedules, data disposal policies, and procedures ensuring protection of stored personal information during retention.	2025-04-10
P4.3	Privacy	The entity disposes of personal information to meet the entity’s objectives related to privacy.	Captures, Identifies, and Flags Requests for Deletion; Disposes of Personal Information Securely to Prevent Unauthorized Access, Theft, Loss, or Misuse; Implements Policies and Procedures to Erase or Destroy Personal Information	Information Disposal	Evaluate processes for secure disposal of personal information, including handling deletion requests and ensuring effective data destruction.	Description of Implementation: No evidence related to the secure disposal of personal information, deletion requests tracking, or established data destruction policies and procedures was found. Assessment Decision: Not Implemented Rationale: The documentation lacks any reference to deletion processes, secure disposal records, or policies, indicating no implementation of the required privacy control. Evidence: No evidence found for SOC2 Control P4.3. Gaps: Capturing and flagging deletion requests; documentation of secure disposal processes; established policies and procedures for erasing or destroying personal information.	2025-04-10
P5.1	Privacy	The entity grants identified and authenticated data subjects access to their personal information and informs them of denials and reasons for denials, as appropriate.	Authenticates Data Subjects’ Identity; Provides Data Subjects Access to Personal Information; Responds in Reasonable Timeframe and at Reasonable Cost; Informs Data Subjects If Access Is Denied (including reasons, unless prohibited by law or regulation)	Access and Authentication	Evaluate processes ensuring data subjects' identity is authenticated, personal information access requests are addressed timely, and proper communication occurs when access is denied.	Description of Implementation: The provided evidence does not address any of the required elements for authenticating data subjects' identities or processing their access requests. Assessment Decision: Not Implemented Rationale: No evidence demonstrates the implementation of data subject authentication, access provisions, or communication of access denials. Evidence: Orland Fire District-SIA-Final.pdf Gaps: Missing identity authentication procedures; lack of documented personal information access policies; absence of records on access requests and communications regarding access denial.	2025-04-10
P5.2	Privacy	The entity corrects or updates personal information based on data subject requests and communicates updates or denials as required to meet the entity’s objectives related to privacy.	Communicates Denial of Correction Requests (including legal basis and appeal rights if applicable); Permits Data Subjects to Update or Correct Personal Information; Communicates Updates to Third Parties as Required	Information Correction and Update	Evaluate processes enabling data subjects to update or correct personal information, including effective communication of corrections to third parties or appropriate handling and communication of denial requests.	Description of Implementation: The organization has not implemented any procedures or maintained records demonstrating the ability to update personal information, document correction requests, or communicate denials and updates to data subjects or third parties. Assessment Decision: Not Implemented Rationale: No evidence or documentation supports any part of the control requirements for handling data subject correction requests. Evidence: Orland Fire District-SIA-Final.pdf (absence of relevant sections) Gaps: Lacks procedures for data subject correction, records of correction requests and outcomes, and documentation of denial notices including legal basis and appeal options.	2025-04-10
P6.1	Privacy	The entity discloses personal information to third parties with the explicit consent of data subjects obtained prior to disclosure, to meet the entity’s objectives related to privacy.	Communicates Privacy Policies to Third Parties; Discloses Personal Information Only When Appropriate and Consent Obtained; Discloses Personal Information Only to Appropriate Third Parties (with privacy agreements and control evaluations); Discloses Information to Third Parties for New Purposes and Uses Only With Prior Consent	Information Disclosure	Evaluate procedures for obtaining consent prior to disclosure, communicating privacy policies to third parties, and ensuring third-party protection and control effectiveness for personal information disclosure.	Description of Implementation: There is no evidence of procedures or documentation demonstrating that personal information is disclosed to third parties only with explicit consent or that third-party privacy safeguards are evaluated and communicated. Assessment Decision: Not Implemented Rationale: No evidence supports obtaining consent, communicating privacy policies, or third-party privacy assessments. Evidence: Orland Fire District-SIA-Final.pdf – no relevant sections found. Gaps: Missing documentation on explicit consent from data subjects, privacy policy communications to third parties, third-party privacy agreements, and evaluations of third-party privacy controls.	2025-04-10
P6.2	Privacy	The entity creates and maintains records of authorized disclosures of personal information, ensuring completeness, accuracy, and timeliness to meet the entity’s objectives related to privacy.	Creates and Retains Complete, Accurate, and Timely Records of Authorized Disclosures of Personal Information	Information Disclosure	Evaluate processes for accurately recording, documenting, and retaining timely records of authorized disclosures of personal information.	Description of Implementation: There is no implementation evident as there is no record of authorized disclosures of personal information or related tracking logs, policies, or procedures in the available documentation. Assessment Decision: Not Implemented Rationale: The review of the provided document revealed no evidence of records, tracking logs, or policies to support authorized disclosures of personal information. Evidence: Orland Fire District-SIA-Final.pdf – document focus unrelated to disclosure records Gaps: Missing creation and retention of complete, accurate, and timely disclosure records; absence of tracking logs and records management policies as required by the control criteria.	2025-04-10
P6.3	Privacy	The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information.	Creates and Retains Complete, Accurate, and Timely Record of Unauthorized Disclosures of Personal Information	Incident Management (Privacy)	Evaluate procedures ensuring complete, accurate, and timely documentation of unauthorized disclosures or breaches of personal information.	Description of Implementation: There is no documented evidence of procedures or records related to unauthorized disclosures of personal information. Assessment Decision: Not Implemented Rationale: No evidence of complete, accurate, and timely records for unauthorized disclosures has been provided. Evidence: None found in the reviewed documents. Gaps: Missing documentation on unauthorized disclosure incident management procedures, breach logs, incident tracking records, and breach notification details as required by the SOC control details.	2025-04-10
P6.4	Privacy	The entity obtains privacy commitments from vendors and third parties accessing personal information, and assesses their compliance periodically or as needed, to meet the entity’s privacy objectives.	Discloses Personal Information Only to Third Parties with Privacy Commitments and Effective Controls; Remediates Misuse or Unauthorized Disclosure by Third Parties Through Evaluation Procedures and Controls Assessment; Periodically Assesses Third-Party Compliance with Privacy Commitments	Third-Party Privacy Management	Evaluate entity's procedures for obtaining, maintaining, and assessing third-party privacy commitments and compliance, including periodic assessments and remediation of issues.	Description of Implementation: The evidence does not show any implementation of obtaining privacy commitments or conducting periodic compliance assessments with vendors and third parties. Assessment Decision: Not Implemented Rationale: No documentation or evidence is provided regarding third-party privacy commitments, compliance evaluations, or remediation actions. Evidence: Orland Fire District-SIA-Final.pdf Gaps: Missing documentation for privacy agreements with vendors, periodic assessments of third-party privacy compliance, and records of remediation actions for privacy violations.	2025-04-10
P6.5	Privacy	The entity obtains commitments from vendors and third parties with access to personal information and ensures notification and remediation in case of misuse to meet the entity’s privacy objectives.	Remediates Misuse of Personal Information by a Third Party; Obtains Commitments from Third Parties Regarding Privacy Incident Response and Notification; Evaluates Third-Party Compliance with Notification and Remediation Requirements	Third-Party Privacy Management	Evaluate the entity's processes to secure privacy-related commitments from third parties, ensure third-party compliance, and respond effectively to unauthorized disclosures or misuse of personal information.	Description of Implementation: There is no documented implementation of vendor privacy commitments or third-party evaluation processes. Assessment Decision: Not Implemented Rationale: No evidence was provided to support processes for obtaining third-party commitments, compliance assessments, or remediation actions for privacy incidents. Evidence: No evidence found for this control. Gaps: Remediation of misuse of personal information by a third party; obtaining commitments on privacy incident response; evaluating third-party compliance with notification and remediation requirements.	2025-04-10
P6.6	Privacy	The entity provides timely notification of breaches and incidents affecting personal information to data subjects, regulators, and others, consistent with privacy objectives.	Provides Notice of Breaches and Incidents to Data Subjects, Regulators, and Others; Remediates Misuse of Personal Information by Third Parties Through Notification and Corrective Action	Incident Response and Notification	Evaluate the entity's procedures for timely notification of privacy breaches or incidents to affected parties, regulators, and appropriate personnel, including remediation of third-party misuse.	Description of Implementation: No evidence was found that addresses breach notification policies, records, or remediation actions. Assessment Decision: Not Implemented Rationale: The provided documents do not include any evidence of breach/incident notification processes or remediation measures. Evidence: Orland Fire District-SIA-Final.pdf (sections on vulnerabilities and recommendations) Gaps: Missing evidence for notification policies, breach records, and remediation logs for third-party misuse of personal information.	2025-04-10
P6.7	Privacy	The entity provides data subjects, upon request, an accounting of personal information held and disclosures made, meeting privacy objectives.	Identifies Types of Personal Information and Handling Processes (including sensitive data, systems, and third parties involved); Captures, Identifies, and Communicates Requests for Personal Information and Disclosures	Information Disclosure Requests	Evaluate processes enabling accurate accounting of personal information held, and timely, clear responses to data subjects' requests regarding disclosures of their personal information.	Description of Implementation: No procedures, documentation, or records were found that describe or support the handling of personal information requests or responses to data subjects. Assessment Decision: Not Implemented Rationale: The provided evidence does not include any documentation addressing data subject requests, personal information accounting, or disclosure responses. Evidence: No evidence found for this control. Gaps: Missing documentation on types of personal information handled, processes for capturing and responding to data subject requests, and records of disclosures to third parties.	2025-04-10
P7.1	Privacy	The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet privacy objectives.	Ensures Accuracy and Completeness of Personal Information; Ensures Relevance of Personal Information to Intended Purposes	Information Quality	Evaluate processes ensuring personal information collected is accurate, complete, up-to-date, and relevant to specified uses.	Description of Implementation: The reviewed document does not include any policies or documented processes for collecting, maintaining, or validating the accuracy, completeness, or relevance of personal information. Assessment Decision: Not Implemented Rationale: No evidence demonstrates required personal information review, validation processes, or associated policies as per SOC2 control details. Evidence: Orland Fire District-SIA-Final.pdf Gaps: Missing documentation of data accuracy checks, completeness reviews, relevance confirmation, and procedural validation methods as outlined in the COSO Privacy point of focus.	2025-04-10
P8.1	Privacy	The entity implements a process for receiving, addressing, resolving, and communicating inquiries, complaints, and disputes from data subjects, monitors compliance, and corrects deficiencies timely.	Communicates Contact Methods to Data Subjects; Addresses Inquiries, Complaints, and Disputes; Documents and Communicates Resolution to Individuals; Reviews and Reports Compliance Results to Management; Documents and Reports Instances of Noncompliance with Privacy Objectives; Performs Ongoing Monitoring of Privacy Controls and Implements Timely Corrective Actions	Monitoring and Enforcement	Evaluate the entity’s procedures for receiving, resolving, and communicating resolutions of privacy-related inquiries, complaints, disputes, and monitoring compliance, including documentation and timely correction of deficiencies.	Description of Implementation: No process or records were provided that demonstrate the organization’s procedures for receiving, addressing, resolving, communicating resolutions, or monitoring compliance for privacy-related inquiries or disputes. Assessment Decision: Not Implemented Rationale: The evidence lacks any inquiry, complaint, dispute resolution process, associated monitoring, or corrective action documentation as required. Evidence: Orland Fire District-SIA-Final.pdf Gaps: Missing communication of contact methods, documented resolution of inquiries, monitoring of privacy controls, and reporting of noncompliance with privacy objectives.	2025-04-10