Lab 1
Stand up Acme’s Security controls in an afternoon
Scenario
Acme Services’ largest prospective client sent a security questionnaire and asked about SOC 2 plans. Priya decides to start readiness now with SOC 2 Security scope in SentriAI, aiming for a Type I in six months.
Steps
- 1
Scope SOC 2 with the Security category and open the generated control set.
Expected: A concrete control list appears (access control, change management, incident response, vendor management, etc.).
- 2
Assign owners: Priya takes governance and vendor controls; the IT contractor takes technical controls; Jordan takes people controls (onboarding/offboarding, training).
Expected: Zero unowned controls on the dashboard.
- 3
Attach first evidence to three controls: MFA enforcement (identity provider settings record), offboarding (last departure’s access-removal record), backups (the restore-test note from June).
Expected: Three controls show current evidence; the rest show missing - an honest baseline.
- 4
Create the risk register’s first five entries, including "single IT contractor is a key-person dependency" with treatment "accept, review in Q4" signed by Priya.
Expected: Five risks with likelihood/impact and linked controls; one documented acceptance.
- 5
Read the readiness dashboard and write the 90-day plan from the gaps (top items: no incident-response test ever run; access reviews never performed).
Expected: A prioritized gap list generated from control status, not from guesswork.
- 6
Schedule the first quarterly access review and record it in SentriAI when done.
Expected: The access-review control gains its first evidence record - the continuous loop has begun.
Checkpoints - you got it right if…
- Every Security control has a named owner
- At least three controls carry timestamped evidence
- The risk register exists with one explicit, signed risk acceptance
- A 90-day remediation plan derives from the dashboard’s actual gaps