
SOC 2 Type II Implementation Plan

Authoritative SOC 2 implementation reference for Meridian Seven.

Operating model:

  • No dedicated GRC platform (no Vanta/Drata).
  • No Okta at current scale — reconsider at 10-15 headcount.
  • No Linear for compliance workflow.
  • Compliance is GitHub-native: Issues + Project for control execution, evidence/ for artifacts.

System                               | Role in Control Environment
-------------------------------------|------------------------------------------------------------------
Google Workspace Enterprise Standard | Primary IdP, MFA, endpoint policy, CAA, DLP, admin logs
CrowdStrike Falcon                   | Endpoint NGAV/EDR, containment, host telemetry
Cloudflare (WAF + Zero Trust + CASB) | Boundary protection, access policy, SaaS posture
1Password Business                   | Human credential governance, shared vault controls, Watchtower
Doppler                              | Runtime/application secrets authority
GitHub Team                          | Change management, issue workflow, CI/CD
GitHub Secret Protection             | Secret leak prevention and push protection
GCP Cloud Monitoring                 | Uptime checks, alert policies, notification channels, incident timelines
Slack                                | Alert routing and incident communication
Supabase / GCP Cloud Run             | Production platform operations and logs
Backblaze B2 + Cube Backup           | Backup/recovery controls

Control Area                                     | Primary Systems
-------------------------------------------------|------------------------------------------------------------------
CC1.1-1.4 Control environment                    | Policies (repo), GitHub Project, role ownership
CC2.1-2.3 Communication                          | Slack, GitHub Issues, procedures in repo
CC3.1-3.4 Risk assessment                        | CrowdStrike, 1Password Watchtower, vendor register
CC4.1-4.2 Monitoring activities                  | GCP Cloud Monitoring, GitHub Issues/Project, evidence manifests
CC5.1-5.3 Control activities                     | Google policy enforcement, GitHub rulesets, Doppler controls
CC6.1 Logical access                             | Google IdP/MFA, Cloudflare Access, GitHub org controls
CC6.2 Credential controls                        | 1Password + Doppler + Google password/MFA policy
CC6.3 Provisioning/deprovisioning                | Google lifecycle + GitHub workflow checklists + monthly access review
CC6.4 Asset protection                           | Google endpoint management + CrowdStrike
CC6.5 System operations — restrict data movement | Cloudflare WAF + rate limiting, Google DLP
CC6.6 Boundary/system protection                 | Cloudflare + CrowdStrike + Google CAA
CC6.7 Restrict data movement                     | Google DLP + Doppler segmentation + Cloudflare policies
CC7.1 Infrastructure monitoring                  | GCP Cloud Monitoring + CrowdStrike + platform logs
CC7.2 Anomaly detection                          | GCP Cloud Monitoring alert policies + CrowdStrike detections + Google anomalies
CC7.3 Evaluate events                            | Incident workflow in GitHub Issues + GCP Cloud Monitoring alerts + retained artifacts
CC7.4 Incident response                          | GCP Cloud Monitoring alerts → Slack notification channel + post-mortem via Slack modal + GitHub incident issues
CC7.5 Recovery                                   | Cube/Backblaze + Supabase PITR + restoration tests
CC8.1 Change management                          | GitHub PR workflow, branch protection, required checks
CC9.1-9.2 Risk mitigation/vendor mgmt            | Vendor register + policy set + backup architecture

Google Workspace is the source of truth for workforce identity. MFA is mandatory everywhere.

  • Every onboarding, role change, and offboarding is tracked via the access-provision.yml workflow and GitHub issue.
  • The provisioning.py automation handles system access changes; manual items (1Password, CrowdStrike) are completed by the owner.
  • Issue templates define required system actions and evidence attachments.
  • Offboarding SLA: 24 hours (1 hour for involuntary).

In-scope systems: Google Workspace, GitHub, Slack, 1Password, GCP IAM, Supabase, Doppler, Cloudflare.

Monthly access review issue auto-created by GitHub Actions. Reviewer compares expected roster against every in-scope system. Discrepancies remediated and documented in linked issues.
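The roster comparison described above, as an added example (not the project's provisioning.py or its access-review workflow): it checks every exported account against the expected roster in both directions, so offboarded accounts, unregistered service accounts, privilege creep, dormant accounts and failed provisioning all surface as findings. ROSTER, EXPORTS and the 90-day dormancy threshold are constructed sample data and assumptions; in practice the roster comes from Google Workspace and each export from that system's admin API.

```python
"""Monthly access review: compare the expected roster against per-system user exports
and list every discrepancy for the reviewer to remediate in a linked issue.

Added example, not the project's provisioning.py. ROSTER and EXPORTS are constructed
sample data; INACTIVE_AFTER_DAYS is an assumed threshold.
"""
from dataclasses import dataclass

INACTIVE_AFTER_DAYS = 90  # assumed: flag accounts with no login for longer than this


@dataclass(frozen=True, order=True)
class Finding:
    system: str
    account: str
    kind: str      # orphan | missing | role_mismatch | inactive
    detail: str


def review_access(roster: dict, exports: dict) -> list[Finding]:
    """roster:  {email: {"active": bool, "systems": {system: expected_role}}}
    exports: {system: {email: {"role": str, "last_login_days": int}}}"""
    findings: list[Finding] = []

    # Pass 1: every account present in a system must map to an active, entitled person.
    for system, accounts in exports.items():
        for email, attrs in accounts.items():
            person = roster.get(email)
            if person is None or not person["active"]:
                findings.append(Finding(system, email, "orphan",
                                        "no active roster entry (offboarded or unknown account)"))
                continue
            expected = person["systems"].get(system)
            if expected is None:
                findings.append(Finding(system, email, "orphan",
                                        "person is active but not entitled to this system"))
            elif attrs["role"] != expected:
                findings.append(Finding(system, email, "role_mismatch",
                                        f"has role {attrs['role']!r}, expected {expected!r}"))
            if attrs.get("last_login_days", 0) > INACTIVE_AFTER_DAYS:
                findings.append(Finding(system, email, "inactive",
                                        f"no login for {attrs['last_login_days']} days"))

    # Pass 2: every roster entitlement should exist (catches provisioning that never completed).
    for email, person in roster.items():
        if not person["active"]:
            continue
        for system, role in person["systems"].items():
            if email not in exports.get(system, {}):
                findings.append(Finding(system, email, "missing",
                                        f"expected role {role!r} but no account exists"))
    return sorted(findings)  # ordered by system, account, kind for a stable review record


def render_issue_comment(findings: list[Finding]) -> str:
    """Markdown table for pasting into the monthly access-review issue."""
    if not findings:
        return "No discrepancies found."
    rows = ["| System | Account | Finding | Detail |", "|---|---|---|---|"]
    rows += [f"| {f.system} | {f.account} | {f.kind} | {f.detail} |" for f in findings]
    return "\n".join(rows)


# Constructed sample data (not real accounts).
ROSTER = {
    "alice@example.com": {"active": True,
                          "systems": {"github": "admin", "doppler": "admin", "supabase": "owner"}},
    "bob@example.com": {"active": True,
                        "systems": {"github": "member", "doppler": "developer"}},
    "carol@example.com": {"active": False,            # offboarded last month
                          "systems": {"github": "member"}},
}
EXPORTS = {
    "github": {
        "alice@example.com": {"role": "admin", "last_login_days": 2},
        "bob@example.com": {"role": "admin", "last_login_days": 5},      # privilege creep
        "carol@example.com": {"role": "member", "last_login_days": 40},  # offboarding missed
    },
    "doppler": {
        "alice@example.com": {"role": "admin", "last_login_days": 120},  # dormant
        # bob's expected developer access was never provisioned
    },
    "supabase": {
        "alice@example.com": {"role": "owner", "last_login_days": 1},
        "svc-deploy@example.com": {"role": "owner", "last_login_days": 0},  # unregistered service account
    },
}


def sample_review() -> list[Finding]:
    return review_access(ROSTER, EXPORTS)


if __name__ == "__main__":
    print(render_issue_comment(sample_review()))
```

Service accounts show up as orphans because they are not people; keep an explicit allowlist of approved non-human accounts per system so the reviewer reviews them deliberately rather than filtering them out silently.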

  • Working documents, policies, procedures, guides in repository.
  • Operational evidence under evidence/.

Evidence layout:

evidence/
  README.md
  automation/manifests/YYYY/MM/DD/
  weekly-security-reviews/YYYY/
  monthly-access-reviews/YYYY/
  incidents/YYYY/
  vulnerabilities/YYYY/
  access/onboarding/YYYY/
  access/offboarding/YYYY/
  logs/
    github/YYYY/MM/
    gcp-monitoring/YYYY/MM/
    cloudflare/YYYY/MM/
    crowdstrike/YYYY/MM/
    google-workspace/YYYY/MM/
    supabase/YYYY/MM/
  restoration-tests/YYYY/QN/
  vendor-reviews/YYYY/

Automation:

  • Scheduled GitHub issue creation for recurring control execution.
  • Daily evidence manifest generation for file integrity tracking.
  • Automated repository snapshots for GitHub-native control evidence.
  • External-system evidence ingested to evidence/logs/ with source/date naming.
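The daily manifest generation listed above, as an added example (not evidence-collector.yml or the project's own tooling): it hashes every artifact under evidence/ with SHA-256, writes the manifest under automation/manifests/YYYY/MM/DD/ as in the layout above, and diffs it against the previous day's manifest so that an artifact modified or deleted after the fact is detected rather than silently accepted. The directory contents in demo() are constructed; manifest.json as the file name is an assumption.

```python
"""Daily evidence manifest for file-integrity tracking.

Added example, not the project's evidence-collector.yml. Evidence files created in
demo() are constructed; the manifest file name is an assumption.
"""
import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path

MANIFEST_DIR = "automation/manifests"  # relative to evidence/, matching the layout above


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so large log exports do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_root: Path) -> dict[str, str]:
    """Map each artifact's path (relative, POSIX) to its SHA-256; earlier manifests are excluded."""
    manifest: dict[str, str] = {}
    for p in sorted(evidence_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(evidence_root).as_posix()
        if rel.startswith(MANIFEST_DIR + "/"):
            continue
        manifest[rel] = sha256_file(p)
    return manifest


def write_manifest(evidence_root: Path, manifest: dict[str, str], day: date) -> Path:
    target = evidence_root / MANIFEST_DIR / f"{day:%Y/%m/%d}" / "manifest.json"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps(manifest, indent=2, sort_keys=True) + "\n")
    return target


def diff_manifests(previous: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Added files are expected daily; removed or modified files need an explanation."""
    return {
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "modified": sorted(p for p in set(previous) & set(current) if previous[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Two simulated daily runs over a constructed evidence/ tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "incidents/2025").mkdir(parents=True)
        (root / "incidents/2025/INC-001.md").write_text("constructed incident record\n")
        (root / "monthly-access-reviews/2025").mkdir(parents=True)
        (root / "monthly-access-reviews/2025/2025-01.md").write_text("constructed review\n")

        # Day 1: hash everything and persist the manifest.
        day1_path = write_manifest(root, build_manifest(root), date(2025, 1, 1))

        # Between runs: one artifact edited, one deleted, one new artifact added.
        (root / "incidents/2025/INC-001.md").write_text("edited after the fact\n")
        (root / "monthly-access-reviews/2025/2025-01.md").unlink()
        (root / "vulnerabilities/2025").mkdir(parents=True)
        (root / "vulnerabilities/2025/VULN-007.md").write_text("constructed finding\n")

        # Day 2: read back yesterday's manifest and compare against a fresh hash pass.
        previous = json.loads(day1_path.read_text())
        return diff_manifests(previous, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Commit the manifest to the repository so git history, not the evidence files themselves, becomes the tamper-evident record; a non-empty "removed" or "modified" list on a scheduled run should open an issue for the owner rather than be overwritten by the next day's manifest.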

Process                      | Frequency                | System of Record                                        | Owner
-----------------------------|--------------------------|---------------------------------------------------------|------
Weekly security review       | Weekly (Monday)          | GitHub Issue + evidence/weekly-security-reviews         | CTO
Monthly access review        | Monthly (1st)            | GitHub Issue + evidence/monthly-access-reviews          | CISO
Vulnerability remediation    | Event-driven             | GitHub Issue + evidence/vulnerabilities                 | CTO
Incident response/postmortem | Event-driven             | GitHub Issues + evidence/incidents                      | CISO
Backup restoration test      | Quarterly                | GitHub Issue + evidence/restoration-tests/YYYY/QN       | CTO
Vendor review                | Quarterly/Annual by tier | guides/Vendor-Register.md + evidence/vendor-reviews     | CISO

Workflow                | Schedule (UTC)               | Systems
------------------------|------------------------------|-----------------------------------------------
evidence-collector.yml  | 06:20 daily                  | GitHub (API snapshots + SHA-256 manifests)
evidence-gcp.yml        | 06:30 daily                  | GCP Cloud Monitoring
evidence-cloudflare.yml | 06:40 daily                  | Cloudflare
evidence-crowdstrike.yml| 06:50 daily                  | CrowdStrike
evidence-google.yml     | 07:00 daily                  | Google Workspace
evidence-supabase.yml   | 07:10 daily                  | Supabase
evidence-external.yml   | 07:20 daily                  | Doppler, 1Password, Slack, Backblaze
system-verify.yml       | 05:00 nightly                | All systems
access-provision.yml    | On demand (workflow_dispatch) | All provisioning-covered systems

Workflows are staggered 10 minutes apart to prevent git push conflicts. Missing credentials produce SKIP results, not failures. All automations are part of the control design and must remain enabled.

Automation modes:

  • bootstrap — Configure SOC2-required settings (idempotent, dry-run supported)
  • verify — Check config against expected state (read-only)
  • evidence — Collect audit logs and snapshots to evidence/logs/

Linear is for strategic roadmap tracking only. Automated workflows (security-cadence.yml, access-provision.yml) handle operational cadence — weekly reviews, monthly access reviews, onboarding, and offboarding. Control execution records and evidence are GitHub-native.

Linear Project: SOC 2 Type II Implementation


Meridian Seven — Confidential