SS-SOC2-001C Posture Scorecard
Score SOC 2 posture under SKYE. Auto-fail gates, tier mapping, and export.
Score each domain 0–5. Mandatory domains determine the SKYE tier. Auto-fail gates override scoring. Values save to this device.
Summary (computed from the mandatory domain scores; defaults shown)
- Average (mandatory): 0.00
- Minimum (mandatory): 0
- Tier Level: 0
- Recommendation:
Domain Scores (0–5)
Mandatory
| Domain | Description | Score |
|---|---|---|
| SS-IAM | Identity & access control | |
| SS-CHG | Change management | |
| SS-OBS | Logging/monitoring/alerting | |
| SS-VULN | Vulnerability & patch management | |
| SS-IR | Incident response | |
| SS-DATA | Data protection & secrets | |
| SS-VEND | Vendor & third-party risk | |
Optional (score for completeness; tier does not change unless you enforce per system risk)
| Domain | Description | Score |
|---|---|---|
| SS-AVL | Availability & disaster recovery | |
| SS-CONF | Confidentiality | |
| SS-PI | Processing integrity | |
| SS-PRIV | Privacy | |
| SS-AI | AI add-on controls | |
Tier Mapping (SKYE)
- Level 0: Any mandatory domain scored 0–1 OR any auto-fail gate triggered.
- Level 1: Mandatory domains average ≥2, but evidence incomplete or inconsistent.
- Level 2: Mandatory domains average ≥3 AND no mandatory domain <3 AND no gates triggered.
- Level 3: Mandatory domains average ≥4 AND no mandatory domain <4 AND cadences current.
Auto-Fail Gates (Risk Flags)
If any gate is checked, the system cannot be Level 2+ until resolved or exception-approved.
- No MFA on privileged access
- No centralized audit logs for admin actions
- No incident response process
- No vulnerability scanning or remediation tracking
- Secrets committed or unmanaged secrets sprawl
- No access review within required cadence
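The tier mapping and the auto-fail gates above form one decision procedure: gates are evaluated first and override the scores, then the average and minimum over the mandatory domains pick the level. The Python below is an added example implementing that procedure and the page's summary/export fields; it is not the scorecard's own code. The `evidence_complete` and `cadences_current` booleans are assumptions (the page names both conditions but does not say how they are captured), and the sample scores are constructed, not real assessment data.

```python
"""Compute the SKYE tier for an SS-SOC2-001C posture scorecard (added example)."""
from dataclasses import dataclass, field

# Domain identifiers from the scorecard; only mandatory domains drive the tier.
MANDATORY = ("SS-IAM", "SS-CHG", "SS-OBS", "SS-VULN", "SS-IR", "SS-DATA", "SS-VEND")
OPTIONAL = ("SS-AVL", "SS-CONF", "SS-PI", "SS-PRIV", "SS-AI")

# Auto-fail gates as listed on the scorecard; any one of them forces Level 0.
GATES = (
    "No MFA on privileged access",
    "No centralized audit logs for admin actions",
    "No incident response process",
    "No vulnerability scanning or remediation tracking",
    "Secrets committed or unmanaged secrets sprawl",
    "No access review within required cadence",
)


@dataclass
class Scorecard:
    scores: dict                                   # domain id -> integer 0..5
    gates_triggered: list = field(default_factory=list)
    # Assumed inputs: the page mentions "evidence incomplete or inconsistent"
    # (Level 1) and "cadences current" (Level 3) but not how they are recorded.
    evidence_complete: bool = True
    cadences_current: bool = True


def validate(card: Scorecard) -> None:
    """Reject malformed input before any tier arithmetic happens."""
    missing = [d for d in MANDATORY if d not in card.scores]
    if missing:
        raise ValueError(f"missing mandatory domain scores: {missing}")
    for domain, score in card.scores.items():
        if domain not in MANDATORY + OPTIONAL:
            raise ValueError(f"unknown domain {domain!r}")
        if not isinstance(score, int) or not 0 <= score <= 5:
            raise ValueError(f"{domain}: score must be an integer 0-5, got {score!r}")
    unknown = [g for g in card.gates_triggered if g not in GATES]
    if unknown:
        raise ValueError(f"unknown gate(s): {unknown}")


def mandatory_stats(card: Scorecard) -> tuple:
    """Average and minimum over the mandatory domains (optional domains do not move the tier)."""
    vals = [card.scores[d] for d in MANDATORY]
    return sum(vals) / len(vals), min(vals)


def skye_tier(card: Scorecard) -> tuple:
    """Return (tier, reason), applying the mapping rules from highest to lowest.

    Gates are checked first because they override the scores entirely.
    """
    validate(card)
    avg, low = mandatory_stats(card)
    if card.gates_triggered:
        return 0, "auto-fail gate triggered: " + "; ".join(card.gates_triggered)
    if low <= 1:
        return 0, f"a mandatory domain is scored {low}"
    if avg >= 4 and low >= 4 and card.evidence_complete and card.cadences_current:
        return 3, "average >= 4, every mandatory domain >= 4, cadences current"
    if avg >= 3 and low >= 3 and card.evidence_complete:
        return 2, "average >= 3, every mandatory domain >= 3, no gates"
    if avg >= 2:
        return 1, "average >= 2 but evidence incomplete or a mandatory domain below 3"
    return 0, "average below 2"


def recommendation(card: Scorecard) -> str:
    """Name what blocks the next tier: open gates first, then the weakest mandatory domains."""
    tier, _ = skye_tier(card)
    if card.gates_triggered:
        return "Resolve or exception-approve the triggered gate(s) before any Level 2+ claim."
    if tier == 3:
        return "Maintain cadences; re-score on the next review cycle."
    target = {0: 2, 1: 3, 2: 4}[tier]       # minimum every mandatory domain needs next
    weakest = sorted(d for d in MANDATORY if card.scores[d] < target)
    if not weakest:
        if tier == 2 and not card.cadences_current:
            return "Bring required cadences current to reach Level 3."
        return "Complete and reconcile evidence for the mandatory domains."
    return f"Raise {', '.join(weakest)} to at least {target} to reach Level {tier + 1}."


def export(card: Scorecard) -> dict:
    """JSON-serialisable record mirroring the scorecard's summary fields."""
    avg, low = mandatory_stats(card)
    tier, reason = skye_tier(card)
    return {
        "scores": dict(card.scores),
        "gates_triggered": list(card.gates_triggered),
        "average_mandatory": round(avg, 2),
        "minimum_mandatory": low,
        "tier": tier,
        "tier_reason": reason,
        "recommendation": recommendation(card),
    }


# Constructed sample input, not real assessment data.
SAMPLE = Scorecard(scores={"SS-IAM": 4, "SS-CHG": 3, "SS-OBS": 4, "SS-VULN": 3,
                           "SS-IR": 4, "SS-DATA": 4, "SS-VEND": 3, "SS-AVL": 2})

if __name__ == "__main__":
    import json
    print(json.dumps(export(SAMPLE), indent=2))
```

With the sample scores the mandatory average is 3.57 and the minimum 3, so the result is Level 2 with a recommendation to raise SS-CHG, SS-VEND and SS-VULN to 4; adding a single gate, or dropping any mandatory score to 1, sends the same card to Level 0 regardless of the average.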
Top 10 Gaps
Fill these in so remediation is trackable and time-bound.