SOC 2 Managing Access to Information Assets (CC6.3)

Overview:
The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
Action Items:
1) Create an access control policy and related procedures that outlines required authentication parameters, password complexity, and other user access requirements. Publish this on the company intranet for employees to access and review.
2) Inspect the access request forms for a sample of employees hired during the review period to determine that user access requests are documented in the ticketing system and received managerial approval prior to access being granted for each employee sampled.
3) Inspect the termination checklists for a sample of employees terminated during the review period to determine that termination checklists are completed and access was revoked as a component of the employee termination process for each employee sampled.
4) Inspect the user account listings for the centrally managed access control systems to determine that predefined security groups are utilized to assign role-based access privileges and segregate access to data to the in-scope systems.
5) Inspect the administrator user access listings to determine that administrative access privileges to the centrally managed access control systems are restricted to user accounts accessible by authorized personnel.
6) Inspect the user access reviews for a sample of quarters to determine that user access reviews, including privileged users, are performed by management on a quarterly basis to ensure that access to data is restricted and authorized and that accounts identified as inappropriate are investigated and resolved.
Related Documents:
1) Access control policy
2) Access request forms for a sample of employees
3) Employee termination checklist
4) User account inventory
5) Administrative account inventory
6) Documented user access reviews

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:

1) Creates or Modifies Access to Protected Information Assets—Processes are in place to create or modify access to protected information assets based on authorization from the asset's owner.
2) Removes Access to Protected Information Assets—Processes are in place to remove access to protected information assets when an individual no longer requires access.
3) Uses Role-Based Access Controls—Role-based access control is utilized to support segregation of incompatible functions.