
SOC 2 Protecting Information Assets (CC6.1)

Overview:
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.


Action Items:
1) Create an access control policy and related procedures that outline the required authentication parameters, password complexity, and other user access requirements. Publish them on the company intranet for employees to access and review.
2) Create a user account listing (inventory) for all in-scope systems and associated security groups. This is often done using a centrally managed access control system, but not always. Regardless of the system used, it should be regularly updated, reviewed, and maintained.
3) Create an administrative access listing (inventory) of all administrative accounts for in-scope systems and associated security groups. These accounts represent users who have privileged access to sensitive systems and should be carefully monitored, ideally using automated mechanisms, and every such account should require approval. This is often done using a centrally managed access control system, but not always. Regardless of the system used, it should be regularly updated, reviewed, and maintained.
4) Create a network diagram of the environment that shows the production network is segmented from lower (non-production) environments.
5) Create an acceptable use policy and related procedures and publish them on the company intranet for employees to access and review.
6) Create an asset management policy and related procedures and publish them on the company intranet for employees to access and review.
7) Inspect the authentication parameters for the in-scope systems to determine that the in-scope systems are configured to authenticate users with a unique user account and enforce minimum password requirements or SSH public key authentication.
8) Inspect the user account listing for the centrally managed access control systems to determine that predefined security groups are utilized to assign role-based access privileges and segregate access to data to the in-scope systems.
9) Inspect the administrative access listing for the centrally managed access control systems to determine that administrative access privileges to the in-scope systems are restricted to user accounts accessible by authorized personnel.
10) Inspect the user access listings and the most recent user access review to determine that shared user accounts are prohibited on in-scope systems.
11) Inspect the environment to determine that the production network is segmented to ensure that confidential data is isolated from other unrelated networks.
12) Inspect the company policies to determine that information security and acceptable use policies are in place to guide personnel using information assets.
13) Inspect the listing of assets to determine that an inventory of information assets is maintained and updated as needed.
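Action items 7 through 10 are evidence checks that can be partly automated. The script below is an added example, not part of this checklist or any auditor's tooling: it runs the checks over a constructed account inventory and a constructed sshd_config excerpt. The inventory field names (account, owner, groups, admin, approved) are assumptions, not a SOC 2-mandated format.

```python
"""Automated evidence checks for CC6.1 action items 7-10 (added example)."""

# Constructed sample inventory (items 2 and 3): one row per account.
# Field names are assumptions; adapt them to the real access control export.
SAMPLE_INVENTORY = [
    {"account": "alice", "owner": "Alice Ng", "groups": ["engineering"], "admin": False, "approved": True},
    {"account": "bob", "owner": "Bob Lee", "groups": ["ops", "sudo"], "admin": True, "approved": True},
    {"account": "deploy", "owner": "", "groups": ["sudo"], "admin": True, "approved": False},
    {"account": "support-shared", "owner": "Team Support", "groups": ["support"], "admin": False, "approved": True},
]

# Constructed sshd_config excerpt (item 7): password logins are still allowed.
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt (constructed sample)
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""


def find_shared_accounts(inventory):
    """Item 10: accounts with no single named owner (team-owned or unowned)."""
    shared = []
    for row in inventory:
        owner = row["owner"].strip()
        if not owner or owner.lower().startswith("team ") or "shared" in row["account"]:
            shared.append(row["account"])
    return shared


def find_unapproved_admins(inventory):
    """Item 9: administrative accounts without a recorded approval."""
    return [r["account"] for r in inventory if r["admin"] and not r["approved"]]


def find_group_gaps(inventory):
    """Item 8: accounts not assigned to any predefined security group."""
    return [r["account"] for r in inventory if not r["groups"]]


def sshd_findings(config_text):
    """Item 7: flag sshd settings that weaken unique-account or key-based authentication."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    findings = []
    if settings.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is a shared account, not a unique user")
    if settings.get("passwordauthentication", "yes") == "yes":  # sshd default is yes
        findings.append("PasswordAuthentication yes: prefer public keys or enforce the password policy")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication disabled")
    return findings
```

Each function returns the list of exceptions to attach to the user access review; an empty list is the passing result for that action item.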


Related Documents:
1) Access control policy
2) User account inventory
3) Administrative account inventory
4) Network diagram
5) Acceptable use policy
6) Authentication parameters, settings, and configurations for in-scope systems
7) Documented user access reviews
8) Asset Management Policy

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Identifies and Manages the Inventory of Information Assets—The entity identifies, inventories, classifies, and manages information assets.
2) Restricts Logical Access—Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
3) Identifies and Authenticates Users—Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
4) Considers Network Segmentation—Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
5) Manages Points of Access—Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
6) Restricts Access to Information Assets—Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.
7) Manages Identification and Authentication—Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software.
8) Manages Credentials for Infrastructure and Software—New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
9) Uses Encryption to Protect Data—The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk.
10) Protects Encryption Keys—Processes are in place to protect encryption keys during generation, storage, use, and destruction.