SOC 2 Restricting Physical Access (CC6.4)

Overview:
The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.


Action Items:
1) Create a Physical and Environmental Security Policy and publish on the company intranet for employees to access and review.
2) Create an inventory list of all physical facilities. This list should include, at a minimum, facility location attributes, purpose/overview, key contacts, etc.
3) Create a list of the personnel who have access to each facility, including the level of access granted (for example, office, data center floor, backup media storage) and who authorized it.
4) Inspect the security controls that are applied to the facilities and information assets (badge readers, locks, visitor logs, cameras, media storage controls) for completeness and control effectiveness.
5) Inspect a sample of users who have access to facilities, determine why each user has access (job responsibility and approving asset owner), and confirm whether that access is still required. Access that cannot be justified should be removed and the removal documented.


Related Documents:
1) Physical and environmental security policy
2) Inventory list of all physical facilities
3) Inventory list of personnel that have access to facilities

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Creates or Modifies Physical Access—Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner.
2) Removes Physical Access—Processes are in place to remove access to physical resources when an individual no longer requires access.
3) Reviews Physical Access—Processes are in place to periodically review physical access to ensure consistency with job responsibilities.
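The three points of focus above (create/modify, remove, review) are what an auditor will sample against. The script below is an added example, not part of the original page or of any SOC 2 publication: it performs the periodic physical access review (point 3) by reconciling a badge-system export against the HR roster and the per-facility authorizations set by each asset owner, and flags access that should have been removed (point 2) or was never authorized (point 1). All facility names, roles, users and dates are constructed sample data, and the badge export format (facility, badge holder, last badge use) is an assumption rather than any particular vendor's export.

```python
"""Periodic physical access review (SOC 2 CC6.4).

Added example: reconciles a badge-system export against the HR roster and
asset-owner authorizations. All inputs below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    facility: str
    badge_holder: str
    action: str   # "revoke" (remove access) or "confirm" (reviewer must justify)
    issue: str


# Constructed HR roster: user -> (employment status, job role)
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("active", "datacenter-ops"),
    "bob": ("terminated", "datacenter-ops"),
    "carol": ("active", "sales"),
    "dave": ("active", "facilities"),
}

# Constructed facility inventory with the roles each asset owner has authorized.
# A facility absent from this map is not in the inventory at all.
FACILITY_AUTHORIZATIONS: Dict[str, Set[str]] = {
    "DC-East": {"datacenter-ops", "facilities"},
    "Backup-Vault": {"datacenter-ops"},
    "HQ-Office": {"datacenter-ops", "facilities", "engineering", "sales"},
}

# Constructed badge-system export: (facility, badge holder, last badge use or None)
BADGE_EXPORT: List[Tuple[str, str, Optional[date]]] = [
    ("DC-East", "alice", date(2024, 5, 20)),
    ("DC-East", "bob", date(2024, 3, 1)),       # terminated, access never removed
    ("DC-East", "carol", date(2024, 5, 18)),    # sales role not authorized for DC
    ("Backup-Vault", "dave", None),             # wrong role and never used
    ("HQ-Office", "carol", date(2024, 5, 21)),  # legitimate
    ("Old-Annex", "alice", date(2024, 1, 5)),   # facility missing from inventory
    ("HQ-Office", "erin", date(2024, 5, 21)),   # badge holder unknown to HR
]

REVIEW_DATE = date(2024, 6, 1)


def review_physical_access(
    badge_export: List[Tuple[str, str, Optional[date]]],
    hr_roster: Dict[str, Tuple[str, str]],
    authorizations: Dict[str, Set[str]],
    today: date,
    stale_days: int = 90,
) -> List[Finding]:
    """Return one Finding per control exception found in the badge export."""
    findings: List[Finding] = []
    for facility, user, last_used in badge_export:
        if facility not in authorizations:
            findings.append(Finding(facility, user, "revoke",
                                    "facility missing from facility inventory"))
            continue
        record = hr_roster.get(user)
        if record is None:
            findings.append(Finding(facility, user, "revoke",
                                    "badge holder not in HR roster"))
            continue
        status, role = record
        if status != "active":
            # Point of focus 2: access must be removed when no longer required.
            findings.append(Finding(facility, user, "revoke",
                                    f"access not removed: HR status is {status}"))
            continue
        if role not in authorizations[facility]:
            # Point of focus 1: access must trace to an asset-owner authorization.
            findings.append(Finding(facility, user, "revoke",
                                    f"role '{role}' not authorized by asset owner"))
        if last_used is None or (today - last_used).days > stale_days:
            # Point of focus 3: unused access needs a documented justification.
            findings.append(Finding(facility, user, "confirm",
                                    f"no badge use in {stale_days} days; confirm still required"))
    return findings


def revocation_list(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Distinct (facility, badge holder) pairs whose access should be removed."""
    return sorted({(f.facility, f.badge_holder) for f in findings if f.action == "revoke"})


if __name__ == "__main__":
    results = review_physical_access(BADGE_EXPORT, HR_ROSTER,
                                     FACILITY_AUTHORIZATIONS, REVIEW_DATE)
    for f in results:
        print(f"{f.action:8} {f.facility:13} {f.badge_holder:7} {f.issue}")
    print("revoke:", revocation_list(results))
```

Keep the export, the roster snapshot and the resulting findings together with the sign-off as the review evidence; the auditor will want to see that each "revoke" finding led to a ticketed removal and each "confirm" finding carries a written justification from the asset owner.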