SOC 2 User Registration and Authorization (CC6.2)
Overview:
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
Action Items:
1) Create a termination checklist for employees that clearly outlines termination procedures and how to revoke access to systems in the process.
2) Create an access control policy and related procedures that outline required authentication parameters, password complexity, and other user access requirements. Publish them on the company intranet so employees can access and review them.
3) Inspect the access request forms for a sample of employees hired during the review period to determine that user access requests are documented in the ticketing system and received managerial approval prior to access being granted for each employee sampled.
4) Inspect the termination checklists for a sample of employees terminated during the review period to determine that termination checklists are completed and access was revoked as a component of the employee termination process for each employee sampled.
5) Inspect the user access reviews for a sample of quarters during the review period to determine that management performs user access reviews, including reviews of privileged users, on a quarterly basis; that these reviews confirm access to data is restricted and authorized; and that accounts identified as inappropriate are investigated and resolved.
Related Documents:
1) Employee termination checklist
2) Access request forms for a sample of employees
3) Documented user access reviews
4) Access control policy
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Controls Access Credentials to Protected Assets—Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian.
2) Removes Access to Protected Assets When Appropriate—Processes are in place to remove credential access when an individual no longer requires such access.
3) Reviews Appropriateness of Access Credentials—The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.