SOC 2 Controls: Regular User Access Reviews
Controls are the procedures your business uses to drive operations and meet the requirements of SOC 2. Policies are closely related to controls and, when applied consistently, help mitigate risk. This post is part of an ongoing series of posts focusing on specific SOC 2 controls.
What this control does: This SOC 2 control requires that your company regularly reviews who has access to critical IT infrastructure, records those reviews, and takes the steps needed to resolve any access issues a review uncovers.
There are many ways to word such a check, and you should work with your auditor to find the exact wording for your business. Control wording should be precise, concise and authoritative.
Example of wording:
User access to the system is reviewed quarterly and a log of these reviews is maintained.
Consider a company using AWS and GitHub. It keeps records, period after period, of who holds an account in each system and of who is an employee, and in which role, over the same period. New hires should have AWS and GitHub permissions added in a timely manner when their position calls for them, and departing employees should have their access revoked promptly. The company also has an access management policy, which an auditor will use to verify that users are added and removed as the policy describes. The company should be able to show that it verified who held an account in AWS and GitHub and when each account was created or removed. If an employee was granted the wrong access, documentation is needed to show that the issue was identified and handled appropriately.
Who it affects: Those in IT responsible for access management and those in human resources (HR), human capital management (HCM) or equivalent roles.
Why is this important: People come and go in every business. If you don’t regularly check who has access to what, you risk leaving accounts active that their authorized users no longer need or use. Such accounts give attackers a way into your systems. Once inside, they could read data they shouldn’t or cause disruptions ranging from data theft to infecting your environment with ransomware or other malware.
Regular user access reviews also address three specific SOC 2 common criteria: logical access security (CC6.1), user system credentials (CC6.2), and role-based access (CC6.3). The control is also one of several SOC 2 controls that limit the risk of unauthorized access via credentials that should have been changed or disabled but are still valid. The following are examples of events that can create such risks.
- A change in an employee’s role, responsibilities or status (such as a change from full-time to part-time).
- A consultant or other user joins the organization outside of normal processes.
- A change in the services available is not taken into account in the access management procedures.
How to implement this control
To comply with this control, you should regularly review who has access to which systems and whether that access is still appropriate. Perform user access reviews at least once a year; Trustero recommends quarterly reviews for greater risk reduction.
Combining a central identity and access management (IAM) solution with federated identity, which consolidates the management of authorized user identities across multiple systems, makes it easier to capture and review user access. At Trustero, we use Google Workspace for both tasks. If yours is a large enterprise, you may already be using an IAM solution such as Microsoft Active Directory and a federated identity management system such as Okta. If you are not using such systems, work with your auditor to decide which systems require regular user access reviews, as you will likely need to provide evidence for each platform.
Once you have effective solutions for capturing user access rights and changes to them, you need reliable tools and processes to record and store the reviews of that access information. Your chosen IAM or federated identity management solution may have adequate functionality to generate and save the review logs. If not, one or both may be able to feed the relevant data to a separate reporting tool. Confirm with your auditor that the tools you use produce the information they need, in the formats they need.
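The reconciliation that the AWS/GitHub illustration and the steps above describe (export each system's account list, compare it with the HR roster, record the findings) can be scripted. The block below is an added example, not Trustero's tooling or any vendor's API; every record in it is constructed, the input shapes only loosely resemble `aws iam list-users` and the GitHub org-members endpoint, and `IDENTITY_MAP`, `ROLE_REQUIREMENTS` and `SERVICE_ACCOUNTS` are hypothetical inputs a team would maintain itself. It generalizes beyond the two systems in the text: any system whose accounts can be exported as a list can be added to the `systems` dictionary.

```python
"""Access-review reconciliation: compare per-system account lists against the HR roster.

Added example, not Trustero's code. All data below is constructed; the export
shapes are approximations, and the mapping tables are hypothetical inputs.
"""
from datetime import date

# --- Constructed sample inputs (not real exports) ---------------------------
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "role": "engineer"},
    {"email": "bob@example.com", "status": "terminated", "role": "engineer"},
    {"email": "carol@example.com", "status": "active", "role": "sales"},
    {"email": "dave@example.com", "status": "active", "role": "engineer"},
]
AWS_USERS = [  # shape loosely follows `aws iam list-users`
    {"UserName": "alice", "CreateDate": "2023-01-10T00:00:00Z"},
    {"UserName": "bob", "CreateDate": "2023-02-01T00:00:00Z"},
    {"UserName": "carol", "CreateDate": "2023-05-01T00:00:00Z"},
    {"UserName": "svc-backup", "CreateDate": "2022-11-01T00:00:00Z"},
]
GITHUB_MEMBERS = [  # shape loosely follows the GitHub org members endpoint
    {"login": "alice"}, {"login": "bob"}, {"login": "contractor-x"},
]
# Hypothetical entitlement matrix: which systems each role is entitled to.
ROLE_REQUIREMENTS = {"engineer": {"aws", "github"}, "sales": set()}
# Hypothetical account-name -> HR e-mail mapping; in practice taken from the IdP/SSO.
IDENTITY_MAP = {name: f"{name}@example.com" for name in ("alice", "bob", "carol", "dave")}
# Documented non-human accounts; still listed so the reviewer confirms an owner.
SERVICE_ACCOUNTS = {"svc-backup"}
ACTIONABLE = {"orphan", "terminated", "excess", "missing"}


def reconcile(roster, systems, identity_map, role_requirements, service_accounts):
    """Return sorted (system, account, finding, detail) tuples.

    systems maps a system name to the list of account names exported from it.
    """
    by_email = {p["email"]: p for p in roster}
    seen = {}  # e-mail -> set of systems where that person holds an account
    findings = []
    # Pass 1: every account in every system must map to an active, entitled person.
    for system, accounts in systems.items():
        for acct in accounts:
            if acct in service_accounts:
                findings.append((system, acct, "exception", "service account; confirm documented owner"))
                continue
            person = by_email.get(identity_map.get(acct))
            if person is None:
                findings.append((system, acct, "orphan", "no matching HR record"))
                continue
            seen.setdefault(person["email"], set()).add(system)
            if person["status"] != "active":
                findings.append((system, acct, "terminated", f"HR status is {person['status']}"))
            elif system not in role_requirements.get(person["role"], set()):
                findings.append((system, acct, "excess", f"role {person['role']} does not require {system}"))
    # Pass 2: every active person must hold the access their role requires.
    for person in roster:
        if person["status"] != "active":
            continue
        required = role_requirements.get(person["role"], set())
        for system in sorted(required - seen.get(person["email"], set())):
            findings.append((system, person["email"], "missing", f"role {person['role']} requires {system}"))
    return sorted(findings)


def review_record(findings, systems_reviewed, reviewer, review_date):
    """Evidence entry for the review log: who reviewed what, when, and what was found."""
    actionable = [f for f in findings if f[2] in ACTIONABLE]
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "systems": sorted(systems_reviewed),
        "finding_count": len(findings),
        "actionable_count": len(actionable),
        "status": "open" if actionable else "closed",  # close once every item is remediated and recorded
        "findings": [dict(zip(("system", "account", "finding", "detail"), f)) for f in findings],
    }


def run_review(reviewer="security@example.com", review_date=None):
    """Wire the constructed exports into one review record."""
    systems = {
        "aws": [u["UserName"] for u in AWS_USERS],
        "github": [m["login"] for m in GITHUB_MEMBERS],
    }
    findings = reconcile(HR_ROSTER, systems, IDENTITY_MAP, ROLE_REQUIREMENTS, SERVICE_ACCOUNTS)
    return review_record(findings, systems, reviewer, review_date or date.today().isoformat())


if __name__ == "__main__":
    record = run_review()
    print(f"{record['review_date']} by {record['reviewer']}: {record['actionable_count']} actionable finding(s)")
    for f in record["findings"]:
        print(f"  [{f['finding']:10}] {f['system']}:{f['account']} - {f['detail']}")
```

On the constructed data this yields seven findings: the terminated user still present in both systems, an orphan GitHub member with no HR record, a sales employee holding AWS access her role does not require, an engineer missing both systems, and the service account flagged for owner confirmation. The returned record is the artifact to keep as review evidence; the review stays "open" until each actionable finding is remediated and that remediation is recorded alongside it.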
SOC 2 also requires a supporting access management policy, which you can develop with colleagues from HR or another department. The policy should contain enforcement mechanisms, such as penalties for non-compliance. It should also be shared with all current users and kept updated as things change.
These elements will help you conduct your user access reviews consistently and efficiently. They will also strengthen your overall access management, which improves your security posture and helps you achieve and maintain ongoing SOC 2 compliance.
How Trustero can help you
Trustero Compliance as a Service includes several features to help you implement the regular user access review control and demonstrate compliance with its requirements to your auditor in a credible, on-demand manner. The solution’s user interface brings together the control’s description, related information, its current status, and the ability to test its compliance on a single screen, in simple, clear language.
*** This is a syndicated blog from Resources Archive’s Security Bloggers Network | Trustero written by Bo Adler. Read the original post at: https://trustero.com/resources/soc-2-controls-regular-user-access-reviews/