SOC 2 Academy: Access Controls for Remote Employees

by Joseph Kirkpatrick / February 22nd, 2019

Common Criteria 6.7

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.7. Common criteria 6.7 says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” While we’ve discussed ways that organizations can comply with this requirement, let’s take a look at how an organization’s environment can change the way they approach compliance with common criteria 6.7.

What are Best Practices for Implementing Access Controls for Remote Employees?

Complying with common criteria 6.7 means different things for different organizations depending on their environment. For instance, if your employees work in an office building, then implementing and maintaining procedures for transmitting, moving, and removing data might be easier because of the lack of removable media in use. However, because so many organizations are opting to hire remote employees, implementing procedures for transmitting, moving, and removing data can be more difficult, which is why we suggest that organizations implement access controls for remote employees, along with these five best practices:

  1. Use security awareness training
  2. Establish thorough usage policies
  3. Create effective password and encryption policies
  4. Monitor Internet connections
  5. Ensure devices and applications are updated

Hiring remote employees has many benefits, but it also creates additional threats that must be accounted for. When an organization pursues SOC 2 compliance, it’s critical that they mitigate these risks by using access controls for remote employees, in addition to the best practices listed above. Doing so allows organizations to safeguard their business from potential breaches, demonstrates to clients that their data is protected, and provides peace of mind that the procedures for transmitting, moving, and removing sensitive information remotely are in place.

If you’re unsure if you’ve implemented access controls for remote employees, consider the following scenario. Let’s say that your remote employee leaves their laptop containing sensitive information in their rental car and is unable to recover the device. Do you have a GPS tracker on the device to locate it? Do you have the ability to wipe the device remotely? Are you able to restrict access to the device? It’s far too common for a situation like this to occur, which is why it’s necessary for SOC 2 compliance that organizations implement access controls for remote employees and their mobile devices.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

 Common criteria 6.7 in the SOC 2 framework is an excellent example of how the criteria change depending on the environment we’re talking about. If we’re talking about a system that’s in a data center where there are production servers or virtual servers and there’s not a lot of removable media or mobile devices in and out of that environment, then common criteria 6.7 wouldn’t cause you to put a lot of controls in place to manage laptops. However, if you’re in an environment where people do work remotely, or they do carry around laptops, smartphones, or tablets, then common criteria 6.7 takes on a whole other meaning, because you have to think about ways to restrict the movement of those devices that may have critical information on them, or at least they have the ability to access critical information through the technologies that you have installed on those devices. If you are a company that has a situation like this, you’ll hear your auditor ask more questions about how you control mobile devices. Do you have an inventory of all of the devices that you allow into your environment, so that if something does go missing, you can do a regular audit and you can check regularly to make sure that everything is accounted for and nothing has been taken out. You’ll hear your auditor ask questions like: Do you have methods to do remote wiping of these remote devices? Do you use GPS tracking so you can figure out where the device went? Do you have those kinds of controls remotely so that you can enforce policies out to those devices that are in the field, so that if you want to restrict access to them, you could? Again, this goes back to assessing risk and understanding what your environment looks like and how common criteria 6.7 would apply to your specific circumstance.