SOC 2 Academy: Additional Points of Focus for Logical Access
Common Criteria 6.1
While not requirements, points of focus are meant to serve as references to assist organizations when they are designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. When it comes to implementing logical access controls, there are some additional points of focus that will help organizations ensure that their information security systems remain secure. Let’s take a look at how these additional points of focus will help service organizations comply with common criteria 6.1 during a SOC 2 audit.
Managing Users with Logical Access Controls
During a SOC 2 audit, in order to ensure that unauthorized users don’t have access to an organization’s sensitive assets, logical access controls must be implemented and monitored. For example, let’s say that an organization is onboarding a new entry-level administrative assistant. What resources would that position require? Would they need to access information that the IT administrator has access to? Probably not. But what if there was an oversight or ineffective controls were in place that allowed the new hire to gain access to sensitive information? There could be a serious damages to the organization’s business continuity, finances, and reputation.
Because employees are the weakest link of every organization, the proper measures must be taken to mitigate the risks associated with human error prior to engaging in a SOC 2 audit. When implementing logical access controls to comply with common criteria 6.1, organizations should consider following these best practices:
- Role-based access: This might also be referred to as least access necessary, business need to know, or least privilege. This means that organizations only give their employees the minimum access needed to fulfill their job duties. For instance, a CISO would need more access to an organization’s sensitive information than an administrative assistant. By implementing role-based access, organizations can ensure that only the employees with a legitimate need to access resources and environments have the ability to do so.
- Username and password management: How does your organization manage usernames and passwords? When a new hire is onboarded, do they receive universal log-in credentials? When do passwords need to be reset? What processes are in place to revoke usernames and passwords if an employee is terminated or quits? To ensure that logical access controls are working efficiently, having a system for username and password management is critical.
- Log monitoring: Implementing logical access controls is only half the battle. Organizations must also perform their due diligence and monitor the activity on their system to ensure that the logical access controls are working as intended. For example, an organization might implement role-based access, but a malicious employee might still attempt to access sensitive information. If something like this occurs, organizations need to have monitoring processes, such as logs, in place to monitor who it is that’s attempting to access that information so that they can mitigate the issue.
Ultimately, common criteria 6.1 aims to ensure that service organizations meet their business objectives by protecting their sensitive assets from malicious internal and external threats. If your organization is beginning your SOC 2 journey, what logical access controls do you currently have in place?
More SOC 2 Resources
Understanding Your SOC 2 Report
SOC 2 Compliance Handbook: The 5 Trust Services Criteria
Some additional points of focus to consider for logical access controls have to do with managing your users and also monitoring the type of activity that’s going on in the system. I’ll start with the users first. You have to be really diligent in making sure that users are given access to resources that they need to have access to. You can do this by implementing role-based access rules to make sure that an employee doesn’t have a username and password to a system or environment that they really don’t have a reason to access anyway. It’s a way to pare down and strengthen your controls in that area. You should be diligent about removing access when your employee leaves your organization or when a third party, who maybe had a reason at one time to access a system to provide maintenance or other types of services but are no longer active, removing them from that. This is so that the level of risk is no longer there after you’ve removed that particular user from the system. You also have to monitor the activity on your system. You’ve put these password rules in place to be enforced, and to make sure that people don’t have access to things that they shouldn’t, but then monitoring who it is that’s attempting to access the network or other things like that. I remember one time when I was looking at an SFTP server with a client and there were these logs where over and over again an unauthorized user was just attempting to log in with incorrect credentials. They hadn’t noticed that before because they didn’t monitor that particular log, so having some visibility into the logical access controls that you’ve put into place so that you can take action when you notice that the control that you have is working but someone is trying to circumvent it by using different usernames and passwords. Being able to monitor that in addition to having the protection in place would be a very important aspect to that control.