Common Criteria 6.1
When a service organization undergoes a SOC 2 audit, the auditor will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common Criteria 6.1 says, “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” What will an auditor look for when assessing this criterion? Let’s discuss why organizations should implement protections through logical access controls.
Using Logical Access Controls
What would be the impact to an organization if an unauthorized, malicious user gained access to its network? There would likely be financial, operational, and reputational damage for the organization to face, and its clients’ sensitive information would be put at greater risk. This is why, during a SOC 2 audit, an auditor will verify that the organization has created, implemented, and maintained logical access controls over its network environments. When implementing these protections through logical access controls, organizations must think broadly about what their assets are and how each one could impact the organization. In other words, relying on just a few logical access controls, such as Active Directory, password policies, or encryption, goes only so far in protecting an organization and its clients’ data. Organizations must instead consider the risks that any and all information assets pose to the business and implement logical access controls accordingly. So, how can organizations comply with this criterion during their SOC 2 audit?
Complying with Common Criteria 6.1
When assessing an organization’s compliance with common criteria 6.1, an auditor will want to see that the organization has established protections through logical access controls by doing the following:
- Creating an inventory of all information assets
- Restricting logical access to all information assets
- Identifying and authenticating users
- Managing points of access
- Restricting access to information assets
- Managing identification and authentication
- Managing credentials for infrastructure software
- Using encryption to protect data
- Protecting encryption keys
More SOC 2 Resources
SOC 2 Common Criteria 6.1 requires that you put in place logical access security software, infrastructure, and architecture to protect your critical access devices and make sure they are protected against security events. This is a big requirement, so we’ll talk through a few things you might consider. A lot of emphasis tends to be placed on the network. Take Active Directory, for example. Organizations might say that they have implemented Active Directory so that they can manage all of their users, enforce a password policy, and feel confident about who is logging in and who is being prevented from logging into their network. But you really need to perform an inventory of your assets to understand where everything is, because during an audit we often find that the access controls on network devices that aren’t managed through Active Directory have been overlooked. For example, an organization might still be using the same username and password on a firewall that has never been changed since the day it was bought. So you need to think more broadly about what your assets are and what it is you’re trying to protect, and make sure that you’ve implemented logical access controls to protect them from unauthorized access.
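The gap the paragraph above describes (devices outside Active Directory sitting on never-changed vendor credentials, and assets missing from the inventory altogether) is something a control owner can check mechanically before the auditor does. The following script is an added example, not code from the original article or from any audit firm; it assumes a hypothetical asset register with the fields shown and a constructed list of hosts observed on the network, and it reports the CC6.1-relevant gaps: hosts not in the inventory, locally managed credentials that were never rotated or are older than a stated maximum age, and protected data stored without encryption at rest.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed asset-register record. Real registers will carry more fields;
# these are the ones the CC6.1 checks below need.
@dataclass
class Asset:
    name: str
    kind: str                            # "server", "firewall", "nas", ...
    auth_source: str                     # "ad" = Active Directory managed, "local" = device-local account
    credential_rotated: Optional[date]   # None = still on the initial/vendor-shipped credential
    holds_protected_data: bool           # asset stores data the entity has classified as protected
    encrypted_at_rest: bool

# Assumption for this example: locally managed credentials must be rotated at least yearly.
MAX_CREDENTIAL_AGE_DAYS = 365

# Finding texts, kept as constants so a report consumer can match on them.
NOT_IN_INVENTORY = "not in asset inventory"
NEVER_ROTATED = "local credential never rotated (likely vendor default)"
STALE_CREDENTIAL = "local credential older than %d days" % MAX_CREDENTIAL_AGE_DAYS
UNENCRYPTED = "protected data not encrypted at rest"


def find_cc61_gaps(inventory, observed_hosts, today):
    """Return (asset_name, finding) tuples for the CC6.1 gaps this example checks."""
    findings = []

    # 1. Inventory completeness: anything seen on the network but absent from the register.
    known = {a.name for a in inventory}
    for host in sorted(observed_hosts - known):
        findings.append((host, NOT_IN_INVENTORY))

    for a in inventory:
        # 2. Credential management for assets not covered by the central directory.
        if a.auth_source == "local":
            if a.credential_rotated is None:
                findings.append((a.name, NEVER_ROTATED))
            elif (today - a.credential_rotated).days > MAX_CREDENTIAL_AGE_DAYS:
                findings.append((a.name, STALE_CREDENTIAL))
        # 3. Encryption of protected data, regardless of how the asset is managed.
        if a.holds_protected_data and not a.encrypted_at_rest:
            findings.append((a.name, UNENCRYPTED))
    return findings


# Constructed sample data: four registered assets and five hosts seen on the network.
SAMPLE_INVENTORY = [
    Asset("web01", "server", "ad", None, False, True),
    Asset("fw-edge", "firewall", "local", None, False, True),
    Asset("db01", "database", "ad", None, True, True),
    Asset("backup-nas", "nas", "local", date(2022, 1, 10), True, False),
]
SAMPLE_OBSERVED_HOSTS = {"web01", "fw-edge", "db01", "backup-nas", "printer-3f"}
AS_OF = date(2024, 6, 1)


def report(inventory=SAMPLE_INVENTORY, observed=SAMPLE_OBSERVED_HOSTS, today=AS_OF):
    """Run the checks against the sample data and return the findings."""
    return find_cc61_gaps(inventory, observed, today)


if __name__ == "__main__":
    for name, finding in report():
        print(f"{name}: {finding}")
```

Note that the AD-managed assets produce no credential findings: the point of the check is to surface the devices the directory does not cover, which is exactly where the article says auditors find unchanged default passwords. The inventory check is deliberately separate, since a device you do not know about cannot have its access controls assessed at all.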