SOC 2 Academy: Registering Internal and External Users

by Joseph Kirkpatrick / February 1st, 2019

Common Criteria 6.2

When a service organization undergoes a SOC 2 audit, auditors will validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.2 says, “Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.” What will an auditor look for when assessing how organizations go about registering internal and external users? Let’s discuss.

Registering Internal and External Users for SOC 2 Compliance

When entities hire new employees or enter into new business partnerships, they need to have processes in place for registering internal and external users. For example, an organization’s human resources manager might notify the IT administrator via memo that a new employee has been hired and that they need user credentials and access to limited network resources. This would be a clear and efficient process for alerting the IT administrator that they are authorized to create new access credentials for the employee but only for limited resources.

Complying with Common Criteria 6.2

During a SOC 2 audit, an assessor will verify that the organization has such processes in place for registering internal and external users, but they will also verify that the organization has process in place for removing access for internal users when an employee quits or is terminated, or an external user no longer needs access to the network resources to fulfill their job. Having such processes in place limits the risk of unauthorized access and supports an organization’s ability to keep their assets secure. When pursuing SOC 2 compliance, use the following questions to ensure that you comply with common criteria 6.2:

  • Do you control access credentials to protected assets?
  • Do you remove access to protect assets when appropriate?
  • Do you review appropriateness of access credentials on a regular basis?

More SOC 2 Resources

SOC 2 common criteria 6.2 requires that you have a registration process for internal and external users when they are requesting access to a particular system and that you have a process for removing those users when access is no longer required. Let’s talk about internal users first. If a new employee comes on board, you need to have a process for issuing them their first-time credentials. You might use a random password generator to set their first password. You might require them to change that password upon their first log in to the system. However, prior to any of that happening, the really critical piece to this criterion is that you have a way to identify them and register them, so that the IT administrator doesn’t simply provide them access. It needs to be approved. Maybe a form comes through from HR or maybe some type of approval is emailed from the hiring supervisor that instructs the IT administrator to provide access to certain system resources for the new employee. That’s an example of how you would go about registering an internal user. On the other hand, an external user might be a client. Perhaps your company provides a software-as-a-service or it’s a hosted platform. How is it that you allow people to gain access to your service? How do they register? How do they identify themselves? Do you have some kind of independent mechanism of verifying who they say they are before you provide them access? Finally, how do you remove access when it’s no longer required? Let’s talk about a vendor. If approval has come in saying that a vendor should have access to your network in order to provide their services, but then the contract expires or the project is over, is there a mechanism to make sure that the IT administrator knows to remove access for that person? This should also apply to employees when they’re leaving or any other type of business partner that may have had a need to access the environment at one time but now needs to be removed from the system.