Controls are the foundations of your SOC 2 compliance efforts. They define how your business executes its policies, drive operations and meet SOC 2 compliance requirements. When policies and controls are tightly aligned and enforced consistently, they help to mitigate risk and increase trustworthiness and agility for your business. This post is part of a continuing series of posts focused on specific SOC 2 controls.
What This Control Is For: This control is about making sure only authorized users have access to your system and anyone no longer in your organization is out of your system too.
Who Is Responsible for This Control: This control is typically owned by IT or human resources (HR).
What this Control Does: This SOC 2 control ensures removal of access rights for users who have been terminated or even just transferred to different roles that don’t involve the same access rights. Critically, this control should specify how quickly access is removed. You’ll need to pick a time period, such as one day, that is realistic for your company and sufficient for your auditor to feel that you’re complying with SOC 2 principles.
Most auditors agree that this control usefully addresses four specific SOC 2 Criteria:
- Logical Access Security (CC6.1);
- User System Credentials (CC6.2);
- Role-Based Access (CC6.3); and
- Secure Device Disposal (CC6.5).
Why It Matters: In November 2021, an employee of the South Georgia Medical Center quit, then downloaded and leaked private patient information the next day. The Center had to provide patients with free credit monitoring and identity restoration services. This scenario represents a very real risk to most businesses. When users are terminated or transferred, but their access is left in place, that access becomes a possible entry point for malfeasance. For example, the disgruntled user could steal data, disrupt systems, or sell their credentials to criminals. This control helps to mitigate the risks associated with unauthorized access.
Example Wording: There are different ways to write this control. Look for the similarities and differences in the examples below. Then work with your auditor to determine the best exact wording for your organization.
- Systems access that is no longer required for terminated or transferred users is removed within one business day.
- For terminated employees, access to key IT systems is revoked in a timely manner.
- A termination checklist and ticket are completed, and access is revoked for employees as a component of the employee termination process.
- Upon termination during the exit interview process, access to production systems, tools, and network access is removed in accordance with access control policies.
- User access to Company systems is revoked within 24 hours of the employee record being terminated (deactivated) in the HR System by Human Resources.
How to Implement This Control
Users should only have access to systems they need, and only for as long as they need that access. When someone is terminated, all access should be removed. When someone is transferred, their old boss should remove access, and the new boss should add access.
You’ll need to set up online infrastructure for this and prove that you’re following through.
There are many products available to help you with this and related account and identity issues. An identity access and management (IAM) solution or federated identity (“single sign-on” or “SSO”) platform lets you activate and deactivate users centrally. Otherwise you may need to deactivate users on each specific platform to which they had access. That can be hard to track!
At Trustero, for example, we use Google Workspace. New employee? Add them here. Employee gone? Deactivate their Google account. Any platform where the employee doesn’t use Google Workspace for their login requires extra attention. Okta and Microsoft Active Directory are also popular solutions.
Whatever tools you choose, implementing this control effectively and consistently requires accurate, comprehensive, and timely knowledge about each user’s authorized access. Compliance also requires accurate and timely information about each user’s status as an employee, especially when that status changes. Access and HR managers must also ensure they share the information they need without infringing on any user’s privacy or lessening the protection of their personally identifiable information (PII).
You must ensure your IT and HR managers have clear and effective lines of communication and collaboration. You also need to ensure that IT has accurate and up-to-date information about all authorized users, their access rights, and their devices. Real-time monitoring of access attempts across your network is also essential to confirm the timely termination of removed access rights and flag unauthorized access attempts.
You will also need clear, documented, and enforced policies that spell out the circumstances under which access rights are terminated or changed. These should be incorporated into onboarding content, and employee manuals provided by your HR team should be reviewed regularly and updated whenever there are changes in your IT access methods or relevant employment-related policies, procedures, or processes.
To satisfy your auditor, you will need to show that you have effective access removal policies in place and that these policies are being followed and enforced. Therefore, your chosen compliance automation solution should include straightforward and flexible features for generating credible reports on demand. For example, suppose you are using Jira tickets to track access removals. In that case, you should add a consistent Jira “label” to each ticket to generate a report of all relevant activity for your auditor.
These elements will help you manage access termination consistently and improve the overall cybersecurity of your environment. They will also help strengthen your overall access management efforts, which are critical to achieving and sustaining SOC 2 compliance.
How Trustero Can Help
Trustero offers a cloud-based compliance platform to make controls like this easy to setup, automate, monitor, and share with auditors any day of the year. The platform comes with an Access Removal control or you can add your own. It integrates with common federated identity platforms and other cloud services to automatically gather the required data about who has access and who no longer does.
The platform lets you handle confusing compliance obligations in consistent and conventional ways.
If you’re new to SOC 2, download a copy of our free ebook, “SOC 2 Compliance: Why it Matters and How to Get There.” If you’re already familiar with SOC 2 controls, click here to learn more about Trustero CaaS or to schedule a demo.
MJ Raber is Head of Governance, Risk and Compliance (GRC) at Trustero.
NOTE: This article is an update to an earlier Trustero post, “SOC 2 Controls: Access Removal for Terminated or Transferred Users,” originally published June 30, 2022.