SOC 2 Controls: Regular User Access Reviews
Controls are the procedures your business uses to drive operations and meet the requirements of SOC 2. Policies are closely linked to controls and, when enforced consistently, help to mitigate risk. This post is part of a continuing series focused on specific SOC 2 controls.
What this Control Does: This SOC 2 control focuses on ensuring your company regularly reviews who has access to critical IT infrastructure. To satisfy it, your company must log these reviews and resolve any access issues a review discovers.
There are many ways to word such a control, and you should work with your auditor to find the precise wording for your company. The control’s wording must be precise, concise, and authoritative.
Example Wording:
System user access is reviewed every quarter, and a log of these reviews is retained.
Example Application:
A company using AWS and GitHub shows logs of who is a user, week after week, and who is an employee in what role for the same period. New employees should have permissions added in AWS and GitHub, if relevant to their position, in a timely manner, and departing employees should be removed. The company also has an access management policy that an auditor will use to check that users are added and removed as the policy describes. The company must show that it checked who had an account in AWS and GitHub and when each account was created or removed. If an employee was granted the wrong access, documentation would be required to show that the issue was handled appropriately.
Who It Affects: Those in IT responsible for access management and those in human resources (HR), human capital management (HCM), or equivalent roles.
Why It Matters: People come and go in every business. But if you don’t regularly review who has access to what, you run the risk of leaving accounts active that their authorized users no longer use. This creates opportunities for bad actors to gain access to your systems. Once inside, those bad actors could see things they shouldn’t or create disruptions ranging from theft to infection of your environment with ransomware or other malware.
The Regular User Access Reviews control also addresses three specific SOC 2 Common Criteria: Logical Access Security (CC6.1), User System Credentials (CC6.2), and Role-Based Access (CC6.3). In addition, it is one of several SOC 2 controls that limit the risks of unauthorized access via credentials that should have been changed or turned off but are still valid. Examples of events that can create such risks include the following.
- A change in any employee’s role, responsibilities, or status (such as going from full- to part-time).
- A consultant or other user joins the organization outside of normal processes.
- A change in available services is not captured in the Access Management procedures.
How to Implement This Control
To comply with this control, you must regularly review who has access to your systems and who does not. Conduct user access reviews at least annually; Trustero recommends quarterly reviews for greater risk reduction.
The combination of a central identity and access management (IAM) solution and federated identities, which consolidate management of authorized users’ identities across multiple systems, can ease the capture and review of user access. At Trustero, we use Google Workspace for both tasks. If yours is a larger enterprise, you might already use an IAM solution such as Microsoft’s Active Directory and a federated identity management system such as Okta. If you don’t use such systems, work with your auditor to decide which systems need regular user access reviews, since you’ll probably have to provide evidence for each platform.
Once you have effective solutions in place for capturing user access rights and changes to them, you need tools and enforceable processes for logging and storing the access reviews. Your chosen IAM or federated identity management solution may have adequate features for generating and recording your logs. If not, either or both may be able to connect with and supply the relevant data to a separate reporting tool. Confirm with your auditor that the tools you use produce the information they need, in the formats they need it.
SOC 2 also requires a supporting policy, which you can develop with colleagues in HR or another department. The policy should contain enforcement mechanisms, such as penalties for not following it. It also needs to be shared with all current users and kept current as things change.
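The reconciliation described in the Example Application above (system accounts in AWS and GitHub checked against the HR roster and the access policy) and the logging step just described can be put together in a small script. The following is an added example written for this post; it is not Trustero's tooling and not a product feature. The HR roster, the account listings, and the role-to-system entitlement table are constructed sample data; in practice the roster would come from your HR system's export and the account lists from the AWS IAM and GitHub organization member listings. The review classifies every account as in policy, orphaned (no active employee behind it), or out of policy for the employee's role, flags employees who are missing access their role requires, and produces a retainable review record.

```python
"""Quarterly user access review: reconcile system accounts against an HR roster.

Added example, not the post's or Trustero's own code. All data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass, asdict
from datetime import date
import json


@dataclass(frozen=True)
class Employee:
    email: str
    role: str
    status: str          # "active" or "terminated", as exported from HR


@dataclass(frozen=True)
class Account:
    system: str          # e.g. "aws" or "github"
    username: str
    email: str           # the employee identity this account maps to
    created: date


@dataclass(frozen=True)
class Finding:
    kind: str            # "orphan", "out_of_policy" or "missing"
    system: str
    subject: str         # employee email the finding concerns
    action: str          # remediation the reviewer must carry out and document


# Hypothetical role-to-system entitlements; your access management policy defines these.
ROLE_ENTITLEMENTS = {
    "engineer": {"aws", "github"},
    "finance": {"aws"},
    "sales": set(),
}

# Constructed sample HR roster and account listings (not real people or accounts).
HR_ROSTER = [
    Employee("alice@example.com", "engineer", "active"),
    Employee("bob@example.com", "finance", "active"),
    Employee("carol@example.com", "engineer", "terminated"),   # left last quarter
    Employee("dave@example.com", "sales", "active"),
    Employee("erin@example.com", "engineer", "active"),        # joined this quarter
]
ACCOUNTS = [
    Account("aws", "alice", "alice@example.com", date(2023, 1, 9)),
    Account("github", "alice-dev", "alice@example.com", date(2023, 1, 9)),
    Account("aws", "bob", "bob@example.com", date(2023, 6, 1)),
    Account("github", "carol-dev", "carol@example.com", date(2022, 11, 14)),
    Account("github", "dave", "dave@example.com", date(2024, 2, 2)),
]


def review_access(roster, accounts, entitlements):
    """Compare every account against the active roster and the entitlement table."""
    active = {e.email: e for e in roster if e.status == "active"}
    seen = set()
    findings = []
    for acct in accounts:
        seen.add((acct.system, acct.email))
        emp = active.get(acct.email)
        if emp is None:
            # Account with no active employee behind it: the classic leaver gap.
            findings.append(Finding("orphan", acct.system, acct.email,
                                    f"disable {acct.username}: no active employee"))
        elif acct.system not in entitlements.get(emp.role, set()):
            # Active employee, but the role does not entitle them to this system.
            findings.append(Finding("out_of_policy", acct.system, acct.email,
                                    f"revoke {acct.username}: role {emp.role} is not entitled"))
    # Joiners and role changes: entitled access that was never provisioned.
    for emp in active.values():
        for system in sorted(entitlements.get(emp.role, set())):
            if (system, emp.email) not in seen:
                findings.append(Finding("missing", system, emp.email,
                                        f"provision access: role {emp.role} requires {system}"))
    return findings


def review_record(findings, accounts, reviewer, review_date=None):
    """Build the log entry that is retained as evidence for the auditor."""
    review_date = review_date or date.today()
    return {
        "review_date": review_date.isoformat(),
        "reviewer": reviewer,
        "systems_reviewed": sorted({a.system for a in accounts}),
        "accounts_reviewed": len(accounts),
        "summary": dict(Counter(f.kind for f in findings)),
        "findings": [asdict(f) for f in findings],
        "remediation": [],   # append (finding index, ticket id, closed date) as each is resolved
    }


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS)
    print(json.dumps(review_record(results, ACCOUNTS, "reviewer@example.com"), indent=2))
```

Run quarterly, the record is the artifact the auditor asks for; the remediation list is what turns a finding into evidence that the issue was handled, so each entry should point at the ticket or change that closed it.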
These elements will help you manage your user access reviews consistently and effectively. They will also help strengthen your overall access management efforts, which will improve your cybersecurity and help you achieve and sustain continuous SOC 2 compliance.
How Trustero Can Help
Trustero Compliance as a Service includes multiple features to help you implement the Regular User Access Reviews control and to demonstrate compliance with its requirements to your auditor credibly and on demand. The solution’s user interface consolidates the description of the control, information about it and its status, and the ability to test compliance with it on a single screen in plain, clear language.