SOC 2 Controls: “Regular User Access Reviews” – An Updated Guide
Controls are the foundations of your SOC 2 compliance efforts. They define how your business executes its policies, drive operations and meet SOC 2 compliance requirements. When policies and controls are tightly aligned and enforced consistently, they help to mitigate risk and increase trustworthiness and agility for your business. This post is part of a continuing series of posts focused on specific SOC 2 controls.
Who This Control Affects: Those in IT responsible for access management and those in human resources (HR), human capital management (HCM), or equivalent roles.
Why It Matters: People come and go in every business. But if you don’t review who has access to what regularly, you run the risk of leaving accounts active that authorized users are no longer using. This creates opportunities for bad actors to gain access to your systems. Once inside your systems, those bad actors could see things they shouldn’t or create disruptions ranging from theft to infection of your environment with ransomware or other malware.
What this Control Does: This SOC 2 control focuses on ensuring your company regularly reviews who has access to critical IT infrastructure. Compliance with this control requires your company to log these reviews and take any actions to resolve any access issues discovered during a review.
The Regular User Access Reviews control also addresses three specific SOC 2 Common Criteria. These are Logical Access Security (CC6.1), User System Credentials (CC6.2) and Role-Based Access (CC6.3). This SOC 2 control is also one of several that limit the risks of unauthorized access via credentials that should have been changed or turned off but are still valid. Examples of events that can create such risks include the following.
- A change in any employee’s role, responsibilities, or status (such as going from full- to part-time).
- A consultant or other user joins the organization outside of normal processes.
- A change in access rules or permissions is not captured in the Access Management policies or procedures.
Example Wording: Each control’s wording must be precise, concise, and authoritative. There are many ways to word a control, and you should work with your auditor to find the precise wording for your company. Here’s an example of how this control should be worded.
System user access is reviewed every quarter, and a log of these reviews is retained.
Example Application: A company uses a SaaS service such as AWS or Github. The company adds new users to its accounts when those users join the company or begin working on a new project that requires access to those accounts. When someone leaves the company or stops working on the project that requires access to those accounts, their access should be removed in a timely manner.
An auditor will check that users are being added and removed as described in the company’s access management policy. The company would have to show that it did check who had an account in AWS and Github and when it was created or destroyed. If an employee had the wrong access granted, some documentation would be required to show that the issue was handled appropriately.
How to Implement This Control
To comply with this control, you must regularly review who has access to your systems and who doesn’t. You should conduct user access reviews at least annually. Trustero recommends quarterly reviews for greater risk reduction.
The combination of a central identity access and management (IAM) solution and single sign-on (SSO) features can ease the capture and review of user access. SSO solutions consolidate management of authorized users’ identities across multiple systems At Trustero, we use Google Workspace for both tasks. If yours is a larger enterprise, you might already use an IAM solution such as Microsoft’s Active Directory for IAM and an SSO system such as Okta. If you don’t use these, work with your auditor to decide which systems need regular user access reviews since you’ll probably have to provide evidence for each platform.
Once you have effective solutions for capturing user access rights and changes to them in place, you need tools and enforceable processes for logging and storing those access information reviews. Your chosen IAM or SSO solution may have adequate features for generating and recording your logs. If not, either or both may be able to connect with and supply the relevant data to a separate reporting tool. You should confirm with your auditor that the tools you use produce the information they need in the formats they need it.
SOC 2 also requires that you have a supporting policy, which you can develop with colleagues in HR or another department. Those policies should contain some enforcement mechanisms, such as penalties for not following them. They also need to be shared with all current users and kept current as things change.
These elements will help you manage your user access reviews consistently and effectively. They will also help strengthen your overall access management efforts, which will improve your cybersecurity and help you achieve and sustain continuous SOC 2 compliance.
How Trustero Can Help
Trustero Compliance as a Service (CaaS) is a cloud-based, AI-powered compliance automation platform. It includes multiple features to help you implement the Regular User Access Reviews control. Trustero CaaS also enables you to demonstrate compliance to your auditor credibly and on demand. The platform’s user interface consolidates the description of the control, information about it and its status, and the ability to test compliance with it on a single screen. And it does everything in plain, clear language.
Unlike competing offerings that focus only on “audit-readiness,” Trustero CaaS speeds and simplifies audit and evidence documentation. It provides automated, actionable, “auditor-friendly” mapping of controls, policies and evidence. The solution also uses AI to offer evidence testing recommendations. These and other features get and keep your company SOC 2 compliant, even as requirements and your business evolve.
If you’re new to SOC 2, download a copy of our free ebook, “SOC 2 Compliance: Why it Matters and How to Get There.” If you’re already familiar with SOC 2 controls, click here to learn more about Trustero CaaS or to schedule a demo.
MJ Raber is Head of GRC at Trustero.
Note: this article is an update to an earlier Trustero post, “SOC 2: Regular User Access Reviews,” originally published July 21, 2022.