Access Controls in SOC2

This is the second blog in our series on SOC 2 compliance. In the first one, we answered some general questions about the process. Now it is time to discuss some of the details of making changes to Access Controls to comply with SOC 2. We’ll discuss policy making, implementation, monitoring, and training as part of what is necessary to meet the requirements, which fall into four main categories:

  1. Define and Implement Policies to control who has access to what data.
  2. Define and Implement Organisational Password Policies
  3. Monitor Resources for Vulnerabilities
  4. Document and Train Employees on these Procedures.

Control Data

In today's world, data is one of the most valuable resources a company has, alongside its employees and their Intellectual Property. Depending on the laws of the country the data is collected in, you may own it, but there is talk of making personal data the property of the person or entity it is about. Either way, protecting the data requires:

  1. Defining policies of how to control the data.
  2. Documenting the policies
  3. Implementing the policies.
  4. Training Employees about the policies
  5. Monitoring the effectiveness of the policies.

Defining the policies involves evaluating who needs what information, determining how they get the data, and deciding how access is removed. Different groups within the company will need access to different assets. For instance, Executives should have access to read any information they need but may not need write access. In contrast, the accounting department will primarily need read/write access to financials. Once you’ve considered what each group needs, you can create a policy for what information each group has access to, how they request new access, and how access is removed when someone leaves the company or changes roles. These policies need to be in writing. You should have specific guidelines for the following:

  • Granting Access
  • Removing Access (Use a Checklist to make sure you don’t miss permissions)
  • Restricted Access to change Production
  • Dedicated Accounts for Restricted Access that do not access web, email, etc.
  • Multifactor Identification
  • Malware and Spyware Identification
  • Saving Baseline Configuration for Rollback
  • User Access Groups
  • Monitoring System

Once the policies are documented, the system administrator will create the user groups based on the policies. When the user groups are first set up, this will need to be done manually, but later additions and removals of people may be made manually or through automation. Automating the assignment or removal of access based on job title whenever an employment change is made is more costly up front but scales easily as the organisation grows. Manual processes have lower upfront costs but may quickly require escalating labour as the company grows, because every person added or removed must be handled by hand.
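As an added illustration of the automation described above (example code, not from the original article), the script below reconciles each employee's current group memberships against a hypothetical role-to-groups policy and produces the grants and revocations needed for a joiner, a mover and a leaver, plus the leaver checklist the article recommends. The role names, group names and sample directory are all constructed for the example.

```python
"""Role-based access reconciliation against a written access policy."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy: which access groups each job role is entitled to.
ROLE_GROUPS = {
    "executive": {"financials-read", "hr-read", "sales-read"},
    "accountant": {"financials-read", "financials-write"},
    "sre": {"prod-deploy", "monitoring-read"},
}

@dataclass
class Employee:
    user: str
    role: Optional[str]            # None means the person has left the company
    groups: set = field(default_factory=set)   # current group memberships

def desired_groups(role):
    """Groups an employee should hold under the policy; a leaver holds none."""
    if role is None:
        return set()
    return set(ROLE_GROUPS.get(role, set()))

def reconcile(employees):
    """Return (grants, revocations) that bring current access in line with policy."""
    grants, revocations = [], []
    for e in employees:
        want = desired_groups(e.role)
        for g in sorted(want - e.groups):      # missing entitlements -> grant
            grants.append((e.user, g))
        for g in sorted(e.groups - want):      # excess entitlements -> revoke
            revocations.append((e.user, g))
    return grants, revocations

def leaver_check(employees):
    """Removal checklist: leavers that still hold any access. Should be empty."""
    return [(e.user, sorted(e.groups)) for e in employees if e.role is None and e.groups]

# Constructed sample directory: a joiner, a mover, a leaver and a compliant user.
SAMPLE = [
    Employee("alice", "accountant", set()),                                 # joiner
    Employee("bob", "executive", {"financials-read", "financials-write"}),  # moved from accounting
    Employee("carol", None, {"prod-deploy"}),                               # left, access not revoked
    Employee("dave", "sre", {"prod-deploy", "monitoring-read"}),            # compliant
]

if __name__ == "__main__":
    grants, revocations = reconcile(SAMPLE)
    print("grant:", grants)
    print("revoke:", revocations)
    print("leavers still holding access:", leaver_check(SAMPLE))
```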

Once the policies are implemented, employees need to be trained on the procedures. Depending on the employee function, the training will be different, but should include:

  • Do they give, remove, monitor, or approve access to others?
  • How do they get access?
  • What data can they access? Is it read, write, or read-write access?
  • Who do they contact to request additional access?
  • What happens if they fail to follow policies?

I know this section packs a lot of information into a small space, but it gives you a high-level outlook of what is required to meet SOC 2 compliance regarding Access Controls. In addition, we offer free consultations, so don’t hesitate to reach out if you need help.

Password Protection

Password protection will follow the same steps used for controlling data but is focused on protecting passwords. You should specifically focus on the following policies for both application and server access:

  • Minimum Password Length: 8 or more characters.
  • Password Complexity: Enabled
  • Compare to last Passwords: 24 Passwords
  • Password Maximum Age: 90 days
  • Lockout Attempts: Lockout after 5-10 Failed Attempts
  • Multi-Factor Authentication: Enabled

Utilising these best practices will help protect your passwords from becoming compromised.

Monitoring

Having processes in place, written down, and implemented is essential. Still, to make sure that the methods are achieving the intended goals, we need to be monitoring them to see if there are areas we can improve. Aspects that should be monitored include:

  • Login attempts
  • Data deletion on application and infrastructure level
  • Downtime
  • Continuous Monitoring of System Availability
  • Continuous Monitoring of % resources used.
  • Antivirus software for known risks
  • Quarterly Review of Scope of Permissions
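As an added example tying the login-attempt monitoring above to the lockout threshold from the Password Protection section (example code, not from the original article), the script below parses constructed sshd-style log lines and flags any account that accumulates five or more failed logins inside a sliding window, noting whether a successful login followed the burst. The log format, timestamps, usernames and addresses are all constructed for the example.

```python
"""Flag accounts that exceed the failed-login lockout threshold in auth logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-like log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:03 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:04 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:06 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:07 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:09 sshd[101]: Accepted password for alice from 10.0.0.5
2024-03-01T09:05:00 sshd[102]: Failed password for bob from 10.0.0.9
2024-03-01T10:05:00 sshd[103]: Failed password for bob from 10.0.0.9
2024-03-01T11:05:00 sshd[104]: Accepted publickey for dave from 10.0.0.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, user, src) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def lockout_violations(log_text, threshold=5, window=timedelta(minutes=15)):
    """Accounts with >= threshold failures inside the window; a later success
    on a flagged account is recorded because it merits analyst review."""
    recent = defaultdict(list)   # user -> timestamps of failures still inside the window
    findings = {}
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            fl = recent[user]
            fl.append(ts)
            while fl and ts - fl[0] > window:    # slide the window forward
                fl.pop(0)
            if len(fl) >= threshold and user not in findings:
                findings[user] = {"first": fl[0], "count": len(fl), "src": src, "success_after": False}
        elif user in findings:
            findings[user]["success_after"] = True
    return findings

if __name__ == "__main__":
    for user, info in lockout_violations(SAMPLE_LOG).items():
        print(user, info)
```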

Document and Train

This step is to make sure all employees understand what their role in the SOC process is. All policies should be in writing, and checklists should be utilised to verify compliance and reviewed routinely to ensure that the policies are being followed. Special care should be taken during the hiring and termination periods to ensure access is granted and removed correctly, protecting the security of the organisation's assets. In addition, all employees will need proper training (and documentation).

HR and IT will need the most training to perform the functions necessary to comply with the audit, but all roles will need to know whom to contact for access to information, report compromised accounts, or reset passwords if locked out.

Taking the time to implement all these considerations will help you establish the framework necessary when you are ready to become SOC 2 certified. If you need help establishing what you need to accomplish, check out our security reviews page.

Cheers!

Mat
