Access Controls in SOC2

This is the second blog in our series on SOC 2 compliance. In the first one, we answered some general questions about the process. Now it is time to discuss some of the details about making changes to Access Controls to comply with SOC. We’ll discuss policy making, implementation, monitoring, and training as part of what is necessary to comply with the requirements, which fall into four main categories:

1. Define and Implement Policies to control who has access to what data.
2. Define and Implement Organisational Password Policies
3. Monitor Resources for Vulnerabilities
4. Document and Train Employees on these Procedures.

Control Data

Data is one of the most valuable resources a company has and its employees and their Intellectual Property in today's world. Depending on the country's laws the data is collected from, you may own it, but there is talk of making personal data property of the person or entity it is about. Either way protecting the data requires:

1. Defining policies of how to control the data.
2. Documenting the policies
3. Implementing the policies.
4. Training Employees about the policies
5. Monitoring the effectiveness of the policies.

Defining the policies involves evaluating who needs what information, determining how they get the data, and removing access. Different groups within the company will need access to various assets. For instance, Executives should have access to read any information they need but may not need to write access. In contrast, the accounting department will primarily need read/write access to financials. Once you’ve considered what each group needs, you can create a policy for what information each group has access to, how they request new access, and how access is removed upon leaving the company or a change in roles. These policies need to be in writing. It would be best if you had specific guidelines for the following:

• Granting Access
• Removing Access (Use a Checklist to make sure you don’t miss permissions)
• Restricted Access to change Production
• Dedicated Accounts for Restricted Access that do not access web, email, etc.
• Multifactor Identification
• Malware and Spyware Identification
• Saving Baseline Configuration for Rollback
• User Access Groups
• Monitoring System

Once the policies are documented, the system administrator will create the user groups based on the policies. When first setting the user groups up, it will need to be done manually, but later, people's additions and removals may be made manually or through automation. Automating processes to assign or remove access based on the title when employment changes are made are more costly on the front end but are easily scalable as the organisation grows. Manual processes require lower upfront costs but may quickly need escalating labour requirements as a company grows due to adding or removing people as employees are added.

Once the policies are implemented, employees need to be trained on the procedures. Depending on the employee function, the training will be different, but should include:

• Do they give, remove, monitor, or approve access to others?
• How do they get access?
• What data can they access? Is it read, write, or read-write access?
• Who do they contact to request additional access?
• What happens if they fail to follow policies?

I know this section packs much information in a small space, but it gives you a high-level outlook of what is required to meet SOC2 compliance regarding Access Controls. In addition, we offer free consultations, so don’t hesitate to reach out if you need help.

Password Protection

Password protection will follow the same steps used for controlling data but is focused on protecting passwords. You should specifically focus on the following policies for both application and server access:

• Minimum Password Length: 8 or more characters.
• Password Complexity: Enabled
• Compare to last Passwords: 24 Passwords
• Password Maximum Age: 90 days
• Lockout Attempts: Lockout after 5-10 Failed Attempts
• Multi-Factor Authentication: Enabled

Utilising these best practices will help protect your passwords from becoming compromised.

Monitoring

Having processes in place, written down, and implemented is essential. Still, to make sure that the methods are achieving the intended goals, we need to be monitoring them to see if there are areas we can improve. Aspects that should be monitored include:

• Login attempts
• Data deletion on application and infrastructure level
• Downtime
• Continuous Monitoring of System Availability
• Continuous Monitoring of % resources used.
• Antivirus software for known risks
• Quarterly Review of Scope of Permissions

Document and Train

This step is to make sure all employees understand what their role in the SOC process is. All policies should be in writing, and checklists should be utilised to verify compliance and reviewed routinely to ensure that the policies are being followed. Especially should be taken during the hiring and termination periods to ensure access is granted and removed to protect the security of the organisational assets. In addition, all employees will need proper training (and documentation).

HR and IT will need the most training to perform the functions necessary to comply with the audit, but all roles will need to know whom to contact for access to information, report compromised accounts, or reset passwords if locked out.

Taking the time to implement all these considerations will help you establish the framework necessary when you are ready to become SOC 2 certified. IF you need help establishing what you need to accomplish, check out our security reviews page.

Cheers!

Mat