SOC 2 – CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. Authorizing or Modifying Access How do organizations grant or change access to protected assets? Asset owners must approve any request to grant or change access. This aligns with the individual’s role, responsibilities, or the system’s design. Removing Access What steps do organizations take to remove outdated access? Automated workflows revoke access when it’s no longer needed, ensuring ongoing security. Types of Access Control What kind of access control systems are commonly used? Role-based access controls often limit access and segregate duties, ensuring that employees have just enough access to do their jobs but not more. Periodic Review of Access How often does a review of access permissions occur? Regular audits by IT security teams ensure the appropriateness of access roles and rules. Modifying Access Rules How do organizations update access roles and rules? The organization updates access roles and rules based on the findings of periodic reviews.