SOC 2 – CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
Authorizing or Modifying Access
How do organizations grant or change access to protected assets? Asset owners must approve any request to grant or change access. This aligns with the individual’s role, responsibilities, or the system’s design.
- Sample Control: A change request form must be filled out and approved by the asset owner for any access changes.
- Example Scenario: Imagine a healthcare provider where nurses, doctors, and administrative staff all need different levels of access to patient records. A nurse might only need to view medical histories, while a doctor needs to make updates. The asset owner, likely the CIO or Data Manager, would approve these varying levels of access.
What steps do organizations take to remove outdated access? Automated workflows revoke access when it’s no longer needed, ensuring ongoing security.
- Sample Control: When an employee leaves or changes roles, automated workflows revoke their old permissions.
- Example Scenario: Consider a marketing agency using a project management tool. When a project ends, team members should lose their access to that project’s data. Automated workflows can handle this, ensuring that only current team members can view or edit the project.
Types of Access Control
What kind of access control systems are commonly used? Role-based access controls often limit access and segregate duties, ensuring that employees have just enough access to do their jobs but not more.
- Sample Control: The system assigns permissions based on predefined roles, like “Developer” or “HR Manager.”
- Example Scenario: In a financial institution, customer service reps might have read-only access to client accounts, while account managers can make changes. Role-based controls make this segregation possible.
Periodic Review of Access
How often does a review of access permissions occur? Regular audits by IT security teams ensure the appropriateness of access roles and rules.
- Sample Control: Every quarter, the IT team audits access roles and permissions.
- Example Scenario: In a university setting, professors, administrators, and students all have different access needs. Regular audits can catch any inappropriate access, like a student who still has access to a course system after dropping out.
Modifying Access Rules
How do organizations update access roles and rules? The organization updates access roles and rules based on the findings of periodic reviews.
- Sample Control: To update roles or rules, you need approval from department heads and a compliance check.
- Example Scenario: In a fast-growing startup, roles can change quickly. An employee might start as a generalist but later specialize. Their access needs will change, and the system must adapt.