Last week I shared my first article looking at some of the individual criteria necessary for SOC2 accreditation and how these define the human resource security requirements for your organization. In this article, I am going to focus on how the access control requirements within the SOC2 regulations interact with human resource security.
In addition to the 17 COSO principles, the trust criteria section of the SOC2 regulations includes principles that focus on risk mitigation, system operations, change management, and access controls. It is these access control principles that have the greatest impact on human resource security.
These controls deal with how access to your organization’s data and systems is granted to, or blocked from, internal and external actors. For human resource security, this means how, when, and where your employees access the data they need to carry out their responsibilities within your organization, and ensuring controls are in place to stop unauthorized access.
There are five criteria detailed within the SOC2 principles which impact your data and your employees. These are detailed below.
1. The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
2. The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
3. The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
4. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
5. The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
In practice, your organization needs to have access controls in place to restrict access to information assets, hardware, software, data (at rest, during processing, or in transmission), administration privileges, mobile devices, output, and offline systems.
Access should be given to these assets in line with the role and responsibilities of the individual employee. Hardware, applications, and software must be password protected, with passwords being provided securely to your employees.
Passwords and user credentials should only be created and issued by the delegated system administrator or proprietor. These user credentials should be managed to ensure any access rights granted are documented. For SOC2 this information will be requested by your auditor.
Any new infrastructure and software must be registered and authorized for use before access is granted to employees. The associated credentials must be removed and access disabled when the infrastructure or software is no longer in use or when an employee leaves. Again, this will need to be documented and evidence provided to your auditor.
Access should be based on user roles and where possible segregation of duties should be supported. Depending on the size of your organization, this may or may not be possible. The granted access should be reviewed periodically to ensure that any unnecessary or inappropriate credentials are revoked.
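The registration, role-based provisioning, segregation-of-duties and periodic-review controls described above (criteria 4 and 5 and the three paragraphs on credentials and reviews) come down to one recurring reconciliation: compare what accounts actually hold against what the HR roster and role model say they should hold. The following is an added example, not code from the original article or from any SOC2 tooling; the roster, role matrix, account export, conflict pairs and function names are all constructed for illustration.

```python
"""Periodic access review: reconcile system accounts against the HR roster.

Added example with constructed data. ROSTER stands in for an HR export,
ROLE_ENTITLEMENTS for the organization's role-to-permission matrix,
SOD_CONFLICTS for its segregation-of-duties rules and ACCOUNTS for an
application's account export. Every name here is this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Employee:
    user_id: str
    role: str
    status: str  # "active" or "left"


@dataclass
class Account:
    user_id: str
    entitlements: Set[str]
    authorized_by: Optional[str]  # who approved registration; None = never authorized


# Constructed HR roster export (criterion 4: only registered, authorized users)
ROSTER: Dict[str, Employee] = {
    "alice": Employee("alice", "engineer", "active"),
    "bob": Employee("bob", "finance", "active"),
    "carol": Employee("carol", "engineer", "left"),
}

# Constructed role -> permitted entitlements matrix (least-privilege baseline)
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "payments:create"},
}

# Constructed segregation-of-duties rules: no single account may hold both
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("payments:create", "payments:approve"),
    ("repo:write", "prod:deploy"),
]

# Constructed account export from one application
ACCOUNTS: List[Account] = [
    Account("alice", {"repo:read", "repo:write", "ci:run"}, "mgr-eng"),
    Account("bob", {"ledger:read", "payments:create", "payments:approve"}, "mgr-fin"),
    Account("carol", {"repo:read"}, "mgr-eng"),                 # leaver, account still live
    Account("svc-deploy", {"prod:deploy", "repo:write"}, None),  # not in roster, never authorized
]

Finding = Tuple[str, str, str]  # (user_id, finding type, detail)


def review_access(roster: Dict[str, Employee], accounts: List[Account],
                  role_entitlements: Dict[str, Set[str]],
                  sod_conflicts: List[Tuple[str, str]]) -> List[Finding]:
    """Return every deviation an access review should surface, in account order."""
    findings: List[Finding] = []
    for acct in accounts:
        emp = roster.get(acct.user_id)
        # Orphaned or leaver accounts: credentials should already have been removed.
        if emp is None:
            findings.append((acct.user_id, "orphan", "no roster entry"))
        elif emp.status != "active":
            findings.append((acct.user_id, "leaver", f"status={emp.status}"))
        # Accounts with no registration approval on record.
        if acct.authorized_by is None:
            findings.append((acct.user_id, "unauthorized", "no registration approval"))
        # Entitlements beyond what the employee's role permits (least privilege).
        if emp is not None:
            allowed = role_entitlements.get(emp.role, set())
            excess = sorted(acct.entitlements - allowed)
            if excess:
                findings.append((acct.user_id, "excess", ",".join(excess)))
        # Segregation-of-duties conflicts held by one account.
        for a, b in sod_conflicts:
            if a in acct.entitlements and b in acct.entitlements:
                findings.append((acct.user_id, "sod", f"{a}+{b}"))
    return findings


def plan_remediation(findings: List[Finding]) -> Dict[str, List[str]]:
    """Split findings into accounts to disable outright and accounts to trim."""
    disable = {u for u, kind, _ in findings if kind in ("orphan", "leaver", "unauthorized")}
    trim = {u for u, kind, _ in findings if kind in ("excess", "sod")} - disable
    return {"disable": sorted(disable), "trim": sorted(trim)}


if __name__ == "__main__":
    results = review_access(ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS, SOD_CONFLICTS)
    for user, kind, detail in results:
        print(f"{user:12} {kind:12} {detail}")
    print(plan_remediation(results))
```

Running the review over the constructed data flags the leaver's live account, the unregistered service account, the finance user holding both sides of a payment, and the one entitlement outside the finance role. Keeping the review output (and the resulting disable/trim actions) on file is exactly the evidence an auditor asks for under the review and removal requirements.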
Physical access to the office, servers, data centers, and other physical locations where information is stored should also be secured and documented, with access revoked at the appropriate time. The SOC2 requirements cover both physical and cloud-based assets.
Finally, your organization should have a system in place to deal with the disposal of redundant equipment, either rendering any data and software stored on it unreadable or removing that data and software entirely.
By following the above controls, you will be reducing the security risk to your data. Having a strong control environment will provide your staff, customers, and suppliers confidence in your product and business.
Monitoring, documenting, and having these controls in place will also provide your auditor with the assurance they need for your SOC2 accreditation.
My first article on SOC2 and human resource security can be found here.
Please note the information presented on this website is provided as a general guide and is not a substitute for legal or tax advice. For specific advice, be sure to consult with a qualified professional.