Control of the Week #3: Access Control for SOC 2
This week’s control is on access control. Jose Costa (CISO at Tugboat Logic) and Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic) explain why access control is important and how you can implement it for your audits.
Why This Control Is Important
“AC3.1 – Manage Account Access – Access to in-scope system components (application(s) and its underlying infrastructure) requires a documented access request and approval from management prior to access provisioning.”
This control is one of the literal gatekeepers for your data because it prevents the wrong people from getting a set of keys to data or tools they don’t own. And while the control seems simple at a glance, it’s one that’s often failed in audits! The wrong people don’t have to be thieves or hackers; they can be members of your own organization who do not have advance approval to access that data.
While granting access can seem harmless enough at first, know that it can “trickle down” to other roles. For example, your security officer can grant your head of marketing full access to a tool. The head of marketing assumes that any one of their marketers can also have access. Without understanding what full access entails, the entire marketing team suddenly has full access and can potentially reach data or tools they never should have been able to, merely because no access plan or documentation existed.
Coming up with a plan in advance and approving access with internal teams before it’s granted will help you manage who has which types of access, grant and revoke access during on/offboarding, and ensure that client access is documented and updated.
How to Implement This Control for Your Audits
The first step is to establish who has ownership over the control. Make sure that whoever is granting access understands it in advance. Giving sweeping access to a program or software might seem like a fantastic idea in terms of making your life easier in the short term, but that software holds personal information that people in your org shouldn’t have access to.
As an organization grows and takes on more employees, clients, and vendors, the process becomes more complicated. So, remember this key practice: You need to grant approval before you grant access.
It’s so important that it bears repeating: You need to grant approval before you grant access.
A two-way system will help reduce mistakes and halt that trickle-down effect. This system can involve simple documentation and policies:
- Create a template list of apps with the types of access available for each.
- Implement an on/offboarding process.
- Ensure everyone in the organization knows who the gatekeeper is.
And, consider every type of access:
- Administrator Accounts – self-explanatory.
- Undocumented Accounts – when an owner is granting the access, ensure they have the approval to do so.
- System Accounts – general management accounts that are linked to the organization and not an individual.
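One way to check the evidence this control produces, as an added example rather than anything from the original post or from Tugboat Logic: given a list of documented approvals, the provisioning events from a system’s audit log, revocations, and the set of offboarded users, flag every grant that was not approved on or before provisioning and every offboarded user whose access was never revoked. The users, systems, approver and timestamps are constructed sample data.

```python
from datetime import datetime

# Constructed sample evidence: hypothetical users, systems and approver.
APPROVALS = [  # documented access requests approved by management
    {"user": "alice", "system": "crm", "approver": "ciso", "at": datetime(2021, 3, 1, 9)},
    {"user": "bob", "system": "crm", "approver": "ciso", "at": datetime(2021, 3, 2, 15)},
    {"user": "dave", "system": "crm", "approver": "ciso", "at": datetime(2021, 3, 1, 9)},
]
GRANTS = [  # provisioning events pulled from the system's own audit log
    {"user": "alice", "system": "crm", "at": datetime(2021, 3, 1, 10)},  # approved first
    {"user": "bob", "system": "crm", "at": datetime(2021, 3, 2, 9)},     # approved after the fact
    {"user": "carol", "system": "crm", "at": datetime(2021, 3, 3, 11)},  # never approved
    {"user": "dave", "system": "crm", "at": datetime(2021, 3, 1, 10)},   # approved first
]
REVOCATIONS = [{"user": "alice", "system": "crm", "at": datetime(2021, 4, 1, 9)}]
OFFBOARDED = {"alice", "dave"}  # users whose offboarding has been completed


def unapproved_grants(approvals, grants):
    """Grants with no management approval dated on or before provisioning."""
    by_key = {}
    for a in approvals:
        by_key.setdefault((a["user"], a["system"]), []).append(a["at"])
    findings = []
    for g in grants:
        key = (g["user"], g["system"])
        if any(t <= g["at"] for t in by_key.get(key, [])):
            continue  # a documented approval preceded provisioning: control satisfied
        reason = "approval recorded after provisioning" if key in by_key else "no documented approval"
        findings.append((g["user"], g["system"], reason))
    return findings


def stale_access(grants, revocations, offboarded):
    """Offboarded users whose access was never revoked; revocation is part of the control."""
    revoked = {(r["user"], r["system"]) for r in revocations}
    return sorted({(g["user"], g["system"]) for g in grants
                   if g["user"] in offboarded and (g["user"], g["system"]) not in revoked})


if __name__ == "__main__":
    for finding in unapproved_grants(APPROVALS, GRANTS):
        print("FINDING:", finding)
    for stale in stale_access(GRANTS, REVOCATIONS, OFFBOARDED):
        print("STALE ACCESS:", stale)
```

Running the check periodically against exported approval records and audit logs gives the auditor the evidence that approval preceded provisioning, rather than relying on memory at audit time.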