Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first

SOC-2 CC6: Logical and Physical Access Controls

The sixth SOC-2 requirement in the CC-series is Logical and Physical Access Controls. These include:

CC6.1, which requires that your organisation implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet your organisation’s objectives.

CC6.2 requires that your organisation register and authorise new internal and external users whose access is administered by the organisation prior to issuing system credentials and granting system access.

CC6.3 requires that your organisation authorises, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes.

CC6.4, which requires that your organisation restricts physical access to facilities and protected information assets (for example, data centre facilities, backup media storage, and other sensitive locations) to authorised personnel to meet your organisation’s objectives.

CC6.5 requires that your organisation discontinue logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet your objectives.

CC6.6 requires that your organisation implement logical access security measures to protect against threats from sources outside your system boundaries.

CC6.7 requires that your organisation restricts the transmission, movement, and removal of information to authorised internal and external users and processes and protects it during transmission, movement, or removal to meet your organisational objectives.

CC6.8, which requires that your organisation implements controls to prevent or detect and act upon the introduction of unauthorised or malicious software to meet your organisation’s objectives.

CC6.1

SOC 2 CC6.1 highlights the following points of focus:

Identifies and Controls the Inventory of Information Assets

The organisation should recognise, inventory, categorise, and manage its information assets.

Restricts Logical Access

Logical access to information assets should be restricted through the use of access control software and rule sets. Assets include:

  • Hardware
  • Data (at-rest, throughout processing, or in transmission)
  • Software
  • Administrative authorities
  • Mobile devices
  • Output
  • Offline system elements.

Identifies and Validates Users

Individuals, infrastructure, and software should be recognised and verified before being given access to information assets, whether locally or remotely.

Considers Network Segmentation

Network segmentation should permit disparate portions of your organisation’s information system to be isolated from one another.

Oversees Points of Access

Points of access by external bodies and the types of data that flow through the points of access should be recognised, inventoried, and controlled. The types of individuals and systems using each point of access should also be identified, documented, and controlled.

[H3] Limits Access to Information Assets

To establish access-control rules for information assets, combinations of the following should be used:

  • Data classification
  • Separate data structures
  • Port restrictions
  • Access protocol restrictions
  • User identification
  • Digital certificates.

Oversees Identification and Verification

Your organisation should establish, document and manage identification and authentication requirements for individuals and systems accessing organisational information, infrastructure, and software.

Manages Credentials for Infrastructure and Software

New internal and external infrastructure and software should be registered, authorised, and recorded prior to being given access credentials and implemented on the network or access point. When access is no longer required or the infrastructure and software are no longer in use, credentials should be removed and access disabled.

Uses Encryption to Protect Data

Your organisation should use encryption to support other measures to protect data at rest when such safeguards are considered necessary based on assessed risk.

Protects Encryption Keys

Procedures should be in place to safeguard encryption keys during creation, storage, use, and destruction.

CC6.2

CC6.2 highlights the following points of focus:

Controls Access Credentials to Protected Assets

Information asset access credentials should be created based on approval from the system's asset owner or authorised custodian.

Eliminates Access to Protected Assets When Applicable

Your organisation should implement processes to remove credential access when an individual no longer requires such access.

Reviews Appropriateness of Access Credentials

The appropriateness of access credentials should be reviewed periodically to identify and remove any unnecessary or inappropriate individuals with credentials.

CC6.3

CC6.3 highlights the following points of focus:

Creates or Modifies Access to Protected Information Assets

Processes should be in place to create or alter access to protected information assets based on authorisation from the asset’s owner.

Removes Access to Protected Information Assets

Processes should be in place to remove access to protected information assets when an individual no longer requires access.

Uses Role-Based Access Controls

Role-based access control should be implemented to support the separation of incompatible functions.

Reviews Access Roles and Rules

The suitability of access roles and access rules should be reviewed periodically for unnecessary and inappropriate individuals with access. Access rules should be altered as applicable.

CC6.4

CC6.4 highlights the following points of focus:

Creates or Alters Physical Access

Processes should be in place to create or modify physical access to your organisation’s facilities, such as data centres, office spaces, and work areas, based on authorisation from the system's asset owner.

Eliminates Physical Access

Processes should be in place to remove access to physical resources when a person or entity no longer requires access.

Evaluates Physical Access

Processes should be implemented to periodically review physical access to ensure consistency with roles and duties.

CC6.5

CC6.5 highlights the following points of focus:

Detects Data and Software for Disposal

Procedures should be in place to identify data and software stored on equipment to be disposed of, and to make such data and software unreadable.

Removes Data and Software From Organisational Control

Procedures should be in place to remove data and software stored on equipment from the physical control of your organisation and to render said data and software unreadable.

CC6.6

CC6.6 highlights the following points of focus:

Restricts Access

The types of activities that can take place through a communication channel (for example, FTP site, router port) should be restricted.

Protects Identification and Validation Credentials

Identification and validation credentials should be protected during transmission outside your organisation’s system boundaries.

Requires Additional Authentication or Credentials

Further authentication information or credentials should be required when accessing the system from outside its boundaries.

Implements Boundary Protection Systems

Boundary protection systems (e.g. firewalls, demilitarised zones, and intrusion detection systems) should be put in place to protect external access points from attempts and unauthorised access, and are monitored to detect such attempts.

CC6.7

CC6.7 highlights the following points of focus:

Restricts the Ability to Perform Transmission

Data loss prevention procedures and technologies should be used to restrict the ability to authorise and execute the transmission, movement, and/or removal of information.

Uses Encryption Technologies or Secure Communication Channels to Protect Data

Encryption technologies or secured communication channels should be used to protect data transmission and other communications beyond connectivity access points.

Protects Removal Media

Encryption technologies and physical asset protections should be used for removable media, e.g. USB drives and backup tapes, as necessary.

Protects Mobile Devices

Processes should be in place to safeguard mobile devices (e.g. laptops, smart phones, and tablets) that serve as information assets.

CC6.8

CC6.8 highlights the following points of focus:

Restricts Application and Software Installation

The ability to install applications and software should be limited to authorised individuals.

Detects Unauthorised Changes to Software and Configuration Parameters

Processes should be put in place to detect changes to software and configuration parameters that may indicate unauthorised or malicious software.

Uses a Defined Change Control Process

A management-defined change control process should be used for the implementation of software.

Uses Antivirus and Anti-Malware Software

Antivirus and anti-malware software should be implemented and preserved to intercept or recognize malware and remediate it.

Scans Information Assets from Outside the Entity for Malware and Other Unauthorised Software

Procedures should be in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorised software, and to remove any items detected prior to its deployment on the network.