Logical access security measures restrict access to assets
Access to systems, data, and infrastructure must be restricted to authorized users only. This is the foundational access control requirement. It covers authentication mechanisms, the use of MFA, password policies, and the principle of least privilege. Weak access controls are consistently the leading cause of data breaches and the area auditors scrutinize most closely in a SOC 2 examination.
Implementation steps
1. Enforce MFA across all systems
Multi-factor authentication must be required for all access to systems that process or store customer data. This includes cloud consoles, SSO providers, code repositories, production databases, and business applications. Disable or prevent access for accounts that bypass MFA. Enforce MFA at the identity provider level so it cannot be circumvented.
Tools: okta, google-workspace, azure-ad, duo
2. Implement a password policy
Enforce a password policy through your identity provider: minimum length (12+ characters), complexity requirements, prohibition of reused passwords, and maximum age (90-365 days). For service accounts and API keys, use short-lived credentials, key rotation policies, or secret management systems instead of static passwords.
Tools: okta, 1password, hashicorp-vault, aws-secrets-manager
3. Apply least privilege access principles
Users and service accounts should have the minimum permissions required to do their job. Use role-based access control. Avoid shared credentials. Regularly review and trim permissions. Alert on or block requests that exceed normal access patterns. Document your access control model.
Tools: aws-iam, okta, google-workspace, azure-ad
Evidence required
MFA enforcement configuration
Evidence that MFA is required and enforced for access to in-scope systems.
- Okta MFA policy configuration screenshot
- AWS IAM policy requiring MFA for console access
- Google Workspace security report showing MFA enrollment
Password policy documentation
Evidence of a configured and enforced password policy.
- Identity provider password policy configuration
- Written password policy with complexity requirements
- Secret manager configuration showing rotation schedule
Related controls
- Role-based access is used and reviewed periodically (Logical and Physical Access)
- Access credentials are issued with appropriate authorization (Logical and Physical Access)
- Physical access to facilities and systems is restricted (Logical and Physical Access)
- Access is removed or modified when no longer required (Logical and Physical Access)