The purpose of this procedure is to establish guidelines for managing user access to systems and data in compliance with SOC 2 requirements. It outlines the processes for granting, modifying, and revoking user access, as well as conducting periodic user access reviews.
The policy this relates to is the Door Access Control Policy
Restricted Access
- Access to systems and data shall be restricted based on the principle of least privilege. Users shall only be granted access to the resources necessary for performing their job duties.
Administration Accounts
- Administration accounts shall be properly secured and protected. Access to administration accounts shall be granted only to authorized personnel. The use of administration accounts shall be logged and monitored.
User Validation and Authorization
- Users shall be validated and authorized before being granted access to systems. The validation process shall include verifying the identity and role of the user.
User Modification and Removal
- Requests for modifying or removing user access shall be submitted through the service desk ticketing system. The service desk will perform initial checks, set the ticket as ‘Internal’ and escalate the request to the product administrator or external administrator, if applicable.
Role-Based Access Control
- Access to systems and data shall be based on the principle of role-based access control (RBAC). The RBAC framework shall be implemented to assign access levels and permissions to users based on their roles and responsibilities.
The off-boarding process for leavers is documented here. Access to systems and data shall be promptly revoked upon an employee’s departure.
Periodic Access Reviews
- User access levels shall be periodically reviewed to ensure compliance with the principle of least privilege. The review also acts as a check that the processes above have been completed correctly for Starters, Leavers and Modifications.
Data Provision to Security Team
- The Support Manager shall provide data to the Security team in the required timeframes for the following systems:
The provided data shall assist the Security team in monitoring and auditing user access and roles.
Compliance
This procedure is designed to comply with the SOC 2 requirements related to user access management. It shall be reviewed periodically to ensure its effectiveness and adherence to applicable policies and regulations.