Access Control
Controls & Security · Last updated 2026-05-17

Access control is the practice of restricting which users and systems can read, modify, or execute actions on protected resources. SOC 2 audits scrutinize access control under the Common Criteria CC6 series, covering logical access security, user access provisioning and deprovisioning, authentication strength, and physical access to facilities. Strong access control programs implement the principle of least privilege, where users receive only the access required for their job function, and separation of duties, where sensitive activities require multiple people. Access reviews performed quarterly or more frequently confirm provisioned access still matches job needs. Common controls include role-based access models, multi-factor authentication on sensitive systems, just-in-time access for production environments, automated provisioning tied to HR systems, and immediate revocation when employees leave. Auditors test access control by sampling user lists, comparing them to authorized rosters, reviewing access change tickets, and verifying termination workflows fired correctly. Weak access control is the single most common source of SOC 2 exceptions and security incidents.
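The access-review step described above (comparing a system's user list against the HR roster and the role model, and checking that terminations actually revoked access) can be expressed as a small reconciliation script. The following is an added example, not code from the page or from any SOC 2 tooling; the roster, role matrix, sensitive-system list and access export are all constructed sample data, and the finding categories (UNKNOWN_USER, ORPHANED, UNAUTHORIZED, MISSING_MFA) are names chosen for this illustration.

```python
"""Quarterly access-review reconciliation (added illustration).

Joins a system access export to the HR roster and an RBAC matrix, the way
an auditor samples user lists against authorized rosters, and emits one
finding per control gap. All input data below is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employment status, role, and termination date if any.
HR_ROSTER = {
    "alice": {"role": "sre", "terminated": None},
    "bob": {"role": "support", "terminated": None},
    "carol": {"role": "sre", "terminated": date(2026, 4, 30)},
}

# Constructed RBAC matrix: the least-privilege baseline per role,
# expressed as (system, entitlement) pairs each role may hold.
ROLE_MATRIX = {
    "sre": {("prod-db", "admin"), ("ci", "write"), ("wiki", "read")},
    "support": {("ticketing", "write"), ("wiki", "read")},
}

# Constructed policy: systems where MFA is mandatory.
SENSITIVE_SYSTEMS = {"prod-db", "ci"}

# Constructed access export pulled from the target systems.
ACCESS_EXPORT = [
    {"user": "alice", "system": "prod-db", "entitlement": "admin", "mfa": True},
    {"user": "alice", "system": "ci", "entitlement": "write", "mfa": False},
    {"user": "bob", "system": "ticketing", "entitlement": "write", "mfa": True},
    {"user": "bob", "system": "prod-db", "entitlement": "admin", "mfa": True},
    {"user": "carol", "system": "ci", "entitlement": "write", "mfa": True},
    {"user": "svc-legacy", "system": "prod-db", "entitlement": "read", "mfa": False},
]

# Date the review is performed (constructed).
REVIEW_DATE = date(2026, 5, 17)


@dataclass(frozen=True)
class Finding:
    kind: str          # UNKNOWN_USER | ORPHANED | UNAUTHORIZED | MISSING_MFA
    user: str
    system: str
    entitlement: str


def review_access(roster, role_matrix, export, sensitive, review_date):
    """Return one Finding per access row that violates the control set."""
    findings = []
    for row in export:
        user, system, ent, mfa = row["user"], row["system"], row["entitlement"], row["mfa"]
        record = roster.get(user)
        if record is None:
            # Account with no HR owner: cannot be tied to a job function.
            findings.append(Finding("UNKNOWN_USER", user, system, ent))
            continue
        term = record["terminated"]
        if term is not None and term <= review_date:
            # Termination workflow did not revoke this access.
            findings.append(Finding("ORPHANED", user, system, ent))
            continue
        allowed = role_matrix.get(record["role"], set())
        if (system, ent) not in allowed:
            # Entitlement exceeds the role's least-privilege baseline.
            findings.append(Finding("UNAUTHORIZED", user, system, ent))
        if system in sensitive and not mfa:
            # Sensitive system reachable without a second factor.
            findings.append(Finding("MISSING_MFA", user, system, ent))
    return findings


def run_review():
    """Run the reconciliation over the constructed sample data."""
    return review_access(HR_ROSTER, ROLE_MATRIX, ACCESS_EXPORT,
                         SENSITIVE_SYSTEMS, REVIEW_DATE)


def summarize(findings):
    """Count findings by kind, which is what an auditor's exception list rolls up to."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:<13} {f.user:<11} {f.system}:{f.entitlement}")
    print(summarize(run_review()))
```

On the constructed data the review surfaces four exceptions: a service account with no HR owner, a terminated engineer whose CI access was never revoked, a support user holding production database admin outside their role, and an SRE reaching CI without MFA. Each maps directly to an auditor test named in the entry (roster comparison, termination workflow check, role authorization, authentication strength).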