SOC 2 Controls: Access Removal for Terminated or Transferred Users

Controls are the procedures, processes, and systems your business uses to drive its operations and to meet the requirements of regulations, standards, and recommendations such as those that make up SOC 2. Controls both define and enforce your business policies and, when implemented well and enforced consistently, help to mitigate risk. This is part of an occasional series of posts focused on specific SOC 2 controls.

What this Control Does: This SOC 2 control focuses on ensuring the timely removal of access rights from users who have been terminated and those who have been transferred to new roles. The control also stipulates that removal or revision of access rights takes place in a timely fashion, typically within one business day, and is both verified and documented.

An example of how this control might be worded appears below. Again, work with your auditor to ensure your control wording is sufficiently precise and comprehensive to meet auditor expectations and requirements.

Example Wording:

  1. Systems access that is no longer required for terminated or transferred users is removed within one business day.
  2. For terminated employees, access to key IT systems is revoked in a timely manner.
  3. A termination checklist and ticket are completed, and access is revoked for employees as a component of the employee termination process.
  4. Upon termination during the exit interview process, access to production systems, tools, and network access is removed in accordance with access control policies.
  5. User access to Company systems is revoked within 24 hours of the employee record being terminated (deactivated) in the HR System by Human Resources.

Who It Affects: Those in IT responsible for access management and those in human resources (HR), human capital management (HCM), or equivalent roles.

Why It Matters: In November 2021, an employee of the South Georgia Medical Center quit, then downloaded and leaked private patient information the next day. The Center had to provide patients with free credit monitoring and identity restoration services.

In January 2021, four lawyers of Delaware’s Elliot Greenleaf law firm decided to help a competing firm launch a new office. To jump-start their efforts, they stole the Elliot Greenleaf client database and volumes of information about work projects and pleadings at the firm, then deleted emails that contained evidence of their theft. While the firm recovered most of the emails, its ability to compete was so damaged that it was forced to close one of its Delaware offices.

When users are terminated or transferred, but their access is left in place, that access becomes a possible entry point for malfeasance. For example, the disgruntled user could steal data, disrupt systems, or sell their credentials to criminals. This control helps to mitigate the risks associated with unauthorized access. The control also addresses four specific SOC 2 Common Criteria: Logical Access Security (CC6.1), User System Credentials (CC6.2), Role-Based Access (CC6.3), and Secure Device Disposal (CC6.5).

How to Implement This Control

Users should only have access to systems they need, and only for as long as they need that access. When someone is terminated, all access should be removed. When someone is transferred, their old boss should remove access, and the new boss should add access.

These steps are easy if your company uses a central identity access and management (IAM) solution and federated identities that securely manage each authorized user’s identity across multiple systems. At Trustero, for example, we handle most of our IAM and identity federation needs with Google Workspace. Larger enterprises use solutions such as Microsoft’s Active Directory for IAM and Okta for federated identity management.

Whatever tools you choose, implementing this control effectively and consistently requires accurate, comprehensive, and timely knowledge about each user’s authorized access. Compliance also requires accurate and timely information about each user’s status as an employee, especially when that status changes. Access and HR/HCM managers must also ensure they share the information they need without infringing on any user’s privacy or lessening the protection of their personally identifiable information (PII).

You must ensure your IT and HR/HCM managers have clear and effective lines of communication and collaboration. You also need to ensure that IT has accurate and up-to-date information about all authorized users, their access rights, and their devices. Real-time monitoring of access attempts across your network is also essential to confirm the timely termination of removed access rights and flag unauthorized access attempts.

You will also need clear, documented, and enforced policies that spell out the circumstances under which access rights are terminated or changed. These should be incorporated into onboarding content, and employee manuals provided by your HR/HCM team should be reviewed regularly and updated whenever there are changes in your IT access methods or relevant employment-related policies, procedures, or processes.

To satisfy your auditor, you will need to show that you have effective access removal policies in place and that these policies are being followed and enforced. Therefore, your chosen compliance automation solution should include straightforward and flexible features for generating credible reports on demand. For example, suppose you are using Jira tickets to track access removals. In that case, you should add a consistent Jira “label” to each ticket to generate a report of all relevant activity for your auditor.

These elements will help you manage access termination consistently and improve the overall cybersecurity of your environment. They will also help strengthen your overall access management efforts, which are critical to achieving and sustaining SOC 2 compliance.

How Trustero Can Help

Trustero Compliance as a Service includes multiple features to help you implement the Access Removal for Terminated or Transferred Users control and to demonstrate compliance with its requirements to your auditor credibly and on-demand. The solution’s user interface consolidates the description of the control, information about it and its status, and the ability to test compliance with it on a single screen in plain, clear language.