Document ID: SOC2-ACP-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: CISO / Head of Engineering
Purpose
This policy governs logical access to [Organisation Name]'s production systems, customer data, and infrastructure. It implements the access-related Common Criteria (CC6.1, CC6.2, CC6.3) required for SOC 2 Type II compliance.
1. Access Provisioning
All access to production systems must follow this process:
- Request: Employee or manager submits an access request via [ticketing system]
- Approval: System owner or CISO approves based on role and need-to-know
- Provisioning: IT/DevOps provisions access at the minimum required level
- Documentation: Access is recorded in the Access Register with date and approver
- Notification: Employee is notified of the access granted and of acceptable use obligations
Provisioning SLAs
| Access Type | SLA |
|---|---|
| Standard employee access | 1 business day |
| Production system access | 2 business days (requires CISO approval) |
| Privileged / admin access | 3 business days (requires two approvers) |
| Emergency access | Within 2 hours (requires post-hoc review within 24 hours) |
2. Least Privilege Principle
Access must be granted at the minimum level required to perform the user's role. Access rights must not be accumulated over time: when a role changes, previous access that is no longer required must be revoked within 5 business days.
| Role | Typical Access Level |
|---|---|
| Engineer | Read/write to assigned services; no prod database direct access |
| Senior Engineer | Read/write to assigned services; read-only prod database access |
| DevOps / SRE | Infrastructure access; no direct customer data access |
| CISO / Security | Audit access across all systems; no routine data processing access |
| Customer Support | Read-only access to customer records required for support; no bulk export |
3. Multi-Factor Authentication (MFA)
MFA is mandatory for all access to in-scope systems:
| System | MFA Requirement |
|---|---|
| AWS / Azure / GCP console | Required (hardware token or TOTP for production) |
| SSO / Identity provider | Required (all users) |
| VPN | Required (all users) |
| Production database access | Required (jump host + MFA) |
| Code repositories (GitHub) | Required (all users) |
| Customer support tools | Required (all users) |
| Internal tools (staging/dev) | Required |
Exceptions to MFA require CISO approval and a compensating control. Exceptions must be reviewed every 90 days.
4. Privileged Access Management
Privileged accounts (admin, root, IAM admin, database superuser) are subject to additional controls:
- Just-in-time access: Privileged access is granted temporarily for specific tasks and revoked immediately afterwards
- Session recording: All privileged sessions are recorded and retained for 12 months
- Dual approval: Production changes requiring privileged access require a second approver
- Dedicated accounts: Privileged tasks use dedicated accounts separate from day-to-day user accounts
- No shared credentials: Shared admin accounts are prohibited; all access must be attributable to an individual
5. Access Reviews
| Review Type | Frequency | Responsible |
|---|---|---|
| All production system access | Quarterly | System owners |
| Privileged access | Monthly | CISO |
| Third-party / vendor access | Quarterly | Vendor manager |
| Dormant accounts (no login 30+ days) | Monthly | IT Admin |
| Departing employee access | Within 24 hours of departure | HR + IT |
Access review findings must be remediated within 10 business days. Unresolved findings are escalated to CISO.
6. Offboarding
When an employee or contractor leaves:
| Timeline | Action |
|---|---|
| Immediately on departure | SSO account disabled; physical access revoked |
| Within 1 hour | VPN and remote access revoked |
| Within 4 hours | Production system access revoked |
| Within 24 hours | All remaining access reviewed and revoked; access register updated |
| Within 5 days | Equipment returned and wiped |
HR is responsible for notifying IT of all departures. Emergency departures (terminations for cause) require immediate action.
7. Remote Access
- All remote access to production systems must be via VPN or approved jump host
- Remote access is subject to the same MFA requirements as on-site access
- Personal devices may not be used to access production systems without enrolled MDM
- Access via unmanaged networks (public WiFi) requires VPN at all times
8. Review
This policy is reviewed annually and after significant access-related incidents or audit findings.
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [Author] | Initial issue |