SOC 2 · CC6
CC6 · Access Controls
11 controls in this family.
SOC2-CC6-MFA
Multi-Factor Authentication (MFA)
Requirement for a second authentication factor for all access to production systems, cloud consoles, VPNs, and identity providers.
Testing: Quarterly

SOC2-CC6-PAM
Privileged Access Management
Controls governing the granting, use, and monitoring of privileged (admin/root) access to production systems and cloud infrastructure.
Testing: Monthly

SOC2-CC6-PROVISIONING
User Provisioning and Deprovisioning
Formal process for granting system access when employees join or change roles, and revoking it within 24 hours of termination.
Testing: Per offboarding event

SOC2-CC6-ACCESS-REVIEWS
Quarterly Access Review Process
Structured review of all user accounts and their access rights to confirm appropriateness and remove stale or excessive permissions.
Testing: Quarterly

SOC2-CC6-PHYSICAL-ACCESS
Physical Access Controls
Controls restricting physical access to offices, data centers, and server rooms to authorized personnel only.
Testing: Monthly

SOC2-CC6-ACCESS-BOUNDARY
Logical and Physical Access Boundary Controls
Network and infrastructure controls that enforce boundaries between public-facing systems, internal networks, and restricted production environments.
Testing: Quarterly

SOC2-CC6-FIREWALL
Firewall and Network Security
Firewall rules and network monitoring controls that restrict unauthorized network traffic into and between systems.
Testing: Quarterly

SOC2-CC6-ENCRYPTION-REST
Encryption at Rest
Encryption of all data at rest in databases, object storage, and backups using industry-standard algorithms.
Testing: Monthly

SOC2-CC6-ENCRYPTION-TRANSIT
Encryption in Transit (TLS)
Enforcement of TLS 1.2+ for all data transmitted over networks, including internal service-to-service communication.
Testing: Quarterly

SOC2-CC6-ENDPOINT
Endpoint Protection (EDR/Antivirus)
Endpoint detection and response software on all corporate laptops and workstations used to access production systems or customer data.
Testing: Weekly

SOC2-CC6-REMOTE-ACCESS
Remote Access VPN Policy
Policy and technical enforcement requiring VPN use for access to internal systems and production environments from outside the corporate network.
Testing: Quarterly