Prompt Details
Model
(claude-4-6-sonnet)
Token size
365
Example input
[e.g. SOC 2, ISO 27001, NIST 800-53, HIPAA, PCI-DSS, GDPR]: SOC 2 Type II
[e.g. Access Management, Privileged Accounts, User Lifecycle, Authentication, Audit & Logging]: Access Management
[CRITICAL]: Critical
Example output
CASE 01
SOC 2 — Access Management
SOC 2
framework: SOC 2 Type II
scope: Access Management
Overview
Framework Focus: CC6 — Logical & Physical Access Controls
Control Domains: Provisioning, MFA, Review, Offboarding
Audit Period: 12 months of continuous evidence required
Rating Scale: READY / PARTIAL / GAP
Compliance Checklist
Control ID | Description | Evidence | Status | Owner
CC6.1 [CRITICAL] | MFA enforced on all user accounts | MFA enrollment report | GAP | IAM
CC6.2 [CRITICAL] | Access provisioning requires manager approval | Approval workflow logs | PARTIAL | IAM
CC6.3 | Quarterly access reviews conducted | Review completion reports | READY | IAM
CC6.4 [CRITICAL] | Offboarding revokes access within 24h | Offboarding tickets + timestamps | GAP | IT
CC6.5 | Least privilege enforced by role | RBAC matrix + role definitions | PARTIAL | IAM
CC6.6 | Privileged accounts use separate credentials | PAM vault enrollment list | READY | IAM
Top 5 Common Gaps
MFA not enforced on all accounts
FIX: Enable MFA via SSO provider for all user types including service accounts.
Offboarding SLA exceeds 24 hours
FIX: Automate account disablement via HR system integration with AD/Okta.
Access reviews not documented
FIX: Implement IGA tool or structured spreadsheet process with sign-off timestamps.
No formal approval workflow for access requests
FIX: Configure ServiceNow or Jira approval workflow with audit trail.
RBAC roles not formally documented
FIX: Create and maintain a role matrix aligned to job functions.
Evidence Collection Guide
MFA enrollment report — exported from Okta / Azure AD
Access request tickets with manager approval — ServiceNow
Quarterly access review completion logs — IAM team sign-off
Offboarding tickets with timestamp of account disablement
RBAC role matrix and permission documentation
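A small evidence check for the two measurable controls in the checklist above (CC6.1 MFA coverage and the CC6.4 24-hour offboarding SLA), added here as an illustration and not part of the prompt's own output. The READY / PARTIAL / GAP thresholds and the sample export rows are assumptions.

```python
from datetime import datetime, timedelta

# Rating thresholds are an assumption, not from the checklist: READY needs every
# record to pass, PARTIAL tolerates a small tail, anything worse is a GAP.
PARTIAL_FLOOR = 0.90
OFFBOARDING_SLA = timedelta(hours=24)   # CC6.4: revoke access within 24h

def rate(passed, total):
    """Map a pass ratio onto the checklist's READY / PARTIAL / GAP scale."""
    if total == 0:
        return "GAP"          # no evidence at all cannot be rated READY
    ratio = passed / total
    if ratio == 1.0:
        return "READY"
    return "PARTIAL" if ratio >= PARTIAL_FLOOR else "GAP"

def check_mfa(enrollment_report):
    """CC6.1: every account, service accounts included, must show MFA enrolled."""
    failing = [r["user"] for r in enrollment_report if not r["mfa_enrolled"]]
    return rate(len(enrollment_report) - len(failing), len(enrollment_report)), failing

def check_offboarding(tickets):
    """CC6.4: account disablement must happen within 24h of HR termination."""
    failing = []
    for t in tickets:
        terminated = datetime.fromisoformat(t["hr_terminated"])
        disabled = t.get("account_disabled")
        # A ticket with no disablement timestamp is evidence of an open gap.
        if disabled is None or datetime.fromisoformat(disabled) - terminated > OFFBOARDING_SLA:
            failing.append(t["user"])
    return rate(len(tickets) - len(failing), len(tickets)), failing

# Constructed sample evidence (not real Okta / ServiceNow export data).
MFA_REPORT = [
    {"user": "alice", "type": "employee", "mfa_enrolled": True},
    {"user": "bob", "type": "employee", "mfa_enrolled": True},
    {"user": "svc-backup", "type": "service", "mfa_enrolled": False},
]
OFFBOARDING_TICKETS = [
    {"user": "carol", "hr_terminated": "2024-05-01T09:00:00", "account_disabled": "2024-05-01T15:30:00"},
    {"user": "dave", "hr_terminated": "2024-05-03T17:00:00", "account_disabled": "2024-05-06T10:00:00"},
    {"user": "erin", "hr_terminated": "2024-05-07T12:00:00", "account_disabled": None},
]

if __name__ == "__main__":
    for control, (status, failing) in {
        "CC6.1 MFA enforced": check_mfa(MFA_REPORT),
        "CC6.4 Offboarding within 24h": check_offboarding(OFFBOARDING_TICKETS),
    }.items():
        print(f"{control}: {status} (failing: {failing or 'none'})")
```

On the sample rows both controls rate GAP, matching the checklist's status column; the failing user lists are what an auditor would expect to see reconciled against remediation tickets.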
90-Day Audit Preparation Timeline
Day 1–30
Enable MFA for all users
Document RBAC roles
Automate offboarding
Day 31–60
Implement approval workflow
Run first access review
Collect evidence artifacts
Day 61–90
Mock audit walkthrough
Close remaining gaps
Final evidence package
Generate a complete IAM compliance checklist for any framework — SOC 2, ISO 27001, NIST, HIPAA, PCI-DSS and more. Covers controls, evidence requirements, common gaps, and a 90-day remediation timeline — audit-ready in minutes.
Added 3 days ago
