For your organization to be SOC 2 compliant, it needs to satisfy five trust services criteria, ranging from information security to consumer privacy. Security is the first and foremost TSC and supports all other controls. Complying with this pillar goes beyond good password hygiene and multi-factor authentication. You also need to meet SOC 2 software timeout requirements. What does this entail?
SOC 2 requirements related to device and software timeouts appear in CC6: Common Criteria Related to Logical and Physical Access. This family of CC6 security controls requires your organization to implement reasonable user timeouts for any device, software application, platform, database, or network asset that allows access to sensitive information.
Software timeouts involve periodically logging out users from a system. Many organizations implement timeouts based on inactivity. After “X” minutes with no user input, the session ends and a new login is required.
Mobile device security can tie timeouts to the lock screen. Every time the lock screen appears, users must begin a new session.
SOC 2 security criteria don’t spell out a detailed checklist to follow for compliance. Instead, auditors evaluate the unique risks your organization faces and the effectiveness of security measures in place.
The right session timeout policies for one industry may not be ideal for another. For example, nurses who can access patient medical histories in crowded hospitals may need stricter software timeout settings than IT personnel who monitor network activity in a private office.
To create access control policies that are strong but practical for operations, your organization needs to consider several aspects of CC6 guidelines.
CC6.1 requires your organization to “implement logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.” This involves:
Businesses generally think of access control in terms of online logins, but an increasing number of organizations also need to protect against in-person cybersecurity threats. Cybercriminals can gain access through stolen physical devices just as easily as with stolen credentials.
Maintaining software security is an ongoing process, not a “set it and forget it” checklist. CC6.2 explains: “Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.”
On a large scale, this means vetting new employees, customers, and other software users. Once individuals are no longer authorized — e.g., they no longer work at your company — access credentials should be deleted immediately.
This principle also applies to software timeouts. Once users/devices become inactive, their access to the system should be removed ASAP. This also means prohibiting employees from using “trust this device” or saved credentials to log into your software.
The principle of least privilege is a cornerstone of modern cybersecurity, especially as attack surfaces seem to increase exponentially. This principle means that your company should only allow the minimum amount of access necessary for employees to do their job effectively. For example:
Mobile endpoints are notoriously difficult to secure, so your access and session logout policies need to be especially strict for smartphones, tablets, laptops, and any other devices that can connect to your network or SaaS platform.
While other SOC 2 software timeout requirements focus on improper internal access, CC6.6 highlights risks from outside the organization: “The entity implements logical access security measures to protect against threats from sources outside its system boundaries.”
Session timeouts should reasonably consider how unexpected situations can introduce vulnerabilities, such as:
The greater the risks, the stricter your session timeout and user authentication policies need to be for SOC 2 compliance. MFA and monitoring for suspicious logins are a must in high-risk scenarios.
Software timeouts are also helpful for keeping bad actors from exfiltrating sensitive data. CC6.7 requires you to “restrict the transmission, movement, and removal of information to authorized internal and external users and processes.”
This can include automatically requiring credential re-verification for certain actions, even for logged-in users. Anything related to admin settings, network assets, confidential documents, password settings, and the creation of user credentials should trigger this type of automated session timeout.
Data security best practices also include timed lockouts and flagging of failed login attempts. This helps prevent brute-force attacks, which are more dangerous now that AI systems can rapidly scale login attempts, cracking over 70% of common passwords in a day.
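The three controls discussed above, an inactivity timeout, credential re-verification before sensitive actions, and a timed lockout after repeated failed logins, as one added Python example; this is illustrative code written for this article, not Compyl's or any product's, and the policy values, action names and function names are assumptions.

```python
"""Illustrative session-timeout and lockout checks (hypothetical code, not Compyl's)."""
from dataclasses import dataclass, field

# Assumed policy values; a real policy is set from the organization's risk assessment.
IDLE_TIMEOUT = 15 * 60        # seconds without user input before the session ends
REAUTH_WINDOW = 5 * 60        # sensitive actions need a credential check this recent
MAX_FAILED_LOGINS = 5         # failed attempts before a timed lockout
LOCKOUT_SECONDS = 15 * 60     # how long the account stays locked

# Actions that must force credential re-verification even for a logged-in user (assumed names).
SENSITIVE_ACTIONS = {"change_password", "create_user", "edit_admin_settings"}


@dataclass
class Session:
    user: str
    last_activity: float   # epoch seconds of the last user input
    last_auth: float       # epoch seconds of the last successful credential check


def check_session(session: Session, action: str, now: float) -> str:
    """Return 'ok', 'expired' or 'reauth_required' for `action` at time `now`."""
    if now - session.last_activity > IDLE_TIMEOUT:
        return "expired"                      # inactivity timeout: a new login is required
    if action in SENSITIVE_ACTIONS and now - session.last_auth > REAUTH_WINDOW:
        return "reauth_required"              # step-up check for privileged actions
    session.last_activity = now               # activity keeps an otherwise-valid session alive
    return "ok"


@dataclass
class LoginGuard:
    failed: dict = field(default_factory=dict)        # user -> consecutive failed attempts
    locked_until: dict = field(default_factory=dict)  # user -> epoch seconds the lock expires

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'failed' or 'ok'; applies a timed lockout after repeated failures."""
        if self.locked_until.get(user, 0) > now:
            return "locked"                   # reject while locked, whatever the password
        if not password_ok:
            self.failed[user] = self.failed.get(user, 0) + 1
            if self.failed[user] >= MAX_FAILED_LOGINS:
                self.locked_until[user] = now + LOCKOUT_SECONDS
                self.failed[user] = 0         # counter restarts after the lock expires
                return "locked"               # a real deployment would also flag this for review
            return "failed"
        self.failed[user] = 0                 # a successful login clears the failure count
        return "ok"
```

Timestamps are passed in explicitly so the policy can be exercised without waiting on a real clock.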
Software timeouts are closely related to following a zero-trust framework. Put simply, you can’t take access control for granted.
Some employees steal. Devices get lost or stolen. Workers can carelessly leave smartphones in the open. Software timeouts help you build strong cybersecurity defenses despite these risks.
Effective cybersecurity requires detailed visualization and tracking of your organization’s vulnerabilities. Compliance platforms like Compyl help you see where you are versus where you need to be. Create custom workflows that carefully follow SOC 2 software timeout requirements. Learn more about Compyl's powerful SOC 2 compliance features today.