System Access Controls #

Control ID: SDLC-CTRL-0015 | Type: Preventive

Summary #

All access to runtime environments requires authentication via SSO and generates full audit trails for review.

Description #

As part of normal software development, it can be necessary to gain remote access to runtime environments for debugging, running migration scripts, or inspecting the behaviour of running systems. This access must be limited to authorised personnel, and all activities performed must have full audit trails.

Access controls ensure that only authenticated, authorised individuals can interact with production systems, and that every session is logged for forensic analysis and compliance reporting.

Requirements #

  • All access to production environments MUST require authentication via single sign-on (SSO) or equivalent identity provider
  • All access sessions MUST generate audit trails recording who accessed what, when, and what actions were performed
  • Access MUST be limited to authorised personnel on a least-privilege basis
  • Access audit trails MUST be reviewed regularly
  • Remote access to production systems MUST be encrypted

How we implement this control #

Compliance Frameworks #

NIST SP 800-53 Rev. 5
  • AC-2 — Account management — governs provisioning, review, and revocation of access to production systems.
  • AC-3 — Access enforcement — requires consistent enforcement of access controls on all production environments.
  • AC-6 — Least privilege — access to runtime environments must be limited to the minimum necessary for the task.
  • AC-17 — Remote access — remote access to production systems must be controlled, monitored, and encrypted.
  • AU-3 — Content of audit records — all access activities must be logged with sufficient detail for forensic analysis.
  • AU-12 — Audit record generation — the system must generate audit records for all access to production environments.
  • IA-2 — Identification and authentication — all users must be uniquely identified and authenticated before accessing production systems.

SOC 2 Type II
  • CC6.1 — Requires logical access security over information assets; maps directly to system access control policies and enforcement mechanisms.
  • CC6.2 — Requires authentication of users before granting access; maps to SSO, MFA, and identity provider integration.
  • CC6.3 — Requires authorisation based on roles and responsibilities; maps to RBAC policies and least-privilege access models.

© Kosli 2026, all rights reserved