Content library
SOC 2 (Systems and Organization Controls)
CC6.6: Logical access security measures against threats from sources outside system boundries

Requirement description

The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

Points of focus:

- Restricts Access
- Protects Identification and Authentication Credentials
- Requires Additional Authentication or Credentials
- Implements Boundary Protection Systems

How to fill the requirement

SOC 2 (Systems and Organization Controls)

CC6.6: Logical access security measures against threats from sources outside system boundries

Task name
Priority
Status
Theme
Policy
Other requirements
Use of multi-factor authentication for important data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
36
requirements

Examples of other requirements this task affects

Članak 30.1.i (Pristup): Politike kontrole pristupa
NIS2 Croatia
Članak 30.1.j: Korištenje višefaktorske provjere autentičnosti ili rješenja kontinuirane provjere autentičnosti
NIS2 Croatia
9.7 §: Pääsynhallinta, todentaminen ja MFA
Kyberturvallisuuslaki
4.1.2: Security of authentication
TISAX
30 § 3.10°: D'authentification à plusieurs facteurs
NIS2 Belgium
See all related requirements and other information from tasks own page.
Go to >
Use of multi-factor authentication for important data systems
1. Task description

Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.

For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).

Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.

Use and evaluation of password management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
23
requirements

Examples of other requirements this task affects

Članak 30.1.i (Pristup): Politike kontrole pristupa
NIS2 Croatia
Članak 30.1.j: Korištenje višefaktorske provjere autentičnosti ili rješenja kontinuirane provjere autentičnosti
NIS2 Croatia
9.7 §: Pääsynhallinta, todentaminen ja MFA
Kyberturvallisuuslaki
30 § 3.9° (l'accès): Contrôle d'accès
NIS2 Belgium
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Use and evaluation of password management system
1. Task description

The password management system allows the user in a registration situation to decide how complex a password is to be set this time and to remember it on behalf of the user.

When using the password management system, e.g. the following principles:

  • the system will force the use of unique passwords in the future
  • the system warns the user to change old recurring passwords
  • the system forces you to choose passwords that are complex enough, of high quality
  • the system forces the user to change the temporary password the first time they log on
  • the system forces you to change the password that may have been compromised in the data leak
  • the system prevents the same passwords from being reused
  • the system keeps password files separate from other data and strongly encrypted
Personnel guidelines for safe data system and authentication info usage
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system management
34
requirements

Examples of other requirements this task affects

Članak 30.1.j: Korištenje višefaktorske provjere autentičnosti ili rješenja kontinuirane provjere autentičnosti
NIS2 Croatia
9.7 §: Pääsynhallinta, todentaminen ja MFA
Kyberturvallisuuslaki
4.1.3: Management of users in data systems
TISAX
30 § 3.10°: D'authentification à plusieurs facteurs
NIS2 Belgium
PR.AC-7: Identities are proofed, bound to credentials and asserted in interactions.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Personnel guidelines for safe data system and authentication info usage
1. Task description

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Personnel guidelines for avoiding phishing
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Email and phishing
Email and web browser
9
requirements

Examples of other requirements this task affects

13.2.1: Information transfer policies and procedures
ISO 27001
13.2.3: Electronic messaging
ISO 27001
PR.AT-1: Awareness
NIST
HAL-12: Ohjeet
Julkri
5.14: Information transfer
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Personnel guidelines for avoiding phishing
1. Task description

The organization has developed guidelines for staff that define the acceptable use of various communication services and aim to prevent the disclosure of confidential information to, for example, a phisher or other third parties.

Choosing and using network protection systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Virtualization
12
requirements

Examples of other requirements this task affects

PR.PT-4: Communications and control networks
NIST
ARCHITECTURE-2: Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2
CC6.6: Logical access security measures against threats from sources outside system boundries
SOC 2
6.11: Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta
Tietoturvasuunnitelma
3.1.1: Management of secure areas
TISAX
See all related requirements and other information from tasks own page.
Go to >
Choosing and using network protection systems
1. Task description

Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.

An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The techniques should be suitable for controlling physical, logical and administrative controls.

Network areas and structurally secure network design
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
21
requirements

Examples of other requirements this task affects

13.1.3: Segregation in networks
ISO 27001
PR.AC-5: Network integrity
NIST
8.22: Segregation of networks
ISO 27001
ARCHITECTURE-2: Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2
CC6.6: Logical access security measures against threats from sources outside system boundries
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Network areas and structurally secure network design
1. Task description

An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.

Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:

  • trust level (eg public, workstations, server)
  • organizational units (eg HR, financial management)
  • or by some combination (for example, a server domain that is connected to multiple organizational units)

Separation can be implemented either with physically separate networks or with logically separate networks.

Network usage log and process for detecting inappropriate network traffic
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
26
requirements

Examples of other requirements this task affects

I11: Poikkeamien havainnointikyky ja toipuminen
Katakri
12.4.1: Event logging
ISO 27001
13.1.1: Network controls
ISO 27001
PR.AC-3: Remote access management
NIST
PR.AC-5: Network integrity
NIST
See all related requirements and other information from tasks own page.
Go to >
Network usage log and process for detecting inappropriate network traffic
1. Task description

An appropriate log is generated from the use of the network to enable the detection of actions relevant to cyber security.

The normal state of network traffic (traffic volumes, protocols, and connections) is known. In order to detect anomalies, there is a procedure for detecting events that are different from the normal state of network traffic (for example, anomalous connections or their attempts).

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.