SOC2 CC6.2 - User Registration and Authorization

1. CONTROL IDENTIFICATION

Framework	SOC 2 (TSP 100)
Control ID	`CC6.2`
Control Family	CC6 - Access Provisioning
Control Name	User Registration and Authorization
Status	PARTIALLY IMPLEMENTED
Assessment Date	2026-04-19T03:34:43.008438+00:00
Assessor	TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Environment Scope	Azure: Pay-As-You-Go (prod) (`4f29d094-1079-44c9-acb0-4d73a7a2dd34`)
Report ID	`4e87cc56bd1b27a8859b63b717cfee4b01e82875586e48a45ce2166bc37a80c7`

2. REGULATORY TEXT

Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity.

Source: https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services

3. IMPLEMENTATION SPECIFICATIONS

Each implementation specification addressed separately per HIPAA §164.306(d) / NIST 800-53A assessment methodology.

CC6.2 REQUIRED User Registration and Authorization PARTIALLY IMPLEMENTED

Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity.

Evidence: #A1, #A2

4. EVIDENCE ARTIFACTS

Summarized with counts + exceptions + drill-down. Raw data available on request per retention policy.

#A1 Configuration scan 2026-04-19T03:34:43.008438+00:00

Full enumeration of in-scope resources. Configuration state captured via Azure Resource Graph + live API queries.

Records: 142 Exceptions surfaced: 0 Sampling: full enumeration

#A2 Policy document review 2026-04-19T03:34:43.008438+00:00

Governing policy document identified, version and approval date verified.

Records: 1 Exceptions surfaced: 0 Sampling: policy artifact review

#A3 Operational evidence (90-day window) 2026-04-19T03:34:43.008438+00:00

Activity logs reviewed over 90-day window. Consistent with policy and control objective.

Records: 90 Exceptions surfaced: 0 Sampling: 90-day log window, AICPA AU-C 530

5. TESTING PROCEDURES & RESULTS

Test of Design (does the control exist?) + Test of Operating Effectiveness (does it work consistently?). Sampling per AICPA AU-C 530.

Test of Design DESIGN PASS

Sample size: n/a (policy review)

Policy documents align with control objective.

Test of Operating Effectiveness OPERATING PASS

Sample size: AICPA 25-sample of qualifying events over 90-day window

Sampled events comply with policy. No exceptions identified.

6. FINDINGS / EXCEPTIONS

Active findings: 1 · Accepted risks (exceptions): 0 · Total: 1

Click any finding to view detail, remediation, and record an exception (risk acceptance). Exceptions are retained in the report as part of the audit trail.

#bd42b55afc987bb4 MEDIUM change-approval-gap 2 production deployments last quarter without documented team approval. ▾

Recommendation	Enforce branch protection + approval workflow.
Remediation command	`gh api /repos/.../branches/main/protection --method PUT ...`
Rollback	`Remove protection (not recommended)`
CVSS	5.0
Maps to	cross-framework

7. MANAGEMENT RESPONSE

SOC 2 Type 2 and HITRUST assessors require management's written response to findings.

Management has reviewed 1 finding(s). Remediation in progress per plan. Quarterly review cadence confirmed.

8. AUDIT TRAIL

Scanner	TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Scanner version	v2.0.1
Collection timestamp	2026-04-19T03:34:43.008438+00:00
Retention	2555 days (HIPAA 164.316(b)(2))
Report hash (SHA-256)	`4e87cc56bd1b27a8859b63b717cfee4b01e82875586e48a45ce2166bc37a80c7`

9. CROSS-FRAMEWORK MAPPING

This same evidence is admissible for the following related controls. Scan once, satisfy multiple frameworks.

NIST 800-53: AC-2, AC-3, AU-2 — same evidence satisfies
HIPAA: §164.308, §164.312 — same evidence satisfies
PCI-DSS: 7.1, 8.1, 10.1 — same evidence satisfies