Interactive Training Module · Compliance Configuration

Preparing Delinea for SOC 1 & SOC 2 Audits

This guide maps Delinea's Privileged Access Management settings directly to AICPA Trust Service Criteria controls — giving you the exact configuration steps and evidence artefacts your external auditors will request.

CC6 · Logical & Physical Access Controls
Restricts logical access to information assets and manages user authentication, authorisation, and the entire access lifecycle from provisioning to de-provisioning.
9 Delinea configuration items
CC7 · System Operations
Detects and monitors threats, manages security incidents, and ensures system performance through continuous monitoring and logging of privileged activity.
8 Delinea configuration items
CC9 · Risk Mitigation
Identifies and mitigates risks from vendor relationships, business partners, and processes that handle sensitive credentials and privileged accounts.
5 Delinea configuration items

How to use this guide

Work through each tab in order. The Checklist tab contains every configuration item you need to verify or enable in Delinea Secret Server or Privileged Behaviour Analytics. Check items off as you complete them — your progress is tracked automatically. The Controls Map cross-references each setting to its specific Trust Service Criteria sub-criterion. The Audit Reports tab shows how to generate the evidence packages your auditors will request.

Before you begin: Ensure you have Delinea Secret Server v11.4+ or Delinea Platform (cloud). Some items — such as Privileged Behaviour Analytics and SIEM integration — require the Advanced or Platinum licence tier. Verify your entitlements before the audit window opens.
SOC 1 vs SOC 2: SOC 1 (SSAE 18) focuses on controls relevant to a user entity's internal control over financial reporting. SOC 2 assesses the five Trust Service Criteria. Most Delinea configurations are relevant to both — items specific to financial-system access are marked SOC 1 in the checklist.
Tip: A SOC 2 Type II report covers a minimum observation period of six months. Begin configuring Delinea at least six months before your target audit report date so auditors can evaluate controls in operation, not just their existence.
Configuration Checklist
Verify or enable each setting in Delinea Secret Server / Delinea Platform. Click any item to expand the step-by-step instructions.
CC6 · Logical & Physical Access Controls (9 items)
Enable Role-Based Access Control (RBAC) for all Secret Server roles
Ensure every user account is assigned the minimum necessary role — no shared Administrator accounts. Maps to CC6.1 (logical access provisioning based on least privilege).
Admin > Users & Groups > Roles > Assign Roles
Step-by-step:
  • Navigate to Admin → Users & Groups → Roles and audit all existing roles.
  • Create role definitions mapping to job functions: Auditor, Secret Owner, Help Desk, Administrator.
  • Under each user account, verify Role Assignment reflects actual job function.
  • Remove the built-in Administrator role from all regular service accounts.
  • Document role matrix and save as audit artefact (Role Assignment Report).
Enforce Multi-Factor Authentication (MFA) on all privileged accounts
MFA must be required for all accounts with access to Secrets. Maps to CC6.1 and CC6.6 (logical access restricted to authorised users via authentication).
Admin > Configuration > Login > Enable Two-Factor Authentication
Step-by-step:
  • Go to Admin → Configuration → Login.
  • Set Require Two Factor Authentication to Yes for all users.
  • Configure approved providers: Duo Security, TOTP (Authenticator apps), or RADIUS.
  • Under Admin → Users, verify no accounts have MFA exemptions (check Two Factor column).
  • For break-glass accounts, document the exemption and compensating control in a risk acceptance.
Configure automatic Secret expiry and rotation schedules
Passwords for all privileged accounts must rotate on a defined schedule. Maps to CC6.1 (management of credentials over their lifecycle).
Admin > Secret Policy > Password Requirements > Expiration Interval
Recommended schedules by account type:
  • Domain Admin accounts: rotation every 30 days.
  • Service accounts: rotation every 90 days (or via RPC heartbeat on change).
  • Local admin accounts: rotation every 60 days.
Step-by-step:
  • Navigate to Admin → Secret Templates, open each template, click Security, set Expiration Enabled to Yes and enter the interval.
  • Apply a Secret Policy with these settings to the relevant Secret folders.
Enable Checkout (Check-Out Enabled) and enforce single-user access
Prevents concurrent access to the same Secret, providing a clear chain of custody for privileged credential use. Maps to CC6.3 (access restriction to authorised individuals).
Admin > Secret Policy > Check Out > Check Out Enabled
Step-by-step:
  • Navigate to Admin → Secret Policy, create or edit the policy applied to privileged-account secrets.
  • Set Check Out Enabled = Enforced.
  • Set Change Password on Check In = Enforced (rotates immediately after each use).
  • Set a Check Out Interval — recommend 2 hours for human access, 8 hours for automated scripts with approval.
  • Apply the policy to all sensitive Secret folders via Folder → Edit → Secret Policy.
Configure approval workflows for sensitive Secrets
Requires manager/owner approval before high-risk credentials are accessed. Maps to CC6.3 and CC6.6 (authorisation controls).
Admin > Secret Policy > Approval > Requires Approval For Access
Step-by-step:
  • In the relevant Secret Policy, set Requires Approval For Access = Enforced.
  • Configure Approvers — assign the Secret Owner group or a named manager account.
  • Enable email notifications for both approval requests and approvals granted.
  • For emergency access, configure Allow Emergency Access with a 15-minute time limit and mandatory reason field.
  • Test the workflow end-to-end and document the approval notification trail.
Enforce session recording for all Remote Desktop and SSH launchers
Video and keylogging session records provide irrefutable access audit trails. Maps to CC6.8 (monitoring of access activity).
Admin > Configuration > Session Recording > Enable Session Recording
Step-by-step:
  • Navigate to Admin → Configuration → Session Recording.
  • Set Enable Session Recording = Yes.
  • Configure the session recording server path and sufficient disk retention (minimum 90 days for SOC 2).
  • In each Launcher template (RDP, SSH, Web), enable Record Session in the Launcher settings tab.
  • Apply Secret Policy with Session Recording = Enforced to all production server Secrets.
Configure user access reviews (periodic recertification)
Access reviews confirm that provisioned access is still appropriate. Maps to CC6.2 (prior to issuing system credentials and granting system access).
Reports > User Audit > Export Role & Group Assignments
Process (quarterly cadence recommended):
  • Run Reports → User Audit → Users With Roles, export to CSV.
  • Run Reports → Secret Access → Secrets by User, export to CSV.
  • Distribute reports to respective Secret owners for review and sign-off.
  • Remove or downscope any accounts flagged as no longer needing access.
  • Retain sign-off records (email or ticketing) as audit evidence.
Enable Active Directory synchronisation for user lifecycle management
Automatically disables Delinea accounts when employees are removed from AD. Maps to CC6.2 (termination of access upon departure).
Admin > Directory Services > Active Directory > Enable Synchronisation
Step-by-step:
  • Go to Admin → Directory Services → Active Directory and enable synchronisation.
  • Set sync interval to 15 minutes (or real-time via ILM connector).
  • Under Sync Options, enable Disable users in Secret Server when disabled in Active Directory.
  • Verify the service account used for sync has read-only AD permissions (document this).
  • Test by disabling a test account in AD and confirming the Delinea account is disabled within one sync cycle.
Set account lockout and password complexity policies
Local Delinea accounts must enforce strong authentication baseline controls. Maps to CC6.6 (protection against brute-force attacks).
Admin > Configuration > Login > Local User Password Requirements
Minimum recommended settings:
  • Minimum password length: 16 characters.
  • Require uppercase, lowercase, digit, and special character: Yes.
  • Maximum login failures before lockout: 5 attempts.
  • Lockout duration: 30 minutes (or require admin unlock).
  • Password history: enforce last 24 passwords cannot be reused.
CC7 · System Operations (8 items)
Enable comprehensive audit logging (System Log)
Every privileged action must be logged with user, timestamp, and action type. Maps to CC7.2 (monitoring of the system to detect anomalies).
Admin > Configuration > Application Settings > Enable Detailed Audit Log
Step-by-step:
  • Navigate to Admin → Configuration → Application Settings.
  • Enable Detailed Audit Log = Yes.
  • Set log retention to a minimum of 365 days (SOC 2 Type II requires the full observation period plus buffer).
  • Verify logs capture: Secret View, Edit, Create, Delete, Check Out, Check In, Launch, and Login events.
  • Configure database log archival or export to prevent log purging before retention period ends.
Configure SIEM integration (Syslog / CEF export)
Forwards Delinea events to your SIEM for centralised anomaly detection and correlation. Maps to CC7.2 and CC7.3 (detection and analysis of security incidents).
Admin > Configuration > Security > SIEM / Syslog
Step-by-step:
  • Navigate to Admin → Configuration → Security → Syslog/SIEM.
  • Enter the SIEM IP address, port, and select protocol (TCP/UDP) and format (CEF or Syslog).
  • Select event categories to forward: at minimum Security Events, Secret Activity, System Log.
  • Test the connection using the built-in Test button and verify events appear in your SIEM within 2 minutes.
  • In your SIEM, create alerts for: multiple failed logins, bulk Secret views, and after-hours access.
Enable Privileged Behaviour Analytics (PBA) alerts
PBA detects abnormal access patterns such as bulk secret views, off-hours access, and impossible travel. Maps to CC7.2 (anomaly detection).
Admin > Privileged Behaviour Analytics > Configuration > Enable PBA
Minimum alert rules to configure:
  • Enable PBA under Admin → Privileged Behaviour Analytics → Configuration.
  • Configure Unusual Secret Access Volume — alert if a user views >20 secrets in 1 hour.
  • Configure After-Hours Access — alert on access outside 07:00–19:00 local time.
  • Configure Access from New IP — alert when a known user logs in from an unrecognised IP range.
  • Set alert notification to the Security Operations team email and Slack/Teams webhook.
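The SIEM alert rules and the PBA thresholds listed in the two items above, implemented as detection logic over exported events. This is an added example, not Delinea's own code: the CEF header values and extension keys (suser, act, src, rt), the 30-minute failed-login window, the 10.0.0.0/8 corporate range and the sample events are all constructed for illustration.

```python
"""Apply the SIEM/PBA alert rules from this checklist to exported events."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the checklist above.
FAILED_LOGIN_THRESHOLD = 5                   # same as the lockout threshold
FAILED_LOGIN_WINDOW = timedelta(minutes=30)  # assumed window, not stated on the page
BULK_VIEW_THRESHOLD = 20                     # alert when a user views >20 secrets in 1 hour
BULK_VIEW_WINDOW = timedelta(hours=1)
BUSINESS_HOURS = (7, 19)                     # 07:00-19:00 local time
KNOWN_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range

# The CEF header values and extension keys (suser, act, src, rt) are constructed
# for this example; they are not Delinea's documented export schema.
def _cef(ts, signature, name, user, act, src):
    return (f"CEF:0|Delinea|Secret Server|11.4|{signature}|{name}|5|"
            f"suser={user} act={act} src={src} rt={ts.isoformat()}")

BASE = datetime(2026, 3, 2, 10, 0)
SAMPLE_CEF = (
    # alice views 21 secrets within 40 minutes
    [_cef(BASE + timedelta(minutes=2 * i), "100", "Secret View", "alice", "VIEW", "10.1.2.3")
     for i in range(21)]
    # bob fails to log in five times in five minutes
    + [_cef(BASE + timedelta(minutes=i), "200", "Login Failure", "bob", "LOGIN_FAIL", "10.1.2.4")
       for i in range(5)]
    # carol logs in at 22:15 local time
    + [_cef(BASE.replace(hour=22, minute=15), "201", "Login", "carol", "LOGIN", "10.1.2.5")]
    # dave logs in from an address outside the corporate range
    + [_cef(BASE + timedelta(minutes=30), "201", "Login", "dave", "LOGIN", "203.0.113.7")]
)

EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_cef(line):
    """Split a CEF line into its 7 header fields plus key=value extensions."""
    fields = line.split("|", 7)
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    ext = dict(EXT_RE.findall(fields[7]))
    return {"name": fields[5], "user": ext["suser"], "act": ext["act"],
            "src": ext["src"], "time": datetime.fromisoformat(ext["rt"])}

def evaluate(lines):
    """Return (rule, user, detail) alerts; each rule fires once per user."""
    events = sorted((parse_cef(line) for line in lines), key=lambda e: e["time"])
    windows = defaultdict(deque)   # (rule, user) -> timestamps inside the window
    fired, alerts = set(), []

    def in_window(key, ts, window):
        queue = windows[key]
        queue.append(ts)
        while ts - queue[0] > window:   # drop events older than the window
            queue.popleft()
        return len(queue)

    def fire(rule, user, detail):
        if (rule, user) not in fired:
            fired.add((rule, user))
            alerts.append((rule, user, detail))

    for ev in events:
        user, ts = ev["user"], ev["time"]
        if ev["act"] == "LOGIN_FAIL":
            n = in_window(("failed_login", user), ts, FAILED_LOGIN_WINDOW)
            if n >= FAILED_LOGIN_THRESHOLD:
                fire("failed_login", user, f"{n} failed logins in 30 min")
        if ev["act"] == "VIEW":
            n = in_window(("bulk_view", user), ts, BULK_VIEW_WINDOW)
            if n > BULK_VIEW_THRESHOLD:
                fire("bulk_view", user, f"{n} secret views in 1 hour")
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            fire("after_hours", user, f"activity at {ts:%H:%M}")
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in KNOWN_RANGES):
            fire("new_ip", user, f"source {src} outside known ranges")
    return alerts

if __name__ == "__main__":
    for rule, user, detail in evaluate(SAMPLE_CEF):
        print(f"{rule:<13} {user:<6} {detail}")
```

Run against a real Syslog/CEF export only after confirming the actual field names in your Delinea output; the rule logic is independent of the key names.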
Configure heartbeat monitoring for managed accounts
Heartbeat continuously verifies that managed passwords in Delinea are synchronised with the target system. Detects out-of-sync credentials. Maps to CC7.1 (monitoring of system performance).
Admin > Secret Templates > [Template] > Heartbeat > Enable Heartbeat
Step-by-step:
  • Open Admin → Secret Templates, select each active template (Windows, Unix, SQL, etc.).
  • On the Heartbeat tab, set Heartbeat Enabled = Yes.
  • Set heartbeat interval to 4 hours for privileged accounts, 24 hours for service accounts.
  • Configure alerting on heartbeat failure: Admin → Configuration → Email → Heartbeat Failure.
  • Review the Heartbeat Status report monthly and remediate any accounts in "Heartbeat Failed" state.
Enable SSH key management and rotation
SSH keys used for privileged access to Unix/Linux systems must be managed and rotated. Maps to CC7.1 (management of technical vulnerabilities).
Admin > Secret Templates > Unix Account (SSH Key Rotation)
Step-by-step:
  • Use the built-in Unix Account (SSH Key Rotation) template in Secret Server.
  • For each SSH key Secret, configure Key Rotation Enabled = Yes with a 90-day rotation schedule.
  • Ensure the Discovery Scanner is configured to find unmanaged SSH keys on target hosts.
  • Run the SSH Key Discovery report to identify any SSH keys not yet onboarded into Delinea.
  • Enrol all discovered keys and confirm rotation works via a test rotation on a non-production host first.
Configure automated account discovery scanning
Discovery ensures all privileged accounts are onboarded — preventing shadow admin accounts. Maps to CC7.1 (identification of vulnerabilities/unmanaged assets).
Admin > Discovery > Configure Discovery Sources > Enable Scheduled Scans
Step-by-step:
  • Navigate to Admin → Discovery → Discovery Sources and configure an Active Directory source for your domain.
  • Configure additional sources for Unix/Linux (SSH), Databases, and Network Devices as applicable.
  • Set scan schedule to weekly at minimum — daily scans recommended for production environments.
  • Review the Discovery → Unmanaged Accounts report and onboard or document justification for each unmanaged account.
  • Set up alerting for new accounts discovered: Admin → Event Subscriptions → Discovery Account Found.
Configure backup and disaster recovery for Secret Server
Backup configurations ensure business continuity — an availability control. Maps to CC7.4 (response to and recovery from identified security incidents).
Admin > Backup > Configure Backup Settings > Enable Automatic Backup
Step-by-step:
  • Navigate to Admin → Backup and enable Automatic Backup.
  • Set backup frequency to Daily with a nightly window (e.g., 02:00).
  • Configure an off-server backup location (UNC path or cloud storage) — never store backups on the same host.
  • Test a restore from backup quarterly and document the restore test in your DR runbook.
  • Ensure backup encryption key is stored separately (e.g., in a hardware key vault), not alongside the backup.
Enable change management notifications for Secret configuration changes
Event subscriptions alert the security team when critical Secret Server configuration is modified. Maps to CC7.3 (monitoring for unauthorised changes).
Admin > Event Subscriptions > Create Subscription > System Configuration Changed
Key events to subscribe to:
  • Navigate to Admin → Event Subscriptions → Create Subscription.
  • Subscribe to: Configuration Changed, Role Created/Modified/Deleted, User Created/Deleted.
  • Subscribe to: Secret Policy Changed, Folder Permission Changed, Secret Deleted.
  • Set notification destination to the Security team distribution group and SIEM (via email-to-SIEM bridge if required).
  • Retain event subscription emails or SIEM alerts as evidence of monitoring in operation.
CC9 · Risk Mitigation (5 items)
Configure Secret Server service account with least-privilege AD permissions
The account Delinea uses to manage passwords must have only the AD permissions it requires — no Domain Admin. Maps to CC9.1 (vendor/partner risk — limiting exposure of the PAM platform itself).
Active Directory > Service Account OU > Delegate Control
Required AD permissions only:
  • Create a dedicated service account, e.g. SVC_DelineaSSPM, in a protected OU.
  • Grant: Read all properties, Reset Password, Write lockoutTime on the target OUs only.
  • Do NOT grant: Domain Admin, Enterprise Admin, or Schema Admin.
  • Document the delegation in an Active Directory Delegation Matrix and sign it off by the AD administrator.
  • Rotate the service account password via Delinea itself and monitor its use in AD audit logs.
Enable IP whitelisting / allowlisting for Secret Server admin access
Restricts administrative access to the Delinea console to trusted IP ranges only, reducing attack surface. Maps to CC9.2 (controls over risk of third-party and network access).
Admin > Configuration > Security > IP Address Restrictions
Step-by-step:
  • Navigate to Admin → Configuration → Security → IP Address Restrictions.
  • Add the corporate network CIDR range(s) to the allowlist.
  • Add the VPN exit node IP(s) to allow remote admin access via VPN.
  • Enable Restrict to Allowlisted IPs Only and test from both an allowed and a blocked IP.
  • Document the approved IP ranges in a network architecture diagram for auditor evidence.
Document and manage API application accounts (Application Credentials)
Third-party integrations accessing Delinea via API must use dedicated application accounts with scoped permissions. Maps to CC9.1 (management of third-party service providers).
Admin > Users > Application Accounts > Create Application Account
Step-by-step:
  • For every system integrating with Delinea API (CI/CD, ticketing, scripts), create a dedicated Application Account in Admin → Users → Application Accounts.
  • Assign the application account only to the specific Secret folders it requires access to.
  • Enable Token Authentication with a short token expiry (30–60 minutes) where the integration supports it.
  • Maintain an Application Account Register (spreadsheet) documenting: account name, system, owner, last reviewed date.
  • Review the register quarterly and remove accounts for decommissioned systems promptly.
Enable TLS 1.2+ and disable legacy protocols
All communications to and from Delinea Secret Server must use modern TLS. Disabling TLS 1.0/1.1 reduces cryptographic risk. Maps to CC9.2 (protection against data interception).
IIS Manager > Site Bindings > TLS Configuration + Windows Registry
Step-by-step:
  • Use IIS Crypto (Nartac) or Group Policy to disable TLS 1.0 and TLS 1.1 on the Secret Server host.
  • Ensure a valid TLS certificate from an internal CA or public CA is bound to the IIS site (not self-signed).
  • Verify the certificate CN or SAN matches the FQDN used to access Secret Server.
  • Run an SSL Labs (or internal) scan against the Secret Server URL and confirm A/A+ rating.
  • Document the TLS configuration and certificate details in the audit evidence package.
Enable and document the Delinea encryption key management (Master Key)
The encryption Master Key protects all Secrets at rest. Its storage and access must be documented and controlled. Maps to CC9.2 (encryption of sensitive data).
Admin > Configuration > Security > Encryption & Key Management
Step-by-step:
  • Review Admin → Configuration → Security → Encryption to confirm the Master Key is stored on a Hardware Security Module (HSM) or in DPAPI — not in the file system.
  • If using HSM, document the HSM vendor, model, and key custodian names as audit evidence.
  • Confirm that the encryption key is backed up and the backup is stored separately from the data it protects.
  • Document the Key Management Procedure: who has access to the key, how it is rotated, and what triggers rotation.
  • Test key export restriction — verify non-admin users cannot access or export encryption configuration.
Controls Mapping Matrix
Every Delinea configuration setting mapped to its specific AICPA Trust Service Criteria sub-control, SOC applicability, and implementation priority.
Sub-controls below reference the 2017 AICPA Trust Service Criteria (TSC). SOC 2 Type II auditors will test each listed sub-control within the observation period. SOC 1 auditors typically focus on CC6 and CC7 items related to financial-system access.
Criteria | Sub-Control | Delinea Setting | Module / Path | Priority
CC6.1 | Logical access controls — provisioning based on least privilege | Role-Based Access Control (RBAC) | Admin → Users & Groups → Roles | Required
CC6.1 | Authentication — credentials issued to authorised identities | Multi-Factor Authentication (MFA) | Admin → Configuration → Login | Required
CC6.1 | Credential lifecycle — expiry and rotation of privileged credentials | Secret Expiry & Auto-Rotation | Admin → Secret Policy → Expiration | Required
CC6.2 | Access removal — timely de-provisioning upon role change or departure | AD Sync — Disable on AD Disable | Admin → Directory Services → AD | Required
CC6.2 | Periodic access review — recertification of access entitlements | User Access Review Reports | Reports → User Audit | Required
CC6.3 | Authorisation — access approved by authorised personnel | Approval Workflows | Admin → Secret Policy → Approval | Required
CC6.3 | Segregation of duties — single-user credential checkout | Secret Checkout (Exclusive) | Admin → Secret Policy → Check Out | Required
CC6.6 | Network access — restriction to authorised network paths | IP Address Allowlisting | Admin → Configuration → Security | Recommended
CC6.6 | Authentication — brute-force protection | Account Lockout Policy | Admin → Configuration → Login | Required
CC6.8 | Monitoring — detection of unauthorised access attempts | Session Recording (RDP/SSH) | Admin → Configuration → Session Recording | Required
CC7.1 | System configuration — management of technical vulnerabilities | Heartbeat Monitoring | Admin → Secret Templates → Heartbeat | Required
CC7.1 | System configuration — discovery of unmanaged accounts | Account Discovery Scanning | Admin → Discovery → Sources | Required
CC7.1 | SSH key management — rotation of cryptographic credentials | SSH Key Rotation | Admin → Secret Templates → SSH Key | Recommended
CC7.2 | Anomaly detection — identification of abnormal system activity | Privileged Behaviour Analytics | Admin → PBA → Configuration | Required
CC7.2 | Centralised monitoring — SIEM event forwarding | Syslog / CEF SIEM Integration | Admin → Configuration → Security → SIEM | Required
CC7.2 | Audit logging — complete event audit trail | Detailed Audit Log (365-day) | Admin → Configuration → App Settings | Required
CC7.3 | Change detection — alerting on unauthorised configuration changes | Event Subscriptions (Config Changed) | Admin → Event Subscriptions | Recommended
CC7.4 | Backup & recovery — tested restore procedures | Automatic Backup Configuration | Admin → Backup | Required
CC9.1 | Vendor risk — management of third-party system integrations | Application Account Register | Admin → Users → Application Accounts | Required
CC9.1 | Least-privilege vendor access — scoped service account permissions | Service Account AD Delegation | Active Directory Delegation Control | Required
CC9.2 | Encryption in transit — modern TLS for all communications | TLS 1.2+ Enforcement | IIS / Windows Registry / Group Policy | Required
CC9.2 | Encryption at rest — master key management and HSM usage | Encryption Key Management (HSM) | Admin → Configuration → Security → Encryption | Recommended

Priority key:
  • Required — must be implemented
  • Recommended — strongly advised
  • Optional — context-dependent
Audit Evidence Reports
The reports below are what external auditors typically request during a SOC examination. Each entry shows exactly how to generate the report from Delinea and what format to export.
Preparation tip: Prepare your audit evidence package at least 4 weeks before the auditor fieldwork begins. Most SOC 2 Type II auditors request a rolling 12-month population for sampling — ensure log retention and report archives cover this window before the audit period closes.
User Access & Role Assignment Report
CC6.1 · CC6.2 · CC6.3
Proves that access is provisioned on a least-privilege basis and that access reviews have occurred. Auditors will sample user records and verify role assignments are appropriate.
Generation steps
  1. Navigate to Reports → User Audit → Users with Roles.
  2. Set the date range to cover the full observation period.
  3. Click Export and choose CSV.
  4. Also run Reports → Groups → Group Memberships and export it.
  5. Attach access review sign-off emails to the evidence package.
Secret Access Activity Log
CC6.8 · CC7.2 · SOC 1
Full log of who accessed which privileged credentials and when. Auditors use this to test that access is only by authorised users and to verify access is logged comprehensively.
Generation steps
  1. Navigate to Reports → Secret Access → Secret Activity.
  2. Filter by date range: full observation period (min. 6 months).
  3. Include columns: User, Secret, Folder, Action, Date/Time, IP Address.
  4. Export to CSV, and also to PDF as an auditor reading copy.
  5. For SOC 1, also filter to only Secrets tagged Financial Systems.
Session Recording Archive & Index
CC6.8 · CC7.2
Demonstrates that all privileged remote sessions were recorded and are retrievable. Auditors may request playback of sampled sessions to verify completeness.
Generation steps
  1. Navigate to Admin → Session Monitoring → View Sessions.
  2. Filter by date range and export the session index to CSV.
  3. Include: Session ID, User, Target Host, Start Time, Duration, Recording URL.
  4. Prepare an on-demand playback procedure document for the auditor team.
  5. Provide read-only auditor access to the session playback portal if available.
Heartbeat & Password Rotation Report
CC6.1 · CC7.1
Evidences that managed credentials are actively rotated on the defined schedule. Auditors check that no stale, non-rotating privileged accounts exist in scope.
Generation steps
  1. Navigate to Reports → Password Compliance → Last Changed.
  2. Filter to scope: all privileged account Secrets in production folders.
  3. Also run Reports → Heartbeat → Heartbeat Status and export it.
  4. Export both reports to CSV.
  5. Annotate any Heartbeat Failed accounts with remediation timestamps.
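A check of the exported Last Changed and Heartbeat Status reports against the rotation schedules given in the CC6 expiry item (30/90/60 days by account type), producing the list of stale or failed accounts to annotate for this evidence package. This is an added example, not a Delinea report: the CSV column names, the account-type labels, the report date and the sample rows are constructed for illustration.

```python
"""Check an exported rotation/heartbeat report against the rotation schedule."""
import csv
import io
from datetime import date

# Rotation intervals from the CC6 expiry item, keyed by account type.
ROTATION_DAYS = {"Domain Admin": 30, "Service Account": 90, "Local Admin": 60}

AS_OF = date(2026, 3, 1)  # assumed report date

# Constructed sample export. The column names are assumptions for this example,
# not the exact headers of Secret Server's own report.
SAMPLE_EXPORT = """\
Secret Name,Folder,Account Type,Last Changed,Heartbeat Status
DA-backup,Production/Domain,Domain Admin,2026-02-20,Success
svc-sql-prod,Production/Services,Service Account,2025-11-01,Success
localadmin-web01,Production/Servers,Local Admin,2026-01-15,Success
localadmin-web02,Production/Servers,Local Admin,2026-02-25,Heartbeat Failed
breakglass-01,Production/Emergency,Break-Glass,2026-02-01,Success
"""

def assess(csv_text, as_of=AS_OF):
    """Return one finding per problem: rotation older than the schedule, a
    heartbeat that is not Success, or an account type with no schedule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Secret Name"]
        limit = ROTATION_DAYS.get(row["Account Type"])
        age = (as_of - date.fromisoformat(row["Last Changed"])).days
        if limit is None:
            findings.append({"secret": name, "issue": "no_schedule",
                             "detail": f"no rotation interval defined for {row['Account Type']}"})
        elif age > limit:
            findings.append({"secret": name, "issue": "stale",
                             "detail": f"last changed {age} days ago, schedule is {limit} days"})
        if row["Heartbeat Status"] != "Success":
            findings.append({"secret": name, "issue": "heartbeat",
                             "detail": f"heartbeat status is {row['Heartbeat Status']}"})
    return findings

def summarise(csv_text, as_of=AS_OF):
    """Totals for the evidence package index: in-scope, flagged, compliant."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flagged = {f["secret"] for f in assess(csv_text, as_of)}
    return {"in_scope": len(rows), "flagged": len(flagged),
            "compliant": len(rows) - len(flagged)}

if __name__ == "__main__":
    for finding in assess(SAMPLE_EXPORT):
        print(f"{finding['secret']:<18} {finding['issue']:<12} {finding['detail']}")
    print(summarise(SAMPLE_EXPORT))
```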
Discovery & Unmanaged Accounts Report
CC7.1 · CC9.1
Shows that your organisation has inventoried all privileged accounts and can account for any that are not yet managed. Auditors test completeness of scope.
Generation steps
  1. Navigate to Admin → Discovery → Discovery Results.
  2. Export the All Discovered Accounts list (managed and unmanaged).
  3. Export to CSV; include: Account, Host, Status (Managed/Unmanaged), Last Discovered.
  4. For each unmanaged account, attach a business justification or risk acceptance document.
  5. Show scan logs proving discovery ran on schedule throughout the observation period.
Configuration Change Log & System Event Log
CC7.2 · CC7.3
Proves that Delinea itself is monitored for unauthorised changes and that configuration changes follow a change management process. Auditors will sample change events and match to approved change tickets.
Generation steps
  1. Navigate to Admin → Configuration → System Log.
  2. Filter event type to Configuration, Role, and Security.
  3. Export to CSV for the full observation period.
  4. Cross-reference each change event with your change management ticketing system (ServiceNow, Jira, etc.).
  5. Highlight any changes made without a corresponding change ticket for remediation.
PBA Alerts & Anomaly Incident Log
CC7.2 · CC7.3 · CC7.4
Demonstrates that anomalous access patterns are detected, triaged, and resolved. Auditors will look for evidence of the full detect-respond-close cycle for at least a sample of alerts.
Generation steps
  1. Navigate to Admin → Privileged Behaviour Analytics → Alerts.
  2. Export all alerts for the observation period to CSV.
  3. For each alert, include Alert Type, User, Timestamp, Status (Open/Resolved), Resolution Notes.
  4. Attach incident tickets from your ITSM tool for a sample of resolved alerts.
  5. Show the SIEM correlation rules that forwarded Delinea alerts into the incident management workflow.
MFA Compliance & Exemption Report
CC6.1 · CC6.6
Proves that all in-scope user accounts have MFA enforced and that any exemptions are documented with compensating controls. A common auditor finding when MFA is not universally applied.
Generation steps
  1. Navigate to Admin → Users → All Users and export the user list to CSV.
  2. The export includes a Two Factor Authentication column; filter for None values.
  3. For each account without MFA, document its type (service account, break-glass, API account) and compensating control.
  4. Attach risk acceptance sign-offs for any permanent MFA exemptions.
  5. Re-run this report quarterly and include all versions in the observation period evidence package.
Evidence package structure: Organise your audit evidence folder as: /Evidence/CC6/, /Evidence/CC7/, /Evidence/CC9/. Within each, sub-folder by report name with date-stamped filenames (e.g. UserAccessReport_2025-09-01_to_2026-03-01.csv). Include a master index spreadsheet mapping each evidence file to the specific TSC sub-control it satisfies.