cc6.1-4-001

CC6.1 · D4 · f1

Difficulty: D4 · Gaps: 3 · Red Herrings: 1 · Avg Score: 80%

Task

You are conducting a SOC 2 Type II readiness assessment for Vantage Corp covering Q4 2025 (October 1 – December 31, 2025). You have been provided with multiple evidence artifacts. Review all documents, cross-reference them, and assess compliance with CC6.1 (Logical Access Security). Note that not all documents may be relevant to this control. Identify genuine findings only — consider whether exceptions or compensating controls adequately address apparent gaps before flagging them.

Evidence

Findings

| ID | Type | Severity | Finding | Details |
|---|---|---|---|---|
| F-001 | red_herring | low | Legacy ETL service account has a manual key (but has valid CISO exception) | The legacy-etl service account has a manually created key, violating the policy's workload identity requirement. However, the exception register shows EXC-2025-004 — a current, CISO-approved exception... |
| F-002 | gap | critical | Terraform import service account with editor role still active 9 months after use | terraform-import has roles/editor (extremely broad permissions) and a key that was last used March 12, 2025. The exception register shows EXC-2025-003 expired on April 8, 2025. The key and service acc... |
| F-003 | gap | high | Monitoring agent exception expired but key still in use | The monitoring-agent service account has a manually created key (violating workload identity policy). Exception EXC-2025-002 covered this until December 10, 2025 — but the key was still actively used ... |
| F-004 | gap | medium | Legacy ETL exception compensating control (key rotation) not evidenced | EXC-2025-001 and its renewal EXC-2025-004 list compensating controls including 'key stored in HashiCorp Vault' and 'automated daily key usage audit.' However, the GCP service account data shows the le... |

Results

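| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 100% | 100% | 100% | 100% | 3/3 | 3 |
| Opus 4.7 | Anthropic | 75% | 100% | 60% | 75% | 3/3 | 5 |
| GPT-5.5 | OpenAI | 100% | 100% | 100% | 100% | 3/3 | 3 |
| GPT-4.1 | OpenAI | 86% | 100% | 75% | 86% | 3/3 | 4 |
| Haiku 4.5 | Anthropic | 67% | 100% | 50% | 67% | 3/3 | 6 |
| GPT-4o | OpenAI | 50% | 67% | 40% | 50% | 2/3 | 5 |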