cc6.1-5-001

CC6.1 · D5 · f1

Difficulty: D5
Gaps: 5
Red Herrings: 0
Avg Score: 55%

Task

You are a SOC 2 auditor evaluating Nimbus Health's logical access controls under Trust Services Criteria CC6.1. Review all provided evidence documents to assess whether access provisioning, access reviews, termination procedures, and identity management controls are operating effectively. This is a healthcare company handling PHI, so consider the sensitivity of the data environment. For each finding, assess its materiality and provide your reasoning on whether the issue represents a significant control deficiency or a minor procedural gap. Several of the issues you will find require professional judgment to determine their severity and significance.

Evidence

Findings

ID | Type | Severity | Finding

F-001 | gap | high | Two Okta Accounts with No Matching HR Records
The Okta user report shows 180 active accounts, but HR records indicate 172 employees plus 6 contractors (178 total). Two accounts do not match any HR record: USR-0179 (platform-monitoring, an integra...

F-002 | gap | medium | AWS Access Review Self-Review by Infrastructure Manager
The Q4 access review for AWS Console (Production) was performed by James Chen, Cloud Infrastructure Lead (AR-Q4-001). James Chen is the individual responsible for managing AWS infrastructure and IAM p...

F-003 | gap | medium | Weekend Termination Access Revocation Delay
Employee Derek Chung (TERM-Q4-004) was terminated Friday December 5 at 5:00 PM EST, but his Okta account was not disabled until Monday December 8 at 9:12 AM EST, a gap of 64 calendar hours. The acce...

F-004 | gap | low | AWS Access Review Completed 2 Business Days Past SLA
The AWS Console access review (AR-Q4-001) was completed on October 24, 2 business days after the 15-business-day SLA deadline of October 22. The policy (Section 5.1) requires access reviews to be comp...

F-005 | gap | medium | Contractor Okta Accounts Missing Expiration Dates
The access control policy (Section 3.3) requires that contractor accounts 'be created with a designated expiration date aligned with the contract end date.' The Okta user report shows 6 active contrac...

Results

Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported
Sonnet 4.6 | Anthropic | 83% | 100% | 71% | 83% | 5/5 | 7
Opus 4.7 | Anthropic | 67% | 100% | 50% | 67% | 5/5 | 10
GPT-5.5 | OpenAI | 57% | 80% | 44% | 57% | 4/5 | 9
GPT-4.1 | OpenAI | 62% | 80% | 50% | 62% | 4/5 | 8
Haiku 4.5 | Anthropic | 30% | 100% | 18% | 30% | 5/5 | 28
GPT-4o | OpenAI | 31% | 40% | 25% | 31% | 2/5 | 8