🛡️ SOC 2 CC6.4 · Rule: SOC2-CC6-004 · Severity: medium

Physical Access to Facilities and Information Assets

Description

The entity restricts physical access to facilities and protected information assets to authorized personnel, supplementing logical access controls.

⚠️ Risk Impact

Physical access bypasses logical controls. An attacker with physical access to a data center, an office, or even an unattended laptop can extract credentials, plant persistent access, or directly access data — invisible to every IAM and EDR control.

🔍 How EchelonGraph Detects This

SOC2-CC6-004: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

🔧 Remediation

For cloud-first orgs: inherit data-center physical security from the cloud provider's SOC 2 attestation (AWS, GCP and Azure all publish current reports) and file that report as evidence. For office environments: badge access logs, visitor management with sign-in, secure workstation policies, and MDM-enforced screen lock. Document all of it; an undocumented control is not audit evidence.
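The remediation above is a list of evidence items (a current provider attestation, an MDM policy, facility controls) that an auditor expects to see. The following Python script is an added illustration of how such an evidence package can be checked mechanically for freshness and gaps; it is not EchelonGraph's scanner code. The thresholds (a report or walkthrough older than 365 days is stale, an idle screen lock longer than 15 minutes is too loose), the evidence dictionary layout and the sample data are all constructed assumptions for this example.

```python
"""Evidence freshness and policy-gap check for SOC 2 CC6.4 (illustrative, not EchelonGraph code)."""
from dataclasses import dataclass
from datetime import date, timedelta

RULE_ID = "SOC2-CC6-004"
SEVERITY = "medium"

# Thresholds are assumptions for this example, not the scanner's real settings.
MAX_ATTESTATION_AGE = timedelta(days=365)
MAX_WALKTHROUGH_AGE = timedelta(days=365)
MAX_SCREEN_LOCK_IDLE_SECONDS = 900  # 15-minute idle lock


@dataclass(frozen=True)
class Finding:
    subject: str
    message: str
    rule: str = RULE_ID
    severity: str = SEVERITY


def check_attestations(attestations, today):
    """Inherited cloud attestations must be current and filed as evidence."""
    findings = []
    for provider, info in attestations.items():
        age = today - info["report_period_end"]
        if age > MAX_ATTESTATION_AGE:
            findings.append(Finding(provider, f"SOC 2 report is {age.days} days old; collect the current report"))
        if not info.get("filed_as_evidence", False):
            findings.append(Finding(provider, "inherited attestation is not filed in the SOC 2 evidence package"))
    return findings


def check_mdm_policy(policy):
    """Workstation policy must enforce screen lock and full-disk encryption."""
    findings = []
    idle = policy.get("screen_lock_idle_seconds")
    if idle is None:
        findings.append(Finding("mdm", "no screen-lock policy is enforced"))
    elif idle > MAX_SCREEN_LOCK_IDLE_SECONDS:
        findings.append(Finding("mdm", f"screen lock after {idle}s exceeds the {MAX_SCREEN_LOCK_IDLE_SECONDS}s ceiling"))
    if not policy.get("full_disk_encryption", False):
        findings.append(Finding("mdm", "full-disk encryption is not enforced"))
    return findings


def check_facilities(facilities, today):
    """Every in-scope site (office, co-working, etc.) needs badge access, a visitor log and a recent walkthrough."""
    findings = []
    for site in facilities:
        name = site["name"]
        if not site.get("badge_access", False):
            findings.append(Finding(name, "no badge access control"))
        if not site.get("visitor_log", False):
            findings.append(Finding(name, "no visitor sign-in log"))
        last = site.get("last_walkthrough")
        if last is None or today - last > MAX_WALKTHROUGH_AGE:
            findings.append(Finding(name, "no physical-security walkthrough in the last year"))
    return findings


def evaluate(evidence, today):
    """Run all checks over one evidence package and return the combined findings."""
    return (check_attestations(evidence["cloud_attestations"], today)
            + check_mdm_policy(evidence["mdm_policy"])
            + check_facilities(evidence["facilities"], today))


# Constructed sample evidence package: one stale, unfiled provider report, a loose
# screen-lock timer, and a co-working site with no controls documented at all.
SAMPLE_EVIDENCE = {
    "cloud_attestations": {
        "aws": {"report_period_end": date(2024, 9, 30), "filed_as_evidence": True},
        "gcp": {"report_period_end": date(2023, 6, 30), "filed_as_evidence": False},
    },
    "mdm_policy": {"screen_lock_idle_seconds": 1800, "full_disk_encryption": True},
    "facilities": [
        {"name": "hq-office", "badge_access": True, "visitor_log": True, "last_walkthrough": date(2025, 1, 15)},
        {"name": "coworking-space", "badge_access": False, "visitor_log": False, "last_walkthrough": None},
    ],
}
AS_OF = date(2025, 3, 1)  # assumed evaluation date so the sample is reproducible

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVIDENCE, AS_OF):
        print(f"[{f.severity}] {f.rule} {f.subject}: {f.message}")
```

Run against the sample package, the script reports six medium findings: two for the stale, unfiled GCP report, one for the 30-minute screen-lock timer, and three for the co-working site. The point is that the cloud-only items and the office items are evaluated in the same pass, which is exactly the gap the pitfalls section below describes.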

💀 Real-World Attack Scenario

A late-night contractor accessed an office under tailgating conditions (let in by an employee who didn't verify badge), plugged a USB Rubber Ducky into an unlocked workstation, and exfiltrated AWS credentials cached locally. The breach was detected only when AWS billing flagged anomalous compute consumption two weeks later. Physical access bypassed every other control.

💰 Cost of Non-Compliance

Physical-access breach: average $4.2M (IBM 2024) — typically lower frequency than network attacks but higher per-incident cost because traditional network defenses don't apply. SOC 2 audit findings on physical controls are cited in 19% of qualified opinions, usually when cloud-only orgs forget the office portion of the control.

📋 Audit Questions

  1. Show the AWS / GCP / Azure SOC 2 attestation report covering data-center physical security.
  2. What badge access controls protect your office? Show the visitor log.
  3. What is the MDM policy for laptop screen-lock and full-disk encryption?
  4. When was the last physical-security walkthrough?

🎯 MITRE ATT&CK Mapping

  • T1200 — Hardware Additions
  • T1078 — Valid Accounts

⚡ Common Pitfalls

  • Cloud-only orgs forgetting that office, co-working, and home-office environments are still in scope
  • Inheriting cloud provider physical attestation but not documenting it as evidence in your SOC 2 package
  • Allowing tailgating culture ('hold the door for me, I forgot my badge') that defeats every technical badge control

📈 Business Value

Documented physical security closes a category of attack that bypasses every other security investment. The cost is low; the audit-defensibility is high.

⏱️ Effort Estimate

Manual

8-16 hours: facility walkthrough, policy documentation, and cloud-provider attestation collection.

With EchelonGraph

EchelonGraph evaluates cloud-provider attestation freshness and policy gaps automatically; the facility walkthrough itself remains a manual task.

🔗 Cross-Framework References

  • ISO 27001 A.7.1
  • NIST PE-2
  • HIPAA 164.310(a)

Automate SOC 2 CC6.4 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
