CC6 — Logical and Physical Access Controls
CC6.1 — Logical access provisioning
When an HRIS connector is wired, Codex correlates the HRIS hire-date record to the IdP provisioning event so auditors see the full chain: HRIS hire → IdP provisioning → app assignments.
Evidence shape per provisioning event:
CC6.2 — User access reviews
Codex generates a quarterly access-review snapshot:- Per user: list of apps assigned, role within each app, last activity date
- Per app: list of users with access, broken down by role
- Diff vs previous review: who was added, removed, or changed roles
CC6.3 — Role-based access enforcement
Source data:
- IdP role assignments per app (via SCIM or app-specific API)
- Per-app admin/owner/member counts
- Privileged-access reports (admin role count by app, with named users)
CC6.6 — Logical access removal on termination
The control most companies fail. Codex measures the gap between HRIS termination and IdP deactivation.CC6.7 — Encryption at rest
Codex polls these daily and flags any unencrypted resource as a material exception.
CC6.8 — Endpoint protection
CC7 — System Operations
CC7.1 — Vulnerability management
- All findings from Snyk, Wiz, CrowdStrike, Dependabot, GHAS
- Time to triage + time to remediate per severity
- SLA compliance rates (% of High findings resolved within 30d, etc.)
CC7.2 — Security event detection
Source data: SIEM connector events (Datadog, Splunk, Sumo, New Relic). Codex pulls:- Event volume per category (auth failures, anomalous logins, privilege escalations)
- Alert rules configured + last fired
- Coverage gaps (event sources NOT being collected)
CC7.3 — Incident response
Per-incident evidence:CC7.4 — Recovery from incidents
Auditors specifically want to see restore tests. Codex sends quarterly reminders to your backup owner to test a restore and upload the result.
CC8 — Change Management
CC8.1 — Change authorization
- Required reviewers met
- Branch protection rules enforced (no direct pushes to main)
- CI passed before merge