Database encryption vs access control: Which is more critical for compliance audit readiness

Our organization is preparing for SOC 2 Type II and ISO 27001 audits, and we’re prioritizing security investments for our Workday R1 2023 implementation. The debate within our security team centers on two areas: database encryption at rest versus granular access control policies.

Budget constraints mean we can only fully implement one approach this quarter, with the other following next year. Our CISO advocates for comprehensive database encryption, arguing it’s non-negotiable for compliance. Our IAM team pushes for enhanced access controls, claiming most data breaches result from excessive permissions rather than encryption gaps.

Both seem important for audit readiness, but which should take priority? We manage sensitive financial data including payroll, executive compensation, and M&A planning information. Current state: basic database encryption enabled, role-based access with approximately 200 roles defined but not recently audited.

What have auditors focused on most in your compliance reviews? Looking for perspectives from organizations that have been through rigorous security audits recently.

Having guided multiple organizations through SOC 2 and ISO 27001 audits with Workday implementations, I can offer my analysis of the encryption vs access control prioritization question:

Database Encryption Considerations: Workday provides encryption at rest by default for all customer data - this is part of their baseline security architecture and covered under their SOC 2 Type II certification. Unless you’re implementing additional encryption layers for specific regulatory requirements (HIPAA, PCI-DSS for payment data), the standard encryption is typically sufficient for audit purposes. Auditors verify encryption is enabled but rarely require additional hardening beyond Workday’s standard implementation. The encryption checkbox is usually satisfied without significant additional investment.

Access Control Policies - The Critical Focus: This is where auditors spend 70-80% of security review time in my experience. They’re looking for evidence of:

  • Documented access control policies aligned with least privilege principles
  • Role definitions with clear business justifications
  • Segregation of duties enforcement (especially for financial processes)
  • Quarterly access reviews with documented remediation
  • Automated provisioning/deprovisioning tied to HR events
  • Monitoring and alerting for privileged access and sensitive data access

With 200 roles that haven’t been recently audited, you likely have significant exposure. Common findings we see: roles with excessive permissions, lack of segregation between requestor and approver functions, orphaned accounts, and insufficient monitoring of administrative access.

Compliance Audit Preparation Priority: For SOC 2 Type II and ISO 27001, prioritize access controls decisively. Here’s why:

  1. It addresses your highest actual risk (internal unauthorized access)
  2. It’s what auditors will scrutinize most heavily
  3. Remediation takes 3-4 months minimum (role rationalization, access reviews, documentation)
  4. Encryption is largely already handled by Workday’s baseline security

Recommended Approach:

Phase 1 (This Quarter): Access Control Remediation

  • Conduct comprehensive role analysis and consolidation (target 80-120 roles)
  • Implement quarterly access certification process
  • Document segregation of duties matrices for key financial processes
  • Deploy access monitoring dashboards for audit evidence
  • Create access control policy documentation

Phase 2 (Next Year): Enhanced Encryption (if needed)

  • Evaluate if specific data types require additional encryption (payroll, M&A)
  • Implement field-level encryption for highly sensitive data if regulatory requirements demand it

Resource Requirements: Access control remediation for your scope: 2-3 security resources plus 1 Workday admin for 3-4 months. Budget for access governance tooling ($50K-80K annually) to automate reviews and maintain audit evidence.

From an audit readiness perspective, strong access controls with documented evidence will satisfy auditors far more effectively than enhanced encryption without proper access governance. The data shows internal threats and excessive permissions cause more actual breaches than encryption gaps in cloud environments.
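The role analysis the answer above recommends (finding duplicate roles, requestor/approver segregation-of-duties conflicts, and orphaned accounts) can be started with a script over an export of roles, assignments and the HR roster. The following is an added illustration, not code from the thread or from Workday; every role, permission, user and SoD rule in it is constructed and hypothetical.

```python
"""Access-governance checks over a role/permission model: duplicate roles,
segregation-of-duties (SoD) conflicts and orphaned accounts (constructed data)."""
from collections import defaultdict

# Constructed role -> permission sets (hypothetical names, not Workday's).
ROLES = {
    "payroll_admin": {"payroll.view", "payroll.edit", "payroll.approve"},
    "payroll_clerk": {"payroll.view", "payroll.edit"},
    "payroll_clerk_old": {"payroll.view", "payroll.edit"},        # duplicate
    "expense_submitter": {"expense.request"},
    "expense_approver": {"expense.approve"},
    "expense_superuser": {"expense.request", "expense.approve"},  # SoD conflict in one role
    "comp_viewer": {"comp.view"},
}
# Constructed user -> assigned roles, plus the active-worker list from HR.
ASSIGNMENTS = {
    "alice": {"payroll_admin"},
    "bob": {"payroll_clerk_old"},
    "carol": {"expense_superuser"},
    "dave": {"comp_viewer"},
    "erin": {"expense_submitter", "expense_approver"},
}
ACTIVE_WORKERS = {"alice", "bob", "carol", "erin"}   # dave has left; account still live
# Permission pairs one person must never hold together (requestor vs approver).
SOD_RULES = [("expense.request", "expense.approve"),
             ("payroll.edit", "payroll.approve")]

def duplicate_roles(roles):
    """Roles with identical permission sets: candidates for consolidation."""
    by_perms = defaultdict(list)
    for name, perms in roles.items():
        by_perms[frozenset(perms)].append(name)
    return sorted(sorted(g) for g in by_perms.values() if len(g) > 1)

def effective_permissions(user, roles=ROLES, assignments=ASSIGNMENTS):
    """Union of permissions across every role the user holds."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))

def sod_violations(rules=SOD_RULES, roles=ROLES, assignments=ASSIGNMENTS):
    """(user, rule) pairs where one person holds both sides of a conflict,
    whether through a single over-broad role or a combination of roles."""
    return sorted((u, rule) for u in assignments for rule in rules
                  if set(rule) <= effective_permissions(u, roles, assignments))

def orphaned_accounts(assignments=ASSIGNMENTS, active=ACTIVE_WORKERS):
    """Accounts with live role assignments but no active worker record."""
    return sorted(set(assignments) - active)
```

Each function's output is the kind of evidence the quarterly access review needs to show: which roles were merged, which conflicts were remediated, and which accounts were deprovisioned.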

We went through ISO 27001 certification last year. Auditors required evidence of: 1) Access control policy documentation, 2) Quarterly access reviews with remediation tracking, 3) Segregation of duties matrices, 4) Logging and monitoring of privileged access. Encryption was verified but not deeply scrutinized since Workday provides it by default. The access control evidence requirements were extensive - plan for 40+ hours of documentation preparation.

Both are important but serve different purposes. Encryption protects data if physical media is compromised or backups are stolen. Access controls prevent unauthorized internal access which is a much more common risk. For Workday specifically, since it’s cloud-based, physical security is Workday’s responsibility. Your audit focus should be on what you control - access governance and monitoring.

From my SOC 2 audit experience, auditors spent far more time on access controls than encryption. They want to see evidence that only authorized users can access sensitive data, proper segregation of duties, and regular access reviews. Encryption is checked but it’s more of a checkbox requirement if you’re using Workday’s standard encryption.

Consider that with 200 roles, you likely have significant access control cleanup needed. Role proliferation is a common problem - we had 300+ roles and audit found 60% were redundant or overly permissive. Took us three months to consolidate and properly document. That’s a bigger compliance risk than encryption gaps in most audit frameworks.

The feedback about role proliferation hits home - we definitely have overlapping roles that haven’t been reviewed systematically. What’s the typical scope for an access control remediation project? Trying to understand resource requirements and timeline to present realistic options to leadership.