Every access control question has a structural answer.

MyCena generates complete, tamper-evident audit evidence automatically for every access event — covering 100% of governed systems. This page is for audit and compliance professionals reviewing credential governance.
  • Coverage of every MyCena-mediated access event — no gaps, no anonymous events
  • Termination-to-zero-access time — measurable from the revocation log per user, per system
  • 0 shared-credential events possible — credentials are never in user possession to share
  • Major compliance frameworks directly addressed by MyCena's automatically generated evidence

What MyCena does — the audit-relevant summary

A structural answer to credential governance.

The most common finding in credential governance reviews is the same across every sector: users know their passwords, which means attackers can too. Training and policy cannot close this gap — they address behaviour after the credential exists in human knowledge. MyCena closes it structurally.

MyCena generates every credential centrally, distributes it encrypted, and injects it invisibly at the moment of authentication. The user clicks once and accesses the system normally. They never see, store, or know the credential. There is nothing to phish, share, or steal — because the user never holds it.

For credential governance reviews, this has a direct implication: every access control criterion that asks “how do you prevent unauthorised credential use?” has a structural, architectural answer — not a policy answer. The evidence exists in the audit log, not in an acceptable use policy.

“The evidence exists in the audit log. Not in an acceptable use policy.”

Evidence outputs

Audit evidence generated automatically — for every access event.

Every log below is generated as a byproduct of normal operation. No manual compilation. No preparation before inspection. Available on demand for any audit period.

Access event log
Every login, attributed
Every login event across every connected system. User identity, system, timestamp, device, IP address. 100% coverage of MyCena-mediated access. No anonymous or shared-credential events possible.
Export: CSV · JSON · SIEM-compatible

Provisioning log
Authorisation chain per access grant
Every credential issuance: authorising administrator, user identity, target system, timestamp, scope. Complete chain of authorisation per access grant. No self-provisioning possible.
Export: CSV · PDF report

Revocation log
Zero access window, provable
Every revocation event with timestamp and confirmation. Includes post-revocation blocked access attempts. Demonstrates zero access window after termination — per user, per system, per event.
Export: CSV · Timestamped confirmation

Third-party access report
Vendor governance at point-in-time
All vendor and contractor credentials in scope: last access, revocation status, system scope, duration. Answers the third-party access governance question directly — no manual compilation required.
Export: CSV · Point-in-time snapshot

Workforce lifecycle log
Joiner-to-leaver credential history
Joining-to-departure credential lifecycle per user. Onboarding authorisation, scope changes, offboarding revocation — with exact timestamps throughout. Full audit trail per employee.
Export: Per-user PDF · Bulk CSV

Anomaly detection export
Unusual access patterns flagged
Access events flagged for unusual patterns: off-hours access, unusual source IPs, unusual frequency, post-revocation attempts. Feeds directly into existing SIEM or monitoring infrastructure.
Export: SIEM-compatible event stream

Audit Q&A

Common audit questions — and what MyCena’s evidence demonstrates.

The audit question | What MyCena’s evidence demonstrates

“How do you prevent employees from sharing credentials?”

Credentials are never in employee possession — sharing is architecturally impossible. The browser is actively blocked from saving or displaying credential values. The access event log confirms all access is MyCena-mediated with no shared-credential events.

“How quickly is access revoked when an employee leaves?”

The revocation log records the exact timestamp of revocation and any post-revocation blocked access attempts. Revocation is simultaneous across all connected systems — not sequential. Termination-to-revocation time is measurable from the log — typically under 60 seconds.

“How do you govern third-party and vendor access?”

All vendor credentials are generated, scoped, and revocable by the organisation — not the vendor. The third-party access report shows current vendor credentials, last access, scope, and revocation status. No vendor retains access after engagement ends without explicit re-authorisation.

“Can you demonstrate who accessed what system and when?”

Yes. The access event log provides a complete, tamper-evident record of every access event to every connected system: user identity, system, timestamp, device, and source IP. Exportable for any audit period. 100% coverage of MyCena-governed access.

“How do you protect against phishing of credentials?”

There is no credential in the user’s knowledge to phish. The credential is injected at authentication by the MyCena platform — it never appears in user-visible form. Phishing attacks that target user-held credentials find nothing to steal.

“What evidence exists of access control policy enforcement?”

Access control policy is enforced architecturally, not procedurally. The provisioning log demonstrates that every access grant required administrator authorisation. The access event log confirms no access occurred outside of MyCena-controlled credentials.

Framework coverage

Framework requirements directly addressed by MyCena.

Evidence is generated automatically as a byproduct of normal operation — not assembled before inspection.

SOC 2 Type II (AICPA TSC)
  • CC6.1 — Logical access controls
  • CC6.2 — User registration & authorisation
  • CC6.3 — Role-based access and removal
  • CC6.6 — External threat protection
  • CC6.7 — Transmission and movement
  • CC7.2 — Security event monitoring
  • CC9.2 — Vendor access management

HIPAA Security Rule (45 CFR 164)
  • §164.312(a)(1) — Unique user identification
  • §164.312(a)(2)(i) — Automatic logoff
  • §164.312(a)(2)(ii) — Emergency access
  • §164.312(b) — Audit controls
  • §164.312(c)(1) — ePHI integrity
  • §164.312(d) — Person authentication
  • §164.308(a)(3) — Workforce security

NIST CSF 2.0
  • PR.AA-01 — Credential management
  • PR.AA-02 — Identity proofing & binding
  • PR.AA-05 — Least privilege access
  • DE.AE-02 — Anomaly & event detection
  • RS.MA-01 — Incident containment
  • GV.OC-01 — Governance & roles

How to use MyCena evidence in an audit conversation

When your SOC 2 auditor asks about access control evidence, open the MyCena dashboard and export the access event log for the period under review. Every CC6 and CC7 criterion can be evidenced from a single export. The provisioning and revocation logs together demonstrate the full user lifecycle — from authorised issuance to confirmed termination — with no gaps. Evidence samples available on request.