| ๐ผ 1 Identity and access management controls would ideally ensure access to information assets is only granted where a valid business need exists, and only for as long as access is required. Access is typically granted to users, special purpose system accounts, and information assets such as services and other software. | | 3 | 3 | |
| ๐ผ 2 Factors to consider when authorising access to information assets include: business role, physical location, remote access, time and duration of access, patch and antimalware status, software, operating system, device and method of connectivity. | | | | |
| ๐ผ 3 The provision of access involves the following process stages: | 3 | | | |
| ย ย ย ย ๐ผ a. identification โ determination of who or what is requesting access; | | | | |
| ย ย ย ย ๐ผ b. authentication โ confirmation of the purported identity; | | | | |
| ย ย ย ย ๐ผ c. authorisation โ assessment of whether access is allowed to an information asset by the requestor based on the needs of the business and the level of information security (trust) required. | | | | |
| ๐ผ 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes. | | 8 | 8 | |
| ๐ผ 5 The strength of identification and authentication would typically be commensurate with the impact should an identity be falsified. Common techniques for increasing the strength of identification and authentication include the use of strong password techniques (i.e. length, complexity, re-use limitations and frequency of change), utilisation of cryptographic techniques and increasing the number and type of authentication factors used. Authentication factors include something an individual: a. knows - for example, user IDs and passwords; b. has - for example, a security token or other devices in the personโs possession used for the generation of one-time passwords; c. is - for example, retinal scans, hand scans, signature scans, digital signature, voice scans or other biometrics. | | 3 | 3 | |
| ๐ผ 6 The following are examples where increased authentication strength is typically required, given the impact should an identity be falsified: a. administration or other privileged access to sensitive or critical information assets; b. remote access (i.e. via public networks) to sensitive or critical information assets; c. high-risk activities (e.g. third-party fund transfers, creation of new payees) | | 2 | 2 | |
| ๐ผ 7 A regulated entity would typically deploy the following access controls: | 12 | | | |
| ย ย ย ย ๐ผ a. undertake due diligence processes before granting access to personnel. The use of contractors and temporary staffing arrangements may elevate the risk for certain roles; | | | | |
| ย ย ย ย ๐ผ b. implementation of role-based access profiles which are designed to ensure effective segregation of duties; | | | | |
| ย ย ย ย ๐ผ c. prohibiting sharing of accounts and passwords (with the possible exception of generic accounts, where prohibiting sharing of accounts and passwords is unavoidable due to technology constraints); | | 1 | 1 | |
| ย ย ย ย ๐ผ d. changing default passwords and user names | | | | |
| ย ย ย ย ๐ผ e. timely removal of access rights whenever there is a change in role or responsibility and on cessation of employment; | | | | |
| ย ย ย ย ๐ผ f. session timeouts; | | | | |
| ย ย ย ย ๐ผ g. processes to notify appropriate personnel of user additions, deletions and role changes; | | | | |
| ย ย ย ย ๐ผ h. audit logging and monitoring of access to information assets by all users; | | 7 | 8 | |
| ย ย ย ย ๐ผ i. regular reviews of user access by information asset owners to ensure appropriate access is maintained; | | | | |
| ย ย ย ย ๐ผ j. multi-factor authentication for privileged access, remote access and other high-risk activities; | | 2 | 2 | |
| ย ย ย ย ๐ผ k. generation, in preference to storage, of passwords/Personal Identification Numbers (PINs) where used to authorise high-risk activities (e.g. debit/credit card and internet banking transactions); | | | | |
| ย ย ย ย ๐ผ l. two-person rule applied to information assets with the APRA-regulated entityโs highest level of sensitivity rating (e.g. encryption keys, PIN generation, debit/credit card databases). | | | | |
| ๐ผ 8 For accountability purposes, a regulated entity would typically ensure that users and information assets are uniquely identified and their actions are logged at a sufficient level of granularity to support information security monitoring processes. | | 2 | 2 | |