a. undertake due diligence processes before granting access to personnel. The use of contractors and temporary staffing arrangements may elevate the risk for certain roles; | | | | |
b. implementation of role-based access profiles which are designed to ensure effective segregation of duties; | | | | |
c. prohibiting sharing of accounts and passwords (with the possible exception of generic accounts, where sharing is unavoidable due to technology constraints); | | 1 | 1 | |
d. changing default passwords and user names; | | | | |
e. timely removal of access rights whenever there is a change in role or responsibility and on cessation of employment; | | | | |
f. session timeouts; | | | | |
g. processes to notify appropriate personnel of user additions, deletions and role changes; | | | | |
h. audit logging and monitoring of access to information assets by all users; | | 7 | 8 | |
i. regular reviews of user access by information asset owners to ensure appropriate access is maintained; | | | | |
j. multi-factor authentication for privileged access, remote access and other high-risk activities; | | 2 | 2 | |
k. generation, in preference to storage, of passwords/Personal Identification Numbers (PINs) where used to authorise high-risk activities (e.g. debit/credit card and internet banking transactions); | | | | |
l. two-person rule applied to information assets with the APRA-regulated entity’s highest level of sensitivity rating (e.g. encryption keys, PIN generation, debit/credit card databases). | | | | |