| 1 Identity and access management controls would ideally ensure access to information assets is only granted where a valid business need exists, and only for as long as access is required. Access is typically granted to users, special purpose system accounts, and information assets such as services and other software. | | 3 | 3 | | no data |
| 2 Factors to consider when authorising access to information assets include: business role, physical location, remote access, time and duration of access, patch and antimalware status, software, operating system, device and method of connectivity. | | | | | no data |
| 3 The provision of access involves the following process stages: | 3 | | | | no data |
| a. identification – determination of who or what is requesting access; | | | | | no data |
| b. authentication – confirmation of the purported identity; | | | | | no data |
| c. authorisation – assessment of whether access is allowed to an information asset by the requestor based on the needs of the business and the level of information security (trust) required. | | | | | no data |
| 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes. | | 8 | 8 | | no data |
| 5 The strength of identification and authentication would typically be commensurate with the impact should an identity be falsified. Common techniques for increasing the strength of identification and authentication include the use of strong password techniques (i.e. length, complexity, re-use limitations and frequency of change), utilisation of cryptographic techniques and increasing the number and type of authentication factors used. Authentication factors include something an individual: | | 3 | 3 | | no data |
| a. knows – for example, user IDs and passwords; | | | | | no data |
| b. has – for example, a security token or other devices in the person's possession used for the generation of one-time passwords; | | | | | no data |
| c. is – for example, retinal scans, hand scans, signature scans, digital signature, voice scans or other biometrics. | | | | | no data |
| 6 The following are examples where increased authentication strength is typically required, given the impact should an identity be falsified: | | 2 | 2 | | no data |
| a. administration or other privileged access to sensitive or critical information assets; | | | | | no data |
| b. remote access (i.e. via public networks) to sensitive or critical information assets; | | | | | no data |
| c. high-risk activities (e.g. third-party fund transfers, creation of new payees). | | | | | no data |
| 7 A regulated entity would typically deploy the following access controls: | 12 | 11 | 12 | | no data |
| a. undertake due diligence processes before granting access to personnel. The use of contractors and temporary staffing arrangements may elevate the risk for certain roles; | | | | | no data |
| b. implementation of role-based access profiles which are designed to ensure effective segregation of duties; | | | | | no data |
| c. prohibiting sharing of accounts and passwords (with the possible exception of generic accounts, where sharing is unavoidable due to technology constraints); | | 1 | 1 | | no data |
| d. changing default passwords and user names; | | | | | no data |
| e. timely removal of access rights whenever there is a change in role or responsibility and on cessation of employment; | | | | | no data |
| f. session timeouts; | | | | | no data |
| g. processes to notify appropriate personnel of user additions, deletions and role changes; | | | | | no data |
| h. audit logging and monitoring of access to information assets by all users; | | 8 | 9 | | no data |
| i. regular reviews of user access by information asset owners to ensure appropriate access is maintained; | | | | | no data |
| j. multi-factor authentication for privileged access, remote access and other high-risk activities; | | 2 | 2 | | no data |
| k. generation, in preference to storage, of passwords/Personal Identification Numbers (PINs) where used to authorise high-risk activities (e.g. debit/credit card and internet banking transactions); | | | | | no data |
| l. two-person rule applied to information assets with the APRA-regulated entity's highest level of sensitivity rating (e.g. encryption keys, PIN generation, debit/credit card databases). | | | | | no data |
| 8 For accountability purposes, a regulated entity would typically ensure that users and information assets are uniquely identified and their actions are logged at a sufficient level of granularity to support information security monitoring processes. | | 2 | 2 | | no data |
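As an added illustration that is not part of the APRA guidance above, the following Python sketch turns the identification, authentication and authorisation stages of paragraph 3 and the controls of paragraphs 6 and 7 (role-based profiles, timely expiry of rights, device patch status as an authorisation factor, multi-factor authentication for privileged, remote and high-risk access, and an audit record of every decision) into a single decision function. The role names, resources, actions and request fields are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role-based access profiles (control 7b): role -> {(resource, action)}.
ROLE_PROFILES = {
    "teller": {("customer_accounts", "read"), ("payments", "create")},
    "payments_admin": {("payments", "create"), ("payees", "create"), ("payments", "admin")},
}
# Privileged and high-risk activities that call for stronger authentication (para. 6).
PRIVILEGED_ACTIONS = {"admin"}
HIGH_RISK = {("payments", "create"), ("payees", "create")}

@dataclass
class AccessRequest:
    user_id: str              # unique identity for accountability (para. 8)
    role: str
    resource: str
    action: str
    authenticated: bool       # stage b: purported identity confirmed
    mfa_verified: bool        # a second factor was presented (control 7j)
    remote: bool              # access via a public network
    device_compliant: bool    # patch and antimalware status (para. 2)
    access_expires: datetime  # rights lapse unless renewed (control 7e)

AUDIT_LOG = []  # one record per decision, allowed or denied (control 7h)

def authorise(req, now=None):
    """Stage c: return (allowed, reason) and log the decision either way."""
    now = now or datetime.now(timezone.utc)
    allowed, reason = False, "denied"
    if not req.authenticated:
        reason = "not authenticated"
    elif now >= req.access_expires:
        reason = "access rights expired"
    elif (req.resource, req.action) not in ROLE_PROFILES.get(req.role, set()):
        reason = "no business need for role"
    elif not req.device_compliant:
        reason = "device fails patch/antimalware posture"
    elif (req.remote or req.action in PRIVILEGED_ACTIONS
          or (req.resource, req.action) in HIGH_RISK) and not req.mfa_verified:
        reason = "multi-factor authentication required"
    else:
        allowed, reason = True, "allowed"
    AUDIT_LOG.append({"time": now.isoformat(), "user": req.user_id, "role": req.role,
                      "resource": req.resource, "action": req.action, "result": reason})
    return allowed, reason
```

The checks are ordered so that a lapsed or unauthenticated identity is refused before any entitlement is consulted, and the audit record is written on the denial path as well as the success path.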