Identity
Understanding Identity risk scores and the controls required to be in place.
Pātiki and Waharua Kōpito patterns
Risk Score Matrix
Assessed based on Privacy score at this stage. See Privacy.
Identity minimum mandatory controls for API risk scores.
|
Requirements |
Low |
Medium |
High |
Extreme |
|
|
The principle of segregation of duties enforced by having role-based access control system that ensures no single individual has end-to-end access control whilst regular audits are conducted. |
YES |
YES |
YES |
YES |
|
|
In the event of a security incident we can restore the system to a secure state in 1 hour |
NO |
NO |
YES |
YES |
|
|
We have an automated notification system that informs relevant parties when there is a change in access permissions or user roles. |
NO |
NO |
NO |
YES |
|
|
We have an automated access revocation system that disables users within the hour of detection in the event of a security incident or personnel change. |
NO |
NO |
YES |
YES |
|
|
We have advanced detection algorithms that notify us to investigate potential fraud indicators and security risks in user activities or transactions. |
NO |
YES |
YES |
YES |
|
|
We discourage unauthorised access and compliance with legislative requirements by implementing strict access controls, training programmes and enforce strict consequences for policy violations. |
NO |
YES |
YES |
YES |
|