| Control Area | Requirement | Regulatory Mapping | Common Gap | Platform Approach |
|---|---|---|---|---|
| User Access Provisioning | Only authorized users should access systems | ISO 27001 A.9.2, DORA Art. 5, NIS2 Art. 21, GDPR Art. 25, MAS TRM 9.1.2, 11.1, LGPD Art. 46, Taiwan FSC §2.2.1.1–2.2.1.3, FCA/PRA, CBEST, GLBA §501(b), APRA CPS 230, HIPAA §164.308(a)(3) | Varies; manual user creation and inconsistent governance. | Automated provisioning via encrypted credential delivery. |
| Password Complexity | Strong, unique, complex credentials | ISO 27001 A.9.2.1, PCI DSS 8.2.3, NIST SP 800-63, MAS TRM 11.2.2, LGPD Art. 46, Taiwan FSC §2.2.3.1–2.2.3.2, HIPAA §164.308(a)(5)(ii)(D) | Weak or reused passwords. | Auto-generated, encrypted credentials that are strong by default. |
| Access Control Policy | Role-based, policy-driven enforcement | ISO 27001 A.9.1, DORA Art. 6, NIS2 Art. 21, CBEST, LGPD Art. 46, FCA/PRA, Taiwan FSC §2.2.1.5, HIPAA §164.312(a)(1) | Partially defined, inconsistently applied. | Policy-driven segmented vaults per role and per system. |
| Segmentation of Access | Prevent lateral movement; data minimization | ISO 27001 A.9.1.2, GDPR Art. 5(1)(c), DORA Art. 9, CBEST, LGPD Art. 46, Taiwan FSC §2.2.1.6, HIPAA §164.308(a)(4) | Flat access structure with lateral-movement risk. | Segmented access zones (Bronze/Silver/Gold). |
| Least Privilege | Match access to job role | ISO 27001 A.9.2.3, GDPR Art. 5(1)(c), DORA Art. 9, LGPD Art. 46, Taiwan FSC §2.2.1.4, GLBA §501(b), HIPAA §164.308(a)(4) | Over-provisioning is common. | Role- and system-based credential assignment. |
| Joiner-Mover-Leaver | Access updated when a user's role changes | ISO 27001 A.9.2.6, DORA Art. 8, NIS2 Art. 23, APRA CPS 230, MAS TRM 11.1.2, CBEST, FCA/PRA, GLBA §501(b), LGPD Art. 46, Taiwan FSC §2.2.1.7, HIPAA §164.308(a)(3) | Manual and slow. | Real-time revocation and provisioning. |
| Credential Storage & Encryption | Passwords must be encrypted and invisible to users | ISO 27001 A.10.1, GDPR Art. 32, DORA Art. 6, NIS2 Art. 21, PCI DSS 3.4, MAS TRM 11.2.3, APRA CPS 230, Taiwan FSC §2.2.3.2, LGPD Art. 46, HIPAA §164.312(a)(2)(iv) | Often visible or stored insecurely (browsers, documents). | Credentials encrypted and invisible to users. |
| Authentication Security | Secure login beyond passwords (e.g., MFA, zero trust) | ISO 27001 A.9.4.2, DORA Art. 6, NIST SP 800-63B, PCI DSS 8.3, MAS TRM 11.2.4, GDPR Art. 25, Taiwan FSC §2.2.3.3, LGPD Art. 46, HIPAA §164.312(d) | MFA often limited or bypassable; credentials still user-managed. | Encrypted access in which users never handle the credential, so it cannot be phished; optional MFA add-on. |
| Audit Trails for Access | Log all access events for traceability | ISO 27001 A.12.4.1, DORA Art. 9, NIS2 Art. 22, FCA/PRA, MAS TRM 11.2.5, GLBA §501(b), Taiwan FSC §2.2.4.1, LGPD Art. 37, Art. 41, HIPAA §164.312(b) | Basic logs; neither real-time, complete, nor audit-ready. | Real-time immutable logs and dashboards. |
| Third-Party Access Management | Control access by vendors and the supply chain | ISO 27001 A.15, DORA Art. 6(9), NIS2 Art. 21(3), GLBA §501(b), CBEST, APRA CPS 230, MAS TRM 11.3, Taiwan FSC §2.2.5.1, LGPD Art. 42, HIPAA §164.308(b)(1) | Little third-party visibility or control; vendor access unmanaged. | Segmented and encrypted vendor accounts or API access, optionally restricted by IP or device. |
| Access Revocation | Remove access immediately when no longer needed | ISO 27001 A.9.2.6, DORA Art. 8, NIS2 Art. 23, GDPR Art. 17, GLBA §501(b), CBEST, Taiwan FSC §2.2.1.7, MAS TRM 11.1.2, LGPD Art. 46, HIPAA §164.308(a)(3)(ii)(C) | Manual, error-prone, slow. | One-click revocation from the console. |
| Rotation Compliance | Periodic credential rotation | ISO 27001 A.9.2.4, NIST SP 800-53 IA-5, PCI DSS 8.2.4, MAS TRM 11.2.2, Taiwan FSC §2.2.3.4, HIPAA §164.308(a)(5)(ii)(C) | Relies on users or admins remembering to rotate. | Fully automated or admin-controlled rotation. |
| Credential Visibility Risk | Prevent password sharing, reuse, and theft | ISO 27001 A.9.4.3, NIS2 Art. 21, GDPR Art. 25, PCI DSS 8.2.5, CBEST, LGPD Art. 46, Taiwan FSC §2.2.3.2, HIPAA §164.312(a)(2)(iv) | Passwords visible to users; prone to reuse and leaks. | Users never see or manage credentials, so they cannot be shared or phished. |