Core IAM Principles (Aligned with NIST AC and FCA)
| Principle | NIST SP 800-53 control(s) | Implementation |
|---|---|---|
| Least Privilege | AC-6 | Access rights are assigned according to job role via Role-Based Access Control (RBAC) |
| Separation of Duties | AC-5 | No individual can both approve and execute a financial or code-deployment process |
| Access Authorization | AC-3 | All access is requested, reviewed and approved through a ticket-based system with sign-off from the manager and the system owner |
| User Identification and Authentication | AC-2, IA family | MFA, unique user IDs, OAuth2/SAML integration, and a password policy per NIST SP 800-63 |
| Access Review and Recertification | AC-2(4), AC-6(10) | Quarterly access reviews; immediate revocation on offboarding |
| Audit and Monitoring | AU-2 to AU-6 | All access activity is logged; review cadence is typically monthly, set by organisational needs and compliance requirements. Not every alert generated by the Security Information and Event Management (SIEM) platform requires immediate escalation |
| Third-Party Access | AC-20, CA-3 | Third-party access is reviewed quarterly, time-bound, and monitored |
| Privileged Access Management (PAM) | AC-6(5) | Admin access is provisioned through just-in-time (JIT) grants and password vaults |
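As an added example that is not part of this policy text, the following Python check models the recertification step from the table: it takes a constructed list of accounts and RBAC role assignments and flags separation-of-duties conflicts (AC-5), access still active after offboarding or past its expiry (AC-2(4)), and privileged roles held as standing rather than time-bound JIT grants (AC-6(5)). Role names, process names and the record layout are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed role names: for each controlled process, the approving role and the
# executing role that a single identity must never hold together (AC-5).
SOD_PAIRS = {
    "payments": ("payment_approver", "payment_executor"),
    "deploy": ("deploy_approver", "deploy_executor"),
}
# Assumed privileged roles that must only be granted time-bound via JIT (AC-6(5)).
PRIVILEGED_ROLES = {"prod_admin", "db_admin"}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    expires: Optional[date]  # None means standing (non-expiring) access

@dataclass(frozen=True)
class Account:
    user: str
    offboarded: Optional[date]  # None means the person is still employed

def recertify(accounts: List[Account], assignments: List[Assignment],
              today: date) -> List[Tuple[str, str, str]]:
    """Return (user, control, reason) findings for an access review."""
    findings = []
    roles_by_user = {}
    for a in assignments:
        roles_by_user.setdefault(a.user, set()).add(a.role)
    offboarded = {acc.user: acc.offboarded for acc in accounts if acc.offboarded}
    for user, roles in roles_by_user.items():
        if user in offboarded:  # access should have been revoked at offboarding
            findings.append((user, "AC-2(4)", f"roles still active after offboarding on {offboarded[user]}"))
        for process, (approve, execute) in SOD_PAIRS.items():
            if approve in roles and execute in roles:  # same person approves and executes
                findings.append((user, "AC-5", f"holds both {approve} and {execute} for {process}"))
    for a in assignments:
        if a.role in PRIVILEGED_ROLES and a.expires is None:
            findings.append((a.user, "AC-6(5)", f"standing {a.role} grant; must be a time-bound JIT grant"))
        elif a.expires is not None and a.expires < today:  # JIT grant outlived its window
            findings.append((a.user, "AC-2(4)", f"{a.role} expired on {a.expires} but is still assigned"))
    return sorted(findings)

# Constructed sample data exercising each finding type.
ACCOUNTS = [Account("alice", None), Account("bob", None), Account("carol", date(2024, 3, 1))]
ASSIGNMENTS = [
    Assignment("alice", "payment_approver", None),
    Assignment("alice", "payment_executor", None),      # SoD conflict
    Assignment("alice", "db_admin", date(2024, 2, 1)),  # JIT grant, now expired
    Assignment("bob", "prod_admin", None),               # standing admin access
    Assignment("bob", "deploy_executor", None),
    Assignment("carol", "deploy_approver", None),        # offboarded, still active
]

def run_sample() -> List[Tuple[str, str, str]]:
    return recertify(ACCOUNTS, ASSIGNMENTS, today=date(2024, 4, 1))

if __name__ == "__main__":
    for user, control, reason in run_sample():
        print(f"{control:8} {user:6} {reason}")
```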