Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.
Roles, responsibilities, and authority for third-party management are defined and communicated to ensure accountability across the organization.
Processes are established for granting, modifying, and revoking access to information assets, ensuring access is authorized and based on the principle of least privilege.
Directors should exercise independent judgement and discretion when authorising remuneration outcomes, taking account of company and individual performance, and wider circumstances.
Identities and credentials for authorized users, services, and hardware are managed by the organization.
Remuneration schemes and policies should enable the use of discretion to override formulaic outcomes. They should also include provisions that would enable the company to recover and/or withhold sums or share awards and specify the circumstances in which it would be appropriate to do so.
Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced.
Roles and responsibilities regarding cybersecurity are clearly defined and communicated across the organization, including the board, senior management, and the three lines model.
Non-executive directors should have a prime role in appointing and removing executive directors. Non-executive directors should scrutinise and hold to account the performance of management and individual executive directors against agreed performance objectives. The chair should hold meetings with the non-executive directors without the executive directors present.