User access management
6.6.2.1 User registration and de-registration
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 9.2.1 and the following additional guidance applies:
6.6.2.2 User access provisioning
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 9.2.2 and the following additional guidance applies:
6.6.2.3 Management of privileged access rights
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 9.2.3 applies
6.6.2.4 Management of secret authentication information of users
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 9.2.4 applies
6.6.2.5 Review of user access rights
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 9.2.5 applies
6.6.2.6 Removal or adjustment of access rights
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 9.2.6 applies
LGPD (BRA)
Art.46: Processing agents must adopt security
measures, both technical and administrative, suitable
to protect personal data from unauthorized access
and accidental or illegal destruction, loss, change,
communication, or dissemination events, or any other
occurrence resulting from inappropriate or illegal
processing.
§ 1 The National Data Protection Authority may
determine minimum technical standards for the
purposes of the provisions of this Article, considering
the nature of the information processed, the specific
characteristics of the processing, and the current
state of technology, especially in the case of sensitive
personal data, as well as the principles outlined in
Article 6 of this Law.
§ 2 The measures contemplated in the head provision
of this Article must be considered from the phase
of the development of the good or service until its
execution.
CCPA (US, CA)
S.1798.150.a: (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.
DPP (Data Protection Principles) - Hong Kong
Personal Data Protection Act - Singapore
Personal Information Protection Act - South Korea
Turkish Data Protection Law numbered 6698