This Technology Risk Management Standard, applicable to IT specifies the requirements with respect to the “need-to-know / need to have” principle, segregation of duties, user account management, access management, logging and access specific system configuration requirements. The mandatory controls in this standard aim to protect corporate information assets through: the prevention of errors and opportunities for fraud and system abuse, keeping track of significant security events, and ensuring the provision of secure access controls over Company managed information.