A chief Financial Officer (CFO) has asked the Chief Information Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the organization security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO, which of the following controls should the CISO focus on in the report? (Select Three)

A. Password complexity policies

B. Hardware tokens

C. Biometric systems

D. Role-based permissions

E. One time passwords F. Separation of duties G. Multifactor authentication H. Single sign-on I. Lease privilege