
Mastering Access Management: Best Practices for Effective User Access Reviews

By Zach Duke

November 25, 2024

Access management is a critical component of cybersecurity and compliance, especially for financial institutions where security expectations are paramount. The challenges surrounding permissions management, particularly during user access reviews, are increasing due to regulatory expectations and the complexity of banking applications. In this blog post, we’ll explore the regulatory expectations, common exam findings, and best practices that can help your organization manage user access effectively while adhering to the principle of least privilege – limiting user access to only the resources necessary to perform their job functions.

Understanding the Regulatory Landscape

Regulators are emphasizing the importance of managing access to banking systems through user access reviews. Here are key questions to ask to start strengthening your user access review foundation:

  • Are our access reviews comprehensive? Many institutions struggle to cover every system and review every user’s permissions, especially when banking applications produce complicated access reports.
  • How effective are we on least privilege access management? It is all too common for employees to have excessive permissions beyond what is necessary for their job roles.
  • How thorough is our documentation? Without a clear record of access reviews, demonstrating compliance during an exam or audit and receiving cyber insurance coverage becomes challenging.

The core expectation is that financial institutions manage access to ensure users only have the permissions they need to perform their duties, thereby reducing the risk of unauthorized activities. For more details on the regulatory expectations, our blogs on FFIEC expectations and insights from recent exam findings expand on the evolving regulatory landscape.

To make the access management process easier, here are actionable steps you can take to streamline and validate your processes.

Step 1: Know Your Systems

The first step in achieving effective access management is building an inventory of all systems employees have access to. This may sound straightforward, but the reality is that the growing number of banking applications, together with shadow IT (unapproved applications employees can adopt without IT sign-off), complicates access management and makes it difficult to get a complete picture of your system landscape.

  • Create a comprehensive system inventory: Document every application used across the organization, including third-party and cloud-based solutions.
  • Identify system owners: Assign ownership to ensure there is accountability for tracking user access and changes.

Want to learn more about creating the system inventory and map for access management? Access our critical foundation to access management e-book.

Step 2: Conduct Manager Reviews

A critical part of validating system access is having managers validate their employees’ access. This process starts with the managers of each department reviewing and confirming the systems for which their employees need access.

  • Generate access reports: System owners should provide a list of employees and the systems they have access to.
  • Address shadow IT: Have managers review the list, confirm its accuracy, add any systems that are missing, and note permissions that are no longer needed.

Manager reviews are effective because they leverage the direct knowledge of team leaders, ensuring that access aligns with job responsibilities. They also spread the work, so the team (or, more often, the single person) responsible for making sure access reviews are completed is not validating every permission alone.

Step 3: Risk-Rate Your Systems

Not all systems are equal in terms of risk. To prioritize your access reviews, start by risk-rating your systems.

  • High-risk systems: Core banking applications, wire transfer systems, and any system handling financial transactions and customer information.
  • Complex systems: Applications with granular permissions or custom configurations need additional scrutiny, because the system’s standard access reports may not be comprehensive enough to review those permissions properly.

By focusing on high-risk and complex systems, you can allocate your resources more effectively and ensure critical permissions are properly reviewed.

Step 4: Identify and Review Privileged Access

When conducting user access reviews, prioritize checking privileged access permissions. These high-risk permissions often provide the most significant potential for misuse or error. 

  • Consult system owners: System owners typically have the best understanding of which permissions are considered privileged or high risk.
  • Engage IT auditors: Auditors can also provide insights into permissions that need additional scrutiny or are outside standard user roles.

Examples of privileged permissions to monitor include:

  • Core systems – General ledger, memo post, online transaction entry, CIF maintenance, wire transfer, and access to dormant and insider accounts.
  • Wire transfer systems – Users who can approve wires or change limits (for example, admin roles, or the EUAC (End User Authorization Contact) role in FedLine).

Step 5: Track and Validate Changes Over Time

A one-time review is not enough. You need to continue reviewing access changes, and for high-risk systems this should be completed at least quarterly. By focusing on changes since the previous review, you can greatly reduce the effort to complete the review. There are three primary areas for change:

  • New hires: Ensure they are granted only the necessary systems and access for their role.
  • Terminated employees: Confirm access is revoked for all systems.
  • Job Role Changes: Review updated permissions when employees change job roles or responsibilities.

Be on the lookout for exceptions outside of these three common changes, such as temporary project-based access, and ensure these permissions are time-limited and removed based on need. 

TIP: Ask your team: How do we report on changes since the last access review was completed?

Document Terminated Employees

One of the most common issues highlighted during exams is the failure to remove access for terminated employees. This can occur if the offboarding process is not synchronized with access management procedures.

  • Establish a termination checklist: Include a step for removing the employee’s access to every system in your inventory, and record who removed each one and when, so the evidence exists at exam time.

TIP: Ask your team: How do we track what systems each employee has access to?
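Both TIP questions above (reporting changes since the last review, and tracking who still has access to what) can be answered from the same data: the current entitlement export from each system, the snapshot kept from the previous review, and the HR roster. The script below is an added example written for this post, not Finosec’s tooling or any vendor’s report format. The CSV columns, system names, permission labels, and the roster layout (including a `title_previous` column) are assumptions, and the sample rows are constructed. It diffs the two exports, joins them to HR, and produces only the items a reviewer needs to look at: new hires, role changes, additions, removals, terminated employees still holding access, and temporary grants past their end date, with privileged items sorted to the top.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample exports: the snapshot kept from the previous review and the
# current export. Column names, system names and permission labels are assumed.
PREVIOUS_EXPORT = """user,system,permission,expires
alice,core,teller_txn,
alice,core,cif_maintenance,
bob,wire,wire_approve,
bob,wire,limit_change,
carol,core,teller_txn,
dave,core,gl_maintenance,2024-06-30
"""
CURRENT_EXPORT = """user,system,permission,expires
alice,core,teller_txn,
alice,core,cif_maintenance,
alice,wire,wire_approve,
bob,wire,wire_approve,
carol,core,teller_txn,
dave,core,gl_maintenance,2024-06-30
erin,core,teller_txn,
"""
# Constructed HR roster; title_previous is the title on record at the last review.
HR_ROSTER = """user,status,title,title_previous
alice,active,Lending Officer,Teller
bob,active,Wire Operator,Wire Operator
carol,terminated,Teller,Teller
dave,active,Accountant,Accountant
erin,active,Teller,
"""
# Permissions the system owners designated as privileged (assumed labels).
PRIVILEGED = {"core": {"gl_maintenance", "cif_maintenance"},
              "wire": {"wire_approve", "limit_change"}}


@dataclass(frozen=True)
class Finding:
    category: str      # new_hire, role_change, added, removed, terminated, orphan, temporary_expired
    user: str
    system: str
    permission: str
    privileged: bool


def load_entitlements(text):
    """Key each row by (user, system, permission) so two exports can be diffed."""
    return {(r["user"], r["system"], r["permission"]): r for r in csv.DictReader(io.StringIO(text))}


def is_privileged(system, perm):
    return perm in PRIVILEGED.get(system, ())


def review_changes(previous, current, roster, as_of):
    """Return only what changed since the last review, plus standing exceptions."""
    findings = []
    prev_users = {user for user, _, _ in previous}
    for (user, system, perm), row in current.items():
        hr, priv = roster.get(user), is_privileged(system, perm)
        # Access that should not exist at all: no HR record, or a terminated employee.
        if hr is None or hr["status"] == "terminated":
            findings.append(Finding("orphan" if hr is None else "terminated", user, system, perm, priv))
            continue
        # New hires and role changes get every permission they hold reviewed, not only
        # the new grants, so access carried over from a previous role is caught.
        if user not in prev_users:
            findings.append(Finding("new_hire", user, system, perm, priv))
        elif hr["title"] != hr["title_previous"]:
            findings.append(Finding("role_change", user, system, perm, priv))
        elif (user, system, perm) not in previous:
            findings.append(Finding("added", user, system, perm, priv))
        # Temporary or project access past its end date is an exception on its own.
        if row["expires"] and date.fromisoformat(row["expires"]) < as_of:
            findings.append(Finding("temporary_expired", user, system, perm, priv))
    # Removals are listed so the review evidences that revocations took effect.
    for user, system, perm in previous:
        if (user, system, perm) not in current:
            findings.append(Finding("removed", user, system, perm, is_privileged(system, perm)))
    # Privileged items first so reviewers see the highest-risk changes at the top.
    return sorted(findings, key=lambda f: (not f.privileged, f.category, f.user))


def summarize(findings):
    return {c: sum(f.category == c for f in findings) for c in {f.category for f in findings}}


def run_review(as_of_iso="2024-11-25"):
    """Run the change review over the embedded sample data."""
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(HR_ROSTER))}
    return review_changes(load_entitlements(PREVIOUS_EXPORT), load_entitlements(CURRENT_EXPORT),
                          roster, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for f in run_review():
        print(f"{'PRIVILEGED' if f.privileged else '':10} {f.category:17} {f.user:6} {f.system}/{f.permission}")
```

On the sample data this yields seven findings and no noise for Bob, whose unchanged wire approval rights are not re-listed: Alice’s role change surfaces all three of her permissions (including the two privileged ones, so the teller rights she carried over get questioned, not just the new wire approval), Carol’s retained access after termination is flagged, Dave’s project grant that expired in June is flagged, Erin appears as a new hire, and the removal of Bob’s limit-change right is recorded as evidence. Keeping the previous export as the baseline is what makes the quarterly review tractable: the reviewer sees changes and exceptions, not the whole user list.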

Final Thoughts: Least Privilege as a Guiding Principle

Managing to the principle of least privilege requires a well-defined process and consistent execution. By focusing on system inventory, manager reviews, risk rating, privileged access, change tracking, and documentation of terminated employees, you can build a solid access management framework.

If all of this feels overwhelming and you are looking to improve your access management practices, our team can help guide you through best practices tailored to your institution’s needs. Contact us today to continue the conversation.
