
Challenges of Manual User Access Reviews in Community Financial Institutions

By Beth Sumner

August 1, 2024


When I first entered the banking world, user access reviews were much more straightforward. Spreadsheets were used to capture the basics of who had network and core application access. There was a page in each employee’s file listing the keys and codes they had, and to see what had changed in core reports, you’d lay two versions of the same report side by side and use a yardstick to compare them. It was a time-consuming and error-prone process, but back then, it worked.

However, as application risk, system sprawl, and interconnectedness have evolved, this manual format has become increasingly impractical. Ensuring that only the right people have access to the right information is now more critical and complex than ever to keep our institutions safe.

Major Risks of Manual User Access Reviews:

  • Extensive Reports: Core processors generate massive permissions reports that are time-consuming and prone to errors.
  • Shadow IT: Unmonitored applications and devices can create security vulnerabilities.
  • Keys and Codes: Manual tracking of physical access controls can lead to unauthorized access.
  • Spreadsheet Challenges: Spreadsheets and VLOOKUPs provide basic information but cannot support the complex, detailed reviews critical systems need.
  • Terminated Employees: Ensuring that former employees’ access is promptly revoked can be overlooked.
  • Reviewer Risk: Reviewers need deep knowledge of applications, sufficient time, and an understanding of the reporting.

User access reviews are about confirming that each employee holds only the access their role requires across your institution’s systems and information. The task is hardest with core processors, whose permission reports can run to hundreds of pages. Manually verifying every user’s entitlements against their job duties is time-consuming, daunting, and error-prone, and a single missed line can leave unauthorized access in place or a needed change unmade.

Shadow IT, where employees use applications and devices that the IT department doesn’t know about or hasn’t approved, adds another layer of risk. These “shadow” applications are often not part of the official review process and can go unnoticed. I recently wrote a blog about Shadow IT that dives deeper into this issue. When employees use software tools without informing IT, it creates security vulnerabilities since these applications and their access aren’t monitored.

Beyond digital access, managing physical access to your bank’s locations and secure areas is crucial. “Keys and codes” refer to things like branch keys, vault keys, alarm codes, and server room door codes. Often, these are tracked on paper in employees’ personnel files, adding another layer of complexity. Manually tracking who has what key or code can be cumbersome and inefficient, and outdated or misplaced records can lead to unauthorized access, posing serious security threats.

Most community financial institutions I’ve worked with rely on extensive spreadsheets and VLOOKUPs for user access reviews. While these spreadsheets can show who has access to which systems, they fall short of the detailed reviews critical systems require. Separate spreadsheets for each application, the HR roster, and the core permission reports don’t tie together seamlessly, leaving gaps in understanding who truly has access and whether it’s appropriate.

Terminated employees also present a risk in manual processes. Ensuring that former employees’ access is promptly revoked from all systems can be overlooked, leaving open access points that should have been closed.
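The reconciliation the preceding paragraphs describe (comparing this review’s permission report with the last one, checking every account against the HR roster, and confirming each entitlement fits the user’s job) is what a reviewer does by hand with spreadsheets and VLOOKUPs. The script below is an added example, not code from Finosec or from this post, showing the same checks run over constructed sample data. The CSV layout, role names, permission codes, and segregation-of-duties rule are assumptions for illustration, not any core processor’s actual export format.

```python
"""
Added example: reconcile a core-system permission report against an HR roster
and a role baseline, and diff it against the previous review's snapshot.
All data below is constructed for illustration; the report format, roster
fields and role names are assumptions, not any vendor's actual export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: last review's permission export (user, permission).
PREVIOUS_REPORT = """user,permission
jdoe,TELLER_POST
jdoe,CASH_DRAWER
asmith,TELLER_POST
asmith,GL_ADJUST
bwayne,WIRE_RELEASE
bwayne,WIRE_INITIATE
"""

# Constructed sample: this review's export. asmith gained WIRE_RELEASE,
# bwayne (terminated per HR) still has access, and a new account clee appeared.
CURRENT_REPORT = """user,permission
jdoe,TELLER_POST
jdoe,CASH_DRAWER
asmith,TELLER_POST
asmith,GL_ADJUST
asmith,WIRE_RELEASE
bwayne,WIRE_RELEASE
bwayne,WIRE_INITIATE
clee,WIRE_INITIATE
"""

# Constructed sample HR roster: user, role, employment status.
HR_ROSTER = """user,role,status
jdoe,teller,active
asmith,teller,active
bwayne,wire_ops,terminated
"""

# Constructed role baseline: the permissions each role is expected to hold.
ROLE_BASELINE = {
    "teller": {"TELLER_POST", "CASH_DRAWER"},
    "wire_ops": {"WIRE_INITIATE", "WIRE_RELEASE"},
}

# Constructed segregation-of-duties rule: nobody may both initiate and release wires.
SOD_RULES = [({"WIRE_INITIATE", "WIRE_RELEASE"}, "wire initiate + release")]


def load_permissions(report_csv):
    """Parse a (user, permission) export into {user: set(permissions)}."""
    perms = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_csv)):
        perms[row["user"].strip().lower()].add(row["permission"].strip().upper())
    return dict(perms)


def load_roster(roster_csv):
    """Parse the HR roster into {user: {"role": ..., "status": ...}}."""
    return {row["user"].strip().lower(): {"role": row["role"], "status": row["status"]}
            for row in csv.DictReader(io.StringIO(roster_csv))}


def review(previous_csv, current_csv, roster_csv, baseline, sod_rules):
    """Return the findings a reviewer would need to act on, grouped by type."""
    prev = load_permissions(previous_csv)
    cur = load_permissions(current_csv)
    roster = load_roster(roster_csv)
    findings = {"added": [], "removed": [], "terminated_with_access": [],
                "unknown_to_hr": [], "outside_role": [], "sod_conflicts": []}

    # 1. Diff against the last snapshot: the "two reports side by side" step.
    for user in sorted(set(prev) | set(cur)):
        for p in sorted(cur.get(user, set()) - prev.get(user, set())):
            findings["added"].append((user, p))
        for p in sorted(prev.get(user, set()) - cur.get(user, set())):
            findings["removed"].append((user, p))

    # 2. Reconcile against HR: terminated staff and accounts HR has no record of.
    for user, perms in sorted(cur.items()):
        person = roster.get(user)
        if person is None:
            findings["unknown_to_hr"].append(user)
            continue
        if person["status"] != "active":
            findings["terminated_with_access"].append(user)
            continue
        # 3. Least privilege: anything beyond the role baseline needs justification.
        allowed = baseline.get(person["role"], set())
        for p in sorted(perms - allowed):
            findings["outside_role"].append((user, p))

    # 4. Segregation of duties, checked for everyone still holding access.
    for user, perms in sorted(cur.items()):
        for combo, label in sod_rules:
            if combo <= perms:
                findings["sod_conflicts"].append((user, label))
    return findings


if __name__ == "__main__":
    for kind, items in review(PREVIOUS_REPORT, CURRENT_REPORT, HR_ROSTER,
                              ROLE_BASELINE, SOD_RULES).items():
        print(f"{kind}: {items}")
```

The sample is built to show why the snapshot diff alone is not enough: asmith’s GL_ADJUST was already present in the last report, so a side-by-side comparison never flags it, yet it is outside a teller’s baseline and only the role check catches it. Likewise bwayne’s access changed not at all between reports; only the HR reconciliation reveals the account belongs to a terminated employee.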

Another significant challenge is the risk posed by the reviewer themselves. The person conducting the reviews needs to have deep knowledge of the applications being reviewed, enough time to thoroughly complete the reviews, and a solid understanding of the reporting. Without these, the review process can be flawed, leading to missed issues or incorrect assessments of user access.

To avoid these risks, consider automating your User Access Reviews. Finosec’s User Access Review platform can handle and analyze vast amounts of data efficiently, ensuring comprehensive and accurate reviews. Here’s how it helps:

  • Efficient Analysis: Handles large data sets accurately.
  • Comprehensive Reviews: Provides a clear picture of access and identifies unauthorized access.
  • Tracks Keys and Codes: Manages both digital and physical access controls rigorously.

Thinking back on those not-so-distant days with yardsticks and side-by-side reports, it’s clear that while the fundamentals of user access reviews have remained, the complexity and scale have dramatically increased. Adopting automated solutions like Finosec’s User Access Review platform is not just a modern necessity but a crucial step to ensure our institutions remain secure and compliant in an ever-evolving risk landscape.

If you’re looking to safeguard your operations and reputation, it might be time to reassess your current UAR processes and explore automation.

Streamline Security, Simplify Compliance

Automate your User Access Reviews with Finosec to enhance security, save time, and ensure compliance. Learn more about how our platform can streamline your processes and protect your institution.

