Preparing for Your Next Exam: Ensuring Identity Access Management Meets Expectations

Preparing for your next examination can feel overwhelming as the regulatory expectations continue to expand. As you gear up for your next regulatory examination (or audit), it is crucial to align with the expectations outlined in the Federal Financial Institutions Examination Council (FFIEC) Authentication Guidance and recent regulatory actions. One area of the exam or audit that can feel particularly daunting is providing your User Access Reporting (UAR) documentation, policies and procedures. As application risk, system sprawl and interconnectedness have evolved, there is more to track and report on than ever. Increasingly, your institution is at risk if you’re not properly tracking and reporting on this information. To help, we’ve created actionable steps that emphasize the need for thorough user access tracking, comprehensive system inventories, and regular authentication risk assessments to ensure compliance and security.

Understanding the FFIEC Authentication Guidance and Recent Regulatory Actions

The FFIEC Authentication Guidance update in August 2021 expanded the scope of previous guidelines, emphasizing the importance of secure access measures for employees, third-party vendors, and system-to-system communications via APIs. This update necessitates a more thorough approach to user access management, monitoring, and verification across all systems.

Our team at Finosec is consistently reviewing public enforcement actions, and we consistently help our customers going through exams and audits. Here are the most common challenges and gaps we’ve identified to make sure you have addressed before your next exam.

1. Access Approval Policies and Procedures: Financial institutions often struggle with inconsistent access approval processes, leading to unauthorized access or outdated access permissions.
   • Action Step: Develop robust access approval policies that define clear standards for granting, reviewing, and documenting user access across all systems.
2. Least Privilege Access Management: Many institutions fail to implement least privilege principles effectively, resulting in excessive access rights and increased risk exposure. 
   • Action Step: Conduct regular user access reviews to ensure users have access only to the systems and data necessary for their roles. It is not uncommon for this process to be labor intensive when performed to meet examiner expectations.  Tip:  Review software tools and processes to automate the review of user access levels. Focus on the most important in the review by reporting on privileged access and change reporting to system access.
3. Service Account Management: Service accounts, often overlooked, are security vulnerabilities if not managed properly.
   • Action Step: Inventory all service accounts and assign responsibility to specific employees or departments for managing these accounts according to established security policies.

What to Have in Place Before Your Next Exam

1. Detailed System Inventory
   A complete inventory of systems and technology assets is essential for managing access and mitigating the risks associated with shadow IT; applications that have not gone through the appropriate approval process that open your institution to risk.
   • Action Steps:
     • Document all systems, including hardware, software, and applications, with details about their function, location, and login access i.e,individual login(s) or single sign on.
     • Establish an approval process for new systems and applications to prevent the introduction of unauthorized or unvetted technologies.  With the proliferation of cloud services and software as a service (SaaS) solutions, it is not uncommon for access to systems to no longer require the IT team
2. Comprehensive User Access Reviews
   Ensuring visibility and control over who accesses your systems is foundational to compliance and security. Financial institutions must have documentation in place to track access.
   • Action Steps:
     • Regularly review and update access rights to align with job roles and responsibilities, ensuring adherence to the principle of least privilege.
     • Validate and document what systems each employee has access to. Integrate this documentation into your termination and onboarding policies and procedures.
3. Authentication Risk Assessment
   An authentication risk assessment helps identify vulnerabilities and ensure that authentication practices are up to date and effective. The risk assessment should leverage information from the system inventory, including high risk systems and access, the non-public information assessment, and document the controls the institution has for each system.
   • Action Steps:
     • Document what systems have multi-factor authentication (MFA) available (and implemented).  MFA is a baseline security measure, particularly for high-risk systems and high-risk users.
     • Conduct an authentication frequency assessment to evaluate the frequency and thoroughness of user access reviews.

5 Questions to Ask to determine if your UAR practices are up to par:

1. How confident are you that you know every system for your employees and vendors?
2. Are your managers and HR team involved in approving system access and permissions for your employees?
3. Do you know if your employees (current or former) have outdated, excessive, and privileged access?
4. Do the frequencies and thoroughness of your reviews align with the assessment of risk for the system?
5. Would you feel prepared to submit your UAR policies/procedures/documentation to an auditor today?

By addressing these key areas and answering these questions, your financial institution can better prepare for their next exam and enhance their overall cybersecurity posture. Implementing documented access approval policies, ensuring least privilege access provisioning, and managing service accounts effectively are critical components of a robust authentication program. Additionally, conducting a risk assessment for access and maintaining a detailed system inventory will help keep you ahead of examiner expectations.

For more information on aligning with the FFIEC Authentication Guidance and improving your institution’s security posture, consult the full FFIEC Guidance.

If you answered “no” to any of the questions above, learn more about how Finosec’s User Access Reporting can help.

Leverage our additional blogs and resources to further evaluate your cybersecurity posture:

• The Hidden Risks of Shadow IT: Why Community Banks Need a Detailed System Inventory
• Why You Need to Know Every System for Every Employee
• Challenges of Manual User Access Reviews in Community Financial Institutions
• Integrating FFIEC Authentication Guidance: A Blueprint for Your Next Exam With Insights from Recent Regulatory Actions