Back to Blog

Preparing for Your Next Exam: Ensuring Identity Access Management Meets Expectations

By Zach Duke

August 15, 2024

Get notified on new insights from Finosec now!

Be the first to know about new Finosec blogs to grow your knowledge of the cybersecurity governance industry today!

Preparing for your next examination can feel overwhelming as the regulatory expectations continue to expand. As you gear up for your next regulatory examination (or audit), it is crucial to align with the expectations outlined in the Federal Financial Institutions Examination Council (FFIEC) Authentication Guidance and recent regulatory actions. One area of the exam or audit that can feel particularly daunting is providing your User Access Reporting (UAR) documentation, policies and procedures. As application risk, system sprawl and interconnectedness have evolved, there is more to track and report on than ever. Increasingly, your institution is at risk if you’re not properly tracking and reporting on this information. To help, we’ve created actionable steps that emphasize the need for thorough user access tracking, comprehensive system inventories, and regular authentication risk assessments to ensure compliance and security.

Understanding the FFIEC Authentication Guidance and Recent Regulatory Actions

The FFIEC Authentication Guidance update in August 2021 expanded the scope of previous guidelines, emphasizing the importance of secure access measures for employees, third-party vendors, and system-to-system communications via APIs. This update necessitates a more thorough approach to user access management, monitoring, and verification across all systems.

Our team at Finosec is consistently reviewing public enforcement actions, and we consistently help our customers going through exams and audits. Here are the most common challenges and gaps we’ve identified to make sure you have addressed before your next exam.

  1. Access Approval Policies and Procedures: Financial institutions often struggle with inconsistent access approval processes, leading to unauthorized access or outdated access permissions.
    • Action Step: Develop robust access approval policies that define clear standards for granting, reviewing, and documenting user access across all systems.
  2. Least Privilege Access Management: Many institutions fail to implement least privilege principles effectively, resulting in excessive access rights and increased risk exposure. 
    • Action Step: Conduct regular user access reviews to ensure users have access only to the systems and data necessary for their roles. It is not uncommon for this process to be labor intensive when performed to meet examiner expectations.  Tip:  Review software tools and processes to automate the review of user access levels. Focus on the most important in the review by reporting on privileged access and change reporting to system access.
  3. Service Account Management: Service accounts, often overlooked, are security vulnerabilities if not managed properly.
    • Action Step: Inventory all service accounts and assign responsibility to specific employees or departments for managing these accounts according to established security policies.

What to Have in Place Before Your Next Exam

  1. Detailed System Inventory
    A complete inventory of systems and technology assets is essential for managing access and mitigating the risks associated with shadow IT; applications that have not gone through the appropriate approval process that open your institution to risk.
    • Action Steps:
      • Document all systems, including hardware, software, and applications, with details about their function, location, and login access i.e,individual login(s) or single sign on.
      • Establish an approval process for new systems and applications to prevent the introduction of unauthorized or unvetted technologies.  With the proliferation of cloud services and software as a service (SaaS) solutions, it is not uncommon for access to systems to no longer require the IT team
  2. Comprehensive User Access Reviews
    Ensuring visibility and control over who accesses your systems is foundational to compliance and security. Financial institutions must have documentation in place to track access.
    • Action Steps:
      • Regularly review and update access rights to align with job roles and responsibilities, ensuring adherence to the principle of least privilege.
      • Validate and document what systems each employee has access to. Integrate this documentation into your termination and onboarding policies and procedures.
  3. Authentication Risk Assessment
    An authentication risk assessment helps identify vulnerabilities and ensure that authentication practices are up to date and effective. The risk assessment should leverage information from the system inventory, including high risk systems and access, the non-public information assessment, and document the controls the institution has for each system.
    • Action Steps:
      • Document what systems have multi-factor authentication (MFA) available (and implemented).  MFA is a baseline security measure, particularly for high-risk systems and high-risk users.
      • Conduct an authentication frequency assessment to evaluate the frequency and thoroughness of user access reviews.

5 Questions to Ask to determine if your UAR practices are up to par:

  1. How confident are you that you know every system for your employees and vendors?
  2. Are your managers and HR team involved in approving system access and permissions for your employees?
  3. Do you know if your employees (current or former) have outdated, excessive, and privileged access?
  4. Do the frequencies and thoroughness of your reviews align with the assessment of risk for the system?
  5. Would you feel prepared to submit your UAR policies/procedures/documentation to an auditor today?

By addressing these key areas and answering these questions, your financial institution can better prepare for their next exam and enhance their overall cybersecurity posture. Implementing documented access approval policies, ensuring least privilege access provisioning, and managing service accounts effectively are critical components of a robust authentication program. Additionally, conducting a risk assessment for access and maintaining a detailed system inventory will help keep you ahead of examiner expectations.

For more information on aligning with the FFIEC Authentication Guidance and improving your institution’s security posture, consult the full FFIEC Guidance.

If you answered “no” to any of the questions above, learn more about how Finosec’s User Access Reporting can help.

Leverage our additional blogs and resources to further evaluate your cybersecurity posture:

More from Finosec

Introducing Fin-Atics: A Thankful Launch of Our Customer Referral Campaign

Introducing Fin-Atics: A Thankful Launch of Our Customer Referral Campaign

During Thanksgiving, it’s the perfect time to reflect on gratitude—both personally and professionally. At Finosec, our commitment is grounded in one key principle: the customer is the reason why we’re in business. This belief has been instilled in me since childhood, thanks to the lessons of my father, who not only shaped my views on business but also inspired me to carry these values into my leadership today.

Mastering Access Management: Best Practices for Effective User Access Reviews

Mastering Access Management: Best Practices for Effective User Access Reviews

Access management is a critical component of cybersecurity and compliance, especially for financial institutions where security expectations are paramount. The challenges surrounding permissions management, particularly during user access reviews, are increasing due to regulatory expectations and the complexity of banking applications. In this blog post, we’ll explore the regulatory expectations, common exam findings, and best practices that can help your organization manage user access effectively while adhering to the principle of least privilege – limiting user access to only the resources necessary to perform their job functions.

The Critical Link Between Third-Party Risk Management (TPRM) and Access Management

The Critical Link Between Third-Party Risk Management (TPRM) and Access Management

As highlighted in a recent article from the Federal Reserve, managing third-party relationships and the access associated with those relationships is a critical component of Third-Party Risk Management (TPRM). The associated access third party vendors have to banking systems is known as Access Management and is foundational for mitigating risks associated with third-party relationships. Access Management may be easy to overlook because it does not always reside with the same person or team as TPRM; making it difficult to provide critical oversight.

With increased regulatory focus, how should institutions be thinking of Access Management? Here are five steps your institution can take today to strengthen your third-party governance.

The Critical Foundation of Managing Access to Banking Systems

The Critical Foundation of Managing Access to Banking Systems

Managing access to banking systems has become increasingly complex as financial institutions navigate legacy reporting systems, API access, and cloud solutions. These challenges, along with the risks posed by unmanaged systems, emphasize the need for maintaining a...

Talk To An Expert Now
Talk To An Expert Now 770.268.2765