
Step 3 – User Access Review Best Practices: Risk Rate Systems & Access

By Finosec

January 18, 2023


Step Three in the Finosec user access review best practices series is to risk-rate and prioritize the critical systems you identified in Step Two of the UAR Best Practices, and to align each of them with the access permissions that need to be reviewed.

Step Three: Rate System Risk and Identify Access Permissions to Review

You identified the systems with the highest risk in Step Two. The next activity is to define the risks to these critical systems as either high, medium, or low. Each system, based on risk, should also follow an established review schedule going forward, to govern the timely completion of your user access reviews.

These two questions give you a straightforward way to identify higher-risk systems.

  1. Does the system contain customer information?
  2. Does the system allow transactions?

The answers will enable you to quickly and easily classify the risks of your systems.

Think of the relative risk as either high, medium, or low. This activity also leads directly into a discussion of how frequently you should perform your reviews. The industry consensus for reviewing your high-risk functions and privileged access permissions is quarterly.

We know that the full user access report for systems like your core can run to hundreds or thousands of pages. Calling the accurate review of that many pages a daunting task is an understatement. To avoid one massive, complex, and burdensome review, we suggest you split things up. If you review your high-risk systems quarterly, less of the information will have changed since the last review, so there is less for you to validate. For an even more streamlined approach, our User Access Reporting platform can import your reports and produce a change report showing what changed between this review and the previous one. This saves you a tremendous amount of time.
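The two-question risk rating and the change report described above, as an added example that is not Finosec's code or platform: the exact scoring (both "yes" means high, one "yes" means medium, neither means low), the medium and low review cadences, the CSV-style report layout, and the `ADMIN` privileged-permission label are all assumptions made for illustration; only the quarterly cadence for high-risk systems comes from the post.

```python
"""Added example (not Finosec's code): risk-rate systems from the two screening
questions in the post, derive a review cadence, and diff two user access review
snapshots so that only the delta has to be validated."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed scoring: the post gives the two questions, not the exact mapping.
# Both "yes" -> high, one "yes" -> medium, neither -> low.
def rate_system(contains_customer_info: bool, allows_transactions: bool) -> str:
    score = int(contains_customer_info) + int(allows_transactions)
    return {2: "high", 1: "medium", 0: "low"}[score]

# Quarterly (90 days) for high risk is stated in the post; the medium and low
# cadences are assumptions chosen for illustration.
REVIEW_CADENCE_DAYS = {"high": 90, "medium": 180, "low": 365}

def review_cadence_days(risk: str) -> int:
    return REVIEW_CADENCE_DAYS[risk]

# A snapshot maps (user, system) -> the set of permissions that account holds.
Snapshot = Dict[Tuple[str, str], Set[str]]

def parse_report(lines: List[str]) -> Snapshot:
    """Parse an exported access report in a constructed 'user,system,permission'
    line format; blank lines and '#' comments are ignored."""
    snap: Snapshot = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, system, perm = [field.strip() for field in line.split(",")]
        snap.setdefault((user, system), set()).add(perm)
    return snap

@dataclass
class Change:
    user: str
    system: str
    added: Set[str]      # permissions granted since the previous review
    removed: Set[str]    # permissions revoked since the previous review

def change_report(previous: Snapshot, current: Snapshot) -> List[Change]:
    """Return only the accounts whose permissions differ between two reviews.
    Unchanged accounts are left out, which is what shrinks the review."""
    changes: List[Change] = []
    for key in sorted(set(previous) | set(current)):
        before = previous.get(key, set())
        after = current.get(key, set())
        if before != after:
            changes.append(Change(key[0], key[1], after - before, before - after))
    return changes

def flag_privileged(changes: List[Change], privileged: Set[str]) -> List[Change]:
    """Changes that grant or revoke a privileged permission; these are the ones
    the post says should always be reviewed quarterly."""
    return [c for c in changes if (c.added | c.removed) & privileged]

# Constructed sample reports for two consecutive quarters (not real data).
PREVIOUS_REPORT = """
# previous quarter
alice,core,TELLER_TXN
bob,core,ADMIN
carol,loan_origination,READ
"""
CURRENT_REPORT = """
# current quarter
alice,core,TELLER_TXN
alice,core,ADMIN
carol,loan_origination,READ
dave,core,READ
"""
PRIVILEGED = {"ADMIN"}  # assumed label for a privileged permission

def main() -> None:
    risk = rate_system(contains_customer_info=True, allows_transactions=True)
    print(f"core: risk={risk}, review every {review_cadence_days(risk)} days")
    changes = change_report(parse_report(PREVIOUS_REPORT.splitlines()),
                            parse_report(CURRENT_REPORT.splitlines()))
    for c in changes:
        tag = "PRIVILEGED" if c in flag_privileged(changes, PRIVILEGED) else ""
        print(f"{c.user}@{c.system}: +{sorted(c.added)} -{sorted(c.removed)} {tag}")

if __name__ == "__main__":
    main()
```

Run as a script, the change report lists three accounts out of four (alice gained `ADMIN`, bob lost it, dave is new) and carol, whose access is unchanged, never appears; the two `ADMIN` changes are the ones a reviewer would be asked to sign off on first.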

Document your decisions.

This involves formalizing the policies, procedures, and sign-off accountability for your system reviews. You should review your plan, policy, procedures, risk assessments, and identified privileged permissions with your steering committee, auditors, or other industry professionals. For example, Finosec will review your plans and already has a list of identified permissions that should be reviewed for most core systems. If, by chance, we don’t have them for your system, we work with you to identify them.

Want more information?

Are you intrigued by what you’ve read? Remember, this is Step 3 on your journey to better and easier user access reviews. You can review the previous blogs here:

Watch for the last two steps in the User Access Review Best Practices Series, each one exploring ways to help you on your journey to a more successful user access review process.

If your frustration has already peaked because your institution still follows outdated processes to complete your user access reviews, you should contact Finosec today. We’d love to work alongside you to simplify your user access reviews and make them easier and more accurate than ever!
