Step Three in the Finosec user access review best practices series is to rate and prioritize the risk of the most important systems you identified in Step Two of the UAR Best Practices, and to align those ratings with the access permissions that need to be reviewed.
Step Three: Rate System Risk and Identify Access Permissions to Review
You identified the systems with the highest risk in Step Two. The next activity is to define the risks to these critical systems as either high, medium, or low. Each system, based on risk, should also follow an established review schedule going forward, to govern the timely completion of your user access reviews.
These two questions give you a straightforward way to identify higher-risk systems.
- Does the system contain customer information?
- Does the system allow transactions?
The answers will enable you to quickly and easily classify the risks of your systems.
Think of the relative risk as either high, medium, or low. This activity also leads directly into a discussion of how frequently you should perform your reviews. The industry consensus for reviewing your high-risk functions and privileged access permissions is quarterly.
We know that the full user access report for a system like your core can run to hundreds or thousands of pages. Calling an accurate review of that many pages a daunting task is an understatement. To avoid one massive, complex, and burdensome review, we suggest you split things up. If you review your high-risk systems quarterly, less of the information will have changed since the last review, so there is less for you to validate. For an even more streamlined approach, our User Access Reporting platform can import your reports and produce a change report showing what changed between this review and the previous one. This saves you a tremendous amount of time.
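As an added illustration of the two ideas above (it is not Finosec's code or platform), the script below rates a system with the post's two questions, maps the rating to a review cadence, and diffs two user access snapshots so reviewers only validate what changed; the tier mapping, the medium/low intervals, the privileged-permission list, and all user and permission names are assumptions.

```python
# Added illustration (not Finosec's code or platform): tier a system with the two
# questions from the post, map the tier to a review cadence, and diff two user
# access snapshots so reviewers validate only what changed. Names are constructed.
# Quarterly for high risk is the consensus the post cites; the medium and low
# intervals, and the privileged-permission list, are assumptions for illustration.
REVIEW_CADENCE_DAYS = {"high": 90, "medium": 180, "low": 365}
PRIVILEGED = {"admin", "post_transactions"}

def rate_system(has_customer_info: bool, allows_transactions: bool) -> str:
    """Assumed mapping: both yes -> high, one yes -> medium, neither -> low."""
    yes_count = int(has_customer_info) + int(allows_transactions)
    return {2: "high", 1: "medium", 0: "low"}[yes_count]

def review_cadence_days(tier: str) -> int:
    return REVIEW_CADENCE_DAYS[tier]

def change_report(previous: dict, current: dict) -> dict:
    """Compare two {user: set(permissions)} snapshots of one system and report
    users added/removed, permissions granted/revoked per user, and every
    privileged grant (to existing or new users) so those are validated first."""
    added_users = sorted(set(current) - set(previous))
    removed_users = sorted(set(previous) - set(current))
    granted, revoked, privileged_grants = {}, {}, []
    for user in sorted(set(previous) & set(current)):
        plus = sorted(current[user] - previous[user])
        minus = sorted(previous[user] - current[user])
        if plus:
            granted[user] = plus
            privileged_grants += [(user, p) for p in plus if p in PRIVILEGED]
        if minus:
            revoked[user] = minus
    for user in added_users:  # new users bring all their permissions
        privileged_grants += [(user, p) for p in sorted(current[user]) if p in PRIVILEGED]
    return {"added_users": added_users, "removed_users": removed_users,
            "granted": granted, "revoked": revoked,
            "privileged_grants": privileged_grants}

# Constructed sample: one core system's access at the last review and now.
PREVIOUS = {"alice": {"view_accounts"}, "bob": {"view_accounts", "post_transactions"},
            "carol": {"admin"}}
CURRENT = {"alice": {"view_accounts", "post_transactions"}, "bob": {"view_accounts"},
           "dave": {"view_accounts", "admin"}}

if __name__ == "__main__":
    tier = rate_system(has_customer_info=True, allows_transactions=True)
    print(f"core: {tier} risk, review every {review_cadence_days(tier)} days")
    for key, value in change_report(PREVIOUS, CURRENT).items():
        print(f"{key}: {value}")
```

Feeding two consecutive review exports into change_report gives the reviewer the handful of grants, revocations, and new or departed users to sign off on instead of the full report.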
Document your decisions.
This means formalizing the policies, procedures, and sign-off accountability for your system reviews. Review your plan, policy, procedures, risk assessments, and identified privileged permissions with your steering committee, auditors, or other industry professionals. For example, Finosec will review your plans and already has a list of identified permissions that should be reviewed for most core systems. If, by chance, we don’t have them for your system, we work with you to identify them.
Want more information?
Are you intrigued by what you’ve read? Remember, this is Step 3 on your journey to better and easier user access reviews. You can review the previous blogs here:
Watch for the last two steps in the User Access Review Best Practices Series, each one exploring ways to help you on your journey to a more successful user access review process.
If your frustration has already peaked because your institution still follows outdated processes to complete your user access reviews, you should contact Finosec today. We’d love to work alongside you to simplify your user access reviews and make them easier and more accurate than ever!