
Step 3 – User Access Review Best Practices: Risk Rate Systems & Access

By Finosec

January 18, 2023



Step Three in the Finosec user access review best practices series is to rate and prioritize the risk of the systems you identified as most important in Step Two of the UAR Best Practices, and to align those ratings with the access permissions that need to be reviewed.

Step Three: Rate System Risk and Identify Access Permissions to Review

You identified the systems with the highest risk in Step Two. The next activity is to define the risks to these critical systems as either high, medium, or low. Each system, based on risk, should also follow an established review schedule going forward, to govern the timely completion of your user access reviews.

These two questions give you a straightforward way to identify higher-risk systems.

  1. Does the system contain customer information?
  2. Does the system allow transactions?

The answers will enable you to quickly and easily classify the risks of your systems.

Think of the relative risk as either high, medium, or low. This activity also leads directly into a discussion of how frequently you should perform your reviews. The industry consensus for reviewing your high-risk functions and privileged access permissions is quarterly.

We know that the full user access report for a system like your core can be hundreds or thousands of pages long. Reviewing that many pages accurately is a daunting task, to put it mildly. To avoid a single massive review that is complex and burdensome, we suggest you split things up. If you review your high-risk systems quarterly, less of the information will have changed since the last review, so there is less for you to validate. For an even more streamlined approach, our User Access Reporting platform can import your reports and produce a change report showing what changed between this review and the previous one. This saves you a tremendous amount of time.
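As an added illustration of the two ideas above (rating each system from the two questions, then reviewing only what changed since the last review), here is a small script that is not Finosec's platform or report format. The snapshots, user names, system names and permissions are constructed sample data; the high/medium/low mapping from the two questions and the cadences for medium- and low-risk systems are assumptions, while quarterly review for high-risk systems is the cadence the post states.

```python
from collections import defaultdict

# Constructed sample snapshots (not real report output). Each row is
# (user, system, permission) as it might be pulled from a user access report.
PREVIOUS_REVIEW = [
    ("jsmith", "core", "wire-approve"),
    ("jsmith", "core", "view-accounts"),
    ("mlee", "core", "view-accounts"),
    ("mlee", "hr-portal", "view-payroll"),
    ("tnguyen", "intranet", "post-news"),
]
CURRENT_REVIEW = [
    ("jsmith", "core", "wire-approve"),
    ("jsmith", "core", "view-accounts"),
    ("jsmith", "core", "admin"),              # new privileged permission
    ("mlee", "hr-portal", "view-payroll"),
    ("mlee", "hr-portal", "edit-payroll"),    # new permission
    ("tnguyen", "intranet", "post-news"),
    ("rpatel", "core", "view-accounts"),      # new user on the core
]
# Note: mlee no longer has core view-accounts in the current snapshot.

# Constructed answers to the post's two questions per system:
# (contains customer information?, allows transactions?)
SYSTEM_ATTRIBUTES = {
    "core": (True, True),
    "hr-portal": (True, False),
    "intranet": (False, False),
}

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}
# Quarterly for high risk comes from the post; the other two are assumptions.
REVIEW_CADENCE = {"high": "quarterly", "medium": "semi-annually", "low": "annually"}


def rate_system(has_customer_info: bool, allows_transactions: bool) -> str:
    """Assumed mapping: both answers yes -> high, one yes -> medium, none -> low."""
    if has_customer_info and allows_transactions:
        return "high"
    if has_customer_info or allows_transactions:
        return "medium"
    return "low"


def review_schedule(system_attributes: dict) -> dict:
    """Return system -> review cadence derived from its risk rating."""
    return {
        system: REVIEW_CADENCE[rate_system(*answers)]
        for system, answers in system_attributes.items()
    }


def _index(rows):
    """Group permissions by (user, system) so the two snapshots can be diffed."""
    idx = defaultdict(set)
    for user, system, perm in rows:
        idx[(user, system)].add(perm)
    return idx


def change_report(previous, current, system_attributes: dict) -> list:
    """Diff two snapshots; list only (user, system) pairs whose permissions changed,
    ordered so the highest-risk systems are reviewed first."""
    prev, cur = _index(previous), _index(current)
    changes = []
    for key in set(prev) | set(cur):
        added = cur.get(key, set()) - prev.get(key, set())
        removed = prev.get(key, set()) - cur.get(key, set())
        if not added and not removed:
            continue  # unchanged since last review: nothing to re-validate
        user, system = key
        risk = rate_system(*system_attributes.get(system, (False, False)))
        changes.append({"user": user, "system": system, "risk": risk,
                        "added": sorted(added), "removed": sorted(removed)})
    changes.sort(key=lambda c: (RISK_ORDER[c["risk"]], c["system"], c["user"]))
    return changes


if __name__ == "__main__":
    for system, cadence in review_schedule(SYSTEM_ATTRIBUTES).items():
        print(f"{system}: review {cadence}")
    for change in change_report(PREVIOUS_REVIEW, CURRENT_REVIEW, SYSTEM_ATTRIBUTES):
        print(f"[{change['risk']}] {change['user']}@{change['system']} "
              f"added={change['added']} removed={change['removed']}")
```

Removed permissions are kept in the report on purpose: a reviewer still wants to confirm that an access removal was intended, not just that new grants are appropriate.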

Document your decisions.

This involves the formalization of the policies, procedures, and sign-off accountability for your system reviews. You should review your plan, policy, procedures, risk assessments, and identified privileged permissions with your steering committee, auditors, or other industry professionals. For example, FINOSEC will review your plans and has a list of already identified permissions that should be reviewed for most of the core systems. If, by chance, we don’t have them for your system, we work with you to identify them.

Want more information?

Are you intrigued by what you’ve read? Remember, this is Step 3 on your journey to better and easier user access reviews. You can review the previous blogs here:

Watch for the last two steps in the User Access Review Best Practices Series, each one exploring ways to help you on your journey to a more successful user access review process.

If your frustration has already peaked because your institution still follows outdated processes to complete your user access reviews, you should contact Finosec today. We’d love to work alongside you to simplify your user access reviews and make them easier and more accurate than ever!
