
Step 3 – User Access Review Best Practices: Risk Rate Systems & Access

By Finosec

January 18, 2023

Step Three in the Finosec user access review best practices series is to rate and prioritize the risk of the systems you identified as most important in Step Two, and to align each system with the access permissions that must be reviewed.

Step Three: Rate System Risk and Identify Access Permissions to Review

You identified the systems with the highest risk in Step Two. The next activity is to define the risks to these critical systems as either high, medium, or low. Each system, based on risk, should also follow an established review schedule going forward, to govern the timely completion of your user access reviews.

These two questions give you a straightforward way to identify higher-risk systems.

  1. Does the system contain customer information?
  2. Does the system allow transactions?

The answers will enable you to quickly and easily classify the risks of your systems.

Think of the relative risk as either high, medium, or low. This activity also leads directly into a discussion of how frequently you should perform your reviews. The industry consensus for reviewing your high-risk functions and privileged access permissions is quarterly.

We know that the full user access report for systems like your core can be hundreds or thousands of pages long. Calling an accurate review of that many pages a daunting task is an understatement. To avoid one massive, complex, and burdensome review, we suggest you split things up. If you review your high-risk systems quarterly, less of the information will have changed since the last review, so there is less for you to validate. For an even more streamlined approach, our User Access Reporting platform can import your reports and produce a change report showing what changed between this review and the previous one. This saves you a tremendous amount of time.
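The two ideas above, a high/medium/low rating driven by the two questions and a change report between the current and previous access export, can be illustrated with a small script. This is an added example, not code from Finosec or its User Access Reporting platform; the export column names, the list of privileged permissions, and the medium and low review intervals are assumptions (the page only states that high-risk reviews are quarterly), and the sample exports are constructed.

```python
"""Rate a system's risk, compute its next review date, and diff two user
access exports so reviewers only validate what changed.

Added example with constructed data; not Finosec's platform code.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample exports, one row per (user, permission).
# Column names are an assumption; real core exports differ.
PREVIOUS_EXPORT = """system,user,permission
core,alice,view_accounts
core,alice,post_transaction
core,bob,view_accounts
core,carol,admin
"""

CURRENT_EXPORT = """system,user,permission
core,alice,view_accounts
core,bob,view_accounts
core,bob,post_transaction
core,dave,admin
"""

# Hypothetical privileged permissions for this system (assumption).
PRIVILEGED = {"admin", "post_transaction"}

# Review cadence per risk tier. Quarterly for high risk comes from the
# page; the medium and low intervals are assumptions.
REVIEW_INTERVAL_DAYS = {"high": 91, "medium": 182, "low": 365}


def rate_system(has_customer_info: bool, allows_transactions: bool) -> str:
    """Map the two screening questions to a high/medium/low rating."""
    if has_customer_info and allows_transactions:
        return "high"
    if has_customer_info or allows_transactions:
        return "medium"
    return "low"


def next_review_due(last_review: date, tier: str) -> date:
    """Date by which the next review for this tier must be completed."""
    return last_review + timedelta(days=REVIEW_INTERVAL_DAYS[tier])


def load_entitlements(export_text: str) -> set:
    """Parse a CSV export into a set of (user, permission) pairs."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {(row["user"], row["permission"]) for row in reader}


def change_report(previous_export: str, current_export: str) -> dict:
    """Diff two exports: what was granted, what was revoked, and which
    new grants are privileged and therefore need the closest scrutiny."""
    previous = load_entitlements(previous_export)
    current = load_entitlements(current_export)
    added = sorted(current - previous)
    removed = sorted(previous - current)
    return {
        "added": added,
        "removed": removed,
        "privileged_added": [e for e in added if e[1] in PRIVILEGED],
        "unchanged": len(previous & current),
    }


if __name__ == "__main__":
    tier = rate_system(has_customer_info=True, allows_transactions=True)
    print("core rated", tier, "next review due",
          next_review_due(date(2023, 1, 18), tier))
    report = change_report(PREVIOUS_EXPORT, CURRENT_EXPORT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it rates the core system high (it holds customer data and allows transactions), sets the next review 91 days after the last one, and reports that only two entitlements were granted and two revoked since the previous review, with both new grants being privileged. Reviewers validate those four lines rather than the whole export.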

Document your decisions.

This involves formalizing the policies, procedures, and sign-off accountability for your system reviews. You should review your plan, policy, procedures, risk assessments, and identified privileged permissions with your steering committee, auditors, or other industry professionals. For example, Finosec will review your plans and already has a list of identified permissions that should be reviewed for most core systems. If, by chance, we don’t have them for your system, we work with you to identify them.

Want more information?

Are you intrigued by what you’ve read? Remember, this is Step 3 on your journey to better and easier user access reviews. You can review the previous blogs here:

Watch for the last two steps in the User Access Review Best Practices Series, each one exploring ways to help you on your journey to a more successful user access review process.

If your frustration has already peaked because your institution still follows outdated processes to complete your user access reviews, you should contact Finosec today. We’d love to work alongside you to simplify your user access reviews and make them easier and more accurate than ever!
