
Step 4 – User Access Review Best Practices: Review System Access and Permissions

By Finosec

January 26, 2023

Step Four in the FINOSEC user access review best practice series is to ensure users who have access to your systems have legitimate duties that justify not only access but their specific permissions for those systems.

Step Four: Review System Access and Permissions

In Step Three, you assessed your system risks and categorized them as high, medium, or low. This assessment helped you create your annual plan for user access reviews based on risk. Now, it’s time to get a bit more granular. Continuing our theme of starting with the most important, we must look at privileged access permissions first. You need to validate that the users with privileged access to your systems have job duties requiring that level of access. You then need to confirm you are managing all of your users according to the principle of least privilege, meaning that users have the fewest permissions necessary to do their jobs.

Who exactly are “users”?

The term “users” includes employee accounts, contractor accounts, system accounts, service accounts, vendor accounts, and API integrations. The systems and data accessed by these accounts may exist outside your institution’s firewall and should be reviewed.

About those vendor accounts…

The access vendors have to your data, such as for managed services providers, should be analyzed in terms of “active or inactive.” For example, do all the vendors currently classified as active need to be active, or should some be classified as inactive?

Where do I start?

Your permissions review should start with the high-risk functions on your highest-risk systems. This lets you focus on perhaps 20-30 of the most crucial privileged permissions. Then you can address the rest of the more typical users at a later time.

You need to review all account changes made since the previous review.

When roles change, ensure the permissions no longer needed have been removed and confirm that the appropriate new permissions have been added. You also have to inspect individual permission changes and permissions that have been added to a security group. If you can structure your review to focus only on what’s changed, it’s a far more efficient process.

Finally, work together!

Reach out to HR, Department Managers, and anyone else who can help you validate what permissions are required to fulfill the duties of a given role. The odds are that these requirements have not yet been clearly defined, and that users have more access than they need.

There are three significant side effects of this effort:

  1. Onboarding a new employee
    When someone is hired for a specific job role, IT will know precisely what permissions to give the user to complete their work, resulting in fewer helpdesk tickets.
  2. Terminating a user
    One of the most common IT Security Audit findings is a terminated user with an active account hanging around. By documenting the systems a user has access to, you will know what systems they need to be removed from and can avoid that audit finding.
  3. Changing Job Roles
    If a user is changing jobs, more often than not, they are given the permissions they need for their new role, but the permissions they don’t need are not removed. By documenting the required permissions for each job role, you will know what to add and, most importantly, what to remove.
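The change-focused review described above (compare against the last review, check each account against the documented permissions for its role, and catch terminated users, stale vendor accounts and leftover permissions after a role change) can be expressed as a small script. The following is an added example, not Finosec code; the account snapshots, role baseline, HR roster and system names are all constructed for illustration.

```python
"""Change-focused user access review (added example with constructed data).

Inputs, all assumed/constructed for this example:
- PRIOR / CURRENT: permission grants per (user, system) at the last review and now
- ROLE_BASELINE: the documented permissions each job role requires on each system
- ROSTER: HR / vendor-registry view of each account's role and status
- PRIVILEGED: permission names the institution treats as privileged
"""

# Grants at the previous review: {(user, system): {permissions}}
PRIOR = {
    ("alice", "core_banking"): {"view_accounts", "post_transactions"},
    ("bob", "core_banking"): {"view_accounts", "post_transactions", "approve_overrides"},
    ("svc_backup", "core_banking"): {"admin"},
    ("vendor_msp", "ad"): {"domain_admin"},
}

# Grants today. alice was promoted and kept her old permissions, bob was
# terminated, carol is a new hire, and the MSP's contract has ended.
CURRENT = {
    ("alice", "core_banking"): {"view_accounts", "post_transactions", "approve_overrides"},
    ("bob", "core_banking"): {"view_accounts", "post_transactions", "approve_overrides"},
    ("carol", "core_banking"): {"view_accounts"},
    ("svc_backup", "core_banking"): {"admin"},
    ("vendor_msp", "ad"): {"domain_admin"},
}

# Documented required permissions per role (the output of working with HR and managers)
ROLE_BASELINE = {
    "teller": {"core_banking": {"view_accounts", "post_transactions"}},
    "branch_manager": {"core_banking": {"view_accounts", "approve_overrides"}},
    "backup_service": {"core_banking": {"admin"}},
    "msp_vendor": {"ad": {"domain_admin"}},
}

# HR / vendor registry: user -> (role, status). Accounts missing here are orphans.
ROSTER = {
    "alice": ("branch_manager", "active"),
    "bob": ("branch_manager", "terminated"),
    "carol": ("teller", "active"),
    "svc_backup": ("backup_service", "active"),
    "vendor_msp": ("msp_vendor", "inactive"),
}

PRIVILEGED = {"admin", "domain_admin", "approve_overrides"}


def changes_since_last_review(prior, current):
    """Return (added, removed) grants as sorted lists of (user, system, permission).

    Reviewing only this delta is what keeps a recurring review efficient.
    """
    added, removed = [], []
    for key in set(prior) | set(current):
        before, after = prior.get(key, set()), current.get(key, set())
        added.extend((key[0], key[1], p) for p in after - before)
        removed.extend((key[0], key[1], p) for p in before - after)
    return sorted(added), sorted(removed)


def review(current, roster, baseline, privileged):
    """Check every current grant against the roster and the role baseline.

    Findings are (kind, user, system, detail) tuples:
      stale_account       terminated / inactive / unknown owner, whole account should go
      excess_permission   granted but not required by the documented role
      missing_permission  required by the role but not granted (onboarding gap)
      privileged_grant    privileged permission to confirm against job duties
    """
    findings = []
    for (user, system), perms in sorted(current.items()):
        role, status = roster.get(user, (None, "unknown"))
        if status != "active":
            findings.append(("stale_account", user, system, status))
            continue  # no point itemizing permissions on an account to be removed
        required = baseline.get(role, {}).get(system, set())
        findings.extend(("excess_permission", user, system, p) for p in sorted(perms - required))
        findings.extend(("missing_permission", user, system, p) for p in sorted(required - perms))
        findings.extend(("privileged_grant", user, system, p) for p in sorted(perms & privileged))
    return findings


if __name__ == "__main__":
    added, removed = changes_since_last_review(PRIOR, CURRENT)
    print("Added since last review:", added)
    print("Removed since last review:", removed)
    for finding in review(CURRENT, ROSTER, ROLE_BASELINE, PRIVILEGED):
        print(*finding)
```

Run as-is, the script flags bob's still-active account and the inactive vendor's domain admin access as stale accounts, alice's leftover teller permission as excess after her role change, carol's missing teller permission as an onboarding gap, and lists the remaining privileged grants for explicit justification. In practice PRIOR and CURRENT would come from exports of each system's permission assignments, and ROSTER from the HR system and vendor registry.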

Want more information?

Are you intrigued by what you’ve read? This is the fourth step of a five-step improved UAR process. There’s one more yet to come. You can review the previous blogs here:

Or, if your frustration has already spiked because your institution still follows outdated processes to complete your user access reviews, you should contact FINOSEC today. We’d love to work alongside you to simplify your user access review process and make it easier than ever!
