
Step 5 – User Access Review Best Practices: Increase Maturity

By Finosec

February 2, 2023


Step 5 is the final step in the User Access Review Best Practices series. The goal of this step is to focus on increasing standardization to develop a more mature and routine approach to user access reviews by focusing on three key areas.

  1. Roles and baseline permissions
  2. Standardized onboarding processes
  3. Procedures to track and account for changes and exceptions

Step Five: Increase Maturity

In the previous steps, you inventoried and mapped your systems, rated the relative risk of each system, and identified those with higher risk. From there, you learned to review the roles, identify the system access each role needs, and properly address new and terminated accounts.

Now, it’s time to take what you’ve learned and build a streamlined process that keeps your institution safer while making your job simpler.

Use Security Groups

You should develop a comprehensive list of the baseline permissions per system for each job role or function, making sure the access to be granted is consistent with the standard of least privilege. This is also where you need to identify the privileged access requirements. It may even make sense to create a special group for these elevated rights for ease of management. Be on guard for permission creep and red flags, such as a single user being able to make and approve their own change in a system. Your diligence in this process is a good way for you to reduce overall risk.

Once completed, create security groups to match the job roles or functions you’ve defined. By using group permissions, you can easily add and remove accounts and know what permissions are being altered.

Where do I start?

The path to easy permissions management begins with a Role & Access Matrix that consists of the following items:

  • Roles/Functions
  • The primary function of the role
  • Systems & permissions the role requires
  • Security Groups required for the role

Using this matrix, you can establish the procedures needed to maintain accurate and verifiable permission provisioning for your accounts.

Establish standard onboarding procedures

By utilizing security groups for each job role or function, you can standardize your onboarding process, making it easier, reducing follow-up helpdesk requests for permissions that were overlooked, and setting your new employees up for success.

Work with your HR team so that job roles and functions are standardized, allowing for a smooth process for provisioning new users. For example, HR notifies IT that a new teller is starting on a certain day. IT can then provision that account at the right time and add the user to the teller security groups, confident that they will have all the access they need.

Establish job change and termination procedures

Utilizing the Role & Access Matrix and your security groups benefits your job change and termination procedures as well. For terminations, you'll know exactly which systems to remove the user from and won't miss one. For job changes, you can add the user to their new security groups and remove them from the security groups and systems no longer needed. This ensures you don't leave behind excess permissions along the way.

What about one-offs?

A more complex change case is when an employee, for whatever reason, must be given temporary access to one or more systems. There must be a process in place to manage and handle these temporary situations, so they aren’t forgotten and become permanent.

One way to track these is by using a user variance management process. This can be a separate log or built into your change management program. Be sure that every temporary access request has a defined end date. Then, set reminders to remove the access at the appropriate time. A review of the user access variance log should be completed routinely to ensure that a temporary elevation in permissions doesn’t become an accidental permanent change.
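The job change, termination and variance-log procedures above, as an added Python example that is not part of the original post. The Role & Access Matrix entries, security group names, segregation-of-duties pairs and log entries are constructed sample data; a real institution would load them from its own matrix and change-management system.

```python
from dataclasses import dataclass
from datetime import date

# Constructed Role & Access Matrix (sample data, not any institution's real one):
# job role -> security groups that grant its baseline permissions.
ROLE_ACCESS_MATRIX = {
    "teller": {"SG-Core-Teller", "SG-Email-Staff"},
    "loan-officer": {"SG-Core-LoanEntry", "SG-Email-Staff", "SG-DocImaging"},
    "loan-approver": {"SG-Core-LoanApprove", "SG-Email-Staff"},
}

# Constructed group pairs one person should never hold together
# (entering a change vs. approving that same change).
SOD_CONFLICTS = [("SG-Core-LoanEntry", "SG-Core-LoanApprove")]


def job_change(current_groups, new_role):
    """Groups to add and groups to remove so the account matches its new role
    exactly.  A termination is the same operation with new_role=None."""
    target = ROLE_ACCESS_MATRIX[new_role] if new_role else set()
    return target - current_groups, current_groups - target


def sod_conflicts(user_groups):
    """Conflicting pairs a single user holds (the make-and-approve red flag)."""
    return [pair for pair in SOD_CONFLICTS if set(pair) <= set(user_groups)]


@dataclass(frozen=True)
class Variance:
    """One user variance log entry: a temporary, out-of-role grant with an end date."""
    user: str
    group: str
    end_date: date


def variances_to_remove(log, today):
    """Entries whose end date has arrived; these must be revoked, not left to linger."""
    return [v for v in log if v.end_date <= today]


# Constructed scenario: a teller becomes a loan officer, then gets temporary approval rights.
SAMPLE_LOG = [Variance("jdoe", "SG-Core-LoanApprove", date(2023, 2, 15))]
REVIEW_DATE = date(2023, 2, 16)

if __name__ == "__main__":
    print(job_change({"SG-Core-Teller", "SG-Email-Staff"}, "loan-officer"))
    print(sod_conflicts(ROLE_ACCESS_MATRIX["loan-officer"] | {SAMPLE_LOG[0].group}))
    print(variances_to_remove(SAMPLE_LOG, REVIEW_DATE))
```

Running the routine review on the variance log with today's date gives the list of grants due for removal, and checking a user's combined groups against the conflict pairs surfaces the make-and-approve situation the post warns about.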

Want more information?

This is the final step of a five-step improved UAR process. If you would like, you can review the previous blogs here:

Or, if you're already tired of outdated processes for completing user access reviews, contact FINOSEC today. We'd love to work alongside you to simplify your user access review process and make it easier than ever!
