As highlighted in a recent article from the Federal Reserve, managing third-party relationships and the access that comes with those relationships is a critical component of Third-Party Risk Management (TPRM). Controlling the access that third-party vendors have to banking systems, the discipline known as Access Management, is foundational to mitigating the risks those relationships create. Access Management is easy to overlook because it does not always reside with the same person or team as TPRM, which makes it difficult to provide the oversight the relationship needs.
With increased regulatory focus, how should institutions be thinking about Access Management? Here are five steps your institution can take today to strengthen its third-party governance.
1. Set a Foundation for Access Management in TPRM
Third-party governance begins with understanding who has access to what.
- List Every System and Every Access Granted: A fundamental part of TPRM is maintaining an up-to-date inventory of systems, vendors, and the access granted to employees and third-party vendors on each system. This inventory is the starting point for Access Management: without it, no one can answer who can reach which system.
- Validate Access on Each System for Every User: Once the inventory is in place, institutions should validate each system's access for every employee, and for external vendors and contractors as well. Ongoing validation confirms that permissions are accurate, reflect current job responsibilities, and enforce the principle of least privilege.
2. Establish the Right Frequency for Access Reviews
Once the inventory of systems and access exists, the institution should define how often each system's access is reviewed.
- Assess Review Frequency Based on Risk: Not all systems carry the same risk. Institutions should decide how often each system's access is reviewed based on the system's criticality and the potential impact of unauthorized access; a high-risk system warrants a shorter review cycle than a low-risk one.
- Perform Regular Access Reviews: After establishing the frequency, institutions need a consistent, repeatable process for performing the reviews and recording their results. Regular user access reviews prevent the accumulation of outdated or unnecessary permissions and reduce the exposure created by third-party relationships.
3. Manage Privileged Access Across High-Risk Systems
Not all access is created equal, and some systems require more stringent controls due to the sensitivity of their data and functions. For high-risk systems and permissions, understanding and controlling privileged access is essential.
- Identify Privileged and High-Risk Permissions: All systems will have an administrator that can add, remove, and change access. Some systems, particularly those related to core processing, financial reporting, and financial transactions, require additional privileged access. For systems like core banking, wire transfer services, FedLine, or correspondent banking, it’s critical to understand what privileged access is available and who has access to these high-risk access permissions.
Key question to ask: Does your TPRM document privileged access by system?
4. Integrate SOC Reports and User Entity Controls (UECs)
SOC reports are essential for documenting the control environment of a vendor. As part of the report, responsibilities are divided between the vendor and the institution, and managing access and security within the vendor's system is one of the responsibilities that most often falls to the institution.
- Review User Entity Controls (UECs): Nearly every SOC report includes UECs (also called complementary user entity controls) that outline the controls the institution itself must operate for the vendor's controls to be effective. Access Management is frequently, if not always, among them, requiring the institution to validate and review access to demonstrate compliance with those controls.
- Ensure Control Compliance: Vendor managers who are involved in third-party risk management but not in day-to-day Access Management should still document that the access-related UECs have been reviewed and validated, and by whom. These obligations may include confirming that only authorized users hold specific high-risk permissions.
Key question to ask: How do we know which systems a terminated employee or vendor had access to, and how do we validate that the access has been removed?
Key question to ask: How do we know what systems an employee has when they are terminated? How do we validate they have been removed?
5. Strengthen Access Termination Processes
One significant risk in TPRM is improper offboarding. Ensuring that terminated employees and vendors lose access at termination addresses one of the most common audit findings.
- Implement Effective Termination Protocols: A sound TPRM framework requires procedures for promptly removing access when employees, third-party vendors, or contractors are terminated, on every system they held access to, not just the ones the terminating manager remembers. Without this process, former users can retain access to sensitive systems, increasing the risk of unauthorized activity.
- Coordinate Between Vendor and Access Management Teams: The vendor management and Access Management teams should work together to confirm that offboarding processes are consistent and that no access is overlooked. This coordination prevents the residual access that arises when a departed employee or expired vendor account keeps system permissions after termination.
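The five steps above describe one procedure: inventory access, review it on a risk-based cadence, single out privileged permissions, and prove that terminated users and ended vendor contracts no longer hold access. The reconciliation below is an added example, not code from the original article or from any product it describes. The systems, user IDs, dates, record layout, and the review intervals per risk tier (90, 180 and 365 days) are all constructed assumptions; an institution would replace them with exports from its own systems and HR or vendor records.

```python
"""Access-review reconciliation over a constructed access inventory.

Added example. Everything below (systems, users, dates, permissions and the
review cadence per risk tier) is a made-up assumption for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed review cadence: days allowed between access reviews per risk tier.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# The "as of" date for the review run (constructed).
AS_OF = date(2024, 11, 1)


@dataclass(frozen=True)
class AccessGrant:
    system: str
    user: str          # employee ID or vendor account name
    permission: str
    privileged: bool   # can administer other users' access or move money


@dataclass(frozen=True)
class Principal:
    user: str
    kind: str          # "employee" or "vendor"
    active: bool
    end_date: Optional[date] = None   # termination or contract end date


# Constructed sample inventory: system -> risk tier and last completed review.
SYSTEMS = {
    "core-banking": {"tier": "high", "last_review": date(2024, 6, 1)},
    "wire-transfer": {"tier": "high", "last_review": date(2024, 9, 15)},
    "hr-portal": {"tier": "low", "last_review": date(2024, 1, 10)},
}

# Constructed roster combining HR records and vendor contract status.
ROSTER = [
    Principal("e1001", "employee", True),
    Principal("e1002", "employee", False, date(2024, 8, 30)),    # terminated
    Principal("v-acme-svc", "vendor", True),
    Principal("v-oldco-svc", "vendor", False, date(2024, 5, 1)),  # contract ended
]

# Constructed export of who holds what on each system.
INVENTORY = [
    AccessGrant("core-banking", "e1001", "teller", False),
    AccessGrant("core-banking", "e1002", "user-admin", True),     # orphaned and privileged
    AccessGrant("wire-transfer", "v-acme-svc", "release-wire", True),
    AccessGrant("wire-transfer", "v-oldco-svc", "view", False),   # orphaned vendor account
    AccessGrant("hr-portal", "e1001", "self-service", False),
    AccessGrant("hr-portal", "ghost", "reporting", False),        # not on the roster at all
]


def orphaned_grants(inventory, roster):
    """Grants held by principals who are terminated, ended, or unknown to the roster."""
    active = {p.user for p in roster if p.active}
    return [g for g in inventory if g.user not in active]


def privileged_by_system(inventory):
    """Map system -> sorted (user, permission) pairs holding privileged access."""
    out = {}
    for g in inventory:
        if g.privileged:
            out.setdefault(g.system, []).append((g.user, g.permission))
    return {s: sorted(v) for s, v in out.items()}


def overdue_reviews(systems, today):
    """Systems whose last access review is older than their tier's interval."""
    overdue = []
    for name, meta in systems.items():
        due = meta["last_review"] + timedelta(days=REVIEW_INTERVAL_DAYS[meta["tier"]])
        if today > due:
            overdue.append((name, due))
    return sorted(overdue)


def termination_check(inventory, roster, today):
    """Grants that should have been removed at termination, with days lingered."""
    ended = {p.user: p.end_date for p in roster if not p.active and p.end_date}
    return sorted(
        (g.system, g.user, (today - ended[g.user]).days)
        for g in inventory if g.user in ended
    )


if __name__ == "__main__":
    print("Orphaned grants:", [(g.system, g.user) for g in orphaned_grants(INVENTORY, ROSTER)])
    print("Privileged access by system:", privileged_by_system(INVENTORY))
    print("Overdue reviews as of", AS_OF, ":", overdue_reviews(SYSTEMS, AS_OF))
    print("Lingering post-termination access:", termination_check(INVENTORY, ROSTER, AS_OF))
```

The four functions map to the audit questions in the article: `orphaned_grants` answers "who still has access that should not", `privileged_by_system` answers "is privileged access documented by system", `overdue_reviews` enforces the risk-based cadence, and `termination_check` shows how long an account has outlived its owner's termination date, which is the number an auditor will ask for. The `ghost` account, present on a system but absent from both HR and vendor records, is the case that a roster-only offboarding process never catches; it only surfaces when the system export is reconciled against the roster, which is why step 1's inventory has to come from the systems themselves.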
Building a Secure TPRM Framework Through Access Management
The link between Access Management and Third-Party Risk Management is critical to building a secure framework for financial institutions. From inventorying systems and validating access, to controlling high-risk permissions and enforcing termination protocols, integrating Access Management into TPRM practices helps institutions reduce the risks that come with vendor relationships.
If all of this sounds intimidating, join us for our upcoming webinar on Tuesday, November 19, from 12:30 to 1:30 CST: Mastering User Access Reporting and Compliance. Learn how to:
- streamline processes
- track every system and every employee
- confidently manage to auditor expectations