Back to Blog

The Critical Link Between Third-Party Risk Management (TPRM) and Access Management

By Zach Duke

November 7, 2024

Get notified on new insights from Finosec now!

Be the first to know about new Finosec blogs to grow your knowledge of the cybersecurity governance industry today!

As highlighted in a recent article from the Federal Reserve, managing third-party relationships and the access associated with those relationships is a critical component of Third-Party Risk Management (TPRM). The associated access third party vendors have to banking systems is known as Access Management and is foundational for mitigating risks associated with third-party relationships. Access Management may be easy to overlook because it does not always reside with the same person or team as TPRM; making it difficult to provide critical oversight.

With increased regulatory focus, how should institutions be thinking of Access Management? Here are five steps your institution can take today to strengthen your third-party governance.

1. Set a Foundation for Access Management in TPRM

Third-party governance begins with understanding who has access to what.

  • List Every System and Access Granted: A fundamental part of TPRM is maintaining an updated list of systems, vendors, and access granted to employees and third-party vendors. This comprehensive list is the starting point for access management and helps to understand who can access systems.
  • Validating Each System for Every Employee: Once a complete list is in place, institutions should validate each system’s access for every employee and even external vendors and contractors. This ongoing validation ensures that permissions are accurate and reflect current job responsibilities to manage to the principle of least privilege access.

2. Establish the right Frequency for Access Reviews

After determining the list of systems and access, the institution should define the right frequency for access reviews.

  • Assess Review Frequency Based on Risk: Not all systems carry the same risk. Institutions should decide how often each system’s access needs to be reviewed based on the system’s criticality and the potential impact of unauthorized access.
  • Regular Access Reviews: After establishing review frequency, institutions need consistent processes for performing these reviews. Regular user access reviews prevent the accumulation of outdated or unnecessary permissions and reduce exposure to risks associated with third-party relationships.

3. Manage Privileged Access Across High-Risk Systems

Not all access is created equal, and some systems require more stringent controls due to the sensitivity of their data and functions. For high-risk systems and permissions, understanding and controlling privileged access is essential.

  • Identify Privileged and High-Risk Permissions: All systems will have an administrator that can add, remove, and change access. Some systems, particularly those related to core processing, financial reporting, and financial transactions, require additional privileged access.  For systems like core banking, wire transfer services, FedLine, or correspondent banking, it’s critical to understand what privileged access is available and who has access to these high-risk access permissions.

Key question to ask: Does your TPRM document privileged access by system?

4. Integrate SOC Reports and User Entity Controls (UECs)

SOC reports are essential for documenting the governance for vendors. As part of the SOC reporting, responsibilities are outlined; particularly managing access and security within third-party systems.

  • Review User Entity Controls (UECs): Every SOC report includes UECs that outline responsibilities the institution must manage. Access Management is frequently (if not always) highlighted here, requiring institutions to validate and review access to ensure compliance with these controls.
  • Ensuring Control Compliance: For vendor managers that are involved in third-party risk management but not actively engaged in Access Management, reviewing and validating UECs for access-related obligations should be documented. These responsibilities may include validating that authorized users have access to specific high-risk permissions.

Key question to ask: How do we know what systems an employee has when they are terminated? How do we validate they have been removed?

5. Strengthen Access Termination Processes

One significant risk in TPRM is improper offboarding. Ensuring terminated employees and vendors lose access upon termination will address one of the most common audit findings.

  • Implementing Effective Termination Protocols: A sound TPRM framework requires procedures for promptly removing access when employees or third-party vendors (and contractors) are terminated. Without this process, former users could retain access to sensitive systems, increasing the risk of unauthorized activity.
  • Coordination Between Vendor and Access Management Teams: Vendor and Access Management teams should work together to confirm that offboarding processes are consistent and that no access is overlooked. This coordination helps prevent the residual access risks that can arise when employees retain system permissions post-termination.

Building a Secure TPRM Framework Through Access Management

The link between Access Management and Third-Party Risk Management is critical to building a secure framework for financial institutions. From listing systems and validating access to managing high-risk permissions and termination protocols, integrating Access Management into TPRM practices helps institutions reduce risks associated with vendor relationships.

If all of this sounds intimidating, join us for our upcoming webinar on Tuesday November 19 from 12:30-1:30 CST: Mastering User Access Reporting and Compliance. Learn how to:

  • streamline processes
  • track every system and every employee
  • confidently manage to auditor expectations

More from Finosec

Introducing Fin-Atics: A Thankful Launch of Our Customer Referral Campaign

Introducing Fin-Atics: A Thankful Launch of Our Customer Referral Campaign

During Thanksgiving, it’s the perfect time to reflect on gratitude—both personally and professionally. At Finosec, our commitment is grounded in one key principle: the customer is the reason why we’re in business. This belief has been instilled in me since childhood, thanks to the lessons of my father, who not only shaped my views on business but also inspired me to carry these values into my leadership today.

Mastering Access Management: Best Practices for Effective User Access Reviews

Mastering Access Management: Best Practices for Effective User Access Reviews

Access management is a critical component of cybersecurity and compliance, especially for financial institutions where security expectations are paramount. The challenges surrounding permissions management, particularly during user access reviews, are increasing due to regulatory expectations and the complexity of banking applications. In this blog post, we’ll explore the regulatory expectations, common exam findings, and best practices that can help your organization manage user access effectively while adhering to the principle of least privilege – limiting user access to only the resources necessary to perform their job functions.

The Critical Foundation of Managing Access to Banking Systems

The Critical Foundation of Managing Access to Banking Systems

Managing access to banking systems has become increasingly complex as financial institutions navigate legacy reporting systems, API access, and cloud solutions. These challenges, along with the risks posed by unmanaged systems, emphasize the need for maintaining a...

Talk To An Expert Now
Talk To An Expert Now 770.268.2765