
The Evolving Role of Access Management: What Financial Institutions Need to Know About the New FFIEC Guidance

By Beth Sumner

October 30, 2024


With all eyes focused on AI regulations and the sunset of the Cybersecurity Assessment Tool (CAT), the recently released FFIEC Development, Acquisition, and Maintenance (DA&M) booklet has almost slid under the radar. However, this new booklet is a complete rewrite of the 2004 guidance and brings with it almost 20 years of changes, making it critical for financial institutions to understand what the guidance entails and how it impacts their IT programs.

While the DA&M booklet itself is probably the most technical the FFIEC has ever published, I want to dig into two key areas today: Information Technology Asset Management (ITAM) and User Access Management (UAM). Both ITAM and UAM are critical for ensuring a secure and well-managed IT environment, but they now come with new expectations.

What Has Changed?

The new guidance places a much stronger emphasis on comprehensive Information Technology Asset Management. ITAM is now mentioned 24 times in this booklet; the term did not appear in the previous version at all. The booklet defines ITAM using NIST terminology and states that ITAM “refers to a set of policies and procedures that an organization uses to track, audit, and monitor the state of its IT assets and maintain system configurations.”

We can understand that part. IT Asset Management is how you track and monitor everything. It’s what we’ve done for years. But the new booklet calls for you to think beyond your traditional IT assets and systems.

The guidance also expands ITAM’s scope, stating that financial institutions “must have an inventory of all systems and components (including open-source software, proprietary APIs, container images, and related licenses).” Not only that, but every component needs to be included in access authentication and authorization controls throughout the supply chain to ensure security.

This comprehensive view of asset management highlights the growing complexity of the IT environments financial institutions must oversee and emphasizes the need to identify, monitor, and protect every single asset. Essentially, you cannot protect what you do not know exists.

Why It Matters: Examiners Will Be Looking

With an increase in attacks targeting third-party service providers, the supply chain, and internal threats, examiners will be paying closer attention to how financial institutions are managing their IT assets and access controls. The Examiner Procedures in the back of the booklet give us some idea of what they are expected to look for:

  • A Complete Asset Inventory: This includes everything from applications and hardware to software components, APIs, configurations, licenses, and data storage locations.
  • Access Management Practices: Institutions need to demonstrate that they have robust processes for managing who has access to what – particularly in areas like off-boarding users, securing third-party systems, and ensuring privileged access is tightly controlled.
  • Integration of ITAM with UAM Programs: The booklet repeatedly emphasizes the need to align IT asset management with your User Access Management (UAM) program. Each asset’s access controls should be regularly reviewed and adjusted based on changes in roles, risks, or the asset’s lifecycle stage.

Also, just as a tip, if you ever want the test answers, jump to the back! All updated booklets have the examiner procedures listed.

What’s the Risk?

Access management is a core component of ensuring the security and integrity of a financial institution’s IT environment. Weak or inappropriate access controls can lead to unauthorized access, data breaches, and, ultimately, loss of trust and reputation. “Inappropriate access controls” is the first risk identified under the booklet’s “Risks Related to APIs” section, but this concern extends far beyond just APIs. Access control issues exist in every area where sensitive data is stored or processed.

According to the FFIEC, “Management should provide current access and authentication lists and appropriate controls to minimize the potential for insider threats as entities develop and acquire systems and components.” This is a critical reminder that both internal and external access points need to be consistently monitored and reviewed.

In addition, the guidance warns that “attackers often exploit a third-party service provider’s supply chain to access multiple other victim businesses for subsequent attacks.” We’ve seen this be the case. Without strong authentication and authorization measures, banks risk becoming vulnerable to supply chain attacks that can quickly spiral out of control.

Practical Changes You Can Implement

To prepare for these changes and reduce the risk of non-compliance, community financial institutions should consider the following steps:

  • Establish an Information Technology Asset Inventory: Finosec calls this the System Inventory Map. This single source of truth for all your IT assets allows you to track not only what exists but also its state, usage, and associated access controls. This list should include all applications, software components, development sites, and all third-party integrations.
  • Enhance Your Access Review Program: Ensure that each asset is tied to your access management policies. Regularly audit permissions, particularly for privileged users and for changes. With Finosec’s Governance 360 platform, the Access Management module can help streamline this process, making it easier to identify any potential gaps.
  • Implement Strong Off-Boarding Procedures: Design a robust process for decommissioning assets and revoking access for employees and third-party providers. The new guidance specifically calls out this area as a point of weakness, making it crucial to have documented steps for every stage of the asset lifecycle.
  • Integrate ITAM with UAM: Your IT Asset Management and User Access Management programs should not operate in silos. Ensure your access management policies are aligned with your asset inventory, so every asset has appropriate controls, and every change is documented and reviewed.
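As an added example (not code from the original post or from Finosec's product), the following Python script shows one way to reconcile an asset inventory against an access list and a user directory, flagging the gaps the steps above describe: components with no owner, assets not covered by any access grant, overdue access reviews, grants still held by terminated users, and grants pointing at assets missing from the inventory. All asset names, user names, and the review cutoff date are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Asset:
    asset_id: str
    kind: str                        # application, api, container-image, oss-component
    owner: Optional[str]             # None means no accountable owner recorded
    last_access_review: Optional[str]  # ISO date of last review, None if never reviewed

@dataclass
class AccessGrant:
    user: str
    asset_id: str
    privileged: bool

@dataclass
class User:
    user: str
    status: str                      # "active" or "terminated"

# Constructed sample data: an inventory that includes non-traditional assets
ASSETS = [
    Asset("core-banking", "application", "ops-lead", "2024-09-15"),
    Asset("payments-api", "api", "dev-lead", "2024-03-01"),
    Asset("nginx:1.25", "container-image", None, None),
]
GRANTS = [
    AccessGrant("alice", "core-banking", True),
    AccessGrant("bob", "core-banking", False),
    AccessGrant("carol", "payments-api", True),
    AccessGrant("vendor-svc", "legacy-report", False),
]
USERS = [User("alice", "active"), User("bob", "terminated"),
         User("carol", "active"), User("vendor-svc", "active")]
REVIEW_CUTOFF = "2024-07-01"   # assumption: reviews older than this are overdue

def reconcile(assets: List[Asset], grants: List[AccessGrant], users: List[User],
              review_cutoff: str) -> List[Tuple[str, str]]:
    """Return (asset_id, finding) pairs where ITAM and UAM records disagree."""
    findings = []
    asset_ids = {a.asset_id for a in assets}
    status = {u.user: u.status for u in users}
    covered = {g.asset_id for g in grants}
    for a in assets:
        if a.owner is None:
            findings.append((a.asset_id, "no owner assigned"))
        if a.asset_id not in covered:
            findings.append((a.asset_id, "asset not covered by any access grant"))
        if a.last_access_review is None or a.last_access_review < review_cutoff:
            findings.append((a.asset_id, "access review overdue"))
    for g in grants:   # grants must reference inventoried assets and active users
        if g.asset_id not in asset_ids:
            findings.append((g.asset_id, f"grant for {g.user} references unknown asset"))
        elif status.get(g.user) != "active":
            findings.append((g.asset_id, f"grant for {g.user} is not an active user"))
    return findings
```

Each finding maps back to one of the steps above: unowned or uncovered assets belong in the inventory work, stale reviews in the access review program, and terminated-user grants in off-boarding.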

The Role of Governance 360 in Simplifying Compliance

Finosec’s Governance 360 solution is designed to support financial institutions in these areas. The System Inventory Map helps institutions build and maintain a comprehensive asset inventory, while the Access Management module provides the tools to manage, track, and review access controls for all systems. This combination ensures that financial institutions have a strong foundation to meet the new FFIEC guidance.

Looking Ahead

As your institution navigates these updates, it’s important to stay proactive. By focusing on developing a clear asset inventory and aligning it with robust user access controls, your institution will not only meet the new expectations but also be better prepared to protect against evolving cyber threats.

For more information on how Finosec’s platform can help your institution stay compliant, reach out to us today!
