The Federal Financial Institutions Examination Council (FFIEC) updated its Authentication Guidance in August 2021, which aims to standardize and enhance security measures for financial institutions. We are seeing a focus on these areas during exams and audits, and understanding these new guidelines is crucial for compliance and risk management.

Today, we’re delving into an essential topic that affects both the security and the integrity of your digital assets: privilege creep. In this blog, we’ll explore the potential risks, and provide you with actionable strategies to prevent this sneaky threat from undermining your cybersecurity efforts.

User Access Reviews (UAR) are crucial for financial institutions, examiners and auditors are focusing on them, and best practices mandate managing to least privilege.   However, the process can be complicated and time-consuming. This is why it's important to standardize and simplify the process as much as possible. Our User Access Review Best Practices white paper outlines five steps to help you achieve this. 

“The Customer is Why You are in Business”  Allen Duke, Mentor & Father.

Those who know me well have probably heard me talk about my father's impact on me and business.   For those of you who haven’t heard the passion I have related to these lessons I learned, here is some context:

My dad was a manufacturer sales representative for furniture companies, selling furniture to furniture stores across multiple states.  My dad was intentional about teaching me business lessons; some of the most memorable lessons were when I would travel with my dad.  As part of these trips, we would visit his customers all across the territory.  I learned so much from these trips and have many fond memories of the time with my dad…

One of the lessons that he continuously reiterated to me was that “The Customer is Why You are in Business.”   Being in business held a ton of weight, partly because my dad didn’t have a base salary; he only made an income if the furniture stores sold his furniture, and it was embedded in his deep-rooted integrity for going the extra mile.

In case you haven’t heard, we are ecstatic to announce that Beth Sumner has joined us as VP of Customer Success.  Beth has deep roots in community banking, technology, and information security.  As part of her role, she will be a facilitator for our customers to maximize the Finosec impact of helping our customers simplify information security and cybersecurity governance.  She will also be a conduit for our customers to give our team feedback on enhancements and improvements we can make to go the extra mile for our customers.  If you are a customer, be on the lookout for a meeting with Beth in the coming weeks, and if you have known Beth for as many years as I have, you know we are truly blessed to have her on the team.

Step Four in the FINOSEC user access review best practice series is to ensure users who have access to your systems have legitimate duties that justify not only access but their specific permissions for those systems.

Step Three in the FINOSEC user access review best practices series is to rate and prioritize the system risks you identified as the most important systems in Step Two of the UAR Best Practices and align those with the access permissions required.

Let’s acknowledge a few things at the start.

1. User access reviews (UAR) are important, and increasingly so.

2. Examiners expect you to complete them regularly.

3. They’re a crucial element of your overall cybersecurity program.

4. They’re complicated and they take time.

Do you believe the full title? Or do you believe the parenthetic comments are a better descriptor? Here’s a simple and universal truth of the human condition: we tend to avoid tasks we think will be hard. Or complicated. Or time consuming. Or all three!

Financial institutions have long viewed user access reviews as a double edged sword. On one hand, regulators require them. They’re a crucial component in managing to least privilege. But they’re a challenge to conduct on a regular schedule. And if you have to rely on legacy technology and outdated manual processes, the frustrations can compound logarithmically.

But you don’t need to be stuck in the past. Help is on the way.

User access reviews are important. They also tend to be a complex, time-consuming task. When you add the regulatory and cybersecurity insurance expectations about these reviews and how often they really should be completed, it gets worse. Finally, to complete the picture, you may have to rely on legacy systems or tedious manual processes. It all adds up to one big “ouch.”