One of the most difficult moments in my career happened several years back at an ICBA Live event in New Orleans. I can immediately go back to that moment…
Step Four in the FINOSEC user access review best practice series is to ensure users who have access to your systems have legitimate duties that justify not only access but their specific permissions for those systems.
Step Three in the FINOSEC user access review best practices series is to rate and prioritize the system risks you identified as the most important systems in Step Two of the UAR Best Practices and align those with the access permissions required.
We learned about the importance of a System Map in Step One: Building the Foundation, last week.
This week, we are discussing Step 2 – Start with the Most Important. In this critical step in the user access review process, you will identify the most important systems by identifying the high-risk activities each system performs.
Let’s acknowledge a few things at the start.
-
User access reviews (UAR) are important, and increasingly so.
-
Examiners expect you to complete them regularly.
-
They’re a crucial element of your overall cybersecurity program.
-
They’re complicated and they take time.
Do you believe the full title? Or do you believe the parenthetic comments are a better descriptor? Here’s a simple and universal truth of the human condition: we tend to avoid tasks we think will be hard. Or complicated. Or time consuming. Or all three!
Financial institutions have long viewed user access reviews as a double edged sword. On one hand, regulators require them. They’re a crucial component in managing to least privilege. But they’re a challenge to conduct on a regular schedule. And if you have to rely on legacy technology and outdated manual processes, the frustrations can compound logarithmically.
But you don’t need to be stuck in the past. Help is on the way.
Cybersecurity insurance is an increasingly important component of your financial institution’s overall information security program. When a data breach or other hostile technology event occurs, cybersecurity insurance proceeds can provide funds to repair your hardware, recover intellectual property, and even pay for the work you do to reverse adverse reputational impacts.
