It is not unusual for a community financial institution with limited personnel to have the Information Security Officer (ISO) act as a backup network administrator. In fact, this is a relatively common practice in an environment where key personnel will typically wear several hats. And there are practical reasons for this; the ISO is typically tech-savvy, and can act as an expedient resource when needed. Often when admin (or privileged) access is required, it is for a business critical purpose.
However, we have received several post-exam reports recently that examiners are taking a closer look at this practice. The finding is called “concentration of duties” (or sometimes “separation of duties”), and it addresses the very legitimate concern that the ISO must act in an oversight capacity to the network administrator, and that oversight dynamic is lost if the ISO has administrative capabilities. In fact in their Information Technology Officer’s Questionnaire, the FDIC requires you to “…briefly describe any known conflicts or concentrations of duties” . This oversight dynamic is exactly what they are referring to.*
If your institution engages in this multiple-hat practice, there are several things you can do to address this with the regulators. The first is to transfer the administrative oversight responsibilities from the ISO to a committee, typically the audit or tech steering committee. This requires more frequent meetings (preferably monthly, but no less than quarterly), and a strict adherence to an agenda that always includes discussion (and documentation) of rights and permission changes whether or not there were any. You may also want to consider event log monitoring software that can collect and aggregate all administrative user activity, and preferably store it on a logically separate system.
It’s also a good idea to have the committee review and re-approve all privileged accounts at each meeting. Another best practice is to make sure the ISO has a user account for administrative activities separate from their everyday user account. This assures that all activity is properly captured and reported. Finally, never share log in credentials…particularly admin accounts.
Also, review the section on privileged user access from the FFIEC IT Examination Handbook, Information Security Booklet, Page 23:
Authorization for privileged access should be tightly controlled. Privileged access refers to the ability to override system or application controls. Good practices for controlling privileged access include
- Identifying each privilege associated with each system component,
- Implementing a process to allocate privileges and allocating those privileges either on a need-to-use or an event-by-event basis,
- Documenting the granting and administrative limits on privileges,
- Finding alternate ways of achieving the business objectives,
- Assigning privileges to a unique user ID apart from the one used for normal business use,
- Logging and auditing the use of privileged access,
- Reviewing privileged access rights at appropriate intervals and regularly reviewing privilege access allocations, and
- Prohibiting shared privileged access by multiple users.
Incorporate these best practices into your access rights administration process. In the end, what’s expected is that you understand the risk of “concentration of duties”, and balance that against your business needs, given your size and complexity and the nature and scope of your operations. If you understand the residual risk, and believe your business needs are best met by sharing admin duties with your ISO, make sure your examiner knows how you got to that decision, and how you plan to manage it going forward.
*Note – Although you may be tempted to answer “No” to this question in order to avoid drawing attention to it, you are much better off responding “Yes”, and then describing your risk assessment process and resulting controls. It may not prevent the finding, but you will have a proactive response to it, which almost always implies more effective risk management.