In reviewing recent audit and examination findings, the issue of access rights and permissions is coming up with increasing regularity. Making sure that end-users have no more access rights than absolutely necessary to do their job is one of the best information security controls. According to the FFIEC, formal access rights administration for users consists of four processes:
- An enrollment process to add new users to the system;
- An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information;
- An authentication process to identify the user during subsequent activities; and
- A monitoring process to oversee and manage the access rights granted to each user on the system.
One best practice for simplifying the management of access rights is to assign them via group membership based on the employee’s role. Most financial institution employees are easily categorized by job duties (lending, deposit ops, senior management, IT, etc.). Job duties logically translate to responsibilities, and network file and folder access flows from that. When an employee’s job duties change, changing group membership is much easier than changing individual file and folder permissions.
One of the main reasons for audit and exam findings in this area is not necessarily that users and groups aren’t maintained, but that there is a disconnect between access rights on the Core system and the local network (Active Directory). Unfortunately, until the Core providers implement Active Directory integration, this is a manual, two-step process.
The key to addressing the FFIEC guidance (and preventing rights gaps in the process) is to manage all four of the above steps at the same time in the IT Steering Committee (or functional equivalent). Each time the committee meets it should approve all access rights adds, changes and deletes, and review activity logs. Periodically review the existing users (by group if possible) to validate the appropriateness of their (and the groups’) access rights on a schedule commensurate with the risk. Properly restricted regular users may only require semi-annual reviews, but privileged access (administrative) accounts should be reviewed for activity and re-approved at each committee meeting.
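The Core-versus-Active Directory disconnect described above, and the periodic review the committee is asked to perform, both come down to comparing two lists of users and their entitlements. The script below is an added example and is not code from the original post or from any Core provider. It reads two constructed exports (a Core system user/role list and an AD user/group list), maps each Core role to the AD groups that role is entitled to, and produces findings a reviewer would want on the committee agenda: accounts present in one system but not the other, accounts disabled in Core but still enabled in AD, group memberships beyond or short of the role, and privileged memberships due for re-approval. The role-to-group table, the group names and the export layout are assumptions for illustration.

```python
"""Reconcile Core system roles against Active Directory group membership.

Added example, not part of the original post. The exports below are
constructed, and the role-to-group mapping, group names and column
layout are assumptions.
"""
import csv
import io

# Assumption: the AD groups each Core role is entitled to (role -> groups).
ROLE_TO_GROUPS = {
    "lending": {"GRP_Lending", "GRP_AllStaff"},
    "deposits": {"GRP_DepositOps", "GRP_AllStaff"},
    "it": {"GRP_IT", "GRP_AllStaff"},
    "it-admin": {"GRP_IT", "GRP_DomainAdmins", "GRP_AllStaff"},
}

# Assumption: memberships that count as privileged and need re-approval
# at every committee meeting rather than on the semi-annual cycle.
PRIVILEGED_GROUPS = {"GRP_DomainAdmins"}

# Constructed Core export: user, Core role, account status.
CORE_EXPORT = """user,role,status
jsmith,lending,active
mjones,deposits,active
ablack,it-admin,active
rwhite,lending,disabled
"""

# Constructed AD export: user, semicolon-separated groups, enabled flag.
AD_EXPORT = """user,groups,enabled
jsmith,GRP_Lending;GRP_AllStaff,true
mjones,GRP_DepositOps;GRP_Lending;GRP_AllStaff,true
ablack,GRP_IT;GRP_DomainAdmins;GRP_AllStaff,true
rwhite,GRP_Lending;GRP_AllStaff,true
tgreen,GRP_IT;GRP_AllStaff,true
"""


def parse_core(text):
    """Return {user: {"role": ..., "active": bool}} from the Core export."""
    return {
        row["user"]: {"role": row["role"], "active": row["status"] == "active"}
        for row in csv.DictReader(io.StringIO(text))
    }


def parse_ad(text):
    """Return {user: {"groups": set, "enabled": bool}} from the AD export."""
    return {
        row["user"]: {
            "groups": set(filter(None, row["groups"].split(";"))),
            "enabled": row["enabled"].strip().lower() == "true",
        }
        for row in csv.DictReader(io.StringIO(text))
    }


def reconcile(core_text, ad_text):
    """Compare the two exports and return a list of finding dicts.

    Each finding has "user", "kind" and "detail"; an empty list means the
    two systems agree and nobody holds more than their role allows.
    """
    core = parse_core(core_text)
    ad = parse_ad(ad_text)
    findings = []

    for user, rec in ad.items():
        groups = rec["groups"]
        if user not in core:
            # Network account with no Core counterpart: the classic rights gap.
            findings.append({"user": user, "kind": "orphan-ad",
                             "detail": "in AD but not in Core"})
            continue
        if not core[user]["active"] and rec["enabled"]:
            # Terminated or disabled in Core but still able to log on to the network.
            findings.append({"user": user, "kind": "status-mismatch",
                             "detail": "disabled in Core, enabled in AD"})
        expected = ROLE_TO_GROUPS.get(core[user]["role"], set())
        extra = sorted(groups - expected)
        missing = sorted(expected - groups)
        if extra:
            # More access than the role needs: a least-privilege finding.
            findings.append({"user": user, "kind": "excess-groups", "detail": extra})
        if missing:
            findings.append({"user": user, "kind": "missing-groups", "detail": missing})
        if groups & PRIVILEGED_GROUPS:
            findings.append({"user": user, "kind": "privileged",
                             "detail": sorted(groups & PRIVILEGED_GROUPS)})

    for user in core:
        if user not in ad:
            findings.append({"user": user, "kind": "orphan-core",
                             "detail": "in Core but not in AD"})
    return findings


if __name__ == "__main__":
    for f in reconcile(CORE_EXPORT, AD_EXPORT):
        print(f"{f['user']:<8} {f['kind']:<16} {f['detail']}")
```

Run against real exports, the "privileged" findings are the accounts to re-approve at each meeting, the "excess-groups" findings are the least-privilege items, and the two "orphan" kinds plus "status-mismatch" are the Core/AD disconnects the post describes; keeping the role-to-group table in version control gives the committee a reviewable record of what each role is supposed to have.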