Written by JiJi Bahhur, Director of Regulatory Compliance
With all the attention on cyber and data security, it is worth pointing out that external threats are not the only ones we need to be wary of. Internally, the credit union needs to be aware of privileged access and take appropriate steps to ensure that sound practices are in place for managing and monitoring privileged access to data and systems.
In its August 2015 issue of the NCUA Report, NCUA defines privileged users and systems as “those with credentials that provide them with significant or unrestricted access to a credit union’s applications, systems and technologies.” The article, What to Consider When Reviewing Privileged Access, goes on to state, “While this [privileged access] is necessary for the implementation, maintenance and operation of some of a credit union’s most vital systems, these people and systems also represent a significant risk. These users have the potential to cause enormous damage if they act maliciously or inappropriately.”
The short article goes on to provide key considerations that should be addressed during a credit union’s review of privileged access and users, which should occur, according to NCUA, at least annually. The four key considerations discussed in the article include:
- Do our users need the level of access they currently have?
- Have we segregated sensitive systems and data stores into secure enclaves?
- Do we have effective oversight of privileged access?
- How can we make active monitoring part of our culture?
I’ll let you read the article to get more details on those four particular points, but I would like to take a moment to point you to other sources of information on how to strengthen your privileged access procedures, which in turn will help minimize risk from the inside.
FFIEC IT Examination Handbook
The Federal Financial Institutions Examination Council’s (FFIEC) IT Examination Handbook is a great resource for determining the types of internal controls that will strengthen your privileged access procedures. Specifically, take a look at the Information Security Booklet. Within the Information Security Booklet’s subsections, you will find good practices for controlling privileged access; information on restricting and monitoring privileged access; the importance of activity monitoring; and examination procedures that may help your credit union determine the effectiveness of your current processes.
AIRES IT Exam Questionnaire
Credit unions may also find NCUA’s AIRES IT Exam Questionnaire useful when determining whether they have strong procedures in place for dealing with privileged access. The questionnaires consist of checklists of questions that examiners use when determining whether the credit union is in compliance and has a strong program in place to address these risks.
Actively managing privileged access by taking the steps addressed in the article and the two resources mentioned above can help reduce unauthorized access to critical systems.
Time Flies. My little buds are growing up so fast – they turned 3 just last week! “Time flies, but memories last forever” . . . thanks to cameras! And a big thanks to you all for sharing in on those memories with me!