The access review is the most underrated control in the Information Security Officer’s toolkit.
We hear so much about threat intelligence, vulnerability management, and fancy tools that monitor this and automate that, but I’d wager some of the best risk mitigation lies in keeping each account’s access at the least necessary privilege and executing on this in a timely manner.
Access to data is the holy grail of hackers. Whether they want it to commit fraud for financial gain, steal intellectual property or just cause damage to a system, access is that all important first step. It’s what the phishing emails are about, why password crackers were created, why we need multi-factor authentication on all of our accounts and why, way back before my time, the firewall was erected on network perimeters everywhere. One can see why this is the most listed control in a risk assessment.
In our governance program we recommend multiple access reviews for critical systems, such as the core, wire and ACH, network, remote access, firewall, etc. Yet when access reviews are mentioned, many people sulk like a child who was just asked to eat a green vegetable. I can understand it: any recurring task can be mundane, and, just like laundry or dishes, not keeping up on it can be overwhelming. Additionally, many access reviews were never really set up correctly in the first place, and because of this the lists have recognizable names but everything else in the report can seem like gibberish.
Here are 5 steps to streamline your system access reviews:
Don’t forget the most important step: follow through on the adjustments identified in the review. All of this was for naught unless you take action. Note those and follow up to make sure they were done in a timely manner.
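To make the two points above concrete (a review that is set up so the report is readable, and findings that are tracked to closure), here is an added example that is not part of the original post or of Bedel Security’s program. It reconciles a constructed entitlement export against a constructed HR roster, a role matrix and a plain-language role glossary, flags orphaned accounts, excess privilege, undocumented role codes and dormant entitlements, and keeps each finding as a remediation item with a status so follow-up can be verified. All account names, role codes, dates and the 90-day dormancy threshold are assumptions made up for the example.

```python
"""Access-review reconciliation with tracked remediation (constructed example)."""
from dataclasses import dataclass
from datetime import date
import csv
import io

REVIEW_DATE = date(2024, 3, 15)   # assumed date the review is performed
DORMANT_DAYS = 90                 # assumed threshold for "dormant" entitlements

# Constructed entitlement export as a system would dump it: user, role code, last login.
ENTITLEMENT_EXPORT = """user,role_code,last_login
jdoe,WIRE_APPROVE,2024-03-01
jdoe,WIRE_INIT,2024-03-01
jdoe,RPT_X9,2024-03-01
asmith,WIRE_INIT,2024-02-20
asmith,WIRE_APPROVE,2024-02-20
bjones,CORE_ADMIN,2023-09-14
svc_backup,CORE_READ,2023-11-01
"""

# Constructed HR roster of active staff (user -> job title); bjones is absent (terminated).
HR_ROSTER = {"jdoe": "Wire Supervisor", "asmith": "Wire Clerk"}

# Constructed service-account register so non-human accounts have a named owner.
SERVICE_ACCOUNTS = {"svc_backup": "Nightly backup job, owned by IT Ops"}

# Constructed role matrix: which role codes each job title (or service account) may hold.
APPROVED_ROLES = {
    "Wire Supervisor": {"WIRE_APPROVE", "WIRE_INIT"},
    "Wire Clerk": {"WIRE_INIT"},
    "_service": {"CORE_READ"},
}

# Plain-language glossary so the reviewer sees meaning, not just codes.
ROLE_GLOSSARY = {
    "WIRE_APPROVE": "Approve outgoing wire transfers",
    "WIRE_INIT": "Initiate outgoing wire transfers",
    "CORE_ADMIN": "Administer the core banking system",
    "CORE_READ": "Read-only access to core banking records",
}


@dataclass
class Finding:
    """One remediation item produced by the review; stays 'open' until closed with a ticket."""
    user: str
    role_code: str
    issue: str
    action: str
    status: str = "open"
    ticket: str = ""


def review(export_csv: str = ENTITLEMENT_EXPORT, review_date: date = REVIEW_DATE) -> list:
    """Compare each entitlement with the roster, role matrix and glossary; return findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user, role = row["user"], row["role_code"]
        desc = ROLE_GLOSSARY.get(role, "UNDOCUMENTED ROLE")
        last_login = date.fromisoformat(row["last_login"])

        if user in SERVICE_ACCOUNTS:
            allowed, title = APPROVED_ROLES["_service"], "service account"
        elif user in HR_ROSTER:
            title = HR_ROSTER[user]
            allowed = APPROVED_ROLES[title]
        else:
            # Orphaned account: nobody on the roster owns it, so the rest is moot.
            findings.append(Finding(user, role, f"not on HR roster ({desc})", "disable account"))
            continue

        if role not in ROLE_GLOSSARY:
            findings.append(Finding(user, role, "role code has no documented meaning",
                                    "document the role or remove it"))
        if role not in allowed:
            findings.append(Finding(user, role, f"exceeds approved roles for {title}: {desc}",
                                    "remove entitlement"))
        idle = (review_date - last_login).days
        if idle > DORMANT_DAYS:
            findings.append(Finding(user, role, f"dormant {idle} days", "confirm need or remove"))
    return findings


def close_finding(findings: list, user: str, role_code: str, ticket: str) -> None:
    """Record that the adjustment was made, referencing the change/ticket that did it."""
    for f in findings:
        if f.user == user and f.role_code == role_code:
            f.status, f.ticket = "closed", ticket


def open_items(findings: list) -> list:
    """Items still needing follow-up; an empty list means the review was actually executed."""
    return [f for f in findings if f.status == "open"]


if __name__ == "__main__":
    results = review()
    for f in results:
        print(f"{f.user:12} {f.role_code:13} {f.issue:55} -> {f.action}")
    close_finding(results, "bjones", "CORE_ADMIN", "CHG-0001")  # constructed ticket id
    print(f"{len(open_items(results))} item(s) still open")
```

The glossary and role matrix are the part most reviews skip; with them in place the report reads as "who can approve wires" rather than a list of codes, and the open-item count is the evidence that the follow-through step happened.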
If you need help with your reviews or scheduling your program tasks we would love to help! Contact us at support@bedelsecurity.com!