Nearly two years ago, the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) published their guidelines on risk management for information and communication technologies (ICT) and security in the financial and insurance sectors. While these guidelines are not regulations in themselves, they are nonetheless essential and should be treated as best practice (see our previous article).
In the section of these guidelines dedicated to logical security, the user access review features prominently; in fact, it is the only control function mentioned. As experts in this field, it is only natural that we share with you the issues involved in running a user access review campaign in your sector, whether banking or insurance.
Let’s see how the user access review helps with successfully meeting and overcoming the challenges of securing logical access rights as defined by the EBA and EIOPA. The following are best practice use cases that will help explain the process.
What are the best user access review practices to follow in order to adhere to the EBA and EIOPA guidelines?
Much has been written about the user access review process. If you would like more details about the subject, we invite you to read this article specializing in it by clicking here.
For the time being, we will focus on the best practices directly linked to the EBA and EIOPA guidelines, which we consider essential to adopt.
The principle of balance first and foremost
First, the scope of IT assets (systems and accounts) to be reviewed is likely to be very broad. A risk-based approach is fundamental to prioritizing the review and arriving at a manageable perimeter. Not all accounts and access rights carry the same level of risk. This is why it is important to analyze and rate the risk of your systems, accounts and access rights and produce two distinct sets:
- Accounts and access rights that require immediate review.
This means listing privileged accounts, accounts with atypical characteristics (for example a breach of the principle of least privilege or of segregation of duties (SoD)) and, more generally, accounts granting sensitive access to financial systems and data. It is also important to identify any accounts or access rights that were recently changed without the change being documented.
- Standard accounts and access rights to be reviewed as a second priority.
Accounts and access rights with a lower level of sensitivity will be listed here, for example:
– access rights to read-only resources, and
– any access permissions to systems considered low-risk, or in other words, those that do not give access to any sensitive information, including personal or financial data.
Depending on this risk analysis, different review strategies can be chosen, varying the campaign frequency and the type of review. For example, incremental or differential reviews of the access rights can spread the workload over a full year, with one review per quarter.
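The two-tier split and the quarterly spread described above, written out as an added example (this is illustrative code, not code from the article or from Brainwave GRC). The system sensitivity table, the SoD conflict pairs, the privileged-name markers and the sample accounts are all constructed assumptions; real campaigns would load them from the access inventory.

```python
"""Risk-based triage of accounts for a user access review campaign.

Added example; not code from the original article or from Brainwave GRC.
SYSTEM_SENSITIVITY, SOD_CONFLICTS, PRIVILEGED_MARKERS and SAMPLE_ACCOUNTS
are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed: systems in scope, rated by the sensitivity of their data.
SYSTEM_SENSITIVITY = {
    "sap-fi": "high",         # financial ledger
    "core-banking": "high",
    "hr-payroll": "high",     # personal data
    "intranet-wiki": "low",
    "build-server": "low",
}

# Constructed: entitlement pairs that breach segregation of duties (SoD).
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
}

# Constructed: substrings that mark an entitlement as privileged.
PRIVILEGED_MARKERS = ("admin", "root", "dba")


@dataclass
class Account:
    account_id: str
    owner: str
    system: str
    entitlements: set = field(default_factory=set)
    privileged: bool = False
    change_documented: bool = True  # False = changed recently with no ticket


def sod_violations(entitlements):
    """Conflict pairs fully present in one account's entitlements."""
    return [pair for pair in SOD_CONFLICTS if pair <= entitlements]


def read_only(entitlements):
    """Assumption: read-only entitlements end in '.read'."""
    return all(e.endswith(".read") for e in entitlements)


def triage(acct):
    """Return (tier, reasons): tier 1 = immediate review, tier 2 = standard."""
    reasons = []
    if acct.privileged or any(m in e for e in acct.entitlements for m in PRIVILEGED_MARKERS):
        reasons.append("privileged")
    if sod_violations(acct.entitlements):
        reasons.append("sod-conflict")
    if not acct.change_documented:
        reasons.append("undocumented-change")
    # Unknown systems default to "high" so nothing silently drops to tier 2.
    sensitive = SYSTEM_SENSITIVITY.get(acct.system, "high") == "high"
    if sensitive and not read_only(acct.entitlements):
        reasons.append("sensitive-write")
    return (1 if reasons else 2), reasons


def plan_year(accounts):
    """Tier 1 is reviewed in full every quarter; tier 2 is split across the
    four quarters (a differential review) so the yearly workload is spread."""
    quarters = {q: [] for q in ("Q1", "Q2", "Q3", "Q4")}
    tier2 = []
    for acct in sorted(accounts, key=lambda a: a.account_id):
        tier, _ = triage(acct)
        if tier == 1:
            for q in quarters:
                quarters[q].append(acct.account_id)
        else:
            tier2.append(acct.account_id)
    for i, acct_id in enumerate(tier2):
        quarters[f"Q{i % 4 + 1}"].append(acct_id)
    return quarters


# Constructed sample inventory.
SAMPLE_ACCOUNTS = [
    Account("a1", "alice", "sap-fi", {"vendor.create", "payment.approve"}),
    Account("a2", "bob", "core-banking", {"customer.read"}),
    Account("a3", "carol", "intranet-wiki", {"page.edit"}),
    Account("a4", "dave", "build-server", {"ci.admin"}),
    Account("a5", "erin", "hr-payroll", {"salary.update"}, change_documented=False),
    Account("a6", "frank", "intranet-wiki", {"page.read"}),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.account_id, *triage(acct))
    print(plan_year(SAMPLE_ACCOUNTS))
```

Read-only access on a sensitive system lands in tier 2 here, as the article's examples suggest; an SoD conflict or an undocumented recent change always forces tier 1, whatever the system's rating.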
Choose your reviewers, and the data you give them, well, leaving nothing to chance
Appointing the people who will conduct your access review is crucial because, from the beginning to the end of the campaign, they are the guarantors of its success. They must be able to make informed decisions, decisions that may lead to the revocation of certain access rights. This responsibility is often entrusted to managers who know their teams well, can identify each person's role and can judge the relevance of the access rights to their job functions, while also understanding the level of risk associated with each granted permission.
Even if the planning of the review is meticulously orchestrated and specialized tools are in place, the review of access rights remains a time-consuming exercise which cannot be taken lightly and which must be carried out in accordance with strict deadlines. For this reason, managers who are responsible for performing the user access reviews must be fully available to do so.
Finally, the data provided to the reviewers must be up-to-date and understandable. However experienced they are, interpreting the data is always more tedious if it is not put into context for them first. They should never have to hunt through internal systems for the meaning of a group identifier or an account permission, for example. Everything must be accessible and clear from the start, to help and encourage rapid, relevant decision-making.
The perfect alignment of timing, frequency and milestones
To determine the duration of user access review campaigns, take into account the frequency with which they will be performed while, at the same time, respecting each step of the execution process:
- campaign planning
- review of access rights
- consolidation of results
- corrective action, such as the removal of certain access rights
At the end of these four steps, the access rights can be certified as compliant and/or the level of security of these rights deemed satisfactory with regards to the original objectives.
If the next campaign starts before the first one has been completed, the exercise loses all its meaning. There would be no time to trigger the corrective actions related to the reviewed access rights. This is why it is important to adhere to each step of the process. If reviewers see that their requests for revocation of rights have not been taken into account and that risks are still present, they would quickly realize that their efforts have had no impact whatsoever.
The principle of Consistency and Accuracy
To ensure consistency, completeness and traceability, the principle of Consistency and Accuracy (C&A) must be applied throughout the review. A user access review builds a data processing chain: access data from applications and information systems, such as Active Directory, financial and other business systems, is correlated, processed and recorded in lists that are sent to the reviewers and then consolidated again. This makes it possible to know what scope was reviewed, by whom, and what decisions were subsequently made. The C&A principle requires that every item in the defined scope is reviewed once and only once and that no information is lost along the way; in other words, the exercise must be consistent and complete. It also serves as evidence to auditors of the reliability and integrity of the data with respect to the scope of access rights reviewed.
Adhering to this principle is a real challenge when several hundred reviewers take part in a campaign and dozens of information systems need to be reviewed, but it is one that cannot be ignored.
The corrective action process, a fundamental step
Beyond the compliance of an organization's access rights and the need to adhere to the EBA and EIOPA guidelines, it is important to keep the final objective in mind. The point of these security measures and controls is to continually improve the state of the internal systems by identifying the risks linked to access rights and triggering corrective actions to reduce them. Compliance then follows from this continuous improvement cycle. Remediation, an integral part of the user access review, is the last step of the process.
A user access review use case
The user access review is often regarded by companies as a tedious and laborious task. To respond to the difficulties encountered by its customers, Brainwave GRC has been tackling this challenge by developing tools and methods for over ten years. This use case highlights how to optimize the review experience in order to make the exercise more pleasant and efficient.
Use case: What issues regarding user access reviews can the customer expect?
The use case presented here is based on feedback from one of our customers, a European financial institution.
At the time of our first discussion, this organization was already reviewing its access rights using home-grown software. But these tools were expensive to maintain, inflexible, complex to implement and only covered a subset of systems identified as sensitive. Our customer’s expectations were as follows:
- To improve overall security
- To provide a solution that covers all the systems within the company
- To use the adoption of this technology to increase buy-in to the three lines of defense model
- To establish a more collaborative process for reviewing access rights, given the very large number of stakeholders involved and the large amount of data to be processed
- To know at all times who has access to what
What strategy should be put in place to manage user access reviews?
To meet the customer’s expectations, we proceeded in phases.
#1 : The creation of an access rights inventory
We started by implementing a continuous inventory of all user access rights for every system within the organization using Brainwave Identity GRC software. This provided comprehensive visibility into access rights, helped identify users and the accounts to which they have access, and uncovered the permissions assigned to each account.
#2 : The implementation of separate review campaigns
Based on this inventory, we configured several review campaigns by adjusting the strategy of each of them (frequency, type of review) to the resources being reviewed, the degree of sensitivity of the data and the targeted applications.
#3 : The identification of campaign stakeholders and task allocation
Initially, department heads were designated internally to validate the data. Since the departments brought together a considerable number of team members and contacts, the workload assigned to the department heads was too heavy. To remedy this, we activated the software's delegation system, adding new contacts identified by the department heads in order to distribute the workload. Hundreds of employees were able to take part in the user access review campaign, working on different systems, different sets and different types of access data, all in the same tool.
#4 : The timing of corrective actions
Finally, it was agreed that corrective actions would be applied at the end of each individual review instead of at the end of the campaign. The objective was to trigger the corrective action process as quickly as possible so that each problem was resolved in a timely manner and the level of risk associated with the access rights was immediately reduced.
What are the results?
With this strategy in place, the customer now performs more than 1,000 reviews per year. More than 150,000 accounts and 50,000 access authorizations to systems, applications and unstructured data are reviewed, representing millions of access rights each year.
Two years of historical review data is kept in the inventory made with Brainwave’s software, allowing the customer to have complete traceability that indicates:
- who has access to what,
- who performed the review of each of the access rights, and
- what decisions were made as a result of the various reviews that were done.
For over five years, campaigns continued without the review process having to be reconfigured for any reason. The system put into place worked perfectly and completely fulfilled our customer’s expectations.
Finally, Brainwave’s proposed solution was implemented without disruption of the various identity and access management (IAM) tools already in use within the organization, including those handling account management, provisioning and deprovisioning operations, the identity lifecycle and access controls. In this way, the user access review was successfully carried out in parallel in its role as a control function.
In order to comply with the EBA and EIOPA guidelines, the user access review exercise is a must.
It is clear that if EBA and EIOPA focus their attention on the review of authorizations and permissions, it is precisely because this control mechanism has multiple advantages in terms of logical security.
Within an organization, regular access review campaigns promote:
- the security and protection of resources,
- conformity with the current security policies, and
- the compliance of access rights granted to employees.
Today, various user access review tools and processes support the automation of campaigns and optimize their execution with specialized methodologies and solutions. This helps to alleviate the perception that they are time-consuming, intimidating and complex.
If you are part of the finance or insurance sector, put the odds on your side by following the EBA and EIOPA guidelines and successfully overcoming the risks linked to user access.