Information Security

User Access Management – Know Yourself

Nick Shirk
Dec 5, 2022

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

- Sun Tzu, The Art of War

Do you know all accounts for every system at your organization? Chances are, you have unknown or unmanaged privileged user accounts. As cyber threats continue to rise, the need for effective user access management has become more critical than ever.

Ransomware Claim Denied Based on Ineffective User Access Management

As a recent court ruling illustrates, ineffective user access management can have significant financial and operational ramifications.

In Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145, Travelers denied a claim following a ransomware attack on the basis that the organization had misrepresented its use of multifactor authentication (MFA). The organization’s cyber policy application included an attestation that the company used MFA for administrative or privileged access. However, an investigation following the ransomware attack found that MFA protected only remote network access and not other digital assets, such as servers and other network infrastructure. Travelers stated that these misrepresentations and incorrect statements materially affected the risk the insurer had agreed to assume. Ultimately, the court rescinded the policy and declared it “null and void, from its inception.”

How Can We Avoid Finding Out the Hard Way?

The FFIEC Information Technology Examination Handbook on Information Security provides guidance on ways to mitigate the risk posed by users. Beyond establishing and administering security screenings during your hiring process, you should establish and administer a user access program for physical and logical access.

In response to the current cybersecurity threat environment, the FFIEC issued guidance on Authentication and Access to Financial Institution Services and Systems.

According to the guidance, an institution should implement risk management practices that support oversight of identification, authentication, and access solutions as part of an institution’s information security program.

These risk assessments help management make informed decisions about managing user access risks, and identify when MFA, or controls of equivalent strength, combined with other layered security controls, should be applied to effectively mitigate the risk associated with authentication.

How Can You Manage Something You Don’t Know Exists?

In addition to establishing an inventory of information systems, effective risk management includes identifying all internal users, service accounts, and users at third parties that access financial institution information systems and data. Service accounts are dedicated accounts with escalated privileges used for running applications and other processes. These present a unique risk in that they are not tied to a specific person, and so may fly under the radar.

Users should be given access based on the principle of least privilege, meaning that they are given only the access needed to do their jobs and nothing more.

Particular care should be given to users with access to critical systems and data; privileged users, including security administrators; remote access to information systems; and key positions such as senior management.

It’s Not Enough to Get It Right Once

Assigning least privileged access is only the first step. How can you ensure that you maintain effective access management? In addition to establishing policies for approving and documenting access to institution information systems, ongoing monitoring and reporting are key. Specific trigger events increase potential risk and should be managed accordingly. These include the following:

  •  Changes in User Status: System administrators are informed in a timely manner of changes (e.g., alteration, removal, or suspension) to user status.
  •  Automatic Suspension or De-provisioning of User Credentials: Policies and system controls are in place to de-provision or suspend access credentials after a certain period of account inactivity.
  •  Role Changes: Users should be granted access to systems, applications, and databases based on their job responsibilities. Over time, roles may change, requiring more or less access, which should be adjusted accordingly.

Organizations should also perform periodic reviews of user access activity.
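The trigger events above, the inventory of users and service accounts, and the MFA gap from the insurance case can be combined into one repeatable review that an institution runs on every access recertification cycle. The Python script below is an added example, not code from this article or from Jack Henry: it reconciles a constructed account inventory (one record per account per system) against a constructed HR roster and reports terminated or unknown owners, ownerless service accounts, roles beyond the current job, privileged accounts without MFA, and inactive or never-used accounts. The 90-day inactivity threshold, all field names and all sample records are assumptions made for illustration.

```python
"""Access-review checks over a constructed account inventory (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

INACTIVITY_DAYS = 90  # assumed suspension threshold; the article sets none


@dataclass(frozen=True)
class Person:
    hr_id: str
    status: str                          # "active" or "terminated"
    job_roles: frozenset = frozenset()   # roles the job description entitles


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner: str | None                    # HR id of the user or service-account steward
    service: bool = False                # dedicated account for an application/process
    roles: frozenset = frozenset()       # roles actually granted on the system
    privileged: bool = False
    mfa_enforced: bool = False
    last_login: date | None = None       # None means the account has never logged in


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    code: str
    detail: str


def review_access(accounts, people, today):
    """Return the findings a periodic access review should act on."""
    roster = {p.hr_id: p for p in people}
    findings = []

    def flag(acct, code, detail):
        findings.append(Finding(acct.system, acct.username, code, detail))

    for acct in accounts:
        person = roster.get(acct.owner) if acct.owner else None

        # Status and ownership: every account needs a current, known owner.
        if acct.owner is None:
            flag(acct, "NO_OWNER", "no responsible person recorded")
        elif person is None:
            flag(acct, "UNKNOWN_OWNER", f"owner {acct.owner} not in HR roster")
            continue                     # nothing else can be verified
        elif person.status == "terminated":
            flag(acct, "TERMINATED_OWNER", "owner has left; de-provision")
            continue                     # removal supersedes the other checks

        # Role drift: granted roles beyond what the current job entitles.
        if person is not None and not acct.service:
            excess = acct.roles - person.job_roles
            if excess:
                flag(acct, "EXCESS_ROLES", f"roles beyond job: {sorted(excess)}")

        # Privileged interactive access must be behind MFA on every system,
        # not only at the remote-access edge.
        if acct.privileged and not acct.service and not acct.mfa_enforced:
            flag(acct, "PRIVILEGED_NO_MFA", "privileged account without MFA")

        # Inactivity: candidates for automatic suspension.
        if acct.last_login is None:
            flag(acct, "NEVER_USED", "account has never logged in")
        elif (today - acct.last_login).days > INACTIVITY_DAYS:
            flag(acct, "INACTIVE", f"idle {(today - acct.last_login).days} days")

    return findings


# Constructed sample data: HR roster and per-system account inventory.
TODAY = date(2022, 12, 5)
PEOPLE = [
    Person("E100", "active", frozenset({"teller"})),
    Person("E200", "terminated"),
    Person("E300", "active", frozenset({"sysadmin", "remote-user"})),
]
ACCOUNTS = [
    Account("core-banking", "jdoe", "E100", roles=frozenset({"teller"}),
            last_login=date(2022, 12, 1)),
    Account("core-banking", "jdoe-dba", "E100", roles=frozenset({"teller", "db-admin"}),
            privileged=True, mfa_enforced=True),          # never logged in
    Account("core-banking", "asmith", "E200", roles=frozenset({"teller"}),
            last_login=date(2022, 8, 1)),                  # owner terminated
    Account("win-server-01", "admin-bob", "E300", roles=frozenset({"sysadmin"}),
            privileged=True, last_login=date(2022, 12, 3)),  # server admin, no MFA
    Account("vpn", "bob", "E300", roles=frozenset({"remote-user"}),
            mfa_enforced=True, last_login=date(2022, 12, 3)),
    Account("win-server-01", "svc_backup", None, service=True,
            roles=frozenset({"backup-operator"}), privileged=True,
            last_login=date(2022, 6, 1)),                  # ownerless, idle
    Account("hr-app", "ghost", "E999", roles=frozenset({"hr-clerk"}),
            last_login=date(2022, 12, 2)),                 # no HR record
]

if __name__ == "__main__":
    for f in review_access(ACCOUNTS, PEOPLE, TODAY):
        print(f"{f.system:14} {f.username:12} {f.code:18} {f.detail}")
```

Run against the sample data, the review flags the terminated user, the account with no HR record, the server administrator whose privileged access sits outside MFA (the situation in the insurance case), the ownerless and idle service account, and the never-used account holding a database role its owner's job does not entitle; the everyday teller and VPN accounts produce nothing. In practice the inventory would be exported from each system and the roster from HR, and the findings routed to security administrators as the trigger events the article describes.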

User Access Program

An effective user access program takes ongoing effort to develop and sustain.

In addition to applying the principle of least privilege, periodic reviews of employee job descriptions should be performed to ensure alignment with the user access program. Business line and application owners should also perform ongoing reviews to verify that access is appropriate for each job role, with changes reported on a timely basis to security administration personnel. Furthermore, any job changes, including terminations, should be reported promptly to security administrators so that access can be updated.

Lastly, periodic independent reviews should be performed to ensure effective administration of user access.

Next Steps

Given the risk and all that’s needed to stay on top of user access, many savvy organizations have implemented automated user access management platforms. Please feel free to contact us if you would like to find out more information about user access management or other ways Jack Henry can help protect your financial institution.

For more information about reducing risk and fraud, visit jackhenry.com.
