
I Hear You Knockin'

Owner
KGS Consulting, LLC


Four important concepts for knowing who's who and what they can do in your systems

Note: October is National Cyber Security Awareness month.

Knock! Knock!

Who’s there?

This is a question asked and answered hundreds of times each day at your credit union. Joking aside, it’s an important question that gets at an integral aspect of your credit union’s access management and cybersecurity controls. In this article, we’ll review and discuss four important components of identity and access management—that is, knowing who is accessing what on your systems.

Identification

As a starting point, a credit union’s policies and practices need to account for and identify entities accessing systems and information. I use the term “entities,” as the credit union cannot limit its examination to people. In many cases, computer systems and data may be accessed by other computer systems or automated processes.

For example, you may have a centralized log collection server accessing and pulling various logs from other servers. Or a collections/delinquent account management server may gather and download information from your core systems through an automated nightly process. Whether the “entity” is human or machine, internal or external, manual or automated, the credit union needs to understand and catalog who/what is accessing systems and information.

With knowledge of your “entities” in hand, you next should examine how or what process will be used to identify and distinguish one entity from another. When Janie Jones and Ana Ng attempt to access your systems, how will you distinguish between them—or voice response from home banking?

Using your understanding of who (or what) entities may be accessing systems, develop an identification process allowing for unique identifiers. In other words, entities accessing systems should have their own unique user IDs, allowing the credit union to track their activities over time.

In most cases, this is done through the processes the credit union uses to assign user IDs for network access and email, teller numbers or IDs for your core system, and similar processes for other software and systems. The key is to have a framework or system that determines what the IDs will be, rather than generating them willy-nilly, and to have a database, spreadsheet or paper folder where all of this information is kept.

The credit union also should avoid having group or department identities (such as AccountingDept, MortgageDept, MemberService, etc.) where multiple individuals can use the ID to perform tasks. Doing so makes it difficult to determine which employee may have done something.

Authentication

Authentication is the process of verifying or validating an identity (you are who you say you are). Authentication methods are usually broken down into three categories:

  • Something you know: Your identity is verified when you provide or use something you know (a password or phrase, PIN, a “secret question” answer, etc.).
  • Something you have: Your identity is validated through the use of something you possess (an access card or device, an electronic token or fob, a USB token, etc.).
  • Something you are: Your identity is checked through comparison of a personal/physical characteristic (fingerprint, voice pattern, iris pattern, facial features).

The authentication method(s) used should be appropriate to the sensitivity and criticality of the system or information accessed, and to the nature of other access controls that may be in place. So, for an employee accessing member information within a credit union branch (where other access controls are in place), only a password may be needed. But, for an employee accessing member information outside of the credit union via a public network (e.g., public/hotel/café WiFi), both a password and an electronic access token are needed.
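The rule above (one factor inside a branch, two factors over a public network) can be expressed as a small policy check. The following is an added example, not code from the article or from KGS Consulting; the sensitivity labels, credential names and the "admin always needs two factors" rule are assumptions chosen for illustration. The point it makes that the prose does not spell out: two credentials from the same category (a password plus a secret-question answer) still count as a single factor.

```python
# Added example (not from the article): a context-aware authentication
# policy that decides how many distinct factor categories an access
# attempt must present, then checks whether the presented credentials
# satisfy that requirement.
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories described in the article."""
    KNOW = "something you know"   # password, PIN, secret-question answer
    HAVE = "something you have"   # token, fob, access card, USB token
    ARE = "something you are"     # fingerprint, voice, iris, face


# Credential types mapped to the category they belong to (assumed names).
# Two credentials from the same category are still only one factor.
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "secret_question": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "access_card": Factor.HAVE,
    "fingerprint": Factor.ARE,
}


@dataclass(frozen=True)
class AccessContext:
    sensitivity: str      # assumed labels: "low", "member_data", "admin"
    inside_branch: bool   # True when other physical/network controls apply


def required_factor_count(ctx: AccessContext) -> int:
    """Distinct factor categories the context demands.

    Mirrors the article's rule: member data from inside a branch needs a
    password only; the same data over a public network needs a password
    plus a token. Administrative access is assumed to always need two.
    """
    if ctx.sensitivity == "admin":
        return 2
    if ctx.sensitivity == "member_data" and not ctx.inside_branch:
        return 2
    return 1


def presented_factors(credentials) -> set:
    """Collapse the presented credential types to distinct categories."""
    return {CREDENTIAL_CATEGORY[c] for c in credentials if c in CREDENTIAL_CATEGORY}


def authentication_satisfied(ctx: AccessContext, credentials) -> bool:
    """True when enough *distinct* categories were presented for this context."""
    return len(presented_factors(credentials)) >= required_factor_count(ctx)


if __name__ == "__main__":
    remote = AccessContext("member_data", inside_branch=False)
    print(authentication_satisfied(remote, ["password", "secret_question"]))  # False
    print(authentication_satisfied(remote, ["password", "hardware_token"]))   # True
```

Because the check counts categories rather than credentials, adding more "something you know" prompts to a remote login never upgrades it to two-factor; only a credential from a second category does.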

Authorization

Authorization determines what systems an authenticated identity can access and what abilities or rights it has to the information. Access rights include such abilities as read-only, create/add, update/change, or delete. As an example, an accounting department clerk may have “read-only” access to member name and address data and “update” access to general ledger accounts. Their supervisor may have the same access, plus the ability to “create” general ledger accounts. Users should have only the authorization (access rights) needed to perform their duties and responsibilities (i.e., need-to-do authorization).

Authorization controls can also include controls over when and/or where a system or information can be accessed. For example, an employee’s access may be limited to 9-5, Monday through Friday; no evening or weekend access. Or, IT administrative-level (root) access to the credit union’s core system may be restricted to a terminal located within the credit union’s data center.
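The clerk/supervisor rights, the 9-to-5 weekday window and the data-center-terminal restriction from the two paragraphs above can all be enforced by one deny-by-default authorization check. This is an added example, not the article's or any core-system vendor's code; the role names, resource names, terminal identifiers and the use of an ISO 8601 timestamp string for the request time are assumptions.

```python
# Added example (not from the article): deny-by-default authorization that
# combines a rights matrix (what), a time window (when) and a terminal
# restriction (where). Every name below is an assumed illustration.
from dataclasses import dataclass
from datetime import datetime

# Rights per (role, resource), built from the article's accounting example.
# Any (role, resource) pair missing here is denied: need-to-do by default.
ROLE_RIGHTS = {
    ("accounting_clerk", "member_name_address"): {"read"},
    ("accounting_clerk", "general_ledger"): {"read", "update"},
    ("accounting_supervisor", "member_name_address"): {"read"},
    ("accounting_supervisor", "general_ledger"): {"read", "update", "create"},
    ("it_admin", "core_system_root"): {"read", "create", "update", "delete"},
}

# Permitted hours per role as (start_hour, end_hour), Monday to Friday.
# Roles absent from this table carry no time restriction (assumed).
ROLE_HOURS = {
    "accounting_clerk": (9, 17),
    "accounting_supervisor": (9, 17),
}

# Resources reachable only from named terminals (assumed identifiers).
RESOURCE_TERMINALS = {
    "core_system_root": {"dc-console-01"},
}


@dataclass(frozen=True)
class Request:
    user_role: str
    resource: str
    action: str      # "read", "create", "update" or "delete"
    when: str        # ISO 8601 local time, e.g. "2023-10-10T10:00:00"
    terminal: str


def within_hours(role: str, when_iso: str) -> bool:
    """True if the role has no window, or the time falls inside it on a weekday."""
    window = ROLE_HOURS.get(role)
    if window is None:
        return True
    when = datetime.fromisoformat(when_iso)
    start, end = window
    return when.weekday() < 5 and start <= when.hour < end


def from_allowed_terminal(resource: str, terminal: str) -> bool:
    """True if the resource is unrestricted or the terminal is on its list."""
    allowed = RESOURCE_TERMINALS.get(resource)
    return allowed is None or terminal in allowed


def authorize(req: Request):
    """Return (allowed, reason). All three checks must pass; the first
    failing check supplies the reason so the denial can be logged."""
    rights = ROLE_RIGHTS.get((req.user_role, req.resource), set())
    if req.action not in rights:
        return False, f"{req.user_role} lacks '{req.action}' on {req.resource}"
    if not within_hours(req.user_role, req.when):
        return False, "outside permitted hours (09:00-17:00 Mon-Fri)"
    if not from_allowed_terminal(req.resource, req.terminal):
        return False, f"{req.resource} is not reachable from terminal {req.terminal}"
    return True, "ok"


if __name__ == "__main__":
    print(authorize(Request("accounting_clerk", "general_ledger", "create",
                            "2023-10-10T10:00:00", "branch-teller-03")))
    print(authorize(Request("it_admin", "core_system_root", "delete",
                            "2023-10-14T02:00:00", "dc-console-01")))
```

Returning the reason alongside the decision matters for the assurance step later in the article: a denied request that is logged with "outside permitted hours" is something a reviewer can act on, whereas a bare "denied" is not.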

Assurance

Assurance provides for the ability to confirm or audit access and identity items. In examining the systems or the controls used for identification, authentication, and authorization, the credit union needs the ability to review or audit these items to confirm they are working as desired. More importantly, the credit union needs to ensure it is not just collecting information, but actively examining and taking action on issues and problems. If the credit union is collecting and maintaining logs of invalid access attempts, but not reviewing them and taking appropriate actions, it might as well not collect them at all.

As part of your credit union’s pledge during National Cyber Security month (October) to maintain cybersecurity controls over member and credit union data, examine and consider how well you can answer the following Identity and Access Management program questions:

  • Do the credit union’s policies, standards, and procedures for IAM address identification, authentication, authorization and assurance for entities accessing credit union systems?
  • Has the credit union examined and cataloged what entities (human or machine, manual or automated) are accessing various systems?
  • Do credit union IAM policies and standards address providing unique, specific IDs for these entities?
  • Are the methods used to authenticate to systems based on the sensitivity and criticality of the information on the systems being accessed along with other implemented controls?
  • Do users have only the authorizations necessary to perform their duties and responsibilities?
  • Is the credit union actively reviewing various access and control logs for irregularities and taking appropriate action to address issues and concerns?

Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting, LLC, Silverdale, Wash., and provides insight and advice on information technology governance, information security, and technology risk management to credit unions.
