#2224775 - 10/30/19 02:48 PM User Access Review vs User Access Audit
leo_bsayer Offline
Platinum Poster
Joined: Aug 2006
Posts: 645
Can someone share their bank's processes for performing user access (or employee access) reviews? In your bank, who performs the reviews? Are the reviews then audited on a sample basis to ensure proper controls are being met? I'm looking for interagency guidance or best practices, too. Thank you.

#2224793 - 10/30/19 04:38 PM Re: User Access Review vs User Access Audit leo_bsayer
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,406
With respect to the core process system, management performs a user access review on an annual basis. IA will then review it for accuracy by testing a sample.

#2224798 - 10/30/19 05:01 PM Re: User Access Review vs User Access Audit leo_bsayer
P*Q Offline
Power Poster
Joined: May 2001
Posts: 8,458
Somewhere
Did you look at the FFIEC handbooks on IT?

#2224839 - 10/30/19 11:05 PM Re: User Access Review vs User Access Audit osucpa
TomS Offline
Gold Star
Joined: Jan 2004
Posts: 317
USA
My previous employer follows the same process described by osucpa.
_________________________
CRCM, CAFP, DAD

#2224854 - 10/31/19 03:34 PM Re: User Access Review vs User Access Audit P*Q
leo_bsayer Offline
Platinum Poster
Joined: Aug 2006
Posts: 645
I have looked through the FFIEC IT Handbooks, but I don't see anything that specifically discusses user access. Am I just missing it?

#2227909 - 12/21/19 07:15 PM Re: User Access Review vs User Access Audit leo_bsayer
Texibus Offline
New Poster
Joined: Aug 2019
Posts: 10
Howdy, the department head is responsible for reviewing the access of their employees, as that's part of the control. IA typically looks at whether it's functioning correctly, such as by reviewing quarterly reports and comparing access to human resource records to ensure accuracy and performance.

Would also sample a privilege group to ensure that it is in line with least access necessary and segregation of duties issues.

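Added example, not part of any poster's reply: one way to script the comparison described in the post above, reconciling a system access export against HR records and checking a privilege group for segregation-of-duties conflicts. The CSV layouts, entitlement names, conflict pair and sample rows are all constructed assumptions.

```python
import csv
import io

# Constructed sample data: an HR roster and a core-system access export.
HR_CSV = """employee_id,name,department,status
1001,A. Rivera,Lending,active
1002,B. Chen,Deposit Ops,active
1003,C. Okafor,Wires,terminated
1004,D. Patel,Wires,active
"""

ACCESS_CSV = """user_id,employee_id,entitlement
arivera,1001,loan_entry
bchen,1002,teller
cokafor,1003,wire_initiate
dpatel,1004,wire_initiate
dpatel,1004,wire_approve
svc_legacy,,teller
"""

# Hypothetical entitlement pairs that one person should not hold together.
SOD_CONFLICTS = [frozenset({"wire_initiate", "wire_approve"})]


def load(text):
    """Parse CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_rows, access_rows, conflicts=SOD_CONFLICTS):
    """Return sorted (user_id, finding) tuples for a reviewer to follow up."""
    hr = {r["employee_id"]: r for r in hr_rows}
    entitlements = {}
    findings = set()
    for row in access_rows:
        user = row["user_id"]
        entitlements.setdefault(user, set()).add(row["entitlement"])
        person = hr.get(row["employee_id"])
        if person is None:
            # Account cannot be tied to anyone on the HR roster.
            findings.add((user, "no matching HR record"))
        elif person["status"] != "active":
            findings.add((user, "HR status is " + person["status"]))
    for user, held in entitlements.items():
        for pair in conflicts:
            if pair <= held:  # user holds both halves of a conflicting pair
                findings.add((user, "SoD conflict: " + " + ".join(sorted(pair))))
    return sorted(findings)
```

Calling `review_access(load(HR_CSV), load(ACCESS_CSV))` on the sample data flags the terminated employee's account, the unowned service account, and the user holding both wire entitlements.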
#2230310 - 02/05/20 06:52 PM Re: User Access Review vs User Access Audit leo_bsayer
Texibus Offline
New Poster
Joined: Aug 2019
Posts: 10
leo_bsayer, I'm a little late to the ball game, but if you're looking for the IT Handbook location for User Access, see below:

II.C.15 Logical Security

https://ithandbook.ffiec.gov/it-boo...k-mitigation/iic15-logical-security.aspx


Moderator:  Andy_Z