Centralizing identity access management (IAM) is somewhat of an enigma for many credit unions.  No one can deny its importance in today’s environment, but it feels like such a mammoth undertaking.  If you’ve thought about centralizing IAM in your credit union, but don’t know how to start, then this blog is for you.

 

Last month, we had the opportunity to speak with Angie Garman, internal audit manager for First Florida Credit Union (FFCU). Garman is in the process of organizing an effort to centralize identity access management (IAM) at FFCU.

We were joined by Ray Murphy, who has over 20 years of experience in information security (many of them spent as CISO for Navy Federal), and he offered some advice about how to get started. Now, we want to pass his expertise on to you!

Centralizing IAM might seem like a project for your IT department. But if you are like many credit unions, your IT team has already been handed a lot of responsibilities, and they simply have their hands full. So, you might be wondering how to get started amongst all the other challenges you’re facing.

We summarized the key points of our conversation with Garman and Murphy to help you with steps you can execute now to begin the process of centralizing IAM, without creating a massive project for your IT department. You can also watch the video of our discussion here.


Step 1: Inventory

Start by compiling an inventory of your applications and users. Included in that inventory should be a list of:

  • Who is using the app
  • What are the roles of the app users
  • Who does the app serve
  • Who is the administrator(s) of the app
  • Who is responsible for running the app/maintenance

These inventories should be kept up-to-date and monitored by HR as employees are onboarded and offboarded.


Step 2: Clearly Defined Roles

Besides being a good practice for everyday operations, having clearly defined roles will assist with IAM.

First, review or appoint app administrators. Make sure they are adequately trained in each app’s functions and capabilities.

Regarding user privileges, app administrators should not be ordinary users. If that’s unavoidable for you, make sure administrator employees have two separate user IDs—one for their actions as an administrator, and one for their actions as an ordinary user.

Part of each employee’s job description should include the apps they require access to—and in what capacity. It’s one thing to remember to deactivate app access when an employee leaves your credit union. But what about if an employee is transferring positions within the credit union?

A loan officer will probably have a different list of necessary app access than a teller does. Having clear guidelines about who should be logging onto what will make it easier to define the next step: onboarding and offboarding protocols.


Step 3: Onboarding and Offboarding Protocols

Here is a great place for app administrators to step in. What should the procedures be for granting app access to a new employee? Who should oversee terminating access when an employee leaves? How promptly should that be done?

Once those determinations have been made, you can start getting existing employees and accounts up to standard.

Whether it’s monthly, quarterly or annually, we recommend that your internal audit team sample for proper compliance with your new IAM protocols.
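The three steps above can be checked mechanically once the inventory exists. The following is an added example, not part of the original post or of any FFCU process: it reconciles an app-account inventory against an HR roster and a role-to-app matrix, and it checks every account rather than a sample. All names, apps, IDs and finding labels are constructed for illustration.

```python
# Constructed sample data; every name, app and ID below is made up.
HR_ROSTER = {  # employee -> (job role, employment status)
    "alice": ("teller", "active"),
    "bob": ("loan_officer", "active"),   # transferred from teller
    "carol": ("teller", "terminated"),
    "dave": ("it_admin", "active"),
}
ROLE_ACCESS = {  # job role -> {app: capacities the job description allows}
    "teller": {"core_banking": {"user"}},
    "loan_officer": {"loan_origination": {"user"}},
    "it_admin": {"core_banking": {"admin", "user"}, "loan_origination": {"admin"}},
}
APP_ACCOUNTS = [  # (app, user ID, employee, capacity), one row per grant
    ("core_banking", "alice", "alice", "user"),
    ("core_banking", "bob", "bob", "user"),        # left over from teller job
    ("loan_origination", "bob", "bob", "user"),
    ("core_banking", "carol", "carol", "user"),    # never deactivated
    ("core_banking", "dave", "dave", "admin"),
    ("core_banking", "dave", "dave", "user"),      # same ID for both capacities
    ("loan_origination", "dave-adm", "dave", "admin"),
]

def audit(roster, role_access, accounts):
    """Return sorted (finding, app, user_id) tuples for accounts that break the protocol."""
    findings = set()
    capacities = {}  # (app, user_id) -> capacities granted to that one ID
    for app, user_id, employee, capacity in accounts:
        role, status = roster.get(employee, (None, "unknown"))
        if status != "active":
            # Step 3: access must end when the employee leaves.
            findings.add(("ORPHANED", app, user_id))
            continue
        if capacity not in role_access.get(role, {}).get(app, set()):
            # Step 2: access must match the current job description.
            findings.add(("NOT_IN_ROLE", app, user_id))
        capacities.setdefault((app, user_id), set()).add(capacity)
    for (app, user_id), caps in capacities.items():
        if "admin" in caps and len(caps) > 1:
            # Step 2: administrators need a separate ID for ordinary use.
            findings.add(("SHARED_ADMIN_ID", app, user_id))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(HR_ROSTER, ROLE_ACCESS, APP_ACCOUNTS):
        print(*finding)
```

An employee who is missing from the roster entirely is treated the same as a terminated one, so accounts with no known owner surface as orphaned.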


Phase Two

Down the line, your credit union’s new routines and roles will become second nature. Then, if you decide to tackle it, you can start phase two of centralizing IAM: implementing new systems infrastructure to make IAM more automated.

There are quite a few tech options to consider that would make IAM easier. Start by building an identity infrastructure. Doing so will allow for tools like access monitoring systems to help detect inappropriate app usage or security risks.

Another option is investing in single sign-on (SSO). With single sign-on, the pain of having multiple IDs for different applications goes away.

With some planning and patience, you can start centralizing your IAM now.

