By Marsha Sapino
One of the most painstaking tasks a credit union security officer can perform is the review of all employee access points on their core platform. Unless an employee security policy has already been established at the credit union, chances are nobody’s dedicated the time to sit down and review every feature, function, or tool each employee has been granted access to, nor adjusted them according to job description, risk, and segregation of duties.
When that strategy has slowly gotten away from the credit union, it can leave a haphazard, shoot-from-the-hip approach to employee access. IT examiners have taken notice over the last few years, and employee security reviews are becoming increasingly important, as there is increasing pressure to strengthen system security because of internal fraud.
Employees who have more access to core applications than what is defined in their job description can open doors to employee dishonesty.
This can be a dreaded task: depending on the staff size and the complexity of the core, it can be a lengthy project. On top of that, those managing the task find that they become the “bad guy” taking access away from employees, who become increasingly frustrated and defensive. (Although being the “bad guy” is nothing new to internal auditors!)
The challenge really comes down to how much access is the “right” amount of access, and credit unions both large and small have unique challenges. Larger credit unions might find that employees have more defined roles, meaning less access and more restricted staff members, stifling curiosity.
Employees of smaller credit unions, alternatively, have more broadly defined roles as they wear multiple hats, requiring more expansive access and mounting risk. In these cases, the CU should have processes in place to help mitigate the potential risk of insider abuse.
So what’s the best way to manage your employee security access: internally or through a third party? Either! One benefit of outsourcing this work is that it provides relief to upper management and internal auditors, who are then no longer directly responsible for curtailing access. However, many credit unions continue to manage this internally with great success.
The important part is that you have a clearly defined policy and that you stick to it, avoiding access creep. Stick with your defined roles and the access you’ve decided those roles warrant, and be ready to document and defend exceptions.
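As an added example (not from the author or from AuditLink), here is one way to turn such a policy into a repeatable review: granted access is compared against what the employee's role warrants, anything beyond the role is reported either as a documented exception or as access creep, and segregation-of-duties conflicts are flagged. The roles, functions, conflict pairs and employees below are constructed sample data, and the function names are my own.

```python
"""Entitlement review: compare granted core-system access against role-defined
access, documented exceptions and segregation-of-duties (SoD) rules."""
from dataclasses import dataclass, field

# Constructed sample policy: role -> core functions that role warrants.
ROLE_ACCESS = {
    "teller": {"view_member", "post_deposit", "post_withdrawal"},
    "loan_officer": {"view_member", "create_loan", "view_loan"},
    "loan_reviewer": {"view_member", "view_loan", "approve_loan"},
}

# Constructed SoD rules: sets of functions one person must not hold together.
SOD_CONFLICTS = [
    ({"create_loan"}, {"approve_loan"}),
    ({"post_withdrawal"}, {"file_maintenance"}),
]


@dataclass
class Employee:
    name: str
    role: str
    granted: set                     # functions actually granted on the core
    exceptions: dict = field(default_factory=dict)  # function -> justification


def review(employees):
    """Return (employee, finding, detail) tuples for anything outside policy."""
    findings = []
    for e in employees:
        allowed = ROLE_ACCESS.get(e.role, set())
        for fn in sorted(e.granted - allowed):      # access beyond the role
            if fn in e.exceptions:
                findings.append((e.name, "documented_exception", f"{fn}: {e.exceptions[fn]}"))
            else:
                findings.append((e.name, "access_creep", fn))
        for a, b in SOD_CONFLICTS:                  # both sides of a conflict held
            if a <= e.granted and b <= e.granted:
                findings.append((e.name, "sod_conflict", f"{sorted(a)} with {sorted(b)}"))
    return findings


# Constructed sample staff: alice is in policy, bob has crept into approvals,
# carol has extra access that was documented and approved.
SAMPLE_EMPLOYEES = [
    Employee("alice", "teller", {"view_member", "post_deposit", "post_withdrawal"}),
    Employee("bob", "loan_officer", {"view_member", "create_loan", "view_loan", "approve_loan"}),
    Employee("carol", "teller", {"view_member", "post_deposit", "post_withdrawal", "view_loan"},
             exceptions={"view_loan": "covers the loan desk on Saturdays (approved by manager)"}),
]

if __name__ == "__main__":
    for name, finding, detail in review(SAMPLE_EMPLOYEES):
        print(f"{name:8} {finding:22} {detail}")
```

Run against a real export of core-system entitlements, the "access_creep" lines are the items to remove or formally document, and "sod_conflict" lines are the ones an examiner will ask about first.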
Marsha Sapino is Assistant Manager with AuditLink.