Tech Time: I hear you knockin’
Four important concepts for knowing who’s who and what they can do in your systems.
Note: October is National Cyber Security Awareness Month.
This is a question asked and answered hundreds of times each day at your credit union. Joking aside, it’s an important question that gets at an integral aspect of your credit union’s access management and cybersecurity controls. In this article, we’ll review and discuss four important components of identity and access management—that is, knowing who is accessing what on your systems.
As a starting point, a credit union’s policies and practices need to account for and identify entities accessing systems and information. I use the term “entities,” as the credit union cannot limit its examination to people. In many cases, computer systems and data may be accessed by other computer systems or automated processes.
For example, you may have a centralized log collection server accessing and pulling various logs from other servers. Or a collections/delinquent account management server may gather and download information from your core systems through an automated nightly process. Whether the “entity” is human or machine, internal or external, manual or automated, the credit union needs to understand and catalog who/what is accessing systems and information.
With knowledge of your “entities” in hand, you next should examine how, or by what process, you will identify and distinguish one entity from another. When Janie Jones and Ana Ng attempt to access your systems, how will you distinguish between them—or voice response from home banking?