The financial services industry is no stranger to data protection concerns. Perhaps tied only with the healthcare industry, financial institutions collect vast amounts of sensitive nonpublic personal information (NPI). Malicious actors target financial institutions because they can easily sell records on the Dark Web. Meanwhile, internal actors pose additional risks, particularly across complex IT ecosystems. Whether seeking to perpetrate fraud or accessing data accidentally, internal users with excess access can undermine an organization’s data protection program. Financial services institutions can mature their compliance posture and create proactive data protection programs by modernizing their Identity, Governance, and Administration (IGA) strategies with automation and analytics.
Do financial institutions still need point-in-time audits?
While most people would agree that point-in-time audits are archaic vestiges of the analog days, they still provide value. Increasingly, compliance requirements focus on continuous monitoring. In other words, you need to use your point-in-time audit to validate your continuous monitoring processes. While compliance is not the same as security, a compliance failure can be an indicator that your current processes do not protect data.
Data Breach Statistics Indicate Lack of Identity and Access Governance
While not every data breach arises from manual processes, managing user access across a variety of printed request documents, emails, and shared drives often leads to human error risk. As a financial institution scales, the need to rapidly provide access and terminate access becomes a business imperative.
According to the Accenture Cost of Cybercrime Study in Financial Services: 2019 Report, malicious insider attacks:
- Cost on average $243,101 per event
- Took 55.1 days on average to resolve
Compared to other cybercrimes, malicious insider attacks were both the costliest to the organization and the hardest to contain.
Financial Institutions Will Always Be Audited
Unfortunately for auditors and regulators, most people dislike audits and exams. The processes require large amounts of time and money.
Gathering documentation, responding to additional requests, and meeting with auditors reduces workforce member productivity. Meanwhile, according to the Financial Education & Research Foundation (FERF) 2019 Audit Fee Survey, average hourly audit fees increased from $216/hour in 2009 to $283/hour in 2019.
Financial institutions increasingly add new technologies to their IT portfolios. Whether developing their own applications to generate better customer experiences or onboarding new cloud-based applications to streamline business operations, the IT ecosystem complexity means that audits can provide insight into how well the organization manages its expanded portfolio.
Given the data breach information available, financial institutions clearly struggle to manage the identity lifecycle. With that in mind, regulators will continue to increase the fines and penalties for non-compliance, the stick that accompanies the carrot.
Why legacy IGA fails to remediate audit findings
Traditionally, financial institutions have a single year between exams to prove radical changes in response to audit findings. Using legacy tools when responding to identity, privilege, and access management findings can fail for a variety of reasons.
Deciding on a remediation plan
Most likely, an organization with significant findings needs to devise a new plan for managing identity, privilege, and access. If you were using manual processes, the first step is likely finding a tool that can help. If you’re already using a tool, then the audit findings suggest that the tool is ineffective.
Working with key stakeholders requires setting up meetings and establishing a plan. Even when rushed, this process can take a month or two.
Although the vendor research process may coincide with the planning process, organizations with multiple stakeholders need to create consensus over the direction. Researching vendors becomes arduous, including a lengthy request for proposal (RFP) review process. Then, the organization needs to engage in proof of concept (PoC) to determine whether the chosen vendors can remediate the problems.
The typical start to finish process can take up to 10-12 months. A decision cycle that long means that you’re still planning on how to remediate your audit findings by the next exam.
Engaging in Due Diligence
Securing your information means that you need to incorporate vendor risk management as part of your audit remediation strategy. Again, collecting, reviewing, and discussing reports takes time – which most organizations don’t have if regulators want to see changes.
Implementing a Solution
Legacy IGA tools often require an on-premises only, cumbersome deployment. In some cases, full implementation of the legacy IGA tool can take anywhere between 12 and 18 months after inking the contract.
The Overall Timeline is a Problem
Putting together all of these steps, the remediation process can take anywhere from 24-32 months after the initial audit. You’re on an annual audit/exam cycle, which means that this timeline encompasses two more audits/exams. Auditors and examiners can be patient. Sometimes. However, they typically expect to see significant improvement within the first 12 months.
Choosing a legacy IGA tool means that your organization most likely won’t be able to remediate all of the findings within that “window of patience.” An inability to show significant improvement and remediation can lead to a Memorandum of Understanding (MoU) which usually means “if you don’t complete the work, you can’t engage in business.”
8 Steps to reducing audit findings by modernizing IGA
Ensuring appropriate access to resources means more than just preventing workforce members from accessing personally identifiable information; it also means segregating networks and infrastructures. For example, as your organization creates in-house developed applications, you want to separate access to development and production environments.
Obtain Stakeholder Support
Obtaining internal stakeholder support often becomes a primary roadblock to new IT projects. By identifying and bringing together all internal stakeholders, you can create consensus and explain how the project’s short term business process disruption will ultimately benefit everyone.
- Board of Directors: Establish key risk indicators, not just key performance indicators
- Senior Management: Dashboards with continuous visibility and streamlined reporting
- Line of Business: User-friendly access review processes
- Application Owners: Fewer access requests to burden administrators
- End-Users: Rapid access approvals that increase productivity
Responding to audit findings and bringing in all impacted stakeholders can often lead to project scope creep. Financial institutions need to put governance around their entire Identity and Access Management (IAM) processes, which includes working with human resources, line of business, IT, audit, and senior management. With each stakeholder having different needs and wants, you need to manage expectations by giving each stakeholder timelines that keep them engaged and give them visibility into the process. For example:
- Map logic effectively by focusing on high-risk applications in the first phase
- Provide user education over the process
- Focus on modernizing IGA as a process focused on continuous
Understand and Validate Current State
Before building or designing your new process, you need to understand and validate the current status to gain insight into what issues led to the audit findings. For example:
- Clean up current authoritative source of identity
- Identify all organizational job role functions
- Create meaningful role descriptions
- Understand the difference between employee and non-employee accounts
Once you clean up the data on the back end, you can build a more robust data warehouse across your modernized IGA solution for a stronger governance process.
Starting fresh or “boiling the ocean” consumes more human and technical capital. While the initial process may be focused on responding to audit findings, your IGA modernization strategy will be around for the long term.
- Determine your strategy, including authoritative source of identity
- Understand the purpose
- Provide stakeholder updates regularly
- Assign final decision-making power to an individual or small group
- Prevent scope creep
Secure Access to High-Risk Environments
When modernizing IGA processes, financial institutions need to think holistically about governance. Many organizations develop their own applications to drive customer engagement or workforce productivity.
- Talk with infrastructure IT teams, DevOps, development, and engineering teams
- Clean up areas that are not transparent to the business users
- Manage infrastructure access
- Incorporate Privileged Access Management (PAM) with Just-in-Time (JIT) provisioning
- Understand application and infrastructure criticality
- Ensure that users gain access to the right infrastructures but only when they need it
Provide Frictionless User Experience
A frictionless user experience prevents productivity disruptions. Audit findings often occur because organizations fear new processes will lead to lower productivity. However, a modernized IGA solution can minimize business impacts by providing users information as part of their daily workflow without interacting with the platform.
Creating a policy-driven program that enables real-time access request analysis can inform users about approval likelihood. Organizations can choose whether to automate access request approval or provide them insight into the request’s process. These capabilities both ensure compliance with organizational policies and empower workforce members.
Prove Quantifiable Results
To sustain executive sponsorship, you need to continue to prove the investment’s value – both the human and technology investment. During the first 3 to 6 months, you need to have minimum targets met, and by year-end prove real progress.
Modernized IGA solutions provide visibility into the number of access risks so that you can prove decreased risk and program enhancement over time.
Provide a Service That Drives User Adoption
Any audit finding remediation strategy needs end-user buy-in to be successful. While organizations can adopt modernized IGA processes, end-users need to view the technology as a service provided rather than a roadblock to productivity.
During Saviynt’s Converge 2019, Andrew Ehrlich from Jeffries, a financial services company, explained, “From our perspective, it allowed us to target what our business needed, our business lines, and it evolved from there. It allowed us to do what our customers needed – our internal customers as well as our external customers – and limit the amount of people pushing back. Adoption went up through the roof.”
When IT, audit, and compliance departments work together to resolve audit findings, they can gain higher user adoption rates, ultimately leading to more robust risk, compliance, and security postures, by showing:
- Application Teams: no need to worry about access provisioning/deprovisioning with automation
- Senior Leadership: easy insight into key risk indicators
- End-users: more rapid provisioning to needed digital assets that enable productivity
Why Saviynt? Modernized IGA Solution with Compliance-as-a-Service
Saviynt’s cloud-based platform can complete an initial remediation phase within 3-6 months, giving your organization the quantifiable results that auditors and examiners need to gain assurance over your strategies.
Our platform is the first and only modernized IGA solution to achieve FedRAMP ATO status, and our completion of key security compliance initiatives accelerates your vendor risk management (VRM) process.
We are committed to enabling all users – technology and line-of-business – with our easy-to-use interface for a frictionless experience that drives adoption rates.
Saviynt’s platform incorporates an extensive identity warehouse that enables organizations to generate risk-based access policies while our peer- and usage-based analytics continuously monitor access requests. This intelligent access request process automates provisioning for low-risk requests, surfacing medium- and high-risk requests with actionable remediation suggestions so that IT administrators and application owners can prioritize their activities.
Our Application Access Governance (AAG) tool enables you to set fine-grained controls, such as read-only or edit level, so that you can proactively prevent Segregation of Duties (SoD) violations and enforce the principle of least privilege across the complex security hierarchies in your connected application ecosystem. With our dashboards that show key risk indicators, you can continuously monitor and document your compliance within the platform, easing audit burdens and proving program maturity.
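The risk-based access request process described above (peer-based analytics that auto-approve low-risk requests and surface the rest, plus fine-grained read/edit Segregation of Duties checks) as an added illustrative example; this is constructed for this page, not Saviynt's code, and the users, entitlements and SoD rule are made-up sample data:

```python
"""Toy access-request risk engine (constructed example, not a product API).
Scores a request by how many peers in the same job role already hold the
entitlement, checks SoD rules at read/edit granularity, then routes it."""

# Constructed sample identity data: user -> (job role, {entitlement: level})
USERS = {
    "alice": ("ap_clerk", {"ap.invoice": "edit"}),
    "bob":   ("ap_clerk", {"ap.invoice": "edit"}),
    "carol": ("ap_clerk", {"ap.invoice": "edit", "gl.reports": "read"}),
    "dave":  ("ap_clerk", {}),
    "erin":  ("treasury", {"ap.payment": "edit"}),
}
# Constructed SoD rule: (entitlement_a, level_a, entitlement_b, level_b);
# holding both at these levels or higher is a conflict.
SOD_RULES = [("ap.invoice", "edit", "ap.payment", "edit")]
LEVEL_RANK = {"read": 1, "edit": 2}

def peer_share(role, entitlement, level, users=USERS, requester=None):
    """Fraction of peers in `role` (excluding the requester) holding
    `entitlement` at `level` or higher; 0.0 when the role has no peers."""
    peers = [ents for u, (r, ents) in users.items() if r == role and u != requester]
    if not peers:
        return 0.0
    holders = sum(1 for ents in peers
                  if LEVEL_RANK.get(ents.get(entitlement), 0) >= LEVEL_RANK[level])
    return holders / len(peers)

def sod_conflicts(held, requested, level, rules=SOD_RULES):
    """SoD rules that would be violated if `requested`@`level` were added to `held`."""
    merged = dict(held)
    merged[requested] = max(merged.get(requested, "read"), level, key=LEVEL_RANK.__getitem__)
    hits = []
    for ent_a, lvl_a, ent_b, lvl_b in rules:
        if (LEVEL_RANK.get(merged.get(ent_a), 0) >= LEVEL_RANK[lvl_a]
                and LEVEL_RANK.get(merged.get(ent_b), 0) >= LEVEL_RANK[lvl_b]):
            hits.append((ent_a, ent_b))
    return hits

def evaluate(user, entitlement, level, users=USERS):
    """Route a request: 'block' on an SoD conflict, 'approve' when most peers
    already hold the entitlement, otherwise 'review' (an outlier request)."""
    role, held = users[user]
    conflicts = sod_conflicts(held, entitlement, level)
    if conflicts:
        return "block", f"SoD conflict: {conflicts}"
    share = peer_share(role, entitlement, level, users, requester=user)
    if share >= 0.75:  # threshold is a constructed policy choice
        return "approve", f"{share:.0%} of peers hold it"
    return "review", f"only {share:.0%} of peers hold it"
```

The decision and reason strings are what a reviewer dashboard would surface; the threshold and rules would come from the organization's own policy.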