Pub. 7 2016 Issue 1

West Virginia Banker, Spring 2016

the requested access. The same process should exist for requested changes. When an employee separates from the financial institution, a formal process should exist that communicates the separation to the logical access security administrator in a timely manner. A process should also exist for emergency logical access changes when the employee is leaving involuntarily, or when the employee holds elevated privileges that present a security issue to the financial institution. The communication to the logical access security administrator should normally come from human resources or payroll; however, exceptions to the policy may be needed to address unusual items, including involuntary separations.

• Review of Logical Access Assigned – A formal review process over additions, changes and removals of logical access should be conducted on a regular basis. When the activity is initially implemented, the logical access activity conducted should be independently reviewed to ensure it was in accordance with an approved request. In addition, an institution should conduct a periodic review of the logical access actually assigned, to catch the subtle changes that can accumulate throughout the year. The reviews should be documented, and any questions communicated to the responsible personnel until they are resolved. The results of the review should be communicated to the appropriate committee (IT Steering Committee or equivalent).

• Review of Activity Conducted on Customer Accounts – As indicated previously, in some cases access is assigned to personnel who serve as backups to the primary personnel responsible for an area, the goal being timely customer service. It is very important that the activity conducted on customer accounts be reviewed on a regular basis, ideally by personnel independent of the process. The review should be documented (it can be documented electronically on the report itself), with any issues noted along with their ultimate resolution. When an issue is discovered, a process should be established for consistent resolution, and an issues tracking log should be maintained to monitor the overall status of the discovered issues.

• Do Not Forget About Other Systems – In most cases the financial institution focuses on the core processing system, as that is where most customer transactions occur. However, it is also important to have established procedures for other systems, to reduce the risk of unauthorized access to, and activity on, the institution's information technology systems. For example, accounts with elevated network privileges (e.g., members of the Domain Admins, Enterprise Admins and Schema Admins groups) should be reviewed on a regular basis. The configuration of firewalls and other network devices should be reviewed for appropriate password policies, account lockouts and inactivity timeouts. In addition, the firewall appliances (as well as other systems and network user accounts) should be included in the employee separation and change-in-status forms. Ancillary products should also be considered and reviewed. Another area to consider is network service accounts. In many cases, service accounts are excluded from forced password changes to reduce the risk of customer service interruption. However, exclusion from forced password changes should not mean exclusion from password changes altogether: where possible, service account passwords should be changed periodically in a controlled manner (scheduled, with the services and scheduled tasks that depend on the account identified and updated at the same time), so that sound security practice is maintained without interrupting customer service. Finally, do not overlook vendor accounts. When a vendor relationship terminates or changes, the vendor's account(s) should be changed appropriately. If vendors have individual employee accounts on the network, procedures should exist for proper, timely communication to ensure those accounts are removed or disabled when an employee separates from the vendor.

Conclusion. Logical access controls are a critical component of a financial institution's control environment. Formal policies and procedures should be established to ensure consistent practices. Exceptions should be communicated and addressed in a timely manner.

Chris Joseph is a Partner of Arnett Carbis Toothman LLP, Certified Public Accountants, in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information System Auditor, Certified in Risk and Information Systems Control and Certified Information Technology Professional, Mr. Joseph has over thirty years of experience
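The "Do Not Forget About Other Systems" point above calls for a regular review of elevated network groups and of service accounts that are exempt from forced password changes. The following PowerShell script is an added example of what such a review can look like in an Active Directory environment; it is not part of the article and not a tool of the author's firm. It assumes the RSAT ActiveDirectory module on a domain-joined host, and the group list, the 90-day logon threshold and the 365-day service-account password age are assumptions to be adjusted to the institution's own policy. The script only reports; it changes nothing, so it can run under a read-only reviewer account.

```powershell
# Added example (not from the article): periodic review of privileged AD group
# membership and of service accounts whose passwords never expire.
# Assumes RSAT ActiveDirectory and a domain-joined, read-only reviewer session.
#Requires -Modules ActiveDirectory

param(
    # Assumption: these groups are what the institution treats as "elevated".
    [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    # Assumption: a service-account password older than this is due for a controlled rotation.
    [int] $MaxServicePasswordAgeDays = 365,
    # Assumption: an elevated account unused this long is a candidate for removal.
    [int] $StaleLogonDays = 90,
    [string] $ReportPath = ".\logical-access-review-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory
$findings = New-Object System.Collections.Generic.List[object]
$now = Get-Date

# 1. Elevated group membership, with nested groups expanded so that a user
#    reaching Domain Admins through another group is still listed.
foreach ($group in $PrivilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') { continue }   # computers/gMSAs are reviewed separately
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Description
        $issue = @()
        if (-not $u.Enabled) { $issue += 'disabled account still holds elevated group membership' }
        if ($u.LastLogonDate -and (($now - $u.LastLogonDate).Days -gt $StaleLogonDays)) {
            $issue += "no logon in more than $StaleLogonDays days"
        }
        if ($u.PasswordNeverExpires) { $issue += 'elevated account with a non-expiring password' }
        $findings.Add([pscustomobject]@{
            Area        = "Privileged group: $group"
            Account     = $u.SamAccountName
            Enabled     = $u.Enabled
            LastLogon   = $u.LastLogonDate
            PwdLastSet  = $u.PasswordLastSet
            Description = $u.Description
            Issue       = ($issue -join '; ')
        })
    }
}

# 2. Service-style accounts: enabled, and either exempt from password expiry or
#    carrying a service principal name. These are the accounts the article says
#    must still be rotated, only under change control rather than by policy.
$serviceAccounts = Get-ADUser `
    -Filter 'Enabled -eq $true -and (PasswordNeverExpires -eq $true -or ServicePrincipalName -like "*")' `
    -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, LastLogonDate, Description
foreach ($u in $serviceAccounts) {
    $issue = @()
    if (-not $u.PasswordLastSet) {
        $issue += 'password has never been set'
    } else {
        $age = ($now - $u.PasswordLastSet).Days
        if ($age -gt $MaxServicePasswordAgeDays) {
            $issue += "password is $age days old (limit $MaxServicePasswordAgeDays)"
        }
    }
    if (-not $u.Description) { $issue += 'no description: owner and dependent services unknown' }
    $findings.Add([pscustomobject]@{
        Area        = 'Service account'
        Account     = $u.SamAccountName
        Enabled     = $u.Enabled
        LastLogon   = $u.LastLogonDate
        PwdLastSet  = $u.PasswordLastSet
        Description = $u.Description
        Issue       = ($issue -join '; ')
    })
}

# The full listing goes in the review file; only rows with an issue are shown.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Where-Object Issue | Sort-Object Area, Account | Format-Table -AutoSize
```

The CSV is the artifact to attach to the review documentation and to the issues tracking log: each row with a non-empty Issue column should be closed out with a named owner and a resolution. A service account flagged as overdue is not rotated by this script on purpose; the password change belongs in a change ticket that lists the services, scheduled tasks and application pools using the account, so the credential is updated everywhere in one window and customer-facing services are not interrupted.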
