Can we allow administrative personnel and registered securities representatives to access bank core systems?

Administrative employees and registered securities representatives may be allowed to access some aspects of core data processing, but their access should be strictly limited to what is needed to perform their jobs for the bank.

The FFIEC’s IT Examination Handbook is an excellent guide for data processing system access questions.

  • The “Access Control” section states that “[a]ccess should be authorized and provided only to individuals whose identity is established, and their activities should be limited to the minimum required for business purposes” and that “[a]uthorized individuals may be employees, technology service provider (TSP) employees, vendors, contractors, customers, or visitors” (emphasis in bold added).
  • The limitation of access based on employee activities is discussed in further detail in the “Logical Security” section of the FFIEC IT Examination Handbook:

Management should employ the principle of least possible privilege throughout IT operations. The principle provides that individuals should only have privileges on systems and access to functions that are required to perform their job function and assigned tasks. Access privilege may include read-only, read/write, or create/modify. Even read-only access poses risk since employees can print or copy sensitive customer information for inappropriate use. System administrator and security administrator level access allow an individual to change access privileges to systems and information. Individuals with these roles and privileges should have minimal transactional authority. Independent employees should monitor the system and security administrator activity logs for unauthorized activity. Smaller operations centers are challenged in implementing separation of duties and the principle of least privilege because they frequently do not have the resources. Management at smaller institutions should establish compensating controls in these circumstances.

  • The FFIEC also recommends, in the “Application Access” section, that banks maintain “consistent processes for assigning new user access, changing existing user access, and promptly removing access to departing employees,” while also “[e]asing the administrative burden of managing access rights by utilizing software that supports group profiles.”
  • Group profiles allow banks to group “employees with similar access requirements under a common access profile” (for example, you could set up one group profile that would apply to all tellers).
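As an added illustration (not part of the FFIEC handbook or of this answer), the following Python sketch models the controls the quoted guidance describes: group profiles that bundle functions with a read-only, read/write or create/modify mode; a least-privilege access check against the union of a user's profiles; a separation-of-duties check that privilege-administrator groups hold no transactional authority; and a review pass over administrator activity log entries of the kind an independent employee would monitor. All group names, function names and log entries are constructed for the example.

```python
# Added example: group-profile access model with least privilege, separation of
# duties for privilege administrators, and independent review of admin activity.
# Profile names, function names and log entries are constructed, not a real
# core system's configuration.
from enum import Enum


class Mode(Enum):
    READ = "read-only"
    WRITE = "read/write"
    MODIFY = "create/modify"


MODE_RANK = {Mode.READ: 1, Mode.WRITE: 2, Mode.MODIFY: 3}

# Constructed group profiles: each maps a core-system function to the most
# permissive mode the group needs. A function absent from the profile is denied.
GROUP_PROFILES = {
    "teller": {"customer_lookup": Mode.READ, "deposit_posting": Mode.WRITE},
    "admin_staff": {"customer_lookup": Mode.READ, "statement_reprint": Mode.READ},
    "securities_rep": {"customer_lookup": Mode.READ},
    "sys_admin": {"user_provisioning": Mode.MODIFY},
}

# Functions that move money or change balances ("transactional authority").
TRANSACTIONAL = {"deposit_posting", "wire_release"}
# Groups that can change other users' privileges; these should hold no
# transactional functions.
PRIVILEGE_ADMIN_GROUPS = {"sys_admin"}


def effective_rights(groups, profiles=GROUP_PROFILES):
    """Union of the user's group profiles. When two groups grant the same
    function, the higher mode wins (ordinary group-profile semantics)."""
    rights = {}
    for g in groups:
        for fn, mode in profiles.get(g, {}).items():
            if fn not in rights or MODE_RANK[mode] > MODE_RANK[rights[fn]]:
                rights[fn] = mode
    return rights


def is_permitted(groups, function, mode, profiles=GROUP_PROFILES):
    """Least-privilege check: allowed only if some profile grants the function
    at this mode or a more permissive one."""
    granted = effective_rights(groups, profiles).get(function)
    return granted is not None and MODE_RANK[mode] <= MODE_RANK[granted]


def sod_violations(profiles=GROUP_PROFILES):
    """Privilege-administrator groups that also hold transactional functions."""
    return sorted(g for g in PRIVILEGE_ADMIN_GROUPS
                  if TRANSACTIONAL & set(profiles.get(g, {})))


def review_admin_log(entries, profiles=GROUP_PROFILES):
    """Flag privilege changes an independent reviewer should question: an actor
    granting rights to themselves, or an actor outside any provisioning group."""
    flagged = []
    for e in entries:
        if e["actor"] == e["target"]:
            flagged.append((e["ts"], e["actor"], "self-grant"))
        elif not is_permitted(e["actor_groups"], "user_provisioning",
                              Mode.MODIFY, profiles):
            flagged.append((e["ts"], e["actor"], "actor lacks provisioning rights"))
    return flagged


# Constructed sample administrator activity log.
SAMPLE_ADMIN_LOG = [
    {"ts": "2024-01-05T09:12:00", "actor": "alice", "actor_groups": ["sys_admin"],
     "action": "grant", "target": "bob", "function": "deposit_posting"},
    {"ts": "2024-01-05T09:40:00", "actor": "alice", "actor_groups": ["sys_admin"],
     "action": "grant", "target": "alice", "function": "wire_release"},
    {"ts": "2024-01-06T14:03:00", "actor": "carol", "actor_groups": ["teller"],
     "action": "grant", "target": "dave", "function": "customer_lookup"},
]


if __name__ == "__main__":
    print("teller may post deposits:",
          is_permitted(["teller"], "deposit_posting", Mode.WRITE))
    print("securities rep may read deposits:",
          is_permitted(["securities_rep"], "deposit_posting", Mode.READ))
    print("SoD violations:", sod_violations())
    for item in review_admin_log(SAMPLE_ADMIN_LOG):
        print("REVIEW:", item)
```

The `review_admin_log` pass is the piece that matters most for a small operations center: where one person must hold both administrator and transactional rights, a scheduled run over the privilege-change log by someone else is the compensating control the guidance refers to.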

Also, as you are considering outsourcing your core data processing, we would recommend reviewing the Federal Reserve’s Supervisory Letter discussing the risks of outsourcing technology services — SR 00-17 (November 28, 2000) (also found in the Federal Reserve Commercial Bank Examination Manual, Section 4060.1, Appendix A). Though out-of-date in some ways, the New York Federal Reserve Bank’s publication on the same subject is also very helpful — Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks (October 1999).