It's increasingly important to centralize identity and access management (IAM) at credit unions. Unfortunately, that is easier said than done.
If you’ve thought about centralizing IAM in your credit union but don’t know where to start, this post is for you.
Recently, we spoke with Angie Garman, internal audit manager for First Florida Credit Union (FFCU). Garman was organizing an effort to centralize identity and access management at FFCU.
We were joined by Ray Murphy, who has over 20 years of experience in information security—many of them spent as CISO for Navy Federal—and he offered some advice about how to get started. Now, we want to pass his expertise on to you!
Getting Started with IAM
Centralizing IAM might seem like a project for your IT department. But if you are like many credit unions, your IT team has already been handed a lot of responsibilities, and they simply have their hands full. So, you might be wondering how to get started amongst all the other challenges you’re facing.
You can also watch the video of our discussion here.
Step 1: Inventory
Start by compiling an inventory of your applications and users. For each application, record:
- Who uses the app
- What roles those users hold
- Whom the app serves (members, staff, a single department)
- Who administers the app
- Who is responsible for running and maintaining the app
Keep these inventories up to date and review them together with HR as employees are onboarded, offboarded, or transfer to a new role; an inventory that drifts from the real roster is how stale accounts survive.
Step 2: Clearly Defined Roles
It's important that everybody in the organization has a clearly defined role. This isn't just good practice for everyday operations; it's also what makes IAM manageable, because access is granted to a role rather than negotiated person by person.
First, review or appoint app administrators. Make sure they are adequately trained in each app’s functions and capabilities.
Regarding user privileges, an app administrator should not do ordinary day-to-day work with the administrative account. If the same person must fill both roles, give that employee two separate user IDs: one for administrative actions and one for ordinary use. That keeps routine work from running with elevated privileges and keeps the audit trail clear about which hat the person was wearing.
Part of each employee’s job description should list the apps they require access to, and at what level. Remembering to deactivate app access when an employee leaves your credit union is one thing.
But what if an employee transfers positions within the credit union?
A loan officer will need a different set of applications than a teller does, and the loan officer's old access does not disappear on its own when they move to the teller line. Clear guidelines about who should be logging onto what make it easier to define the next step: onboarding and offboarding protocols.
Step 3: Onboarding and Offboarding Protocols
This is where app administrators should step in. What is the procedure for granting app access to a new employee? Who is responsible for terminating access when an employee leaves, or for removing old access when an employee transfers? How promptly must that be done?
Once those determinations have been made, you can start getting existing employees and accounts up to standard.
Whether monthly, quarterly, or annually, we recommend that your internal audit team sample accounts and test them for compliance with your new IAM protocols: every account maps to a current employee, the access matches the employee's role, and administrators are not using their admin IDs for ordinary work.
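Steps 1 through 3 together amount to an access review: reconcile the HR roster and the role definitions against what each application actually reports. The Python script below is an added example, not anything FFCU or Redboard runs; its roster, role-to-app matrix, application names and access exports are all constructed for illustration. It flags the three failure modes discussed above (a terminated or unknown account owner, access left over from a previous role, and an admin ID that is also used for ordinary work) and draws a reproducible audit sample.

```python
"""Access review for a hypothetical set of credit-union applications.

Reconciles an HR roster against per-application access exports and reports:
  * orphaned accounts   - owner terminated or unknown to HR (missed offboarding)
  * excess access       - active owner holds an app not granted to their role
                          (typically a transfer whose old access was never removed)
  * shared admin IDs    - one account ID used for both admin and ordinary work
All data below is constructed for the example; names are hypothetical.
"""
import random
from typing import Dict, List, Set, Tuple

# HR roster: employee id -> (employment status, current job role). Constructed.
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "e100": ("active", "teller"),
    "e101": ("active", "loan_officer"),
    "e102": ("terminated", "teller"),
    "e103": ("active", "it_admin"),
}

# Applications each job role needs (the "job description" list). Hypothetical.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "teller": {"core_banking"},
    "loan_officer": {"core_banking", "loan_origination"},
    "it_admin": set(),  # admins get admin accounts, not ordinary user access
}

# Access export per application: (account id, owning employee id, privilege).
# Constructed so that: e100 was a loan officer before transferring to teller,
# e102 has left, ctr007 is unknown to HR, and e103 uses one ID for both
# admin and ordinary work in loan_origination.
APP_ACCESS: Dict[str, List[Tuple[str, str, str]]] = {
    "core_banking": [
        ("e100", "e100", "user"),
        ("e101", "e101", "user"),
        ("e102", "e102", "user"),
        ("e103-adm", "e103", "admin"),
        ("ctr007", "ctr007", "user"),
    ],
    "loan_origination": [
        ("e100", "e100", "user"),
        ("e101", "e101", "user"),
        ("e103", "e103", "admin"),
        ("e103", "e103", "user"),
    ],
}


def review_access(
    roster: Dict[str, Tuple[str, str]],
    entitlements: Dict[str, Set[str]],
    access: Dict[str, List[Tuple[str, str, str]]],
) -> Dict[str, List[Tuple[str, ...]]]:
    """Return findings keyed by rule name, in export order."""
    findings: Dict[str, List[Tuple[str, ...]]] = {
        "orphaned": [], "excess": [], "shared_admin_id": []
    }
    for app, accounts in access.items():
        admin_ids = {acct for acct, _, priv in accounts if priv == "admin"}
        user_ids = {acct for acct, _, priv in accounts if priv == "user"}
        # Rule 3: the same account ID appears as both admin and ordinary user.
        for shared in sorted(admin_ids & user_ids):
            findings["shared_admin_id"].append((app, shared))
        for acct, owner, priv in accounts:
            status, role = roster.get(owner, ("unknown", None))
            # Rule 1: owner is not an active employee (or not an employee at all).
            if status != "active":
                findings["orphaned"].append((app, acct, owner, status))
                continue
            # Rule 2: ordinary access the owner's current role does not call for.
            if priv == "user" and app not in entitlements.get(role, set()):
                findings["excess"].append((app, acct, owner, role))
    return findings


def sample_accounts(
    access: Dict[str, List[Tuple[str, str, str]]], n: int, seed: int = 0
) -> List[Tuple[str, str]]:
    """Draw a reproducible audit sample of (app, account id) pairs.

    A fixed seed lets a second auditor re-derive the same sample from the
    same export, so the sampling itself can be reviewed.
    """
    population = sorted(
        (app, acct) for app, rows in access.items() for acct, _, _ in rows
    )
    return random.Random(seed).sample(population, min(n, len(population)))


if __name__ == "__main__":
    for rule, hits in review_access(HR_ROSTER, ROLE_ENTITLEMENTS, APP_ACCESS).items():
        for hit in hits:
            print(rule, *hit)
    print("audit sample:", sample_accounts(APP_ACCESS, 3, seed=1))
```

In practice the roster comes from HR's system of record and each access list from the application's own user export; the rules stay the same. Each finding names the application, the account and the owner, which is exactly what the app administrator needs to act on it.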
Phase Two of Identity and Access Management
Down the line, your credit union’s new routines and roles will become second nature. Then, if you decide to tackle it, you can start phase two of centralizing IAM: putting in new systems infrastructure so that more of the process is automated rather than tracked by hand.
There are quite a few tech options that would make IAM easier. Start by building an identity infrastructure: a single directory of users and their roles that your applications authenticate against, instead of each app keeping its own user list. Once that exists, tools such as access monitoring systems can watch logins and privilege use centrally and help detect inappropriate app usage or other security risks.
Another option is investing in single sign-on (SSO). With SSO, the pain of juggling multiple IDs for different applications goes away, and offboarding becomes a single account disable rather than a hunt through every app. Because one credential then opens everything, protect it with multi-factor authentication.
With some planning and patience, you can start centralizing your IAM now.
Additional Support
Subscribe to our blog to stay up to date, or request a demo to see if Redboard would be a good fit for your credit union.