Community banks and credit unions manage hundreds of systems. Due to personnel turnover, hiring, and role changes, permissions on every system generally need to be updated frequently through a manual process.
The use of an IAM system to automate common tasks to improve employee productivity, ensure security, and reduce the time required for audit preparation is a game-changer. If you're here, you already know that. Through conversations with past clients and our own experience, we've put together this checklist.1. Gather the right people and gain alignment.
Before you start talking about the real implications of IAM, pause to be sure all involved departments have a seat at the table. Think granularly about how permissions will be set up, and who should have input. Some obvious suggestions are Human Resources, IT, Helpdesk, and Compliance. Create common goals, objectives, milestones, and a realistic timeline. Ensuring that executives and department leadership are aligned on the importance of IAM will be critical to your success.
2. Reach agreement of roles and permissions throughout the organization.
Before you start making decisions on how to manage the identity, it's important to understand (across all departments) what the bare minimum list of permissions should be, as it relates to different roles, throughout the institution.
3. Evaluate on-premise, cloud, or hybrid deployment options.
IAM solutions come in many forms. One of your earliest decisions will be choosing between on-premise, cloud or a hybrid deployment. Reliability, security, flexibility, ease of use, agility and cost should all be considered in relation to your institution's unique challenges.
4. Review your current authentication procedures.
It's important to ensure that you trust in the identity that is being created, so having an established policy that includes MFA (multi-factor authentication) and/or SSO (single sign-on). Are you confident in your current password policies and how users are being authenticated?
5. Establish a firm workflow that addresses authorization of important changes.
Decide at what point in the employee lifecycle stakeholder acknowledgment is needed. Will permissions need to change? For example, if an employee role needs changes temporarily, what workflow should be triggered? Also consider automated account provisioning needs. When should there be a pre-provisioned Active Directory account prior to hire? What other automated provisioning needs planned?
6. Prioritize systems that are critical to your business and dig deeper.
Identify and prioritize systems that contribute materially to your identity risk, such as your core provider, HR system, loan origination system, and more. For example, if your HR department uses ADP, your ADP representative will need to assist in gaining API access. Identifying these scenarios, and creating an early connection with core providers, such as FIS, Jack Henry, and Fiserv, will once again save you time, and prevent project hold-ups. Additionally, you should take a close look at your systems and decide who should be authorizing access to each one, and who the authoritative source for assigning that responsibility is. Is it a committee, the executive team, an IT leader?
7. Hone your understanding of the compliance and regulatory environment.
It's important to know what is expected of your institution from auditors, so that the IAM system can be managed in a way that efficiently addresses those needs. Both internal and external audit teams are likely to request reporting that proves compliance with numerous regulations and best practices, among other things. Be sure your implementation team is in-the-know about regulations such as GDPR and CCPA. For example, the FDIC/NCUA may require that the people who monitor systems access and request changes are different than the people who approve those changes. Define a certification policy designed to audit your user access.
8. Automated systems are great when it comes to managing access certifications, but there should be a policy in place that outlines a recurring review of those permissions.
Reviewing your roles periodically is important to ensure that your employees only have access to what they need to do their job. Access needs can change, and department heads, an assigned committee, or other identified stakeholder should plan to review and re-certify access within their institution at least annually, if not more often. Having a policy that ensures everyone is in agreement about how, and how often, this review will take place is important.
9. Define IAM success.
Set some expectations for what this implementation means at your institution. What is the end goal, and how will you know the investment was worth it? Is it a time savings from your staff, or perhaps the ability to have flexibility in future years as the regulatory landscape changes? maybe it's the reduction of future risk and reallocation of company resources to more important projects. Whichever benefits first piqued your interest in an identity management solution, keep in mind all of the additional benefits that will come along with the completion of this project.
10. Talk to an expert.
Before you go all in, engage with someone who has a variety of experience in implementation. Consult with peers in the financial information security community to uncover helpful hints, talk to a representative from your core provider, and interview the sales professionals representing the systems you're interested in.
Overdelivering is kind of our thing,so here's one more ...
Bonus: Rest Assured!
If you've made it this far, you've already uncovered the real importance of an IAM system. As institution digital architecture becomes more and more complex, the smartest move to make is one with automated logic that lessens risk, increases efficiency, and focuses on security. By making the move to implement an IAM system, you are joining the ranks of successful businesses all over the world.
If you'd like to share this checklist in true PDF checklist form, download it here.