
Mastering Permission Management: How to Secure Sensitive Banking Documents

Mar 6, 2024

It seems so simple. Give employees access to the documents they need to do their jobs. But ask any IT manager, and they will tell you permission management is much more complicated than it appears. 

Part of the problem is that permissions are far easier to grant than revoke. Does a particular employee still need access to those files? Maybe not. Do you have time to email employees to ask? No, you don’t. 

Getting permissions right is essential for two reasons: 1) granting employees access to proprietary and sensitive information presents a security risk, and 2) employees become distracted and less efficient when overloaded with unnecessary documents. 

Let’s look at some permissioning mishaps that underscore the importance of having a robust permission management system.

Misappropriated documents cause financial, reputational, and compliance nightmares

Financial institutions' largest security threat is their employees – whether it’s an employee who falls for a hacker’s scam or one who commits insider theft.

Make no mistake: most banking employees pose no threat. At the same time, it only takes a few bad apples to expose your institution to significant financial and reputational harm. 

When a $737-million bank in Manchester, Iowa, said goodbye to three employees, it had no idea they’d be taking proprietary client account information with them. The Federal Reserve issued enforcement actions against the three employees for transferring accounts to their new employer's nonbank FI. The Iowa bank suffered doubly from the stolen accounts and the bad press. 

Then, there’s the case of the former CFO of a Wyoming bank who received 280,000 electronic documents with confidential supervisory information belonging to the Fed Board of Governors. The Federal Reserve issued a consent order against the CFO, forbidding him from working at any federally insured depository institution in the future. 

For most industries, permission management is all about deterring crime. As the examples above show, mitigating insider crime is a critical aspect of permissions management for financial institutions. But institutions also need to consider the compliance implications of employee access to confidential documents. 

The Gramm-Leach-Bliley Act (GLBA) requires FIs to identify any operational risks that lead to the exposure of legally protected consumer data. Under FFIEC guidelines, financial institutions must:

  • Identify users who need enhanced authentication and access controls 
  • Periodically evaluate the effectiveness of these controls 
  • Implement layered security to protect against unauthorized access 
  • Create awareness and educational programs for access risks 
  • Verify the identity of all users

Permission management protects FIs from bad actors inside their organization accessing sensitive documents with consumer or proprietary information. Additionally, it enables institutions to meet compliance requirements. 

Best practices for your permission management program

FIs need a program for managing permissions. Far too many institutions rely on inefficient manual document management practices that lack consistent controls, putting themselves at risk.   

Giving employees access to documents they don’t need also introduces inefficiencies. Have you ever tried and failed to locate a file in SharePoint? Permission management is about mitigating risks and enhancing efficiency, giving employees access to the right documents to increase productivity.

Best practices in permission management include: 

Creating a centralized hub for your documents: When banking documents, such as policies and procedures, forms, and product sheets, are held in multiple locations, it’s impossible to know who has access to what. Sending documents over email adds to the problem. Financial institutions require a dedicated portal for storing banking documents and making them accessible to select employees.

Designating departmental administrators to grant permissions: Many businesses, including those in the financial sector, designate a super administrator to control permissions. Super administrators (or “super admins”) have control of all the documents, objects, and group permissions in your system. This practice has many downsides. What happens in an emergency when personnel need to access critical documents and your super admin is on vacation?  

Granting excessive privileges to personnel also poses a security risk. Permission management is much better handled at the departmental level, with designated managers as admins granting access to team members and other personnel.

Ensuring that every document can be permissioned: The last thing you want is for sensitive information to spread to every employee at your institution. FIs must create a system that lets them permission every document.

Having a log-in record to determine who viewed or edited a document: A digital paper trail is essential to permission management. Your FI needs to know who viewed or edited a document (and when it occurred) for security and quality control purposes.

Giving a date range on select documents: Certain banking documents should only be available for a select period of time. Automating the removal of documents from your system ensures that your employees aren’t working with outdated information while also protecting sensitive data.

Making certain documents unavailable for download: Documents containing legally protected consumer data or proprietary information should not be downloadable.

Converting documents into other formats: Documents that require employee sign-off should be automatically convertible to PDFs. A system that performs this function saves time and helps FIs track items such as employee training completion rates and policy acknowledgments, increasing efficiency and productivity.
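
Several of the practices above (departmental admins, per-document permissions, an access record, date ranges, and download restrictions) can be combined into a single default-deny access check. The following is an added example, not code from any product named in this post; the class names, users, department, and document are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Document:
    doc_id: str
    department: str
    available_from: date
    available_until: date
    downloadable: bool = True
    viewers: set = field(default_factory=set)

@dataclass
class PermissionStore:
    dept_admins: dict                      # department -> set of admin users
    audit_log: list = field(default_factory=list)

    def _record(self, today, user, action, doc, reason):
        self.audit_log.append((today.isoformat(), user, action, doc.doc_id, reason))
        return reason == "ok"

    def grant(self, admin, user, doc, today):
        # Only an admin of the document's own department may grant access.
        ok = admin in self.dept_admins.get(doc.department, set())
        if ok:
            doc.viewers.add(user)
        return self._record(today, admin, "grant:" + user, doc, "ok" if ok else "not department admin")

    def request(self, user, action, doc, today):
        # Default deny: the first failed check is the reason; denials are logged too.
        checks = [
            (user in doc.viewers, "no grant"),
            (doc.available_from <= today <= doc.available_until, "outside date range"),
            (action != "download" or doc.downloadable, "download disabled"),
        ]
        reason = next((why for passed, why in checks if not passed), "ok")
        return self._record(today, user, action, doc, reason)

def demo(d=date(2024, 2, 1)):
    # Constructed sample data: users, department and document are made up.
    store = PermissionStore({"lending": {"lending_mgr"}})
    doc = Document("rate-sheet-q1", "lending", date(2024, 1, 1), date(2024, 3, 31), False)
    store.grant("hr_mgr", "teller1", doc, d)                   # wrong department
    store.grant("lending_mgr", "teller1", doc, d)
    store.request("teller1", "view", doc, d)
    store.request("teller1", "download", doc, d)               # view-only document
    store.request("teller1", "view", doc, date(2024, 4, 1))    # past the date range
    store.request("teller2", "view", doc, d)                   # never granted
    return store.audit_log
```

Because denied requests are written to the same log as successful ones, the record also shows who tried to reach a document they were not entitled to, which is the signal an access review needs.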

Leveraging technology for successful permission management

Robust permissioning ensures that your sensitive banking documents aren’t compromised. It also boosts efficiency and helps you comply with data protection and privacy laws. Finally, it shifts some of the burden for managing permissions from IT to other departments and senior managers.

Programs like SharePoint don’t give you enough control over your documents – they're too susceptible to unauthorized access. Sensitive data stored without sufficient access restrictions puts your institution at risk of data breaches and fraud.

Many financial institutions have begun implementing platforms with a dedicated permission management component. You don't want to ignore the matter until it’s too late and your private information ends up in the wrong hands.
