II.C.7(b)     User Access Program

Management should develop a user access program to implement and administer physical and logical access controls to safeguard the institution's information assets and technology. This program should include the following elements:

  • Principle of least privilege, under which each user is granted only the minimum physical and logical access needed to perform the duties of the job, and no more.
  • Alignment of employee job descriptions to the user access program.
  • Requirements for business and application owners to define user profiles.
  • Ongoing reviews by business line and application owners to verify that each user's access remains appropriate for the user's job role, with any required changes reported promptly to security administration personnel.
  • Timely notification from human resources to security administrators to adjust user access when jobs change, including transfers and terminations, so that access does not remain in place after the need for it has ended.
  • Periodic independent reviews that ensure effective administration of user access, both physical and logical.

For more information, refer to the "Physical Security" and "Logical Security" sections of this booklet.
