Technology Best Practices, Part II

Changing system access requests (SAR) from a manual procedure to an automated process was an essential step in the ongoing evolution of system access security at Affinity Plus Federal Credit Union, St. Paul, Minn.

The $1.28 billion asset credit union won a 2010 CUNA Technology Council Best Practices Award in the Information Security/Privacy Category for its new automated procedure.

Affinity Plus Federal had continually refined its SAR process over the years to address the varied types of staffing and levels of security found within the credit union’s workforce.

The time required to complete a system access request has been reduced from days to hours, giving IT staff more time to tackle other projects say Affinity Plus FCU’s Keith Malbrue, chief operations officer (left), and Cary Tonne, vice president, information technology.

The result was a complex process involving the input of multiple employees and teams within the information technology (IT) staff. This manual system was prone to occasional “misses,” which were highlighted during internal and external audits, prompting additional checks and balances.

A comprehensive solution

Lengthy conversations between IT and human resources (HR) set the objectives for a new SAR solution that would:

• Automate the submission process from a centralized source through to completion and back to the submitter with confirmation;
• Provide comprehensive audit tracking and real time updating of the submission’s current status;
• Offer the ability to submit multiple types of requests through a single portal;
• Provide a comprehensive oversight mechanism to notify management and HR if the process isn’t completed in the established timeframe;
• Satisfy audits and regulators’ reviews; and
• Meet regulatory requirements, such as those set by the National Credit Union Administration.

Next: A SAFE process

A SAFE process

Affinity Plus Federal introduced its System Access for Employees (SAFE) solution in January 2010 based on internal workflow architecture developed using OnBase software from Hyland Software, Cleveland.

All SAFE requests flow from HR to IT with an automated notification of completion sent back to HR. Initial requests are highlighted in a default alert message to all IT staff.

Requests then follow a track that allocates ownership of specific segments of the process based on the type of request.

IT staff marks the completion of each segment and the system records it with a time and date stamp. A notice is sent to IT management if the process lags beyond the predefined timeline.

The process accommodates several types of requests, ranging from vendor and auditor/regulator access requests, to name or department changes, to termination. The SAFE process sets expiration criteria for temporary employees, contract employees, vendors, and auditors or regulators.

All completed SAFEs are archived and stored in Affinity Plus’ OnBase imaging system so they can be provided to regulators and auditors for review and verification.

A clean environment

The time required to complete a SAR has been reduced from days to hours, giving IT more time to tackle other projects. Verification and audit reporting is now highly visible and easily verifiable for auditors.

Policies governing access are implemented with features such as expiration of temporary access and a defined approval process. The SAFE process is modular, so it can easily evolve to meet new requirements.

SAFE requests are now completed accurately and on time to help ensure a “clean” security environment.

For employees, management, and regulators alike, that’s a SAFE process for guarding access to critical systems.

View the full entry and visit the CUNA Councils website to learn more about the CUNA Technology Council and the Best Practice Awards.