A leading global investment banking, securities, and investment management firm had an audit finding stating that technologists had unconstrained access to production systems, exposing the firm to significant financial, operational, and reputational risk. The client sought support for its newly initiated program to coordinate and manage access reductions and the development and adoption of constrained production access tools across all of its business units.
We helped generate access metrics on a weekly basis to monitor production access events. Our team worked with different Business Units across the firm to uplift controls for all technology platforms. We analyzed several extant policies and standards, including Application Change Management, Application Security, Incident Management, and Model Control policies, and recommended and facilitated confirmation of scope for the contents of a new policy and two new standards, as well as harmonizing the extant policies and standards as they relate to production access. We defined and operationalized a governance process for policy and standard assurance, developed detailed procedural material articulating practical recommendations, and developed an assessment tool to support risk assessment and categorization of all production entry points for enforcing the adoption of the new control regime.
We enabled all technology teams to improve business process and achieve the stated goal of reducing production access by 50% for the year. The client’s business units adopted the technology controls rapidly. The technology risk committee ratified the policy and related standards we recommended, and the firm began to take concrete steps to manage the transition to 100% compliance with the policy.