Baseline Nonbank Cybersecurity Exam Program

Question 18

How does the institution determine who needs access to what data/information? Is user access limited to business need/least privilege? Are all user access levels, including administrators, monitored and reviewed regularly? How is unauthorized access detected?

Question 19

Is there an employee departure checklist, regardless of the reason the employee is leaving (including transitioning to a different position)? Are user accounts disabled for employees who have left the institution or changed job responsibilities?
