
I had the honor of speaking at a credit union chapter meeting this evening, and while discussing my career path from a computer scientist working in a lab to an IT leader in the credit union industry, it dawned on me that the two industries have one strong commonality – COLLABORATION. As scientists, we freely swapped lessons learned from experiments or beta (alpha!) projects. The same is true for our industry, as credit union leaders engage in collaborative efforts ranging from sharing simple best practices to the formation of CUSOs. Today’s post is all about that type of information sharing as we bring you new trends we are seeing in NCUA examinations that may impact your credit union DR/BCP program!

Trend 1 – Better break out your “Interagency Guidelines Establishing Information Security Standards” (NCUA Rules & Regulations, Part 748, Appendix A & B)

You may be thinking, “but that’s IT security, not DR!” Let me tell you, whatever fine line there was before seems to have disappeared. Part 748 calls for the safeguarding and protection of member data from risks and threats. Sound familiar? Your BIA (Business Impact Analysis), which is the foundation of your entire business continuity program, calls for the identification of threats and the development of mitigation strategies. It is easy to see how a new focus is being placed on credit unions to enhance their BCP program to include an expanded risk assessment that covers Part 748.

Action Steps To Take Now:

1) If you haven’t already read (and re-read) the IT Security Compliance Guidelines – start here. This isn’t a once-and-done read. If IT isn’t your area, schedule some time with your IT department to review the guidelines and discuss ways to integrate them into your DR/BCP.

2) Perform your member information inventory – include electronic and physical locations as well as communications/transmissions. Ensure you have a good understanding of what your credit union has determined to be “sensitive” data. I’m old school – if it’s not marketing material meant to be in the public’s hands, then I protect it.

3) Expand your DR/BCP risk assessment to include the member information inventory/assets.

Trend 2 – RTO/RPO Values – Really??

When you performed your BIA, you came up with a list of critical processes; some may even have RTOs of <4 hours, which represents the criticality of the disruption to your credit union. Or does it? A common mistake when calculating or assigning RTO/RPO values is to record the “hoped for” value instead of the tested value. Huge gaps in your plan can open up if these numbers are not aligned with the reality of your recovery resources (time, money, equipment, bandwidth, etc.). During recent exams, credit unions have been asked to demonstrate that those values are more than just a number – examiners want to see test results!

Action Steps To Take Now:

1) Pull out your BIA and review your critical processes. Depending on your credit union’s size, you may have anywhere between 10 and 30. Clean up the list first and remove any that do not require priority recovery.

2) Test, test and test again. One by one, work through the list to determine whether your RTO/RPO values not only make sense but are also achievable. Tabletop exercises are a great tool for this work. Gather the impacted departments and your leadership team and work through a worst-case scenario. But don’t stop there – perform actual tests where the disrupted process is recovered and made available through its recovery path. Waiting until a crisis hits is too late to work out the bugs!

Trend 3 – Do you know your cyber risk?

With the escalating trends in cyber-crime, there is little tolerance for not doing all you can to mitigate the risk to your credit union’s infrastructure. DDoS and other cyber-related threats are not “the other guy’s” problem – EVERY credit union is at risk, and examiners want to see evidence that the risk is understood and taken seriously.

Action Steps To Take Now:

1) Understand your Internet dependencies by performing an inventory of all processes, systems and services that depend on the Internet. Are any of these critical to your recovery? If so, does your communications infrastructure support a recovery time objective of <24 hours?

2) Understand your network and communications infrastructure by developing and maintaining network diagrams. Are there any obvious single points of failure that, in the event of a cyber attack, would prevent your credit union from achieving its recovery goals? If so, and you can’t change the RTO, what are your procurement plans to eliminate the gaps? This is where the RTO/RPO frequently becomes distorted, as discussed above.
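The two checks above (Trend 2's tested-versus-targeted RTO and Trend 3's single points of failure) can be reconciled against the same BIA data. The following script is an added example, not from the original post: it uses a constructed, hypothetical BIA in which each process carries a target RTO, the recovery time measured in an actual test, and the components it needs back first, then reports which processes miss their target once dependencies are accounted for and which non-redundant components several processes share.

```python
# Constructed sample BIA (hypothetical names and hours). "tested" is the
# recovery time measured in a real test, not the "hoped for" value; "deps"
# are components that must be restored before this one can be recovered;
# "redundant" marks components with a second, independent path.
BIA = {
    "internet_link":   {"target_rto": 4, "tested": 24, "deps": [], "redundant": False},
    "core_network":    {"target_rto": 4, "tested": 2,  "deps": [], "redundant": True},
    "core_system":     {"target_rto": 4, "tested": 3,  "deps": ["core_network"], "redundant": False},
    "online_banking":  {"target_rto": 4, "tested": 1,  "deps": ["core_system", "internet_link"], "redundant": False},
    "atm_network":     {"target_rto": 8, "tested": 2,  "deps": ["core_system", "internet_link"], "redundant": False},
    "teller_platform": {"target_rto": 4, "tested": 1,  "deps": ["core_system"], "redundant": False},
}

def achievable_rto(bia, name, _seen=()):
    """Hours until `name` is usable: its own tested recovery time on top of its
    slowest dependency, since a process cannot be restored before what it needs."""
    if name in _seen:
        raise ValueError(f"dependency cycle at {name}")
    entry = bia[name]
    wait = max((achievable_rto(bia, d, _seen + (name,)) for d in entry["deps"]), default=0)
    return wait + entry["tested"]

def rto_gaps(bia):
    """Processes whose dependency-aware, tested recovery time misses the BIA target,
    mapped to the size of the miss in hours."""
    gaps = {}
    for name, entry in bia.items():
        actual = achievable_rto(bia, name)
        if actual > entry["target_rto"]:
            gaps[name] = actual - entry["target_rto"]
    return gaps

def transitive_deps(bia, name):
    """Every component `name` depends on, directly or indirectly."""
    out = set()
    for d in bia[name]["deps"]:
        out.add(d)
        out |= transitive_deps(bia, d)
    return out

def single_points_of_failure(bia):
    """Non-redundant components that two or more other processes depend on."""
    dependents = {}
    for name in bia:
        for d in transitive_deps(bia, name):
            dependents.setdefault(d, set()).add(name)
    return {d: sorted(users) for d, users in dependents.items()
            if len(users) >= 2 and not bia[d]["redundant"]}

if __name__ == "__main__":
    for proc, hours in sorted(rto_gaps(BIA).items()):
        print(f"{proc}: misses target RTO by {hours}h")
    for comp, users in sorted(single_points_of_failure(BIA).items()):
        print(f"single point of failure {comp} -> {', '.join(users)}")
```

In the sample, the 24-hour Internet link alone pushes online banking far past its 4-hour target even though its own recovery takes one hour, which is exactly the distortion the post warns about.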

It is still early in 2014 and we are already seeing key issues that are impacting our credit unions. You can count on us to share forward and we look forward to hearing your experiences! Take a moment to comment below!