The OGO Blog

Credit Union Information Security – Where To Start?


As a CUSO providing disaster recovery and production IT services, Ongoing Operations works with hundreds of Credit Unions during the course of the year. And true to the grassroots nature of the industry, we like to share forward information that will help your Credit Union create IT efficiencies, improve recovery strategies and tighten security/controls. During 2014, there was a common theme among those Credit Unions that had undergone an NCUA IT Examination – IT Security Program Compliance (ISP). And while I’m sure this doesn’t come as a shock to anyone in light of the year’s major data security breaches, what was shocking was the lack of an organized approach/tools to put a Credit Union information security program in place. We’ve compiled a list of ISP-related resources to help you get started!

NCUA IT Security Compliance Guide

Sometime in 2006, NCUA published this guideline to assist Credit Unions in the development of their ISP. Specific care was taken to differentiate between IT security guidelines and Privacy rules. Of all the DORs I saw this year, the lack of a formal ISP supported by tangible/measurable implementation efforts was by far the most common. Sure, most Credit Unions had an ISP policy statement, but when the examiners looked for evidence, many fell short. This guideline deals specifically with identifying and controlling risks to information and information systems. So what was missing? You can’t protect what you don’t inventory! Failing to perform an inventory of your member information touch points makes it unlikely that you will adequately protect against all threats. Get started on the inventory ASAP!

AIRES IT Exam Questionnaires and Chapter 6 Information Systems and Technology (Examiners Guide)

For anyone who has ever wanted a cheat sheet prior to a test – this is your chance! Based on the actual questions that NCUA would expect to cover with you during an exam, this spreadsheet (downloadable) gives you the opportunity to prepare and assess your own level of preparedness any time you choose! Download this today and begin the walkthrough process with your team. And it’s hard to overlook – Part 748 (Member Information Security) is right on top!

FFIEC Handbook – Information Security

As an ex-VP/IT for a large CU, I can share that if you have not familiarized yourself with the FFIEC (Federal Financial Institutions Examination Council) IT Handbook (the whole thing – not just Information Security) by now, it is not too late! This InfoBase, while written for field examiners, is a veritable gold mine for any CIO in the Credit Union industry. Best practices covering IT risk assessment and security controls/monitoring are covered in depth. As we begin our second series of FFIEC-related posts, we will cover the Information Security section in depth. Look for these posts starting this week! You can find our first FFIEC eBook here.


Cyber Security Controls (SANS)

Compliance is one thing – actual protection against attacks/threats is another. The SANS Institute recognized the need to provide a list of high-value action items organizations could take to protect themselves against threats. These controls provide the foundation needed for a solid Credit Union information security strategy:

Technical Guide To Information Security Testing and Assessment


Another high-value guide written by the National Institute of Standards and Technology (NIST) – the agency responsible for developing policies and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets. Highly technical in nature, the guide provides solid details on ISP testing and assessment.

With so many “sources of authority”, it isn’t shocking that Credit Unions find it difficult to organize and manage their IT infrastructures. Ongoing Operations has both the expertise and the tools to help. Reach out today to talk to one of our engineers!