As a CUSO providing disaster recovery and production IT services, Ongoing Operations works with hundreds of Credit Unions during the course of the year. And true to the grassroots nature of the industry, we like to share information that will help your Credit Union create IT efficiencies, improve recovery strategies and tighten security and controls. During 2014, there was a common theme among those Credit Unions that had undergone an NCUA IT Examination – Information Security Program (ISP) compliance. And while I’m sure this doesn’t come as a shock to anyone in light of the year’s major data security breaches, what was shocking was the lack of an organized approach, and of tools, for putting a Credit Union information security program in place. We’ve compiled a list of ISP related resources to help you get started!
Sometime in 2006, NCUA published this guideline to assist Credit Unions in the development of their ISP. Specific care was taken to differentiate between IT security guidelines and Privacy rules. Of all the DORs I saw this year, the lack of a formal ISP supported by tangible, measurable implementation efforts was by far the most common. Sure, most Credit Unions had an ISP policy statement, but when the examiners looked for evidence, many fell short. This guideline deals specifically with identifying and controlling risks to information and information systems. So what was missing? You can’t protect what you don’t inventory! Failing to perform an inventory of your member information touch points makes it unlikely that you will adequately protect against all threats. Get started on the inventory ASAP!
For anyone who has ever wanted a cheat sheet prior to a test – this is your chance! Based on the actual questions that NCUA would expect to cover with you during an exam, this downloadable spreadsheet gives you the opportunity to prepare and assess your own level of preparedness any time you choose. Download it today and begin the walkthrough process with your team. And it’s hard to overlook – Part 748 (Member Information Security) is right on top!
As an ex-VP/IT for a large CU, I can share that if you have not familiarized yourself with the FFIEC (Federal Financial Institutions Examination Council) IT Handbook (the whole thing – not just Information Security) by now, it is not too late! This InfoBase, while written for field examiners, is a veritable gold mine for any CIO in the Credit Union industry. Best practices covering IT risk assessment and security controls and monitoring are covered in depth. As we begin our second series of FFIEC related posts, we will cover the Information Security section in depth. Look for these posts starting this week! You can find our first FFIEC eBook here.
- Security Process
- Information Security Risk Assessment
- Information Security Strategy
- Security Controls Implementation
- Security Monitoring
- Security Process Monitoring and Updating
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: Laws, Regulations, and Guidance
Compliance is one thing – actual protection against attacks and threats is another. The SANS Institute recognized the need to provide a list of high-value action items organizations could take to protect themselves against threats. These controls provide the foundation needed for a solid Credit Union information security strategy:
- 1: Inventory of Authorized and Unauthorized Devices
- 2: Inventory of Authorized and Unauthorized Software
- 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- 4: Continuous Vulnerability Assessment and Remediation
- 5: Malware Defenses
- 6: Application Software Security
- 7: Wireless Access Control
- 8: Data Recovery Capability
- 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- 11: Limitation and Control of Network Ports, Protocols, and Services
- 12: Controlled Use of Administrative Privileges
- 13: Boundary Defense
- 14: Maintenance, Monitoring, and Analysis of Audit Logs
- 15: Controlled Access Based on the Need to Know
- 16: Account Monitoring and Control
- 17: Data Protection
- 18: Incident Response and Management
- 19: Secure Network Engineering
- 20: Penetration Tests and Red Team Exercises
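Controls 1 and 2 are where the "you can't protect what you don't inventory" point above becomes measurable: the asset register has to be checked against what is actually on the wire, not just written down. The script below is an added illustration of that reconciliation and is not code from Ongoing Operations, NCUA or SANS. The authorized inventory and the DHCP-lease style observations are constructed sample data; in practice the inventory would come from the asset register and the observations from DHCP lease or switch MAC-table exports.

```python
"""Reconcile an authorized device inventory against devices observed on the network
(SANS Critical Control 1: Inventory of Authorized and Unauthorized Devices).

Added example. All device records below are constructed sample data, not output
from any real credit union network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str
    owner: str  # department responsible for the asset (needed for follow-up)


def normalize_mac(mac):
    """Canonical lower-case colon form so 'AA-BB-CC-DD-EE-FF' and 'aabbccddeeff' compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed authorized inventory: what the asset register says should be present.
AUTHORIZED = [
    Device("00:1a:2b:3c:4d:01", "teller-ws-01", "Branch Ops"),
    Device("00:1a:2b:3c:4d:02", "teller-ws-02", "Branch Ops"),
    Device("00:1a:2b:3c:4d:10", "core-db-01", "IT"),
    Device("00:1a:2b:3c:4d:11", "backup-01", "IT"),
]

# Constructed observations in DHCP-lease style: (mac, ip, client-reported hostname).
OBSERVED = [
    ("00-1A-2B-3C-4D-01", "10.10.1.21", "TELLER-WS-01"),
    ("00-1A-2B-3C-4D-02", "10.10.1.22", "TELLER-WS-02"),
    ("00-1A-2B-3C-4D-10", "10.10.2.10", "core-db-01"),
    ("DE-AD-BE-EF-00-01", "10.10.1.77", "android-7f3a"),  # not in inventory
    ("00-1A-2B-3C-4D-99", "10.10.3.5", "printer-lobby"),  # not in inventory
]


def reconcile(authorized, observed):
    """Return (unauthorized, missing).

    unauthorized: (mac, ip, hostname) tuples seen on the network but absent from the inventory.
    missing:      inventory hostnames that were not observed at all.
    """
    inventory = {normalize_mac(d.mac): d for d in authorized}
    seen = {normalize_mac(mac): (ip, hostname) for mac, ip, hostname in observed}
    unauthorized = sorted(
        (mac, ip, hostname) for mac, (ip, hostname) in seen.items() if mac not in inventory
    )
    missing = sorted(d.hostname for mac, d in inventory.items() if mac not in seen)
    return unauthorized, missing


def report(authorized, observed):
    """Human-readable findings, one line per exception, suitable for an exam evidence file."""
    unauthorized, missing = reconcile(authorized, observed)
    lines = []
    for mac, ip, hostname in unauthorized:
        lines.append(f"UNAUTHORIZED {mac} {ip} {hostname} - investigate, then remove or add to inventory")
    for hostname in missing:
        lines.append(f"MISSING      {hostname} - in inventory but not observed; confirm it is off or decommissioned")
    return lines


if __name__ == "__main__":
    print("\n".join(report(AUTHORIZED, OBSERVED)))
```

Both output categories matter to an examiner: unauthorized devices show the boundary of what the ISP actually covers, and inventory entries that never appear on the network are the stale records that make the register untrustworthy. Running this on a schedule and keeping the dated reports is the kind of tangible, measurable evidence the DORs above were asking for.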
Another high-value guide comes from the National Institute of Standards and Technology (NIST) – the agency responsible for developing policies and guidelines, including minimum requirements, for providing adequate information security for all federal agency operations and assets. Highly technical in nature, the guide provides solid details on ISP testing and assessment.
With so many “sources of authority”, it isn’t shocking that Credit Unions find it difficult to organize and manage their IT infrastructures. Ongoing Operations has both the expertise and the tools to help. Reach out today to talk to one of our engineers!