Risk Assessments for your Credit Union

We assess, matrix, and analyze so your Credit Union can plan and prevent.

schedule your assessment

Your business is only as good as your weakest link.

For your Credit Union to achieve its business goals and expand in a smart and strategic way, your team needs to understand your company’s current status. Our risk assessments are tools for your business to identify the critical areas that need attention. With this information, your Credit Union is better equipped to create an actionable plan to prevent and mitigate any issues or events that could lead to business disruption. As a result, your Credit Union can save millions by assessing and preventing problems before they happen!

Why schedule an assessment?

 

To Keep Up

The world is changing, and so should your security. New security threats emerge constantly, which means your credit union needs to assess and prevent them BEFORE they occur.

To Stay Compliant

The FFIEC/NCUA has standards. Assessing your credit union can keep you on track before there are “findings.”

Here is what an assessment can do for your Credit Union:

  • Identify your Credit Union’s risks before they are exploited.
  • Matrix, analyze, and understand your current and potential vulnerabilities.
  • Understand the risks and likelihood of an issue occurring within your Credit Union.
  • Keep your Credit Union compliant with FFIEC/NCUA standards.
  • Help your Credit Union prevent and mitigate a ransomware attack.
  • In this new age of working from home, ensure all devices are secure.
  • Prepare your Credit Union to migrate to cloud-based services.
  • Ensure your firewall is configured correctly.

Contact us to learn what risk assessments are right for you.

Ongoing Operations Credit Union Assessments

Information Security Assessment

The Ongoing Operations Information Security Assessment provides Credit Union IT Leadership, Executives, and Board members an independent view of the Information Security Program at the credit union. In addition, by assessing the credit union’s controls across twenty domains, the vCISO works with you to find solutions that reduce the scope of your exposure and lessen the overall cost and burden of regulatory compliance. The assessment includes evaluating technical, administrative, and physical controls to ensure that the three tenets of security (Confidentiality, Integrity, and Availability) are maintained.

The assessment is conducted through document review, interviews with staff, and system and control technical reviews. The Credit Union’s controls are assessed against regulations such as GLBA, examination standards and FFIEC/NCUA guidelines, industry standards, and best practices. In addition, the assessment covers areas such as malware protection, incident response, vulnerability mitigation, and training.

Upon completion, the credit union is provided with a comprehensive report that includes an assessment of the credit union’s controls, a detailed gap analysis, and prioritized recommendations for remediation. In addition, the deliverables include a dashboard that provides a visual representation of the credit union’s security posture across the twenty domains and a reference for recommended next-step actions to increase the security posture of the credit union.

Contact us and schedule your
Information Security Assessment today!

Ransomware Readiness Assessment

The Ransomware Readiness Assessment is designed to provide Credit Union IT Leadership, Executives, and Board members insight into the state of controls at their organization that can help prevent business disruption due to a ransomware attack.

Credit Union controls are evaluated in their ability to:

  • Prevent and Mitigate ransomware
  • Detect and Respond to a ransomware attack
  • Recover if a ransomware attack occurs in the environment

The assessment is conducted through document review, interviews with staff, and system and control technical reviews. In addition, the Credit Union’s controls are assessed against recommendations provided by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), as well as industry standards, best practices, and regulatory requirements.

The credit union is provided with a report that provides a dashboard to show the preparedness level visually. In addition, the report includes an assessment of the credit union’s controls, recommended next step actions to increase the security posture, a detailed gap analysis, and prioritized recommendations for remediation.

Contact us and schedule your Ransomware
Risk Assessment today!

Remote Working Comprehensive Security Assessment

The world we live in today has forced many credit unions to create a flexible work environment to support continued operations to serve their members and keep employees safe. Unfortunately, the flexibility of remote work also increases the risk to the credit union network and member data.

Our security team can complete an in-depth evaluation and report of your credit union’s remote work program, covering six key areas:

  • Policy
  • Technical Architecture
  • Security Controls
  • BYOD (Bring Your Own Device)
  • Governance
  • Training

Upon completion of the evaluation, we’ll provide the following deliverables:

  • Detailed gap analysis for each of the six key areas
  • Gap analysis against the NCUA guidance – Cybersecurity Considerations for Remote Work
  • Remediation guidance for all gaps identified in the assessment
  • Prioritized action plan to reduce credit union risk

 

Contact us and schedule your Remote Working
Comprehensive Security Assessment today!

Office 365 Security Assessment

Many credit unions are making the move to cloud services, including Microsoft Office 365. Cloud services allow great flexibility and new abilities to deliver services but introduce new risks to the credit union if they are not configured correctly. Additionally, many of the security tools available through Office 365 require additional configuration to fully realize their benefits.

Therefore, the CISO team will evaluate the credit union’s Office 365 tenant to include:

  • Evaluation against industry-standard baseline best practices
  • Verification of appropriate access controls based on credit union policy.
  • Appropriate Multifactor Authentication (MFA) usage
  • Use of mobile device management tools
  • Configuration of anti-spam, anti-phishing, and anti-malware tools.
  • Configuration of data loss prevention (DLP) and encryption settings.

The credit union is provided with a report that provides a detailed gap assessment against the baseline standard and best practices. In addition, the report will include an action plan with recommended steps and configuration changes to appropriately secure credit union data.

Contact us and schedule your Office 365
Security Assessment today!

Firewall Best Practices and Rule Assessment

Industry best practices and NCUA recommendations dictate that the credit union’s firewall configuration and rules be reviewed periodically. This process can be time-consuming and requires deep knowledge of the firewall and networking concepts. Our CISO team has experts with years of experience across multiple firewall vendors to help you through this process. We will review your firewall configuration to help ensure that your perimeter is secure and that your firewall is configured with best practices.

The firewall assessment looks at areas such as:

  • Appropriate management controls
  • Insecure encryption standards
  • Overly permissive access control list rules
  • Insecure protocols in use
  • Appropriate mitigations for common attacks
  • Remote access VPN configuration

Upon completion, the credit union will be provided with a report containing a gap analysis for deficiencies in the configuration against best security practices and recommended remediation actions to protect the credit union network and member data. The credit union will also be provided with a list of the access control rules provided to auditors and a list of the services allowed into the credit union network from the outside.

Contact us and schedule your Firewall Best
Practices and Rule Assessment today!

Sensitive Information/PII Assessment

Operating a credit union requires the handling of a large amount of sensitive data on a daily basis. Knowing the location and quantity of that data allows the credit union to appropriately set controls to protect the data and ensure that policies are being followed. However, that data can often get stored in locations with permissions that are too permissive or on employees’ local machines, including laptops. Identifying the location of that data can be a significant challenge for IT staff across a distributed environment. The Ongoing Operations CISO team will work with you to determine the location of sensitive information such as social security and credit card numbers stored in clear text format across your devices.

During the assessment, the team will work with you to run a small utility that will locate the data on your devices. The CISO team will provide a report that identifies the location of the sensitive data and the quantity and type of data in the location. We will work with the credit union to identify data that is not stored within credit union policies and then provide prioritized recommended actions for the credit union to protect member data. Subsequent assessments can be run to validate the effectiveness of the implemented controls.

Contact us and schedule your Firewall Best
Practices and Rule Assessment today!

“Ongoing Operations’ CISO as a Service gave us a lot of confidence. Having people with that level of experience and industry insight drastically improved our security posture.”


Christopher Newell

VP of Information Technology
National Institute of Health Federal Credit Union

“Great product and great support.”

It is great to have one system to plan and manage training, perform phishing campaigns and review suspicious emails reported by users. I also appreciate that they are always actively developing their products, adding features, improving workflow, etc.

And every time I have questions their support team is quick to respond and very helpful. I wish they could give lessons to the support teams at other vendors with whom we work.

Mike B

Why Ongoing Operations?

Ongoing Operations is a CUSO (Credit Union Service Organization)

Built BY credit unions FOR credit unions! We do one thing, and that’s Credit Union IT and ONLY credit union IT.

  • We understand credit union and fintech technologies
  • We know the ins and outs of compliance and regulations for credit unions
  • We understand that credit unions have monthly cycles, and we know when you’re closing and when to hold off on making changes
  • We are an advocate for credit unions and are a part of the Credit Union Movement
  • Our focus is on YOU and our mission is to improve the lives of your credit union, your members, and community, through technology

Ready to find out more?

We believe in solving problems NOT selling products.
Let’s discuss custom IT Solutions for you.