FAQ


Q1. What is required of Management?

Management is required to develop, implement, and maintain the Information Security Program. Management is also required to report the effectiveness of the Information Security Program to the Board of Directors at least annually.

Q2. Is the Board of Directors required to be involved in the Information Security Program? If so, what is the Board’s role?

The Board of Directors plays a crucial role. The Board is responsible for approving the Credit Union’s Information Security Program and for overseeing its development, implementation, and maintenance. The NCUA also holds the Board responsible for delegating implementation of the program.

Q3. How do we get started?

Identify the policies, standards & procedures, and practices that have been established at your Credit Union. Use what you are already doing and build upon that to develop an Information Security Program that meets regulatory requirements and industry best practices.

Q4. We have a firewall, isn’t that all we need?

A properly configured firewall is a vital component of a comprehensive Information Security Program. If, however, you rely solely on your firewall or any other single security product to protect member information, that information may still be vulnerable to compromise.

Q5. What if all my services are hosted off-site? Isn’t it the vendor’s responsibility to protect our member information?

You may entrust information processing, maintenance, and storage to a Third Party, but the Regulation requires Credit Unions to retain responsibility for protecting their members’ information. Credit Unions should perform sufficient due diligence to ensure that the Third Party Service Provider’s security is adequate to protect member information.

Q6. What must Credit Unions do to comply with the new Regulations for Safeguarding Member Information?

Credit Unions must develop, implement, and maintain a comprehensive Information Security Program that addresses each element of the Regulations to be in compliance.

Q7. What are the Guidelines for Safeguarding Member Information?

On November 12, 1999 President Bill Clinton signed the Gramm-Leach-Bliley Act into law. Section 501, Protection of Nonpublic Personal Information, requires the NCUA to establish appropriate standards relating to the administrative, technical, and physical safeguards for member information. In response, the NCUA modified its security regulation (12 CFR Part 748.0) to require Credit Unions to protect member information. The NCUA published these Guidelines within Appendix A of the regulation. The NCUA will also be establishing Appendix B to the regulation; this portion of the Guidelines will address the standards Credit Unions should establish for responding to intrusions and notifying members.

Q8. We are a small Credit Union with limited resources, how can we obtain help without breaking our budget?

Call CastleGarde. Our staff has the capability, knowledge, and one hundred plus years of combined experience to help your Credit Union develop, implement, and maintain an Information Security Program that will exceed the requirements of the Regulations without costing the Credit Union a fortune.

Q9. Our Credit Union is not connected to the Internet, so we don’t have to worry about this, right?

While a connection to the Internet increases the risk to the security and integrity of your member information, the Regulations still require appropriate protection of member information regardless of its form, its media, or whether it is ever exposed to the Internet.

Q10. Our Credit Union has a privacy policy, aren’t we in compliance with the new regulations?

Not necessarily. Privacy policies generally don’t provide the level of protection for member information required by the Regulations. Effective information security is a process, not a product. A complete Information Security Program encompasses administrative, physical, and technical components.

Q11. How often are Credit Unions required to assess their Information Security Program?

The Regulations require management to report the effectiveness of the Information Security Program to the Board of Directors at least annually. A risk assessment should be included in that report, and thus performed at least annually. Additional assessments should be scheduled according to the Credit Union’s needs and the results of its most recent assessment.

Q12. Does the Credit Union have to buy a lot of expensive hardware and software to meet the requirements of the Regulations?

Not necessarily. Some investment may be required, but it need not be excessive. The key is to perform an information security assessment and use the results to determine what is appropriate for your Credit Union.

Q13. Can Credit Unions perform their own risk assessments?

Although many Credit Unions may find it cost-prohibitive to hire the expertise needed to perform a thorough risk assessment, we have found that some large Credit Unions have allocated the resources to perform their own. Keep in mind that the required tests serve an audit function, so the personnel who execute these tests should be independent of those who maintain the information systems.