Because of the increasing level of cyber threats to banks and credit unions, the Federal Financial Institutions Examination Council (FFIEC) puts significant demands on IT departments in the form of “guidance.” FFIEC guidelines are very hard to meet without the help of a qualified managed service provider (MSP).
More than just compliance is at stake. Financial institutions face new and innovative competition from non-traditional players such as PayPal or former vendors such as credit card companies. Meeting the challenge to both innovate and protect the customer experience will require the help of informed IT professionals.
By now, most employees are very familiar with regulatory compliance policies. The IT Security regulations are contained within both the Bank Secrecy Act and the collection of US Anti-Money Laundering laws, hence the acronym BSA/AML. The FFIEC conveniently documents the relevant regs in one place commonly referred to as Part 748 Section 353.
The Board of Directors is responsible for IT Security. The Board must approve an IT Security policy and supervise its operation. They delegate the day-to-day IT Security operation to whomever they choose, but as far as the examiners see it, it is the Board who must answer for deficiencies. This fact should elevate the seriousness with which every member of the IT department takes security.
A Policy of IT Security Best Practice
The credit union must develop and strictly adhere to a written and readily available IT Security Policy. The policy will contain specific language about how the institution will:
- protect the “security and confidentiality of member records,”
- protect against the “anticipated” threats or hazards to the integrity of those records,
- respond to and report security breaches,
- provide details helpful in identifying abusers of sensitive data, and
- prevent destruction of vital data.
The policy holds the credit union (and thus its IT department) accountable for methods and timed responses. For example, if the policy states that security breaches will be reported within 24 hours of discovery, then the IT department must be able to provide details about what was affected, how it took place, and what is known about the participants in the event, even if it happened at 3:00 AM, within 24 hours of discovering it. Likewise, if the policy states that bank data will be archived off-site and restored to use within 24 hours should there be a disastrous event, the IT department is responsible for delivering on that promise even if the size of the data files increases exponentially.
Sustainable IT security best practice will help credit unions both compete and comply.
The FFIEC recommends instilling a culture that “contributes to the effectiveness of the IT Security program.” The IT department can do much to raise awareness of the threats to bank security and their mitigation. For example, because phishing continues to be effective for hackers, the IT department should be involved in training employees in responsible or “defensive” email use. They should help employees identify unencrypted web sites even when they are at home or with other family members. They should understand the risks inherent to social media.
Federally insured credit unions are required to regularly perform risk assessments and security audits. This work would include remediation. It would include patch management and updates, firewall monitoring, asset inventory management, and the like. Vulnerability assessments must also be performed. Such work should be done by parties who neither designed the network architecture nor are responsible for maintaining it. This lack of bias will provide assurance to the Board.
The IT Department should play a major role in ensuring the credit union doesn’t bite off more than it can chew in terms of technology. It is left up to the credit union to provide the resources it needs to meet the standard of accountability that a basic IT Security policy defines. However, the scope of work is enormous. It is generally well outside the resources of an understaffed IT department.
Managed services for credit unions can add strategic value. They can help the financial institution to:
- reduce the time and resources needed for routine matters.
- gain access to an unbiased IT professional for independent reviews and audits.
- minimize the costs and risks from IT Security compliance.
DC Plus brings IT performance and compliance to credit unions with regular 1-, 12-, and 18-month security and vulnerability assessments, patch management, managed AV, and firewall with threat management services (content filtering, AV, SSL inspection, etc.) in addition to regular employee security training!