A credit union’s backbone is its ability to keep a banking software solution active and to let members access their account(s) online and/or within the credit union. This is a critical aspect of a credit union’s operations. It is thus important that the operational staff, management and Credit Union Board thoroughly assess the risks in managing and overseeing Information Technology.

We recommend doing this through comprehensive use of policies, procedures, processes, checklists, controls and audit programs to ensure all of these aspects are working correctly within their designed control parameters and to address the risks of operating a financial institution. Management should engage independent testing of the key processes with a scope and frequency necessary to monitor these risks, typically on a yearly cycle.

An information security assessment has several steps that outline the credit union’s risks and mitigation controls. These steps should include:

a) Information Technology asset registers. These identify, catalogue and record all assets that are used to create, store or transmit data in the credit union, either electronically or in paper form. This includes hardware (computers, tablets, servers and other electronic devices), software (for example, banking systems, email communication methods, cloud computing assets and normal Microsoft-based office applications) and communication means (WiFi, telephone lines, fax machines). You may also want to consider the storage of hardcopy (paper) records, but this should be covered within your General Data Protection Regulation (GDPR) policies.
Also consider 3rd-party vendors that may store or transmit your data, with authorisation, on your behalf.

b) Cyber security within the credit union, to monitor, identify, protect against and deter specific threats and vulnerabilities to the confidentiality, integrity and accessibility of data and the means to create, store or transmit that data.

c) Understanding of the implications of a data breach by internal or external means within the credit union. This covers risk assessment and mitigation of the likelihood that such a threat could occur and the impact of this threat on the Confidentiality, Integrity, Accessibility and Reputation of the credit union in terms of data storage for its members’ information. Also understand what each risk means in terms of potential data loss and potential vulnerability.

d) Good governance to monitor, review and amend all Information Technology related policies, procedures, processes and controls in the credit union. This includes understanding how they all link together to form the foundation of your Information Security Risk Assessment and the mitigation of risk to data and IT assets.

e) Testing of all of these areas is recommended on a regular basis, with corrective actions for any issues identified implemented based on their threat level and with the approval of the Board and IT providers to the credit union. It is the responsibility of the credit union’s Board to provide oversight of the management of IT risks, whether this is done by volunteer board members, an audit function and/or outsourced to 3rd-party vendors.

The IT Risk Assessment should be the foundation for management and the Board to review the internal controls: policies, procedures, processes and controls. These are used to address specific threats to the IT solution, identify threats, establish controls and solutions to address vulnerabilities and ultimately mitigate risk within the credit union.

Once these corrective actions have been implemented, the Board should review the IT Risk Assessment and implement a continuous risk assessment of their IT solution.