“Findings for credit unions with total assets less than €40m noted a common risk issue related to inadequately resourced IT function. Credit unions should have in place effective structures to manage IT related risks that are appropriate for the business model, size and technological complexity of the credit union, as well as the sensitivity and value of information and data assets held. As such, it is important that the IT function is adequately resourced with responsible and accountable individuals “
PRISM Supervisory Commentary 2019 Central Bank of Ireland Page 24
Today I was doing some work with a client in this sector referencing the recent Probability Risk and Impact System reviews, PRISM from the Central Bank of Ireland. Common themes are highlighted regularly in the Central Bank’s review of the credit unions including for Information Technology;
- Asset Register
- Access Control
- Sufficient Resources for IT
Information Technology is an Operational Risk, it is a core enabler of the business function of any institution.
Credit Unions with assets of at least €100m (10 out of the sample of 41 )
- Excessive authorisation and or information level access on databases and servers
- Failure of the credit union maintaining an IT asset register
- Lack of resourced IT.
Credit Unions with assets of at least €40m and less than €100m (11 out of 41)
- Failure to conduct an independent review of IT systems post-implementation of new systems including examples of significant changes to IT systems introduced as part of a merger process where no implementation review was conducted to assess adequacy;
- Failure by credit unions to have an external penetration test conducted; and
- Failure by credit unions to maintain an IT asset register.
Credit Unions with assets less than €40m (6 out of 32)
- Evidence of inadequately resourced IT functions within this classification; and
- Evidence of excessive access/authorisation levels granted to staff on various IT systems, relative to their respective role and responsibilities.
From a risk perspective, these are fundamental risk controls for IT; asset register, access control and resources for IT to function correctly. The knowledge of what you have currently in operation in the building. Who has access to the technology and information and finally understanding on how it is meant to operate from a top level view point. These are key building blocks to information security.
Why create an asset register?
Good asset management can help in a number of ways to manage expenditure and for this an asset register is vital. An asset register is essentially a list of an organisation’s assets and their condition. This helps an organisation to record information pertaining to them; location, function, supplier, purchase date and who is responsible for it. The asset register can feed into an asset management system, either a spreadsheet or computer database. The organisation can plan for replacements more concisely, and it is a record for insurance claims and auditors.
A good asset management strategy can deliver significant performance / service improvements to an organisation and make a credit union’s manager and or risk officer life easier at an operational level. Knowing what is contained within the building is a foundation to manage your operational risk register.
Access control is a level of protection which ensures that a system can only be accessible to authorised personnel. When organisations have confidence their information is secure, they are empowered to use it to accelerate their business. There are several ways of ensuring that your information stays authentic, authorised and accounted for. Access control has two functions, physical access to computer servers and the virtual access to databases and file directories on computers. These include Network Access Control (NAC), Authentication and Remote Access.
Network Access Control
Network Access Control ensures that before a computer can have full access to a network that it has followed the prerequisite requirements and complies with a standard protection level. Once the standard is met the computer can have access to all network resources, as well as the web, according to the policies defined by the NAC. Access to applications that are specifically cleared by the system administrator will only be allowed.
Network access control is an ideal solution to help you optimise the productivity and accessibility of your network without compromising your enterprise security. Today, many attacks come from inside your network, bypassing the security provided by traditional firewalls and IPS systems. Modern threats include:
- Wireless and mobile users
- Rogue devices
- Malware and botnets
Authentication is the process of determining whether someone or something is, in fact, who or what it is claims to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic.
The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten. Internet business and many other transactions require a more stringent authentication process.
Remote access solutions allow users to access the LAN from anywhere in the world via the Internet. This access can be enhanced through a further set of security measures; remote users can get onto their desktops and intranet as though they were in the office. These solutions enable a greater degree of productivity for mobile workers. Remote access has many advantages including: increased productivity, flexibility, collaboration and employee satisfaction and retention.
A VPN is a “Virtual Private Network” or a tunnel through a public network. It allows secure communications across the internet between two endpoints or firewalls.
An SSL VPN (Secure Sockets Layer Virtual Private Network) is a form of VPN that can be used with a standard web browser. In contrast to the traditional IPsec (Internet Protocol Security) VPN, an SSL VPN does not require the installation of specialised client software on end users’ computers.
User Access Control
This refers to the management of user accounts, particularly those with special access privileges, to protect against misuse and unauthorised access. Accounts should be assigned only to authorised individuals and provide the minimum level of access to applications, computers and networks. Failure to implement an effective user access control management policy may expose your applications, computers and networks to risk. It may also lead to employees unwittingly or deliberately accessing and misusing data they shouldn’t be authorised to see.
Adequate Resources for IT
The fast-changing nature of technology and a lack of training resources are two of the biggest factors causing a significant gap in IT skills these days, CompTIA 2012 Report still relevant today
Credit unions are financial institutions, dealing with supply of monetary services to its members, but as above, IT is now a core enabler of business operations. From this, there are skills missing from the resources available within the credit union. These are network security, updating equipment, knowledge shortages and ability to optimise the best use of available IT resources. With this fast pace of change, constant training and education is required for staff to keep abreast of IT applications (office applications, windows or cloud platforms). Let alone have the knowledge of the computer systems
Managing IT is nothing new, we have had computers for past 30 years on our desktops, so we understand the investment we all make in them, the function they perform and now with all the issues on cyber security, the risk that is present with the loss or theft of the hardware or data contained with in. Having knowledge of what is present in the location, who has access to what information contained and the knowledge to maintain and operate them sufficiently is good practice in all terms of management. With out controls and oversight on these risks, it is akin to leaving the door closed but open to later problems that we occur. With out the knowledge of what is there, how it is managed, how can we be certain of what is locked down and safe.