LAS VEGAS (12/8/15)--High-tech processes to keep information secure are often undone by the human element. Behaviors and corporate practices can put members’ information at risk, attendees at the CUNA Supervisory Committee and Internal Audit Conference in Las Vegas heard Monday.
Supervisory committee members have an inherent responsibility to ensure proper information security measures are in place, said Josh Witt of Two Mile Consulting.
Employees and members should abide by operational guidelines and best practices to keep credit union information secure. There’s more to it than just written policies--everyone has to promote “what right looks like.”
To do so, they can't take short cuts that don’t protect electronic data, safeguard passwords or keep computers secure. Security starts with people--processes and technological solutions are layered on top of that, Witt noted during “Diving into the Deep End with Information Security.”
Tools, automated programs and high technology are no match for a security lapse made, often innocently, by untrained people.
Information technology (IT) security starts with knowing the nature of threats and risks, advised Ron Hulshizer, managing director of BKD LLP.
Employee and management training and member awareness are key to identifying attacks and being aware of security risks. A third-party review provides an external independent view of the organization, and an organization should self-assess to determine its security posture, he said.
A recent tool made available to credit unions is the Federal Financial Institutions Examination Council's (FFIEC) cybersecurity assessment tool. Hulshizer said the supervisory committee should make sure it knows the results of this self-assessment before the examiners come into the credit union.
A credit union’s best practices for IT security include:
See more News Now coverage of the CUNA Supervisory Committee and Internal Audit Conference: Internal, external fraud lurks in every corner; and Keeping CUs on right track by defining what is ‘right'.
Register here for next year's conference, set for Dec. 4-7 in Las Vegas.