In the matter of Information Security Program
Issued and entered this 10th day of June 2005
By Linda A. Watters, Commissioner
This bulletin is to advise credit union officials that all federally-insured credit unions are required to adopt a comprehensive information security program. The requirement is a result of Section 501(b) of the Gramm-Leach-Bliley Act, signed into law on November 12, 1999, which impacts the existing regulations governing security programs in federally-insured credit unions. Specifically, paragraph (b) of 748.0 of the National Credit Union Administration (NCUA) Rules and Regulations, 12 CFR 748.0, includes security concerns of member information relating to the emerging electronic marketplace. Member information includes any records, data, files, or other information about a member containing nonpublic personal information. This includes records in paper, electronic, or any other form that are within the control of a credit union or that are maintained by any service provider on behalf of a credit union.

Many credit unions have documented information security plans; however, examinations reveal that the plans are not maintained, do not address certain aspects of information security, and are not reviewed or approved by the credit union board on a recurring basis.
Guidelines

Guidelines for a comprehensive information security program must include:

• Identification and assessment of risks that may threaten member information
• Development of the written plan containing policies and procedures to manage and control the risks identified
• Implementation and testing of the plan
• Adjusting the plan on a continuing basis to account for changes in technology, the sensitivity of member information, and internal or external threats to information security
Objectives

Objectives for a comprehensive information security program must include establishing appropriate measures to ensure the security and confidentiality of member information, to protect against any anticipated threats or hazards to the security or integrity of such information, and to protect against unauthorized access to or use of member information that could either: (1) result in substantial harm or inconvenience to any member; or (2) present a safety and soundness risk to the credit union.
Responsibility

The Board of Directors must oversee the development, implementation, and maintenance of the information security program, including regular review of management reports. The Board of Directors must also approve the written information security policy and plan.

Management's responsibilities include performing an ongoing assessment of changes in technology and the impact on the credit union. Management must also evaluate the impact on the security plan of changing business arrangements (e.g., alliances, joint ventures, or outsourcing arrangements) and changes to member information systems. Management must document compliance with guidelines and keep the Board of Directors informed on the current status of the information security program.
Conclusion

Emerging information processing technologies have created new risk and control issues for credit unions. Written policies, procedures, and standards provide the basis for establishing and maintaining proper control over member information. All Michigan state-chartered credit unions were required to have a comprehensive information security program in place by July 1, 2001 (12 CFR 748, Appendix A).
A comprehensive information security program must include written policies and procedures on each of the following subjects:

a. Access rights to member information
b. Access controls on member information systems, including controls to authenticate and grant access only to authorized individuals and companies
c. Access restrictions at locations containing member information, such as buildings, computer facilities, and records storage facilities
d. Encryption of electronic member information while in transit or in storage on networks or systems to which unauthorized individuals may have access
e. Procedures to confirm that member information system modifications are consistent with the credit union's information security plan
f. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to member information
g. Contract provisions and oversight mechanisms to protect the security of member information maintained or processed by service providers
h. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems
i. Response programs that specify actions to be taken when unauthorized access to member information is suspected or detected
j. Protection against destruction of member information due to potential physical hazards, such as fire and water damage
k. Response programs to preserve the integrity and security of member information in the event of computer or other technological failure, including, where appropriate, reconstruction of lost or damaged member information
Any questions regarding this bulletin should be directed to:

Office of Financial and Insurance Services
Credit Union Division
611 West Ottawa Street
P.O. Box 30220
Lansing, Michigan 48909-7720
Phone: (517) 373-6930
Toll Free: (877) 999-6442

Signed: Linda A. Watters
Commissioner of Financial and Insurance Services