Bulletin No. 2005-06-CU
In the matter of Information Security Program
Issued and entered this 10th day of June 2005
By Linda A. Watters, Commissioner
This bulletin is to advise credit union officials that all federally-insured credit unions are required to adopt a comprehensive information security program. The requirement is a result of the Section 501(b) of the Gramm-Leach-Bliley Act, signed into law on November 12, 1999, which impacts the existing regulations governing security programs in federally-insured credit unions. Specifically, paragraph (b) of 748.0 of the National Credit Union Administration (NCUA) Rules and Regulations, 12 CFR 748.0, includes security concerns of member information relating to the emerging electronic marketplace. Member information includes any records, data, files, or other information about a member containing nonpublic personal information. This includes records in paper, electronic, or any other form that are within the control of a credit union or that are maintained by any service provider on behalf of a credit union.
Many credit unions have documented information security plans; however, examinations reveal that the plans are not maintained, do not address certain aspects of information security, and are not reviewed or approved by the credit union board on a recurring basis.
- Guidelines for a comprehensive information security program must include:
- Identification and assessment of risks that may threaten member information
- Development of the written plan containing policies and procedures to manage and control the risks identified
- Implementation and testing of the plan
- Adjusting the plan on a continuing basis to account for changes in technology, the sensitivity of member information, and internal or external threats to information security
Objectives for a comprehensive information security program must include establishing appropriate measures to ensure the security and confidentiality of member information, to protect against any anticipated threats or hazards to the security or integrity of such information, and to protect against unauthorized access to or use of member information that could either: (1) result in substantial harm or inconvenience to any member; or (2) present a safety and soundness risk to the credit union.
The Board of Directors must oversee the development, implementation, and maintenance of the information security program, including regular review of management reports. The Board of Directors must also approve the written information security policy and plan.
Management's responsibilities include performing an ongoing assessment of changes in technology and the impact on the credit union. Management must also evaluate the impact on the security plan of changing business arrangements (e.g. alliances, joint ventures, or outsourcing arrangements), and changes to member information systems. Management must document compliance with guidelines and keep the Board of Directors informed on the current status of the information security program.
Emerging information processing technologies have created new risk and control issues for credit unions. Written policies, procedures, and standards provide the basis for establishing and maintaining proper control over member information. All Michigan state-chartered credit unions were required to have a comprehensive information security program in place by July 1, 2001. 12 CFR 748, Appendix A.
A comprehensive information security program must include written policies and procedures on each of the following subjects:
- Access rights to member information
- Access controls on member information systems, including controls to authenticate and grant access only to authorized individuals and companies
- Access restrictions at locations containing member information, such as buildings, computer facilities, and records storage facilities
- Encryption of electronic member information while in transit or in storage on networks or systems to which unauthorized individuals may have access
- Procedures to confirm that member information system modifications are consistent with the credit union's information security plan
- Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to member information
- Contract provisions and oversight mechanisms to protect the security of member information maintained or processed by service providers
- Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems
- Response programs that specify actions to be taken when unauthorized access to member information is suspected or detected
- Protection against destruction of member information due to potential physical hazards, such as fire and water damage
- Response programs to preserve the integrity and security of member information in the event of computer or other technological failure, including, where appropriate, reconstruction of lost or damaged member information
Any questions regarding this bulletin should be directed to:
Office of Financial and Insurance Services
Credit Union Division
611 West Ottawa Street
P.O. Box 30220
Lansing, Michigan 48909-7720
Phone: (517) 373-6930
Toll Free: (877) 999-6442
Signed: Linda A. Watters
Commissioner of Financial and Insurance Services