Information and Data Security Flashcards
What must be addressed in the written information security program?
When must it be updated?
Written information security program requires:
Ensure the security and confidentiality of member information
Protect against any anticipated threats or hazards to the security and integrity of that information
Protect against unauthorized access to or use of that information that could result in substantial harm or inconvenience to any member
Ensure proper disposal and destruction of member information
FOCUS ON HARM TO THE MEMBER
Timing: review and report to the board at least annually, and adjust the program whenever a material change in technology, threats, business arrangements or the sensitivity of member information warrants it
What does NCUA require from CUs in the event of a catastrophic act?
How should a credit union certify compliance with NCUA’s security program requirements?
§ 748.1 Filing of reports. (a) The president or managing official of each federally insured credit union must certify compliance with the requirements of this part in its Credit Union Profile annually through NCUA's online information management system.
What is the role of the CUs board in the information security program?
What is their role with regard to IT oversight?
At the outset, the board, or an appropriate committee of the board, should approve the written information security program.
Thereafter, the board or appropriate committee must oversee the implementation and maintenance of the program.
These duties include assigning specific responsibility for implementing the program and reviewing reports prepared by management.
What must be addressed in the response program for unauthorized access to member information?
When does the response program apply?
Is member notice required?
If so, what must be included in the notice?
Response program must:
Assess the nature and scope of the incident
Identify what member information systems and types of member information have been accessed or misused
Contain and control the incident to prevent further unauthorized access to or use of member information
Preserve records and evidence
File a SAR where required
Notify the regulator (appropriate NCUA Regional Director, and state supervisor for state-chartered CUs)
Timeline:
1. Investigation
2. Standard for notice: notify affected members when the CU determines that misuse of their information has occurred or is reasonably possible
3. Timing of the notice: notify as soon as possible, unless an appropriate law enforcement agency requests a delay
*Review state requirements
Member notice must include:
1. A description of the incident in general terms and the type of member information compromised
2. Steps the CU is taking to protect members from further unauthorized access
3. Steps members can take to protect themselves from harm
4. Information on FTC guidance regarding steps a member can take to protect against identity theft
When must a CU report a cyber incident to NCUA?
What information must be reported?
CU must report no later than 72 hours after it reasonably believes that a reportable cyber incident has occurred, or after being notified by a third party, whichever is sooner.
CU must report:
1. Which services were impacted
2. Whether sensitive data or member information was compromised
See the NCUA Letter to Credit Unions on cyber incident notification
Are IT audits required?
What is necessary for an IT audit to be valid?
What is the structure and purpose of the FFIEC Cybersecurity Assessment Tool?
The FFIEC Cybersecurity Assessment Tool has two parts. First, the Inherent Risk Profile asks about the institution's technologies, delivery channels, products and services, organizational characteristics and external threats, and rates inherent cyber risk from Least to Most. Second, the Cybersecurity Maturity assessment asks declarative questions across five domains (Cyber Risk Management and Oversight; Threat Intelligence and Collaboration; Cybersecurity Controls; External Dependency Management; Cyber Incident Management and Resilience) and rates maturity in each from Baseline to Evolving, Intermediate, Advanced and Innovative. Its purpose is to let management compare maturity against inherent risk, identify gaps, and track improvement over time; the tool and its guidance are published as PDFs.
Info and Data Security Program requirements
Must be risk based (assess reasonably foreseeable threats and the sensitivity of the information, then select controls to match)
Authentication procedures and access limited to authorized individuals
Clean desk policies and secure storage
Encrypting electronic member information while in transit and while stored on networks or systems that unauthorized individuals may be able to access