More and more, consumers are choosing smaller institutions, including credit unions, over big banks. That’s why it’s so important to embrace the idea that member information security is more than just a compliance issue. Over the last few quarters, the credit union industry has experienced significant growth in new members. Does your credit union's risk assessment adequately identify the business risks of protecting member information? Here are a few areas to consider.
Information Security Risk Assessment
Every credit union information security officer I’ve worked with has consistently been able to pull a spreadsheet out of a compliance folder; however, when we start talking about the reach and benefits of the assessments, the conversation leads to a wide range of results.
The primary reason for conducting most risk assessments is to comply with regulations. However, a properly developed assessment can provide a lot more value than simply checking off a regulatory audit documentation request, as the compliance requirements reach into the value-add areas of risk assessments as well.
The Gramm-Leach-Bliley Act was signed into law in 1999. Under that act and the NCUA’s interpretation of it, credit unions need to appropriately secure their member information. Key requirements include implementing an information security program and overseeing service provider arrangements; however, the requirement to assess risk should be the first step, because it guides the implementation of these other control areas.
Do you remember the threats affecting your credit union when the first branch opened? For older institutions, securing hard-copy information was probably a bit more top of mind than the red flag non-compliance and online banking phishing threats affecting you today. The standard Confidentiality, Integrity, and Availability categories of threat remain the same; however, as your member information moves around, the specific threats affecting it have evolved to match. In order to properly identify threats, each organization needs to first identify where confidential information is housed, whether it’s in file cabinets, databases, or vendor data centers. Once the valuable member information has been flagged, specific threats can be identified and assessed. As credit unions upgrade to new services like mobile check scanning, the member information storage locations and relative risks will need to be reconsidered as well.
By updating the risk assessment before implementing new services, you can be better prepared to discuss threats and mitigating controls with the new service vendors. Functionality may lead the vendor decision-making process, but not having the appropriate security discussions can lead to costly “one-off” code development projects or the constant stream of regulator findings and resulting vendor support ticket requests for increased security options.
Once threats such as natural disasters causing business outages and hackers breaching firewalls have been identified, IT and Risk Management can formally assess the probability and impact of each threat. To help add some real-world guidance to the hypothetical probability discussions, consider the current quantity of phishing e-mails blocked or the recent trend of thefts in the community. Impacts of each threat should focus on:
- Member impact — Inability to access accounts and identity theft
- Organization impact — Damaged reputation leading to lost business and increased work for employees to complete incident response procedures
- Compliance impact — Fines and additional audits
Formally identifying these higher probability and impact threats should simply confirm the credit union’s existing view of which critical risks to prevent. This will become more evident in the next step of assessing controls, as the credit union hopefully already has more controls in place against the more critical threats.
The most tangible piece of the information security risk assessment is the assessment of implemented controls. Instead of potential risks and hypothetical probabilities, this portion of the risk assessment is an actual inventory list of controls already in place. Key controls identified should include:
- Technical controls such as firewalls, password requirements, and anti-virus
- Physical controls related to overall branch security and specific to the data center
- Procedures, including user access maintenance, software development life cycle, and training
- Policies such as information security, incident response, and business continuity
- Channel-specific, including ATM, online banking, and mobile banking
By mapping controls across each threat, the credit union can identify which threats are being appropriately mitigated and which areas don’t have strong enough controls in place. This heat map should give the credit union comfort in accepting some remaining risks while also providing a targeted list of risks to actively attempt to further mitigate.
Through the identification of the controls, each credit union should also be noting potential areas for improvement. These can be pulled in from past audit findings, consultant recommendations, and new FFIEC/NCUA guidelines posted online. These controls should then either be put on a plan for implementation or accepted as not necessary, largely depending upon the following factors:
- Other mitigating controls already in place
- Applicable risks the new control would further mitigate
- Regulatory requirements and audit recommendations
- Management’s overall risk appetite
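As an added example (not from the original article), the following Python risk register walks through the steps described above: each threat is scored by probability times impact across the member, organization, and compliance dimensions, implemented controls are mapped to the threats they mitigate, and a residual-risk heat map is produced with an accept or mitigate-further decision for each threat, plus a list of threats with no mapped control at all. The 1-to-3 scales, the sample threats and controls, the mitigation fractions and the acceptance threshold are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    probability: int   # assumed scale: 1 (rare) .. 3 (likely)
    impact: dict       # member / organization / compliance, each assumed 1..3

    def inherent_risk(self) -> int:
        # Assumption: the worst impact dimension drives the inherent score.
        return self.probability * max(self.impact.values())

@dataclass
class Control:
    name: str
    category: str      # technical, physical, procedure, policy, channel-specific
    mitigates: dict    # threat name -> fraction of that threat's risk removed (0..1)

def residual_risk(threat, controls):
    # Mapped controls are treated as independent: residual = inherent * prod(1 - reduction)
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.mitigates.get(threat.name, 0.0)
    return round(threat.inherent_risk() * remaining, 2)

def heat_map(threats, controls, accept_below=3.0):
    """Map each threat to (inherent, residual, decision), worst residual first."""
    rows = {}
    for t in threats:
        res = residual_risk(t, controls)
        decision = "accept" if res < accept_below else "mitigate further"
        rows[t.name] = (t.inherent_risk(), res, decision)
    return dict(sorted(rows.items(), key=lambda kv: -kv[1][1]))

def unmitigated(threats, controls):
    """Threats with no control mapped to them at all: the most obvious gaps."""
    covered = {name for c in controls for name in c.mitigates}
    return [t.name for t in threats if t.name not in covered]

# Constructed sample register (assumed values, not real credit union data)
THREATS = [
    Threat("phishing of online banking credentials", 3, {"member": 3, "organization": 2, "compliance": 2}),
    Threat("branch flood outage", 1, {"member": 2, "organization": 3, "compliance": 1}),
    Threat("vendor data center breach", 2, {"member": 3, "organization": 3, "compliance": 3}),
]
CONTROLS = [
    Control("e-mail filtering", "technical", {"phishing of online banking credentials": 0.5}),
    Control("member awareness training", "procedure", {"phishing of online banking credentials": 0.3}),
    Control("business continuity plan", "policy", {"branch flood outage": 0.6}),
]
```

Calling `heat_map(THREATS, CONTROLS)` ranks the unmitigated vendor breach first even though phishing has the higher inherent score, which is the point of assessing controls rather than threats alone.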
Just like a business plan or business continuity plan, an information security risk assessment that is left to gather dust delivers the least value. As threats evolve and the credit union starts providing new services, the risk assessment needs to be modified to reflect these changes. A well-thought-out and periodically updated risk assessment will not only help your organization comply with security regulations, but also:
- Guide vendor security-related due diligence discussions
- Provide risk-related rationale for IT security budget requests
- Identify action plans for additional mitigating controls
Plante Moran provides risk assessment review services as part of our Information Technology General Control and GLBA audits. In addition, we also provide assistance to credit unions in developing and updating their own risk assessments or our template risk assessment. For additional information, please see the risk assessments area of our website.