Checklist: Credit Union Information Security and Privacy Policies

Acceptable Use: Describes the permissible and prohibited uses of the credit union's information resources, including information assets, systems, and networks. Users typically must agree (in writing) to the terms of the Acceptable Use policy before being granted access to the credit union's network. Jurisdiction-specific provisions may be required to comply with foreign law.

Access Control and Password Management: Provides a framework for preventing unauthorized access to information resources by implementing standardized authentication controls. The controls listed in this policy typically include password strength specifications, periodic mandated password changes, two-factor authentication requirements, and prohibitions on sharing authentication credentials, among others.

Background Check: Describes the process the credit union follows when obtaining and reviewing background check material, including consumer reports that may contain criminal and financial records, with regard to prospective and current employees of the credit union.

Backup and Recovery: Sets forth the requirements for the proper copying, storage, and handling of the credit union's electronic records and other information resources.

Bank Secrecy Act/Anti-Money Laundering/OFAC USA Patriot Act Compliance: Sets forth the requirements under the Bank Secrecy Act and other related money laundering regulations.

Change Management: Governs any changes to the credit union's information systems and any software, hardware, or computing devices that connect to any such system.

Children's Online Privacy Protection Act (COPPA) Compliance: Implements the provisions of COPPA, including providing a privacy notice on the credit union's website, a notice to parents regarding the inadvertent collection of a minor's information, and procedures for identifying and deleting such information.

Compliance Audit: Establishes how the credit union will monitor compliance with all applicable laws, regulations, contractual obligations, legal processes, and internal requirements with regard to data security and the security of the credit union's information resources generally.

Contingency Funding Plan: Provides strategies for addressing liquidity shortfalls in emergency situations.
Data Retention and Disposal/Vital Records Preservation Program: Governs the manner in which the credit union stores data, and for how long, including by establishing guidelines and processes for securely destroying data that is no longer needed or is scheduled for disposal. Usually references the credit union's retention schedules, which detail the specific lengths of time for which different categories of records will be retained. Also includes the policy for the credit union's retention of vital records.

Desktop Computer Security: Addresses the processes and procedures the credit union implements to protect its desktop computing resources and related systems from unauthorized access.

Disaster Recovery and Business Continuity: Establishes the credit union's policies and procedures for protecting data and information resources, including communication systems, to help ensure that the credit union will have access to its information in the event of a natural or man-made disaster. Also outlines a plan to continue business operations with minimal impact in the event of disruptions caused by different types of disasters.

Email and Instant Messaging: Defines permitted and prohibited uses of the credit union's email and instant messaging resources.

Encryption and Key Management: Sets forth requirements for the use of encryption techniques to prevent unauthorized disclosure of information resources, including personal data and proprietary information, when such information is transmitted electronically or stored by the credit union.

E-Sign Act: Provides policy and procedures regarding the use of electronic records.

Fair Credit Reporting Act: Provides procedures for implementing and complying with the Fair Credit Reporting Act.

Fiduciary Duties: Provides for the fiduciary duties of the Board of Directors, which include the Board's responsibilities for the credit union's information security program as well as the Vital Records Preservation Program.

Firewall/Router: Establishes the information security requirements for all firewalls and routers deployed on the credit union's external- and internal-facing network interfaces.

Information Assets: Provides a framework to identify and inventory the credit union's information assets, which may include any type of records or data, software, physical assets (e.g., computer equipment), services, and internal know-how. Details how the credit union will respond to, and resolve, any variances with respect to information assets.
Information Classification: Describes the credit union's criteria for classifying the data it collects, generates, processes, and stores, for purposes of assigning the appropriate level of security protection to each class of data.

Information Handling: Defines the requirements for handling and labeling electronic records, hard copy documents, and other media in accordance with how information is classified pursuant to the information classification policy.

Information Security Incident Response: Outlines the processes by which the credit union, with appropriate leadership and technical resources, will act in a consistent manner to respond to an information security incident that threatens the availability, confidentiality, or integrity of the credit union's information assets, systems, or networks.

Information Security Program: Establishes the overall information security program for protecting member information from internal and external threats, including prevention of the destruction of vital records, layered security, member account authentication, multifactor identification of members, and the risk assessment process.

Information Security Program Governance: Establishes the internal management structure within the credit union with respect to information security, and sets forth the requirements for defining, documenting, communicating, and assigning accountability for information security.

Mobile Computing: Sets forth the standards and processes the credit union has established to (1) protect and secure the credit union's information resources from unauthorized access by mobile devices; and (2) reduce the risk of loss or theft of mobile devices connected to the credit union's network.

Monitoring and File Integrity: Identifies the internal control processes in place to monitor and protect the credit union's information resources and infrastructure from intentional and unintentional unauthorized access, use, modification, disclosure, destruction, or other compromise.

Patch Management: Describes how the credit union maintains a consistently configured network environment that is secure against known vulnerabilities in operating systems and software, in pertinent part by requiring that systems be updated promptly and accurately with security protection mechanisms (patches).

Physical and Environmental Controls: Sets forth the standards and processes by which the credit union mitigates risks posed by threats to relevant physical environments, particularly the facilities owned or leased by the credit union that house information technology assets.
Privacy: Provides for the non-disclosure of nonpublic information, the determination of whether nonpublic information will be shared, and the proper delivery of disclosures.

Privilege Management: Describes the varying levels of user access privileges for different types of users of the credit union's network, provides a formal authorization process for granting privileges, and mandates periodic reviews of access to such privileges.

Protection from Malicious Software: Sometimes referred to as an anti-virus policy, this document establishes how the credit union safeguards and controls its information systems and infrastructure through vigilant, continuous monitoring and remediation of viruses, malware, and other software-related vulnerabilities that may impact the credit union's information systems.

Remote Access and Mobile Computing: Provides the framework for the protection of the credit union's information resources from unauthorized remote access to the credit union's network. Describes how the credit union formally reviews and approves remote access connections before any access is granted to the credit union's information technology infrastructure, and how the credit union maintains and monitors the security of remote access connections on an ongoing basis.

Removable Media: Establishes standards and processes to protect the credit union's data, systems, and other information resources from unauthorized access through the use of removable media devices such as USB thumb drives, memory sticks, external hard drives, MP3 players, CD-R/RW devices, and DVD-R/RW devices.

Security Audit: Dictates how the credit union implements systematic evaluation processes to (1) analyze the security of its information systems; and (2) measure how well the credit union complies with established criteria.

Security Awareness and Training: Outlines the ways in which all authorized users of the credit union's information systems and networks are made aware of policies regarding the classification of, access to, and appropriate use of the credit union's information resources.

Selection, Retention, and Evaluation of Service Providers: Provides criteria for evaluating the privacy and information security posture of potential third-party service providers, establishes specific terms concerning privacy and information security that must be included in service provider agreements, and describes how the credit union monitors its service providers' compliance with the relevant contract terms and applicable legal requirements.
Software Installation/Download: Sets forth how the credit union minimizes the risk of malicious code infecting its information systems by controlling how software is downloaded and installed on network devices. This policy is typically directed towards departments that evaluate, test, or install new tools and facilities.

System Assurance and Risk Assessment: Establishes standards for the continuous monitoring of information security processes and controls, and describes how the credit union conducts internal risk assessments (and engages third parties to perform risk assessments) to verify that the mechanisms in place to protect the credit union's information resources are operating effectively.

Third Party Connectivity Management: Dictates the credit union's requirements for reviewing and approving electronic or technical connections between the credit union and third parties that require access to the credit union's systems, before any third-party devices are permitted to connect to the system.

Vulnerability Management: Defines the level of security the credit union is to maintain over its information resources and network, sets guidelines for vulnerability management practices, classifies various types of credit union-specific vulnerabilities, and mandates periodic scans of the network for vulnerabilities.

Website: Sets forth written policies or procedures addressing the implementation and ongoing management of the credit union's website.

Wireless: Sets security control requirements for the implementation and use of wireless devices and wireless networks used by the credit union and its employees.

Workforce Security Responsibilities: Establishes which departments, groups, and individuals within the credit union are responsible for specific information security safeguards, and describes how the credit union verifies that only appropriately trained and vetted parties have access to systems or processes that may create information security risks for the credit union.

PRIVACY POLICIES

Privacy Governance: Establishes the governance structure for the credit union's privacy program and outlines the requirements for defining, documenting, updating, communicating, and assigning accountability for the credit union's privacy policies and procedures.

Member Notice: Sets forth the requirements for providing appropriate notice to members regarding the credit union's privacy policy and practices with respect to the collection and use of members' personal information.
Member Information Collection: Describes the circumstances under which, and the means by which, the credit union collects members' personal information, and identifies situations in which the credit union must provide notice and obtain consent from members before collecting such personal information.

Member Consent and Preferences: Identifies the requirements for obtaining and managing member consent and preferences with regard to the collection, use, disclosure, or any other processing of their personal information.

Member Access and Amendment (Canada / EU): Describes how the credit union provides access to, and allows for amendment of, members' personal information that is processed in, or which originates from, Canada or the European Union.

Member Personal Information Integrity: Details the steps the credit union takes to keep members' personal information accurate, complete, and current, and describes how the credit union amends inaccurate personal information of any member who so requests.

Member Inquiries and Complaints: Establishes the process by which the credit union manages member complaints and inquiries regarding its policies for collecting, storing, and processing members' personal information.

Privacy Violations: Mandates the reporting of violations of the credit union's privacy policies and any applicable privacy laws or regulations, and details the sanctions that may be imposed for such violations.