Solved

Credit Union Supervisory Committee Question for CIO

Posted on 2013-12-12
5
57 Views
Last Modified: 2015-03-19
This may be way off topic for this site but here it goes.  I am on a supervisory committee for a credit union and we have our annual questionnaire to pose to management.  We would like a overview from the CIO as to what safeguards are in place to protect members data.  What questions should be asked and how should the question be written?  The majority of the committee members are not tech savvy, so the answer we would be looking for is more of an overview of what is in place to secure the data.  Any help with this would be greatly appreciated.
0
Comment
Question by:brisma
5 Comments
 
LVL 9

Expert Comment

by:tsaico
ID: 39715461
Some of the most common ones I see, in no particular order,
1. Do all desktops have real-time AV on them?
2. How are these AV applications updated?  Manually, automatic, scheduled?
3. Is the backup solution encrypted, is this vendor listed on the Approved vendor list?
   -if not, then describe the process in which is is protected from unauthorized use?
4. Is there 3rd party remote control software in use
5. are their wireless access points in use
6. Describe the process used to decommission office equipment at the end of it useful life?
7. Are end users allowed to use USB or other removable media?
  -If yes, how is this controlled/audited?
8. What process/steps/audit trail is in place to prove the above is being adhered to?
   - IE is there a IT asset log, AV reports, IT destruction log, etc.
0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 39715538
There are 'official' standards for IT security for financial institutions and the Payment Card Industry Data Security Standards (PCI-DSS).  Here's the site for PCI-DSS: https://www.pcisecuritystandards.org/  I'm sure there is another one (or more) for banks and credit unions.  There are also extensive accounting standards that they have to meet.

Note that to maintain 'accreditation', credit unions and banks have to pass at least quarterly scans and audits to maintain their insurance if nothing else.  You might ask if those reports are available or at least information about them.
0
 

Assisted Solution

by:brisma
brisma earned 0 total points
ID: 39717655
Thanx for the suggestions.  I am familiar with PCI-DSS.  I think the questions posed are good ones by tsaico.  I am trying to keep the questions and answers on a laymen's level as other committee members are not technically savvy.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question