
Credit Union Supervisory Committee Question for CIO

This may be way off topic for this site, but here it goes. I am on a supervisory committee for a credit union, and we have our annual questionnaire to pose to management. We would like an overview from the CIO as to what safeguards are in place to protect members' data. What questions should be asked, and how should the questions be written? The majority of the committee members are not tech savvy, so the answer we would be looking for is more of an overview of what is in place to secure the data. Any help with this would be greatly appreciated.
Asked by: brisma
2 Solutions
tsaico commented:
Some of the most common ones I see, in no particular order:
1. Do all desktops have real-time AV on them?
2. How are these AV applications updated? Manually, automatically, scheduled?
3. Is the backup solution encrypted? Is this vendor listed on the approved vendor list?
   - If not, then describe the process by which it is protected from unauthorized use.
4. Is there 3rd-party remote control software in use?
5. Are there wireless access points in use?
6. Describe the process used to decommission office equipment at the end of its useful life.
7. Are end users allowed to use USB or other removable media?
   - If yes, how is this controlled/audited?
8. What process/steps/audit trail is in place to prove the above is being adhered to?
   - i.e., is there an IT asset log, AV reports, IT destruction log, etc.?
Dave Baldwin (Fixer of Problems) commented:
There are 'official' standards for IT security for financial institutions, and the Payment Card Industry Data Security Standard (PCI-DSS). Here's the site for PCI-DSS: https://www.pcisecuritystandards.org/ I'm sure there is another one (or more) for banks and credit unions. There are also extensive accounting standards that they have to meet.

Note that to maintain 'accreditation', credit unions and banks have to pass at least quarterly scans and audits to maintain their insurance if nothing else.  You might ask if those reports are available or at least information about them.
brisma (author) commented:
Thanks for the suggestions. I am familiar with PCI-DSS. I think the questions posed by tsaico are good ones. I am trying to keep the questions and answers on a layman's level, as other committee members are not technically savvy.