Information Security Program (ISP)
Q1. What is required of the credit union’s board of directors when implementing an information security program?
The board is responsible for overseeing the credit union’s written information security program. This includes reviewing and approving the information security policy, appointing an information security committee or information security officer, assigning specific responsibility for the development, implementation, and maintenance of the information security program (probably to the information security committee or information security officer), and reviewing reports from management.
Q2. What is required of the information security committee or information security officer?
The information security committee or information security officer is responsible for the development, implementation, and maintenance of an information security program that addresses all elements of the information security policy. The information security committee or information security officer must report to the board at least annually on the effectiveness of the information security program.
Q3. What is required of credit union management?
Management is required to assist in the implementation of the information security program by ensuring that everyone at the credit union understands and complies with the information security standards and procedures.
Q4. How do we get started?
Identify the policies, standards, procedures, and practices that have already been established at your credit union. CastleGarde will help you build upon what you are already doing by expanding and revising as necessary to develop an information security program that meets regulatory requirements.
Q5. We have a firewall, isn’t that all we need?
A properly configured firewall is a vital component of a comprehensive information security program; however, relying solely on your firewall or other security product to protect member information will still leave it vulnerable to compromise.
Q6. What is the difference between cybersecurity and information security and should cybersecurity be included in an information security program?
Cybersecurity is an integral part of an effective information security program. Cybersecurity is aimed at protecting electronic data, programs, networks, systems, and other endpoints (computers, smartphones, tablets, etc.) from unauthorized digital access or attack. Cybersecurity is a crucial component of information security, but information security also covers such things as ensuring documents and electronic data are securely destroyed when no longer needed; ensuring physical security (buildings, data centers, work areas within the building, records and media storage areas, computers, desks, file cabinets, etc.); preventing successful social engineering and phishing scams; emergency preparedness (including maintaining backups of information and systems); and disaster recovery.
Q7. How often are credit unions required to assess their information security program?
NCUA regulations require that the effectiveness of the information security program be reported to the board of directors at least annually. The report to the board should include the credit union’s compliance with the regulations, risk assessment, risk management and control, results of testing, details of attempted and/or actual security breaches or violations and responsive actions taken, the overall status of the information security program, and any recommendations for improvements in the information security program.
Q8. Do we need a separate e-commerce program?
No. In fact, CastleGarde recommends including the e-commerce program as part of the information security program. E-commerce is included as an element of the information security policy, and a chapter on e-commerce is included in the information security standards & procedures document.