Network | Access avenue to core processing system and data stored on the network via other applications running on network or stored on network | L | The Credit Union has installed an ASA 5510 (firewall). Testing by external auditors has determined security from an outside internet-based attack to be very good. An intrusion detection system has been implemented at the network edge to track & prevent unauthorized network access. | Board of Directors and Information & Technology Committee. | All switches were found to have account password in the 12/19/08(03/30/2013) audit by Northeastern Information Tech. Systems. There is no external access allowed via the firewall; outbound access is also restricted. | LOW | 1
Ancillary Systems (Loan Processing, Imaging, Optical, etc). | Improper access to non public customer information and account information | L | The door to the server/switch room is locked and the key is secured with the CEO. Security camera in the stairwell to the basement. Doors are locked for rooms which contain sensitive member information. | Board of Directors and Information & Technology Committee. | No physical security issues were found in the 12/19/08(03/30/2013) audit by Northeastern Information Tech. Systems. | LOW | 1
Personal Computers (including applications, such as Word, Excel, Etc.) | Access avenue to data or applications containing customer information which is loaded or stored on the individual personal computer. | L | FCFCU requires unique, complex passwords for both the Windows network and the USERS(FISERV) network. | Board of Directors and Information & Technology Committee. | The Password Protection Policy is part of the comprehensive Security Program. | LOW | 1
Disaster Recovery/ Business Continuity | Loss of customer information or loss of security measures through power outages, etc. | L | USERS(FISERV) hosts our sensitive member information systems. There is a hot site established. Annual disaster tests are conducted. | Board of Directors and Information & Technology Committee. | APC Backups Pro are installed on all FCFCU critical systems. Back up strategy is in place; data restore test is performed regularly. | LOW | 1
Intranet Email | Sharing customer information with unauthorized employees | L | User access is limited to only the data they use. All data is re-directed to the server. No business data is left on workstations. | Board of Directors and Information & Technology Committee. | Internet Usage Policy & Electronic Mail Policy are parts of the comprehensive Security Program. | LOW | 1
Information Security Risk Assessment
Fulton County Federal Credit Union
Date 5/23/2013, 5/1/2012, 5/25/11; 4/28/10; 3/25/2009
External
Internet Banking | Access to customer information and transactions and external transfer of customer funds via Bill Pay. | L | Controls to mitigate risk include: SAS 70 report is reviewed for processor's internal controls; user considerations are addressed; service provider has vulnerability and penetration tests performed and results are shared with the institution; institution has implemented customer identification methodologies; user name and password are required for customer access; customers are required to change passwords; customers are not able to open initial online access without institution initiation; customer transactions and information are transferred to service provider via a secured transmission. | Board of Directors and Information & Technology Committee. | Hosted by USERS(FISERV). Online Resources Bill Pay service Provider(FISERV CheckFree). PCU Access Policy is part of the comprehensive Security Program. | LOW | 1
Web Site | Site data could be maliciously modified; customer information transferred via the web site could be improperly intercepted. | L | Website is hosted by Empire Web Pages(SMARTT Software LLC - info@smarttsoftwarellc.com); service provider's security policies meet or exceed institution's. | Board of Directors and Information & Technology Committee. | Hosted by Empire Web Pages. Online Resources Bill Pay service Provider(Fiserv CheckFree). PCU Access Policy is part of the comprehensive Security Program. | LOW | 1
Telephonic Banking (IVR) | Obtaining access to various account information. | L | Audio response system hosted by Maxxar interface with USERS(FISERV). Maxxar unit has been disconnected from the inside network; ACLs were set up in the firewall to permit Maxxar access to the internet but prohibit access to the inside network. | Board of Directors and Information & Technology Committee. | Updates to the Maxxar TNT Audio Response system are deployed in a timely manner. CornerStone telephone company is a qualified outside service provider. | LOW | 1
Internal Internet Usage & Email | Access to customer information by attacks from outside individuals via "hacking" or viruses; Misappropriation of customer information by internal employees over the internet | L | Employees have signed the institution's internet usage policy, which has been approved by the board of directors; Internet usage is monitored; As noted above - firewall is properly configured for internet usage; filters in place; vulnerability and penetration tests have been performed. Virus protection is running continuously and updated regularly; employees sign institution's email policy detailing customer information sharing policies; external email which contains customer information is encrypted and password protected; emails are periodically monitored. | Board of Directors and Information & Technology Committee. | Internet Usage Policy & Electronic Mail Policy are part of FCFCU's comprehensive Security Program. | LOW | 1
Credit Reporting | Improper access to credit reporting systems, which would include access to nonpublic customer information, could result in damaging customer credit and reputation. | L | Access to credit reporting agencies is restricted to authorized individuals; credit bureau's privacy policies meet or exceed institution's policies; secondary review process ensures accuracy of reported information. | Board of Directors and Information & Technology Committee. | Access controls are placed on all levels of authorization through the CRAs. | LOW | 1