
Information Security Risk Assessment
Fulton County Federal Credit Union
Dates: 5/23/2013, 5/1/2012, 5/25/11, 4/28/10, 3/25/2009

Information Technology and Systems Threats

Columns of the assessment matrix: Description; Risks/Threats; Rating; Prevention/Detection (Data Policies and Procedures to Mitigate and Control Risks); Responsibility; Response/Conclusion; Final Risk Rating.
Internal
Core Processing System (Third Party Processor)
  Risks/Threats: Improper access to non-public customer information and account information.
  Rating: L
  Prevention/Detection: USERS (FISERV) has adopted a risk management program to focus its supervisory activities on the areas that pose significant risk to management processes and to identify, measure, monitor, and control such risks. USERS (FISERV) management uses a risk assessment matrix which summarizes management's risk rating for key objectives within key business areas.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: The SAS 70 report contains an independent third-party opinion of the effectiveness of the DataSafe System's information technology and application controls.
  Final Risk Rating: LOW 1

Network
  Risks/Threats: Access avenue to the core processing system and to data stored on the network via other applications running on or stored on the network.
  Rating: L
  Prevention/Detection: The Credit Union has installed an ASA 5510 (firewall). Testing by external auditors has determined security from an outside internet-based attack to be very good. An intrusion detection system has been implemented at the network edge to track and prevent unauthorized network access.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: All switches were found to have account passwords in the 12/19/08 (03/30/2013) audit by Northeastern Information Tech. Systems. There is no external access allowed via the firewall; outbound access is also restricted.
  Final Risk Rating: LOW 1

Ancillary Systems (Loan Processing, Imaging, Optical, etc.)
  Risks/Threats: Improper access to non-public customer information and account information.
  Rating: L
  Prevention/Detection: The door to the server/switch room is locked and the key is secured with the CEO. A security camera covers the stairwell to the basement. Doors are locked for rooms which contain sensitive member information.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: No physical security issues were found in the 12/19/08 (03/30/2013) audit by Northeastern Information Tech. Systems.
  Final Risk Rating: LOW 1

Personal Computers (including applications such as Word, Excel, etc.)
  Risks/Threats: Access avenue to data or applications containing customer information which is loaded or stored on the individual personal computer.
  Rating: L
  Prevention/Detection: FCFCU requires unique, complex passwords for both the Windows network and the USERS (FISERV) network.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: The Password Protection Policy is part of the comprehensive Security Program.
  Final Risk Rating: LOW 1

Disaster Recovery / Business Continuity
  Risks/Threats: Loss of customer information or loss of security measures through power outages, etc.
  Rating: L
  Prevention/Detection: USERS (FISERV) hosts our sensitive member information systems. A hot site is established. Annual disaster tests are conducted.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: APC Back-UPS Pro units are installed on all FCFCU critical systems. A backup strategy is in place; data restore tests are performed regularly.
  Final Risk Rating: LOW 1

Intranet Email
  Risks/Threats: Sharing customer information with unauthorized employees.
  Rating: L
  Prevention/Detection: User access is limited to only the data they use. All data is redirected to the server; no business data is left on workstations.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: The Internet Usage Policy and Electronic Mail Policy are part of the comprehensive Security Program.
  Final Risk Rating: LOW 1

External
Internet Banking
  Risks/Threats: Access to customer information and transactions, and external transfer of customer funds via Bill Pay.
  Rating: L
  Prevention/Detection: Controls to mitigate risk include: the SAS 70 report is reviewed for the processor's internal controls; user considerations are addressed; the service provider has vulnerability and penetration tests performed and results are shared with the institution; the institution has implemented customer identification methodologies; user name and password are required for customer access; customers are required to change passwords; customers are not able to open initial online access without institution initiation; customer transactions and information are transferred to the service provider via a secured transmission.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: Hosted by USERS (FISERV). Online Resources Bill Pay service provider: FISERV CheckFree. The PCU Access Policy is part of the comprehensive Security Program.
  Final Risk Rating: LOW 1

Web Site
  Risks/Threats: Site data could be maliciously modified; customer information transferred via the web site could be improperly intercepted.
  Rating: L
  Prevention/Detection: The website is hosted by Empire Web Pages (SMARTT Software LLC, info@smarttsoftwarellc.com); the service provider's security policies meet or exceed the institution's.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: Hosted by Empire Web Pages. Online Resources Bill Pay service provider: Fiserv CheckFree. The PCU Access Policy is part of the comprehensive Security Program.
  Final Risk Rating: LOW 1

Telephonic Banking (IVR)
  Risks/Threats: Obtaining access to various account information.
  Rating: L
  Prevention/Detection: Audio response system hosted by Maxxar, interfacing with USERS (FISERV). The Maxxar unit has been disconnected from the inside network; ACLs were set up in the firewall to permit the Maxxar unit access to the internet but prohibit access to the inside network.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: Updates to the Maxxar TNT Audio Response system are deployed in a timely manner. CornerStone telephone company is a qualified outside service provider.
  Final Risk Rating: LOW 1
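The isolation described in the Network and Telephonic Banking (IVR) entries above (no inbound access from outside, IVR unit allowed out to the internet but blocked from the inside network) depends on the order of the firewall's access-list entries, because an access list applies the first rule that matches. The following Python check is an added example, not part of the credit union's assessment nor any Fiserv, Maxxar or Cisco code; the addresses and the rule lists are constructed assumptions, and it shows a mis-ordered list beside the corrected one.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network model (addresses are assumptions, not from the assessment).
INSIDE = ipaddress.ip_network("10.0.0.0/24")      # assumed inside network holding member data
IVR = ipaddress.ip_network("192.168.50.0/24")     # assumed isolated segment for the Maxxar IVR unit
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate(rules, src_ip, dst_ip):
    """First-match access-list semantics with an implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


def check_policy(rules):
    """Return the policy statements from the assessment that the rule list violates."""
    findings = []
    # IVR unit must not reach the inside network (constructed sample addresses).
    if evaluate(rules, "192.168.50.10", "10.0.0.5") == "permit":
        findings.append("IVR segment can reach the inside network")
    # IVR unit must still be able to reach the internet (TEST-NET-3 address as a stand-in).
    if evaluate(rules, "192.168.50.10", "203.0.113.7") != "permit":
        findings.append("IVR segment cannot reach the internet")
    # Nothing from outside may reach the inside network.
    if evaluate(rules, "198.51.100.4", "10.0.0.5") == "permit":
        findings.append("inbound access from outside to inside is permitted")
    return findings


# Mis-ordered: the broad permit matches first, so the deny to INSIDE is never reached.
MISORDERED = [Rule("permit", IVR, ANY), Rule("deny", IVR, INSIDE)]
# Corrected: the specific deny precedes the broad permit.
CORRECTED = [Rule("deny", IVR, INSIDE), Rule("permit", IVR, ANY)]

if __name__ == "__main__":
    print("mis-ordered:", check_policy(MISORDERED))
    print("corrected:", check_policy(CORRECTED))
```

Running the check against an exported rule list is a cheap way to re-verify the IVR isolation after each firewall change rather than only at the annual audit.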

Internal Internet Usage & Email
  Risks/Threats: Access to customer information by attacks from outside individuals via "hacking" or viruses; misappropriation of customer information by internal employees over the internet.
  Rating: L
  Prevention/Detection: Employees have signed the institution's internet usage policy, which has been approved by the board of directors; internet usage is monitored; as noted above, the firewall is properly configured for internet usage; filters are in place; vulnerability and penetration tests have been performed. Virus protection is running continuously and updated regularly; employees sign the institution's email policy detailing customer information sharing policies; external email which contains customer information is encrypted and password protected; emails are periodically monitored.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: The Internet Usage Policy and Electronic Mail Policy are part of FCFCU's comprehensive Security Program.
  Final Risk Rating: LOW 1

Modem Usage
  Risks/Threats: Access to customer information via intrusion into the institution's network through external modem connections.
  Rating: L
  Prevention/Detection: Modem lines are disconnected when not in use; vendors are required to call the institution before dial-in activity occurs; staff does not have dial-in capability.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: Staff does not have dial-in capability.
  Final Risk Rating: LOW 1

Electronic Funds Transfers (ACH, Wire Transfers, ATM)
  Risks/Threats: Improper access to EFT systems could result in improper access to customer information and result in monetary loss.
  Rating: L
  Prevention/Detection: Security access levels are set on the system to ensure segregation of duties; the access levels are periodically reviewed. USERS (FISERV) processes FCFCU's ACH through EPN.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: The SAS 70 report contains an independent third-party opinion of the effectiveness of the DataSafe System's information technology and application controls.
  Final Risk Rating: LOW 1

Credit Reporting
  Risks/Threats: Improper access to credit reporting systems, which would include access to nonpublic customer information, could result in damaging customer credit and reputation.
  Rating: L
  Prevention/Detection: Access to credit reporting agencies is restricted to authorized individuals; the credit bureau's privacy policies meet or exceed the institution's policies; a secondary review process ensures accuracy of reported information.
  Responsibility: Board of Directors and Information & Technology Committee.
  Response/Conclusion: Access controls are placed on all levels of authorization through the CRAs.
  Final Risk Rating: LOW 1

Final Risk Ratings (L, M, H) with:
  1 - with controls
  2 - with controls, needs improvement
  3 - without controls

Risk Rating Codes: Low (L), Medium (M), High (H)
