Security Compliance Program Guidelines require credit unions to implement an information security compliance program that includes administrative, technical, and physical safeguards designed to achieve the following objectives:
- Ensure the security and confidentiality of member information;
- Protect against any anticipated threats or hazards to the security or integrity of such information;
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member; and
- Ensure the proper disposal of member and consumer information.
In order to achieve these objectives, an information security compliance program must suit the size and complexity of a credit union's operations and the nature and scope of its activities. The various business units or divisions of the credit union are not required to create and implement the same policies and procedures for
If the business units have different security controls, the credit union must include them in its written information security compliance program and coordinate the implementation of the controls so as to safeguard and ensure the proper disposal of member information throughout the credit union. Implementing an information security compliance program begins with conducting an assessment of reasonably foreseeable risks. Like other elements of an information security compliance program, risk assessment procedures, analysis, and results must be written.
Under the Security Compliance Guidelines for dynamic data masking, a risk assessment must include the following four steps:
- Identifying reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems;
- Assessing the likelihood and potential damage of identified threats, taking into consideration the sensitivity of the member information;
- Assessing the sufficiency of the policies, procedures, member information systems, and other arrangements in place to control the identified risks; and
- Applying each of the foregoing steps in connection with the disposal of information.
Engaging in an Ongoing Risk Assessment Process
Risk assessment is an ongoing process. Credit unions should continually review their current policies and procedures to make certain they are adequate to safeguard member information and member information systems and ensure the proper disposal of member information, and should include both their review and their findings in their written information security compliance program. The risk assessment must be updated, as necessary, to account for system changes before they are implemented or for new products or services before they are offered.