New IT Contractor and IT Exam Priorities
June 26, 2007
New Contractor For IT Exams
Effective July 2, 2007, the Division of Credit Unions (Division) is revising the Information Technology (IT) portion of our examination. IT examinations will be performed by Division examiner Glenn Ross along with the Division’s new contractor. Steinke Consulting is the new contractor and will be represented by Gerhard Steinke. Mr. Steinke has significant IT experience and has worked with Trust CC for the past two years. His experiences will help in identifying best practices and in determining areas of weakness in state chartered credit unions.
Credit union managers told us the IT exams have been very informative and we were pleased with the work provided by Trust CC. We are changing the contractor as a result of the normal bid process for state contracts. The contract with Steinke Consulting runs through June 30, 2009.
IT Exam Focus
The Division will focus on the following areas during the next two years:
- Key controls are regularly tested – Examiners will review whether the credit union’s information security risk assessment provides satisfactory guidance for testing key controls, whether key controls are routinely tested, and whether proper changes are made when testing indicates weaknesses in the effectiveness of key controls. Controls identified in the risk assessment should be incorporated into the information security program/policy.
- Remote access of computer systems – Examiners will review whether management has implemented appropriate remote access security controls that include, at a minimum, strong authentication and encrypted sessions for remote access to the credit union’s internal network, and whether management routinely logs and monitors remote access usage.
- Business continuity / disaster recovery planning – Examiners will review credit union plans for recovering critical systems and operations to determine if they are satisfactory and appropriate and whether they are routinely updated and regularly tested.
- Vendor management – Examiners will review whether management has exercised satisfactory due diligence in the selection of service providers; whether a satisfactory process has been established and used to monitor service provider performance, including regular review of service provider security controls (SAS 70 Type II report review); and whether credit union contracts require service providers to implement appropriate measures as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 1999.
- Mobile device (notebook computer, PDA, flash drive, external drive, etc.) security – Examiners will review whether management has implemented appropriate mobile device security measures, including, but not limited to, encryption of non-public information stored on all mobile devices.
The IT Exam Fee Waiver Will Continue Through June 2008
The Director will continue to waive the IT exam fees at least through June 2008. By April 2008, the Division will review its budget and cash fund to determine whether the Division can afford to continue waiving the IT exam fees.
Please contact Doug Lacy-Roberts at (360) 902-0507 if you have questions.