Disclaimer
This sample policy provides a guide or a place to begin. Credit union policies should always be structured to
meet the specific needs of the credit union and its membership. Efforts are made to update the material to
reflect applicable changes in the law. This sample should not be considered legal advice nor relied upon as
a substitute for professional services. Credit unions are encouraged to contact legal counsel for legal
advice. The Kansas Credit Union Association will not be liable for any direct, indirect or consequential
damages resulting from the use of this policy.

                                    Information Security Policy

I.   Policy Statement

     It is the policy of the credit union to comply with NCUA Rules & Regulations, Part
     748 and Appendix A—Guidelines for Safeguarding Member Information and
     Appendix B—Response Programs for Unauthorized Access to Member Information
     and Member Notice. The intent of this policy is to ensure the security and
     confidentiality of member information; to protect against any anticipated threats or
     hazards to the security or integrity of such information; to protect against
     unauthorized access to or use of information that could result in substantial harm or
     inconvenience to any member; and to ensure the proper disposal of member
     information and consumer information.

II. Scope

         A. This policy does not replace, but works in conjunction with the other policies
            of the credit union such as Privacy, Disaster Recovery, Business
            Resumption, or Physical Security.

         B. Member information means any records containing nonpublic personal
            information about a member, whether in paper, electronic or other form that is
            maintained by or on behalf of the credit union.

         C. Member information system includes any method used to access, collect,
            store, use, transmit, protect or dispose of member information.

         D. Service Provider means any person or entity that maintains, processes, or
            otherwise is permitted access to member information through provision of
            services to the credit union.

III. Responsibility

         A. It is the responsibility of the Board of Directors to approve the credit union’s
            written information security policy and program.

         B. It is the responsibility of the Board of Directors to oversee the development,
            implementation and maintenance of the credit union’s information security
            program or to delegate to an individual or committee specific authority to
            perform those responsibilities.

                   i. Responsibility for implementing the program is delegated to
                  ii. Reports on compliance with the security program will be presented to
                      the Board of Directors                      (monthly, quarterly, or at
                      least annually).
                 iii. The program will be reviewed and modified on at least an annual
                      basis to provide for changes in technology, the sensitivity of member
                      information, internal or external threats to information, and changes in
                      the credit union’s business arrangements, i.e., mergers, acquisitions,
                      joint ventures, outsourcing arrangements, etc.

IV. Risk Assessment

         A. The credit union will identify reasonably foreseeable internal and external
            threats that could result in unauthorized disclosure, misuse, alteration, or
            destruction of member information or member information systems.

         B. The credit union will develop an information security program commensurate
            with the complexity and scope of the credit union’s activities.

V. Risk Management

         A. The credit union will consider and adopt appropriate policies and procedures
            in the following areas:

                   i. Access Controls On Member Information Systems – to include
                      controls to authenticate and permit access only to authorized
                      individuals and controls to prevent employees from providing
                      information to unauthorized individuals who may seek to obtain this
                      information through fraudulent means;

                  ii. Access Restrictions at the Physical Location – to permit access to
                      buildings, computers, and record storage facilities only to authorized

                 iii. Records Retention/Destruction – to include proper protection of
                      records containing member information and to provide for appropriate
                      method of destruction to preserve confidentiality of information.

                 iv. Encryption – to provide for encryption of electronic member
                     information while in transit or in storage on networks or systems to
                     which unauthorized individuals may have access;

                  v. Information System Modifications – to ensure that member
                     information system modifications are consistent with the credit union’s
                     information security program;

                 vi. Monitor – to monitor systems and procedures to detect actual and
                     attempted attacks on or intrusions into information systems;

                 vii. Response Programs – to specify the action to be taken when the
                      credit union suspects or detects that unauthorized individuals have
                      gained access to information systems;

                viii. Reporting – to provide appropriate reports to regulatory and law
                      enforcement agencies when the credit union suspects or detects that
                      unauthorized access has been made to information systems.

                 ix. Testing – to implement procedures to regularly test the controls and
                     systems of the information security program. The frequency and
                     nature of the tests will be determined by the level of risk to the credit
                     union. Tests will be conducted by independent third parties or by staff
                     independent of those that develop or maintain the security program.

                  x. The credit union will implement dual control procedures and
                     segregation of duties for employees with responsibilities for or access
                     to information systems. Ongoing training will be provided for staff
                     members regarding information security protection and procedures.

VI. Service Providers

         A. The credit union will exercise due diligence in selecting its service providers.
         B. The credit union will contractually require service providers to meet
            appropriate guidelines in safeguarding member information.
         C. The credit union will confirm that service providers have met their obligations
            with regard to B. and may require service providers to provide audits, test
            results or other evaluation tools to assure compliance with security

Approved by the Board of Directors on                                                 (date)