Information Technology Policies Credit Union
12.1 [Your] Credit Union
Information System/Technology Policy
12.2 INFORMATION SYSTEMS MANAGEMENT
The integrity of our computer and network resources is extremely important to the successful
operation of our business. This policy covers access through our on-line processor CUSA
Technologies and Personal Computer use. All computer equipment, peripherals, and software
are Credit Union property and are provided for business purposes. Proper use and control of
computer and network resources are the responsibility of all employees. Intentional or reckless
violation of established policies or improper use of our computers or networks would result in
corrective action up to and including termination. Employees should also be aware that any
work completed on Credit Union computers is subject to monitoring and review and they should
not expect their communications to be private.
DESIGN - Information Systems should be designed to promote the highest level of
security and function. Each Device should be protected from unwanted intrusions by
passwords and anti-hacker and anti-virus devices and software. Software and device
drivers should be kept up-to-date. Data should be protected and preserved using easily
obtainable backup and storage devices and software. [Your] Credit Union is committed
to complying with all State and Federal laws with regard to the security, storage and
destruction of all member, operational, and statistical information generated and stored
by the credit union.
SECURITY - [Your] Credit Union is committed to the proper security of all member,
operational, and statistical information generated and stored by the credit union. See
Security Policy, Privacy Policy, Disaster Recovery Policy.
BACKUP AND PRESERVATION - [Your] Credit Union is committed to the proper
backup and preservation of data, reports, and operational systems in order to maintain the
operational continuity expected of the credit union.
MANAGEMENT RESPONSIBILITIES - The President is responsible for the
operation, security, compliance and storage of the [Your] Credit Union information
systems and the data and reports generated and stored by those systems. The President
reports directly to the Board of Directors and the Supervisory Committee.
EMPLOYEE RESPONSIBILITIES - Each employee is required to maintain the
privacy and confidentiality of member information and information generated by the
credit union.
INFORMATION SYSTEMS DESIGN - The credit union information systems are
divided into two areas, which include: (1) The data processing system, and (2) the
computer networking system.
12.2.1 CUSA Technologies Software & Computer Access
12.2.2 ACCOUNT DATA PROCESSING - Member account and data processing is
performed on an IBM AIX (Unix) RISC processing minicomputer system on software provided
by CUSA Technologies, Inc. The CUSA System is an in-house, stand-alone minicomputer. The
CUSA System is located in the Main Office. The CUSA system’s modems are only turned on
when we are actively communicating with a vendor or CUSA. The CUSA system is connected
to PCs that are behind the Internet Firewall. The Teller Station and CTI Terminal access the
minicomputer by a network interface, using telnet terminal software.
12.2.2.1.1 COMPUTER NETWORKING - [Your] Credit Union operates personal
computer (PC) workstations which use Windows competitive operating systems, including,
but not limited to: MS-DOS, MS Windows 95, MS Windows 98. Computers are networked
together with Category 5 RJ-45 Cabling. There is a hub connecting the terminals at the main
sites.
12.2.2.1.2 WEB PRESENCE - [Your] Credit Union has a website through the Wisconsin
Credit Union League, with CyFi as its host. See E-Commerce Policy.
12.3 INFORMATION SYSTEMS SECURITY
12.3.1 ACCOUNT DATA PROCESSING SECURITY
12.3.1.1.1 ACCESS - There is no member access to the CUSA system terminals at the credit
union. CUSA Support personnel have access through dial-up, which is only made available when
requested by CUSA; the connection is physically terminated when the session is over. Each
teller station CUSA screen does not have to be void of teller initials, when the terminal is not in
use, since a transaction requires a password at the end, before it can be transmitted. If the initials
and the password do not match, the screen flashes “unauthorized password”.
12.3.1.1.2 PASSWORDS – The CUSA System allows access into their program through teller
initials and passwords. Only CUSA Support and the President know the root password.
Individual employee login passwords are chosen by the employee and are not recorded or known
by anyone else. Employees will be notified by the system to change their password every 3
months, and an employee must change their password whenever its secrecy is
compromised. Passwords do not print out or show on any CUSA screens. In the case of an
emergency, as confirmed by the Chairman of the Board or the President, a request can be made
to CUSA Technologies to run a specific program to determine a password.
12.3.1.1.3 PASSWORD CONTROLS – The CUSA System accommodates various
security levels by Password Levels through Menu 141 Teller Setup and also through menu
password levels through Menu 155, Menu File Editor. The following is a list of Password
Level Access:
Newly hired employee: Level 3
All other employees: Level 2
Backup to the President: Level 1
President: Level 1
It is at the discretion of the President to allow staff access to otherwise non-accessible
menus. This may be due to cross-training and coverage for an absent employee. Since
this is a small office, there is a need for the employees to have access to most menus at
the discretion of the President. If, however, a tighter system is needed, the CUSA
Technologies, Inc. system can accommodate it.
INTERNET ACCESS - The CUSA system does not have access to the Internet.
VIRUS PROTECTION - No uploads of any software are allowed on the CUSA System except
through tapes provided by CUSA or during the restoration of a backup tape. Therefore no
anti-virus software is necessary since there is no opportunity for infection.
COMPUTER NETWORKING SECURITY
ACCESS – As our computer terminals are all networked, the CUSA Technologies System is one of
the shared programs. All terminals are logged off each night and shut down through the standard
shutdown procedures.
VERIFICATION – Some of our members choose to do their business by phone, mail, audio,
Internet, and over the counter. All employees processing changes for a member, including but
not limited to, change of address, withdrawal from an account, transfer between accounts, or any
other activity that affects the member’s account, must do so in writing. If the member is not
physically present to sign a receipt for the transaction, the credit union will maintain their copy
of the receipt for this purpose. Only employees with a password level of 3 or lower are
authorized to process any maintenance changes in the system. Once the transaction or
maintenance has been completed, when needed, another employee will verify the
change/transaction. All transactions are produced by the system on a daily transaction report
with the teller’s initials indicating who did what. All maintenance changes show on a report
monthly. These reports are reviewed and maintained until audit and permanently on CD-ROM.
INFORMATION SYSTEMS BACKUP AND RECOVERY
ACCOUNT DATA PROCESSING BACKUP & RECOVERY - Backup of the CUSA
system has a high priority and is done on a daily basis. The backup tapes are protected from
fire or damage by storing them in a fireproof vault. There are 10 tapes, one for each day over
a two week period. Plus there is a nightly backup by the Zip Drive on the President’s PC.
This Zip Drive backs up PC info as well as the CUSA System.
CUSA BACKUP - Each night, after closing, a daily backup tape, as prescribed by CUSA, is
created using data tapes. Each tape is verified after backup. Two weeks of daily backup
tapes are kept in a fireproof vault. This backup tape is a full system backup, and is taken
home (off-premise) for disaster recovery purposes. It is then brought back 2 days later. The
system is rebooted daily per the recommendations of CUSA Technologies.
CUSA RECOVERY - Contact CUSA disaster recovery group at 1-800-568-2872 for
instructions on how to proceed. Generally, the credit union will ship a current backup tape to
CUSA. CUSA will ship one terminal, a remote control unit, a modem and one printer overnight
to be set up at our current or temporary location.
Personal Computers Software and Access
Integrity of Computer Resources
MODIFICATION OR REMOVAL OF EQUIPMENT - Computer equipment, peripherals
and software may not be added, altered, or removed except as authorized by the President or
Board of Directors.
SOFTWARE - Employees shall not install personal software (including screen savers,
downloads from the Internet, or from any other source) on Credit Union computers for
business or any other purpose, unless authorized by the President.
UNAUTHORIZED OR DESTRUCTIVE PROGRAMS - Employees shall not develop or
use programs that disrupt computer resources, access restricted areas or files, or damage
software and hardware.
SYSTEM ADMINISTRATOR RESPONSIBILITIES - The President will act as the
System Administrator and is responsible for overseeing the configuration and use of Credit
Union computer and network resources. The President shall use reasonable efforts to
implement:
Security - Protect the security of the system and the information contained within it.
Protection - Institute policy and procedures to guard against theft or damage to system
components or integrity.
Licensing – Implement all licensing agreements and ensure that all related laws are
adhered to.
Software - Oversee and approve all software installations.
Equipment - Establish equipment auditing, maintenance, and upgrading procedures.
Policies - Develop policies and procedures that govern the acceptable operation, use
and maintenance of computer resources.
Support - Provide training and assistance to users as needed.
Help Assistance - Maintain an “open door policy” so that employees can quickly report
problems or make suggestions.
Strict Enforcement - Given the importance of our computer resources and the potentially
serious consequences of security violations, we will strictly enforce these policies.
Employees shall report all security violations to the President. All reported or identified
security problems will be quickly investigated and resolved by the System Administrator and
reported to the Chairperson of the Board of Directors.
Corrective Action - Any Credit Union employee found to have violated these policies would
be subject to corrective action, which may include formal probation, suspension or
termination, based on the circumstances of the violation.
No Employee Expectation of Privacy - The Credit Union maintains the right to monitor
when and how computer and network resources are used through maintenance of activity
logs, review of files, and other security means. As equipment is owned by the Credit Union,
employees should have no expectations of privacy regarding their computer files.
Employee Duty to Report Problems - All employees shall immediately report any potential
or actual computer or network problems or concerns to the System Administrator.
PC WORKSTATIONS - The credit union maintains numerous PC workstations for the
exclusive use of [Your] Credit Union employees. These workstations all run Microsoft
operating systems and are protected by Norton or McAfee Anti-virus software. All workstations
are connected with 10/100 Ethernet network cards and CAT-5 RJ-45 connecting cables. A D-
Link DSS-24 Network Switch connects all the PC workstations and the LAN server together.
ACCESS – Each workstation in the credit union is equipped with a Personal Computer.
These computers are used for both the CUSA Technologies System Software and for various
licensed Windows based Desktop Applications. Use of unauthorized or unlicensed software
is strictly prohibited.
Protection of Computer Networks - The Credit Union will periodically review and
document all network systems and connections. Network connections, such as modems, that
allow access to Credit Union systems from remote devices will be controlled and monitored.
Control will take the form of adequate password protection and, where feasible, the powering
down of the devices when not in use by the Credit Union. The Credit Union will look into
perpetual network connections to outside systems, such as Internet links or sponsor systems,
by the use of a “firewall” that effectively limits outside access to Credit Union systems and
data. If or once installed, the design, configuration and performance of the “firewall” will be
periodically reviewed and tested to ensure it is functioning as intended.
VIRUS PROTECTION - Norton or McAfee Antivirus Software protects PC Workstations.
The anti-virus software automatically updates itself at each workstation. There is nothing
directly running on the main server, so no virus protection is needed.
INTERNET ACCESS - All non-teller PC Workstations have Internet Access through MS
Internet Explorer and Netscape. The encryption level should be 128-bit, and the latest
compatible version of Internet Explorer and Netscape is updated as needed for security.
Only one PC Workstation, the President’s, uses Core-Com (Execpc) web based e-mail
system for e-mail.
PERSONAL COMPUTER BACKUP & RECOVERY - [Your] Credit Union maintains
regular backups of all critical data files, and documents for the preservation and easy
restoration of computer software and data. Full backups of computers are usually
unnecessary since they all use generic operating programs that can be easily restored from
software copies in the fireproof records vault. The critical files of the PC workstations are:
(1) the document, spreadsheet, database, presentation and e-mail files found in the My
Documents directory, (2) graphic files and (3) other program data files. Regular daily
backups of the My Documents files on all non-teller PCs will be done on Zip Disks. There will be
one for each working day. The backup Zip Disks are protected from fire or damage by
storing them in the fireproof vault. In the event that they are destroyed, if necessary,
commercial programs can be repurchased and/or replacement software and licenses can be
obtained from most vendors with proof of destruction of software. Data and files should be
restored from backup, CD-ROMs and Zip Disks stored in the records vault.
12.3.1.1.3.1 E-Mail
12.3.1.1.3.2 CORE-COM (EXECPC) E-MAIL PROVIDER – Core-Com (Execpc)
maintains e-mail accounts for [Your] Credit Union. These accounts require name and
password for access.
E-MAIL ACCOUNT – Selected employees are issued an e-mail address for company
business only. The following are authorized for an e-mail address through Core-Com:
President
EMPLOYEE RESPONSIBILITIES - Each employee should use his or her version of
Core-Com (Execpc) for official [Your] Credit Union business. OPECU reserves the right to
monitor employees’ e-mail to ensure that the Internet service is being used appropriately.
12.3.1.1.3.3 Unacceptable E-Mail - Employees should refrain from unacceptable
e-mail generation and reception. No e-mail should be generated or forwarded that
another employee, member or vendor would find offensive.
12.3.1.1.3.4 Junk Mail - Employees should not sign up for automatic e-mails or
listservs that generate timewasters such as daily jokes, lotto, stories, specials,
sales, or advice that are not beneficial to the credit union.
12.3.1.1.3.5 Attachments: No e-mail attachment should be opened without first
knowing who sent the attachment. Whenever possible, the attachment should be
saved to a disc for scanning by the virus protection first.
12.4 INTERNET WEB BROWSING - [Your] Credit Union employees have access to
the Internet from their non-teller PC Workstations. Internet access is a privilege and should be
used to enhance an employee’s job and duties. [Your] Credit Union reserves the right to monitor
employee web browsing to ensure that the Internet service is being used appropriately. The
following guidelines should be followed regarding the Internet.
12.4.1 PROPER USE OF THE INTERNET - The Internet should be used to enhance
an employee’s job or seek knowledge regarding the employee’s job. An employee may use
the Internet for personal browsing on their personal breaks, lunches and after hours.
12.4.2 IMPROPER USE OF THE INTERNET - [Your] Credit Union employees
should not use the Internet connection for any of the following: violence/profanity,
partial/full nudity, sexual acts, gross depictions, intolerance, satanic/cult, drugs/drug culture,
militant/extremist, sex education, questionable/illegal, gambling, and alcohol & tobacco.
Unlawful or Inappropriate Messages - Use of electronic communication to send
harassing, obscene, threatening or other inappropriate messages violates Credit Union
policy as well as other applicable laws.
Mailing Lists - Employees must respect the privacy of mailing lists and ensure that they
are used for authorized credit union business.
Advertisements - Communication resources shall not be used for transmission of
commercial, political or personal advertisements, solicitations, or promotions.
12.4.3 EXCESSIVE USE OF THE INTERNET - Time spent on the Internet during
work hours should not interfere with or take time from an employee’s regular credit union
duties. Files retrieved from the Internet should not encumber the space available for credit
union programs and data. Employees should avoid the excessive use of job-related listservs
and newsgroups and not participate in unrelated listservs or browse unrelated newsgroups.
Adopted: September 19, 2002 Comment: