The OCC recently issued OCC Bulletin 2008-16. Yeah, yeah, yeah - I know. The OCC doesn't regulate credit unions. I understand that. But security guidance for banks usually is just as useful for us on the member-owned side of the fence.
The guidance centers on application security. In the OCC's words:
This bulletin reminds national banks and their technology service providers that application security is an important component of their information security program. All applications, whether internally developed, vendor-acquired, or contracted for, should be subject to appropriate security risk assessment and mitigation processes. Vulnerabilities in applications (see Appendix A) increase operational and reputation risk as unplanned or unknown weaknesses may compromise the confidentiality, availability, and integrity of data. Although this guidance is focused on the risks and risk management techniques associated with Web-based applications, the principles are applicable to all types of software.
Credit unions, via Appendix A of Part 748 of NCUA's rules and regs, must implement reasonable controls to safeguard sensitive member data against known risks. Guidance like the OCC's certainly seems to identify risks that might affect credit unions. I would pass the OCC Bulletin under the nose of your I.T. crew to see if your shop has reasonable mitigation controls in place for this risk. (Do you have to? No. But I still think it is good stuff.)
Here's a photo of NAFCU Compliance Guru Steve Van Beek at the NAFCU picnic. Here are some possible captions:
A. Steve's so good, he can do his job blindfolded.
B. Let go, young Jedi. Let the regulation flow through you.
C. Dude, who turned the lights out?
I'll take any and all alternative captions. Have at it! Have a great weekend, everyone!