The OCC recently issued OCC Bulletin 2008-16. Yeah, yeah, yeah - I know. The OCC doesn't regulate credit unions. I understand that. But security guidance for banks usually is just as useful for us on the member-owned side of the fence.
The guidance centers on application security. In the OCC's words:
This bulletin reminds national banks and their technology service providers that application security is an important component of their information security program. All applications, whether internally developed, vendor-acquired, or contracted for, should be subject to appropriate security risk assessment and mitigation processes. Vulnerabilities in applications (see Appendix A) increase operational and reputation risk as unplanned or unknown weaknesses may compromise the confidentiality, availability, and integrity of data. Although this guidance is focused on the risks and risk management techniques associated with Web-based applications, the principles are applicable to all types of software.
Credit unions, via Appendix A of Part 748 of NCUA's rules and regs, must implement reasonable controls to safeguard sensitive member data against known risks. Guidance like the OCC's certainly seems to identify risks that might affect credit unions. I would pass the OCC Bulletin under the nose of your I.T. crew to see if your shop has reasonable mitigation controls to control this risk. (Do you have to? No. But I still think it is good stuff.)
***
Here's a photo of NAFCU Compliance Guru Steve Van Beek at the NAFCU picnic. Here are some possible captions:
A. Steve's so good, he can do his job blindfolded.
B. Let go, young Jedi. Let the regulation flow through you.
C. Dude, who turned the lights out?
I'll take any and all alternative captions. Have at it! Have a great weekend, everyone!
Survivor NAFCU - "If I don't win this challenge I'll have to go to Tribal Council."
Posted by: Southernmost Sue | June 06, 2008 at 08:50 AM
Brad of IBM Southeast FCU writes in:
"Steve's impersonation of a 1960's version of Jordy (from Star Trek)"
Posted by: Anthony Demangone | June 06, 2008 at 09:05 AM
Tona writes in:
"Let the blind, lead the blind."
Posted by: Anthony Demangone | June 06, 2008 at 10:49 AM
Rusty sends in this gem:
I can't figure out if that's an "Attorney stumbling blindly through the maze of regulations," or
"NAFCU compliance expert navigates regulatory hazards blindfolded."
Posted by: Anthony Demangone | June 06, 2008 at 02:17 PM
Take your pick...
1. Yeah, this makes sense... a blind-folded guy walking through the woods - guys need directions to get around without the blind-fold!! (sorry)
2. Great... now they expect me to find that stupid donkey and pin a tail on it no less!
3. Hum Manfred Mann's "Blinded by the NIGHT"...
Posted by: Joyce | June 06, 2008 at 03:13 PM