SAN JOAQUIN POWER EMPLOYEES CREDIT UNION
The purpose of this policy is to establish a comprehensive information security program comprising administrative, technical, and physical safeguards that complies with NCUA Rules and Regulations Part 748.0. The policy will ensure the security and confidentiality of member information; protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member; and ensure the proper disposal of member information.
Approval of the Policy
The board of directors shall approve the credit union’s written security program and policy. Furthermore, the board of directors will oversee the development, implementation, and maintenance of the program.
The board of directors has appointed the CEO as the security officer and the CFO as the assistant security officer.
The security officer and assistant security officer are responsible for the following:
- Installing, maintaining, and operating security devices.
- Developing and administering the security program.
Security Plan Design and Implementation
The security plan will consist of a five-step design and implementation process.
STEP 1: Assess risk to the credit union annually using the credit union “Risk Assessment Survey”. The risk assessment will consist of the following steps:
a. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.
b. Assess the likelihood and potential damage of these threats.
c. Assess the sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks.
d. Risks will be rated on a scale of 1 to 5 in both the “Likelihood” and “Impact” categories, with 5 being a high impact/likelihood and 1 being a low impact/likelihood.
e. A risk score and rating will then be generated by multiplying the two ratings: Risk Likelihood × Risk Impact.
f. Final risk ratings for each identified risk will be one of the following:
21-25 = Severe Risk
16-20 = High Risk
11-15 = Elevated Risk
6-10 = Guarded Risk
1-5 = Low Risk
STEP 2: Create the information security program to control the identified risks at a level deemed acceptable to both the board of directors and credit union management.
STEP 3: Train the staff to implement the security program.
STEP 4: Regularly test the key controls, systems, and procedures of the information security program.
STEP 5: Review and adjust the program as necessary.
PHYSICAL LOCATION SECURITY
Building: There is only one physical location of San Joaquin Power Employees Credit Union, a building located at 1080 W. Shaw Ave. in Fresno, CA. SJPECU owns the building and occupies one of three suites. The two other suites are leased to tenants, neither of which can access the credit union suite.
To access the credit union one must first pass through a set of doors accessing a common lobby, followed by a second set of doors accessing the credit union lobby. Both sets of doors are equipped with electronic magnetic locks.
- The first set of doors is unlocked on regular business days between the hours of 7:00 am and 5:30 pm. These doors remain locked at all other times and can only be opened by a person possessing an authorization code, which is set, distributed, and managed by the security officer.
- The second set of doors, which opens directly into the credit union lobby, remains locked at all times and can only be passed through by someone who possesses an authorization code or who is let in by an employee of the credit union.
- Once inside the credit union a visitor is always greeted by the member of the staff who let them in.
- Members remain in the lobby unless instructed to meet with a loan officer or member of management in their respective office.
- A member of management will inspect all areas of the office after closing to make sure all documents, negotiable instruments, and cash are stored in their correct place.
SERVER AND COMPUTER SECURITY
- The server PC terminal is password protected, and the password is known only to the staff members who require it.
- The door to the computer server room remains locked at all times.
- Staff PCs are password protected, time out after 5 minutes of user inactivity, and require a password change quarterly.
- Server information is automatically backed up each night and stored by CMC at two separate geographical locations.
- Quarterly external and internal vulnerability assessments will be performed to analyze the security of the management information system. Assessments will then be reviewed by another 3rd party IT consultant to generate a report to the board of directors.
MEMBER INFORMATION REQUEST SECURITY MEASURES
Anytime a member requests information on an account in person a staff member should either:
a. Know the member to the point that he or she is 100% confident of the member’s identity.
b. Obtain a valid picture ID, or request that the member verbally provide two pieces of personal information (e.g., Social Security number, date of birth, mailing address).
Anytime a member requests information by phone the credit union staff member must verbally obtain at least two pieces of personal information.
CREDIT UNION STAFF SECURITY MEASURES
Criminal background checks are run on all staff prior to hiring. Staff members are granted access only to the accounts, GLs, drives, and files necessary for them to complete their job duties.
- Access to computer drives, accounts, and GLs is managed by the security officer.
- Access to physical files is managed by holding restricted files under lock and key.
- All member files are required to be locked in the credit union vault at the end of every night.
- At no time are staff permitted to take member information home without management consent.
All incoming mail is opened in dual control when staffing levels permit. If two employees are not available to open the mail in dual control, any member of management or the Administrative Assistant is permitted to open the mail alone.
3RD PARTY VENDOR DUE DILIGENCE SECURITY MEASURES
Any person identifying themselves as a service contractor will not be allowed to conduct service work of any kind, whether on building structure/fixtures or on computer hardware/software, until management approves them to do so. Furthermore, the service contractor will be allowed to access only the rooms and/or computer hardware/software systems necessary to complete their job.
Due diligence will be performed on vendors contracted to provide ongoing service to the credit union. Such vendors include, but are not limited to, the management information system host, janitor, document destruction (shred) company, 3rd party underwriters, lead lenders, and IT consultant. See “Vendor Oversight Policy” for more information.
PHYSICAL DOCUMENTS (SECURITY AND DESTRUCTION)
- Unless approved for removal by management, physical documents containing sensitive member information are to remain within the credit union office at all times.
- All currency and negotiable instruments are stored in the vault during non-business hours.
- All member files are to be locked in the vault at the end of each work day.
- All personnel files are to be kept under lock and key, with access granted only to those who require it.
- Following a board meeting a digital copy of the board packet is saved on the server while a hard copy is retained in the vault and accessible only to management.
- All documents subject to disposal are kept for six (6) years in the credit union document storage room after which time they are shredded as permissible.
- Stored documents are clearly marked with the date and year of disposal.
- Loan documents are retained within the member file for at least six (6) years after the loan has been paid off and are then shredded as permissible.
RESPONSE TO A BREACH OF SENSITIVE CUSTOMER DATA
Should a physical or digital breach of sensitive member data be discovered, the credit union will promptly do the following:
- Advise the affected or potentially affected membership of the breach, highlighting:
  - The nature of the breach, whether physical or digital, and what was or is suspected to have been compromised.
  - Measures taken by the credit union to protect member information from further unauthorized access.
  - The need for members to remain watchful over their accounts, promptly reporting any incidents of suspected identity theft to the credit union and to the credit bureaus as necessary.