How One CU Patched Up Its IT Compliance Efforts

ROME, Ga. - IT compliance is not a burden for $150-million Coosa Valley CU here, but that wasn't always true.

For years, an IT contractor arrived monthly and moved among the credit union's 70 computers applying software patches, one computer at a time, deep into the night, according to Sherry Presley, AVP-operations, Coosa Valley CU.

"The small IT company was manually touching every machine, working extra hours into the night, requiring credit union staff to stay during the process," Presley recalled. "That wasn't an economical way to handle security and compliance" - which also included other manual tasks, such as disk defragmentation, vulnerability remediation and system logging for remote access.

Even after the contractor completed the monthly visit, Coosa Valley CU had trouble proving to examiners that patches were current and systems were stable; CVCU was left without adequate documentation of how it achieved security and stability, Presley said.

"Auditors used to ask to look at our policies and procedures," she explained. "Now they also want to see proof, with documentation, that we've adhered to those policies and procedures."

Coosa Valley CU turned IT compliance and security around three years ago, switching from the small, do-it-all IT contractor to a team of experts who specialize in monitoring, maintaining, alerting and reporting on servers and devices for the financial industry: Safe Systems of Alpharetta, Ga., Presley said.

"We knew that we weren't quite large enough to pay a full-time expert," she continued. "The advantage of Safe Systems over an individual or small company is that you get that safety net of a vast team of engineers who are up-to-speed on compliance and information security and who only work within the financial industry. They speak our language. We can get remote assistance from them right away; we don't have to wait a month for the IT consultant."

Meeting The Documentation Challenge

Beyond keeping information secure, perhaps the most valuable service Safe Systems provides to credit unions is reporting, according to Tom Hinkel, director of compliance at the managed IT services firm.

"Documentation and validation of adherence to policies and procedures is what credit unions struggle with most," Hinkel said. For many, documentation is either "insufficient or nonexistent."

"A major concern was being able to provide examiners with documentation of required compliance," Presley agreed. To that end, Safe Systems conducts three quarterly reviews and an annual review of the health and compliance of systems at Coosa Valley CU.

Quarterly reviews address data vaulting and backups; antivirus protection; email encryption; remote access; patch management; server health and warranty; hardware and software inventory; information security training; vulnerability assessment; network policies; business continuity and security monitoring, Presley said.

The annual review prompts an in-depth test of the CU's system functionality, security and integrity, including validating data restoration and IT change management, she said.

After all reviews, the dedicated compliance account manager at Safe Systems "provides us with documentation of testing and system reviews and adherence to policies and procedures, and he recommends any new technology we may need before our next exam," Presley said. "He talks to us about hot topics in compliance and security."

Documentation of actual compliance practices often comes in the form of automated reports of inventory, utilization, patches and disk and operating system health, Hinkel said.

 
