OnPoint Develops In-House Tech Risk Assessment

PORTLAND, Ore. - In an effort to address compliance regulations and threats to member data security, OnPoint Community CU has gotten proactive and developed an in-house Technology Risk Assessment program that it reports has proven to be effective.

"In the past we had contracted the task out to audit firms, but it was expensive and did not always align with the results we were looking for," said OnPoint Community CU SVP-Human Resources and Technology, Jim Armstrong. "Our examiner was the main supporter of us building an in-house solution instead of paying the high cost for an audit process."

Member data security has long been a priority for OnPoint, and with the Dodd-Frank Act and the Gramm-Leach-Bliley Act creating more compliance requirements, Armstrong said it was imperative that the credit union seek a cost-effective solution.

"To offset some of the burden of development on internal staff we enlisted a college intern to do most of the department interviewing and documentation," said Armstrong. "This was a huge help."

OnPoint's proprietary, in-house program has three segments. The first piece is an analysis that inventories each department and the programs it uses, both in-house and third-party.

 

Pieces In Place

"Here we look at each one and rate the level of member data and whether or not it needs to be incorporated into the risk program. The startup on this can be time consuming to collect all the information and different programs. Once in place it's pretty much the same from year to year," said Armstrong.

The second piece is the program that monitors a certain number of systems using internal penetration testing. "This gives us a better efficiency than trying to do bulk scans annually," said Armstrong.

The third piece of its in-house program is rating the residual risk of each system, a process that is derived from the testing results and includes the likelihood of threat, the degree to which controls are implemented, and the impact if the control is not implemented. "The residual risk is then reviewed by the security committee to see if the risk is acceptable or action needs to be taken to mitigate."

With $3.2 billion in assets, 247,000 members and 22 branches, a project of such magnitude doesn't happen in weeks or months, and has instead taken three years, noted Armstrong. "Anyone who has gone through this process will tell you it does not end," he noted. "It becomes more manageable but it is a living program and there are always changes and additions."

During the initial stages, OnPoint Community's main goal was to start small and grow the program gradually so as to be as transparent as possible while not impacting users. As a result, there wasn't a traditional hard rollout. "It's been very low key and easily accepted by users."

 

Audits & Recognition

To ensure that the in-house program was exceeding expectations, OnPoint looked to outside vendors to confirm internal findings.

"The program has done well in our state exams and we continue to build and enhance where necessary. We also partner with a third-party audit firm to review the program every three years," said Armstrong. "By utilizing a third party we are able to have an outside view and look at suggestions on what we might be missing."

Armstrong explained that the offering is intuitive, adding that if someone can use Excel they could use the program with ease.

The success of the initiative was recognized by the CUNA Technology Council, which awarded OnPoint with an Excellence in Technology award.

"My boss is very proud of the program and he had asked if we could enter it in one of the award programs. I put together the entry requirements and sent it in," said Armstrong. "I received word a few weeks later that I had been selected as one of the winners. It was a proud day for me and the credit union."

 

Initiatives Planned For 2013

Building on its success, OnPoint is in the process of researching and developing new programs with a possible 2013 launch date.

"We are looking at and developing a few more in-house initiatives including an Enterprise Risk Management solution. We are following a similar path as we did with our Technology Risk Assessment and starting off with a small team and evaluating the environment to see where we should start," said Armstrong. "We have found that a grassroots effort that includes staff that has a stake in seeing the program grow will go farther and be more successful than any off-the-shelf program."

 

 
