Taming Compliance: How TCU Did It
VACAVILLE, Calif. - Compliance tasks soon will be so convenient and so complete at Travis CU here that other credit unions will look to the CU's Web-based program as a model, according to Richard Roark, SVP and CIO at the $1.6-billion CU.
"We manage all compliance from one convenient location" - that is, from one secure Internet site, Roark explained. Business continuity planning (BCP), vendor management, enterprise policy and procedure, and IT risk assessment tasks are controlled and automated from a single platform called Managed Compliance. The platform is delivered as software-as-a-service by HEIT, the Fort Collins, Colo.-based provider of managed IT services.
"Workflows make it very easy for us to keep on top of each of these critical areas," Roark said. "We receive enhanced notification via e-mail on tasks we must perform in real time. In working with HEIT, I believe we'll implement a truly automated and efficient IT risk management program that will be a model for other credit unions to follow."
Too often, credit unions suffer the burden of compliance in isolated departments, Credit Union Journal has learned. They struggle to understand and keep up with regulations as they change. They pull reports from a range of systems into separate spreadsheets to provide compliance information.
Managed Compliance unifies Travis CU's compliance tasks onto one platform and provides the additional expertise needed to stay ahead of the regulations, said Roark.
Travis CU now performs a risk assessment before deploying any new technology application, he continued. "The Risk Assessment Module allows us to keep track of all reviewers' responses and creates a complete report that we can give to our internal audit department and third-party reviewers."
HEIT compliance experts and software help Travis CU identify any threats or vulnerabilities that may affect the application and address them through controls and training.
Meanwhile, vendor information is housed in one system at HEIT, "allowing us to keep track of all our third-party relationships," Roark said. "Our vendors are categorized based on how critical their service is, which then drives a checklist to gather appropriate documentation, such as updated SAS-70s."
When Travis CU needs to send out a new or updated policy, paperwork can be launched to all employees at once from the HEIT platform, said Roark. "Wet signatures are no longer necessary, as every policy is now signed electronically."
Managed Compliance replaced Travis CU's "completely manual" compliance process in 2007. Managed Compliance is just one platform in the HEIT suite of managed services, all delivered "from the cloud" to credit unions and community banks. Other services include data security and systems performance.
HEIT Managed Security monitors Travis CU's internal and external network around the clock, Roark said. "Security events happen all the time. Having five to seven full-time employees on staff to respond to alerts doesn't make much sense. It's better to outsource this type of service."
Travis CU complements HEIT security monitoring with third-party internal and external penetration testing and social engineering engagements, he said. "That keeps HEIT always vigilant about the security of our network and member data."
The CU has elected not to use HEIT Managed Performance. "We have enough staff to handle this piece internally," said Roark. Managed Performance experts hold constant vigil over an organization's network to ensure maximum uptime and efficiency on all systems and applications, according to HEIT.