The National Institute of Standards and Technology (NIST) has issued version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity. The report outlines a core of five key elements of data security: identify the risks; protect the data and systems; detect any breaches; respond to any breaches; and recover the losses. NIST advises that businesses act on and/or prepare for all of these points all of the time.
The truth is that outside attackers probably are not your greatest risk. Weaknesses in your own operations frequently lead to accidental privacy violations: employees taking work home on laptops or portable USB devices, or monthly statements being diverted to the wrong address. Because of these possibilities, it is important to determine how well your credit union identifies and tackles all of its risks, not just the external ones.
For improved efficiencies, many credit unions have chosen to outsource their electronic document processing, billing, and distribution solutions to a third-party provider. But how can you be certain that your outside partners are certified in operational excellence and security?
Any provider of electronic billing solutions must possess the industry standards in certification that are mandatory to security compliance. The top three certifications pertaining to credit unions are:
- SSAE 16 (Statement on Standards for Attestation Engagements No. 16) certification is an accreditation awarded by the American Institute of Certified Public Accountants (AICPA) and ensures that all outsourced documents are handled in a secure, reliable and stable environment with tight process controls in place.
- PCI DSS 2.0 (Payment Card Industry Data Security Standard) is a globally instituted security standard for all merchants and service providers who accept credit card information; it is designed to keep customer payment card data secure.
- Sarbanes-Oxley (SOX): any organization fully trained in SOX regulations ensures its clients are compliant with all corporate accounting controls required by federal law.
On top of the compliance accreditations, credit unions should, at a minimum, make sure the service provider they choose has stringent internal security measures in place to protect members' data. Check whether production areas are locked and monitored at all times. Make sure FTP servers are protected by a well-rated hardware firewall to block unwanted intrusions. Additionally, all electronic payment options must be encrypted and performed over a secure SSL Internet connection.
Lastly, it is imperative the company has a comprehensive disaster recovery program in place to safeguard against fire and other natural and environmental hazards.
Protecting data and ensuring security compliance is an ongoing process. Unfortunately, as we hear time and again in the news, there is no magic bullet that guarantees your members' and your own information is safe. Staying secure requires 24/7 monitoring of all data, networks and internal processes. To avoid potential fines, loss of members, bad publicity and legal action, make sure you have covered all your security bases and that your program is well executed and is monitored through third-party auditing and testing.
Harry Stephens is president/CEO of DATAMATX, Atlanta, a provider of printed and electronic billing solutions, www.datamatx.com.