
Security Policy Development

SECURITY POLICY DEFINED

A credit union's security policy is the foundation upon which all information-security-related activities are based. For a security policy to be effective, it must receive senior management approval and support. The security policy must keep up with the information systems technology that provides access to credit union resources. ECCT's e-SCOPE Security Engineers will create or update your credit union's security policy to help balance operational requirements with state-of-the-art security solutions.

SERVICE DESCRIPTION

ECCT's steps to create or update a security policy:

  • Information Classification Definitions / Methodology - Before credit union resources can be protected, it must first be understood what is being protected and why. The "what" is derived from data classification of credit union proprietary data (e.g., very confidential, confidential, internal, and public). The "why" is based on how important the information is to Management and the Board of Directors and what the cost and/or the effect of loss would be.
  • Employee Responsibility / Function Identification - Once the corporate information has been defined and valued, the method of access needs to be addressed. An employee or job function needs to be defined in order to grant access to, and assign responsibility for, credit union resources. Because access to information carries accountability, there must be layers of management in the approval chain.
  • Risk Assessment / Strategy Testing - A risk is defined as a vulnerability inside or outside the network environment that has the potential to be exploited and thus cause harm to information or a system. Assessing risk for all aspects of the network is paramount in maintaining a secure environment. A strategy must be formulated to perform periodic testing of the network's vulnerabilities. Test results should then be used to remediate the vulnerabilities found. This is an ongoing process and a routine security measure.
  • Monitoring and Compliance - A security policy is considered a moving target. It should be updated at regular intervals, and periodic audits should be conducted to test compliance with it.

ECCT's e-SCOPE Security Engineers will customize and develop a comprehensive security policy tailored to your credit union's specific network environment. All aspects of network security will be detailed in a complete policy. Areas of interest covered by the policy will include:

  • Information Resource Technology Management
  • General Definitions
  • Classification of Data
  • General IS Security Policy and Goals
  • IS Security Principles of Behavior
  • IS Security Rules for Specialized Users
  • Information Systems Security Audit Reviews
  • Perimeter Security / Firewall Management
  • Vulnerability Assessments, Internal and External
  • Intrusion Detection and Prevention Systems
  • Data Center Access Security Policy
  • Network Equipment Security Policy
  • Data Protection Security Policy
  • Data Backup Security Policy
  • User Accounts Management Policy
  • Operating Procedures for Specialized Systems
  • Password Policy
  • Electronic Mail Policy
  • Malicious Code Policy
  • Web-Based Services Policy
  • Internet / Intranet Usage Policy
  • Computer Security Incident Response Capability
  • IS Security Awareness, Training and Education
  • Remote Access Policy
  • Wireless Access Policy


tel 800.398.2292 :: fax 631.924.1523 :: info@ecct.net :: © 2008 ECCT All rights reserved.