A 6 step plan to IT compliance for your next exam
IT examinations are not getting any easier on credit unions, especially with the rising demands from examiners to focus on cybersecurity. With that in mind, below are 6 steps your credit union can take to ensure that you are prepared and IT compliant:
1. DOCUMENT, DOCUMENT, DOCUMENT
The biggest mistake credit unions make is the easiest. Not documenting IT policies and procedures, no matter what those policies and procedures are, shows to your examiner a lack of concern or attention. It is also a violation of compliance. According to the FFIEC Handbook, “It is the responsibility of an institution’s board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls IT risks as part of the business continuity planning process. The board and senior management should establish policies that define how the institution will manage and control the risks that were identified.”
2. Show documentation that you have tested your backup and recovery plan… and have done so recently.
Run tests of your data backup randomly throughout the year to make sure your systems will survive, and be prepared with reports from the tests. Again, documentation, and not just a firm head nod to confirm your backup plan works, is important. The FFIEC Handbook states: “To maintain the effectiveness of the BCP (Business Continuity Plan), the board and senior management should ensure that enterprise-wide BCP tests are conducted at least annually, or more frequently depending on changes in the operating environment. Formal procedures should be established for reporting the implementation of the testing program and test results to the board and senior management.”