by: Michele Dowis and Robin Remines
Regardless of the size of the Information Technology Team in your Credit Union, knowledge base and duties differ for everyone. You may have some team members that have “access to everything”. Without separation of duties (requiring more than one person to complete particular tasks, which creates an internal control), that team is considered vulnerable or at risk of becoming an insider threat!
What is an “insider threat”? It’s a threat to your credit union from within your organization. It can come from employees, former employees, contractors and your coworkers who have information regarding security practices, data and the computer systems. The threat could involve fraud, theft of confidential information or even intentional service disruption of computer systems. These insiders may have accounts and access to computer systems, and may know the timing of processes and transaction posting and any other details that make it easier to sidestep the security controls of which they are aware. Any attempt could be for personal gain, but the information could also be shared externally, possibly creating a data breach.
There’s an inherent trust that we place in our IT Teams. (As well there should be!) But, just like our front office employees who handle money, what happens if someone on that team isn’t as honest as you thought in the hiring process? We don’t want to go into those negative ways of thinking because it makes us uncomfortable. But let’s face it: money is insurable where data/reputation are not. So how do we protect against this threat?
Separation of duties is the logical response in mitigating this risk and is discussed as a necessary strategy in the FFIEC IT Handbook. Protect your IT Team just like you do your tellers. You have dual control processes in place for cash, opening the branch and other high-risk functions. Why not create similar controls over the actual systems? DATA/MEMBER Information is far more valuable than money. Money is insurable and replaceable; your credit union’s reputation isn’t!