risk-assessment-IT-system

Liam Kelly, MSc IT, MSCE
NSF
Rule 71, Credit Union Act 1997

71.—(1) Subject to subsection (2), during his term of office or at any time thereafter, an officer or voluntary assistant of a credit union shall not disclose or permit to be disclosed any information which concerns an account or transaction of a member with, or any other business of, the credit union.

(3) As soon as practicable after the beginning of his term of office or, in the case of any person whose term of office began before the commencement of this section, after that commencement, every officer or voluntary assistant of a credit union shall, in such manner as the Registrar may determine—
(a) be informed by the credit union of his obligations under this section; and
(b) in writing acknowledge that he has been so informed and understands his obligations.

(5) A person who contravenes subsection (1) shall be guilty of an offence.

(6) In any proceedings for an offence under this section, the onus of proving that any of the paragraphs of subsection (2) excludes a disclosure from subsection (1) shall lie on the person who made or permitted the disclosure.
Data Protection Act 1988 and 2003
The Eight Rules of Data Protection
- Obtain and process the information fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways compatible with the purposes for which it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give a copy of his/her personal data to any individual, on request
Risk assessment of IT System

IT Policy (score each question: Risk 1-5, Impact 1-5)
- Does an IT Policy exist
- Does it meet legal requirements
- Is someone responsible to ensure a review of policy
- Is there an external independent IT consultant to review your IT policy
- Is data protection covered in the Policy
- Is there a named data controller – yes/no
- Are the functions of the data controller outlined – yes/no
- Is data encryption covered
- Is data recovery covered in the event your IT provider goes out of business
- Is there a service level agreement (SLA)
- Is the level of service specified for the SLA
- Is continuity/disaster recovery planning specified
- Is the MIS reporting required from the IT system specified
- CUSCO and ILCUnet ready
- Login privileges policy
- Account access policy
- Internet access policy
- Back Office usage policy
- Is the level of public liability insurance your IT provider should have specified
Service Level Agreement (SLA)
- Is there a service level agreement (SLA) in place with your IT provider
- Who wrote the SLA
- Has the SLA been independently assessed
- Is continuity/disaster recovery planning part of the SLA
- What level of staff/resources has the IT provider to cater for a crash
- What is your down time and who pays the cost
- How long would the CU be out of business according to the SLA
- Who pays the cost of the outage – is this covered in the SLA
- Is hardware warranty covered in the SLA
- Is data protection covered in the SLA
- Is the data safe and recoverable under the SLA
- Is the data encrypted
- Is there an encrypted copy of the data on site also
- What local hardware protection is in place to ensure recovery from disaster – operating system/application server: mirror recommended; data server: RAID 5 recommended
- What firewalls exist to protect your data – internally and externally
- Is the data server separate from the application/operating system server
- Does the SLA meet the IT policy requirements, i.e.
  - Who has login privileges
  - Is there an account access policy – who can do what once logged on to your IT system
  - Is there a login/user privilege policy – i.e. can a teller set passwords
  - Is there a notification system when a system's policy is altered
  - Is there a notification system if account details are changed in back office
- Is there an upgrade/update agreement
- Is there a deployment policy for updates/upgrades
- Where is the backup data stored off site – one copy of an entire backup must be off site – what policy and procedure does the IT provider have in place to ensure it is 100% not compromised
- If the backup of the server is in the IT provider's office – where does he back up his servers, after all your data is on his server
- What access does the IT provider have to your data
- Ownership of your data if the IT provider changes or goes out of business
Risk/Impact matrix
- High Risk/Low Impact
- High Risk/High Impact
- Low Risk/Low Impact
- Low Risk/High Impact
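As an added example (not part of the original slides), the 1-5 Risk and Impact scales and the four quadrants above as a small Python risk register: each checklist question is scored, the questions answered "no" are ranked by risk x impact, and each is placed in its quadrant. The cut-off of 3 for "High" and the sample scores are assumptions.

```python
# Added example: a risk register built on the slides' Risk 1-5 / Impact 1-5
# scales and four-quadrant matrix. Not the original slides' own material.
from dataclasses import dataclass

THRESHOLD = 3  # assumption: a score of 3 or more counts as "High"

QUADRANTS = ("High Risk/High Impact", "High Risk/Low Impact",
             "Low Risk/High Impact", "Low Risk/Low Impact")


@dataclass(frozen=True)
class Finding:
    question: str   # checklist question from the assessment
    answered: bool  # True if the control is in place ("yes")
    risk: int       # likelihood, 1-5
    impact: int     # impact on the credit union, 1-5


def quadrant(risk: int, impact: int) -> str:
    """Map a (risk, impact) pair onto one of the four quadrants."""
    for score in (risk, impact):
        if not 1 <= score <= 5:
            raise ValueError("scores must be between 1 and 5")
    r = "High Risk" if risk >= THRESHOLD else "Low Risk"
    i = "High Impact" if impact >= THRESHOLD else "Low Impact"
    return f"{r}/{i}"


def open_findings(findings):
    """Questions answered 'no', most urgent first (risk x impact, then impact)."""
    gaps = [f for f in findings if not f.answered]
    return sorted(gaps, key=lambda f: (f.risk * f.impact, f.impact), reverse=True)


def by_quadrant(findings):
    """Group the open questions under the quadrant they fall into."""
    groups = {q: [] for q in QUADRANTS}
    for f in open_findings(findings):
        groups[quadrant(f.risk, f.impact)].append(f.question)
    return groups


# Constructed sample register; scores are illustrative, not from the slides.
SAMPLE = [
    Finding("Is there an encrypted copy of the data on site also", False, 4, 5),
    Finding("Is there a service level agreement (SLA)", True, 5, 5),
    Finding("Is one copy of an entire backup stored off site", False, 2, 5),
    Finding("Is there a named data controller", False, 4, 2),
    Finding("Is printing covered under the cloud SLA", False, 1, 1),
]

if __name__ == "__main__":
    for name, items in by_quadrant(SAMPLE).items():
        print(f"{name}: {items}")
```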
Cloud Computing
- IT providers are offering you an electronic document solution on a cloud.
- What is cloud computing
  1) provision and storage of data electronically
  2) via the internet
  3) using a computer
- Two well-known examples: Google Docs, Microsoft SharePoint
- Where does the cloud sit – your data must exist on a hard drive somewhere – a cloud just means you access the data in a different manner than if the server was sitting physically in your CU.
Cloud Computing – operations side of CU
- Is cloud computing covered under an SLA
- Level of service
- Bandwidth
- Teller operation time
- Backups
- Access/login policy/backup policy
- Recovery policy
- Printing
- Firewalls
- Data encryption etc.
- Security of traffic to and from the cloud
- Standards specified and checked
- Continuity planning
Cloud Computing – board/management side of CU
- Is cloud computing covered in the IT policy
- Who owns the data – data stored on some sites can mean joint ownership
- Who has access to the data – some cloud providers' computer systems are compromised
- Where is the server that your data sits on – your data must come under European data legislation – documents stored on sites in the USA are covered by their legislation
- Where exactly is your cloud – if the provider is in England it may not be the case that the cloud is in England; in a recent case the data was actually stored on a server in India
- IT provider to the IT provider – what is your guarantee
- Public liability insurance – public liability of the IT provider's providers
- Whose law covers the cloud
Summary

In order to carry out a risk assessment, Supervisors need to advise themselves of the appropriate questions to ask. To this end we recommend you get an external independent advisor to ask the right questions for you and give you the right answers.

Remember the CU Board shall cover reasonable expenses necessary for you to carry out your job.