Liam Kelly, MSc IT, MSCE NSF

Rule 71, Credit Union Act 1997

71.—(1) Subject to subsection (2), during his term of office or at any time thereafter, an officer or voluntary assistant of a credit union shall not disclose or permit to be disclosed any information which concerns an account or transaction of a member with, or any other business of, the credit union.

(3) As soon as practicable after the beginning of his term of office or, in the case of any person whose term of office began before the commencement of this section, after that commencement, every officer or voluntary assistant of a credit union shall, in such manner as the Registrar may determine—
(a) be informed by the credit union of his obligations under this section; and
(b) in writing acknowledge that he has been so informed and understands his obligations.

(5) A person who contravenes subsection (1) shall be guilty of an offence.

(6) In any proceedings for an offence under this section, the onus of proving that any of the paragraphs of subsection (2) excludes a disclosure from subsection (1) shall lie on the person who made or permitted the disclosure.

Data Protection Acts 1988 and 2003

The Eight Rules of Data Protection
1. Obtain and process the information fairly.
2. Keep it only for one or more specified and lawful purposes.
3. Process it only in ways compatible with the purposes for which it was given to you initially.
4. Keep it safe and secure.
5. Keep it accurate and up-to-date.
6. Ensure that it is adequate, relevant and not excessive.
7. Retain it no longer than is necessary for the specified purpose or purposes.
8. Give a copy of his/her personal data to any individual, on request.
Risk assessment of IT System

Each item below is rated on two scales: Risk 1 to 5 and Impact 1 to 5.

IT Policy
- Does an IT policy exist?
- Does it meet legal requirements?
- Is someone responsible for ensuring a review of the policy? An external independent IT consultant can review your IT policy.
- Is data protection covered in the policy?
- Is there a named data controller? (yes/no)
- Are the functions of the data controller outlined? (yes/no)
- Is data encryption covered?
- Is data recovery covered in the event your IT provider goes out of business?
- Is there a service level agreement (SLA)?
- Is the level of service specified for the SLA?
- Is continuity/disaster recovery planning specified?
- Is the MIS reporting required from the IT system specified?
- Is the system CUSCO and ILCUnet ready?
- Is there a login privileges policy?
- Is there an account access policy?
- Is there an Internet access policy?
- Is there a Back Office usage policy?
- Is the level of public liability insurance your IT provider should hold specified?

Service Level Agreement (SLA)
- Is there a service level agreement (SLA) in place with your IT provider?
- Who wrote the SLA?
- Has the SLA been independently assessed?
- Is continuity/disaster recovery planning part of the SLA?
- What level of staff/resources does the IT provider have to cater for a crash?
- What is your down time, and who pays the cost?
- How long would the CU be out of business according to the SLA?
- Who pays the cost of the outage? Is this covered in the SLA?
- Is hardware warranty covered in the SLA?
- Is data protection covered in the SLA?
- Is the data safe and recoverable under the SLA?
- Is the data encrypted?
- Is there an encrypted copy of the data on site also?
- What local hardware protection is in place to ensure recovery from disaster?
  - operating system/application server: a mirror is recommended
  - data server: RAID 5 is recommended
- What firewalls exist to protect your data, internally and externally?
- Is the data server separate from the application/operating system server?
- Does the SLA meet the IT policy requirements, i.e.:
  - Who has login privileges?
  - Is there an account access policy, i.e. who can do what once logged on to your IT system?
  - Is there a login/user privilege policy, e.g. can a teller set passwords?
  - Is there a notification system when a system policy is altered?
  - Is there a notification system if account details are changed in the back office?
- Is there an upgrade/update agreement?
- Is there a deployment policy for updates/upgrades?
- Where is the backup data stored off site? One copy of an entire backup must be off site. What policy and procedure does the IT provider have in place to ensure it is 100% not compromised?
- If the backup of the server is in the IT provider's office, where does he back up his servers? After all, your data is on his server.
- What access does the IT provider have to your data?
- Who owns your data if the IT provider changes or goes out of business?

Risk/Impact quadrants
- High Risk / Low Impact
- High Risk / High Impact
- Low Risk / Low Impact
- Low Risk / High Impact

Cloud Computing
IT providers are offering you an electronic document solution on a cloud. What is cloud computing?
1) provision and storage of data electronically
2) via the internet
3) using a computer
Two well-known examples: Google Docs, Microsoft SharePoint.
Where does the cloud sit? Your data must exist on a hard drive somewhere; a cloud just means you access the data in a different manner than if the server were sitting physically in your CU.
Cloud Computing: operations side of the CU
- Is cloud computing covered under an SLA?
- Level of service
- Bandwidth
- Teller operation time
- Backups
- Access/login policy and backup policy
- Recovery policy
- Printing
- Firewalls
- Data encryption, etc.
- Security of traffic to and from the cloud
- Standards specified and checked
- Continuity planning

Cloud Computing: board/management side of the CU
- Is cloud computing covered in the IT policy?
- Who owns the data? Data stored on some sites can mean joint ownership.
- Who has access to the data? Some cloud providers' computer systems are compromised.
- Where is the server that your data sits on? Your data must come under European data legislation; documents stored on sites in the USA are covered by US legislation.
- Where exactly is your cloud? If the provider is in England, it may not be the case that the cloud is in England: in a recent case the data was actually stored on a server in India.
- The IT provider's own IT provider: what is your guarantee?
- Public liability insurance: what is the public liability of the IT provider's providers?
- Whose law covers the cloud?

In order to carry out a risk assessment, Supervisors need to advise themselves of the appropriate questions to ask. To this end we recommend you get an external independent advisor to ask the right questions for you and give you the right answers. Remember the CU Board shall cover reasonable expenses necessary for you to carry out your job.
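The slides rate each checklist question on a Risk scale of 1 to 5 and an Impact scale of 1 to 5 and then sort findings into the four quadrants (High Risk/Low Impact, High Risk/High Impact, Low Risk/Low Impact, Low Risk/High Impact). The following Python script is an added example, not part of the presentation, showing how a Supervisor could turn answered checklist items into a ranked risk register. The threshold of 3 for "High", the Risk times Impact score used for ranking, and the sample answers are all assumptions made for this example; the page gives only the scales and the quadrant names.

```python
"""Ranked risk register for the IT-system checklist (added example).

Each checklist item carries a Risk rating (1..5) and an Impact rating
(1..5) as on the slides. The quadrant threshold (3 or more is "High")
and the product score used for ranking are assumptions for this example.
"""
from dataclasses import dataclass

HIGH_THRESHOLD = 3  # assumption: a rating of 3 or more counts as "High"


@dataclass(frozen=True)
class Item:
    question: str   # checklist question taken from the slides
    answered: bool  # True when the control is confirmed to be in place
    risk: int       # 1..5, how likely the gap is to be realised
    impact: int     # 1..5, consequence for the credit union if it is


def validate(item: Item) -> None:
    """Reject ratings outside the 1..5 scales used on the slides."""
    if not (1 <= item.risk <= 5 and 1 <= item.impact <= 5):
        raise ValueError(f"ratings must be 1..5: {item.question!r}")


def quadrant(risk: int, impact: int) -> str:
    """Map a (risk, impact) pair onto one of the four named quadrants."""
    r = "High Risk" if risk >= HIGH_THRESHOLD else "Low Risk"
    i = "High Impact" if impact >= HIGH_THRESHOLD else "Low Impact"
    return f"{r}/{i}"


def score(item: Item) -> int:
    """Residual score; a control already in place carries no open score."""
    return 0 if item.answered else item.risk * item.impact


def build_register(items):
    """Open items ordered by score (highest first) as (question, quadrant, score)."""
    for it in items:
        validate(it)
    open_items = [it for it in items if not it.answered]
    ranked = sorted(open_items, key=lambda it: (-score(it), it.question))
    return [(it.question, quadrant(it.risk, it.impact), score(it)) for it in ranked]


def quadrant_counts(items):
    """How many open items fall into each quadrant (all four keys present)."""
    counts = {
        "High Risk/High Impact": 0, "High Risk/Low Impact": 0,
        "Low Risk/High Impact": 0, "Low Risk/Low Impact": 0,
    }
    for it in items:
        validate(it)
        if not it.answered:
            counts[quadrant(it.risk, it.impact)] += 1
    return counts


# Constructed sample answers for a fictional credit union; the ratings are
# illustrative, not recommendations from the presentation.
SAMPLE = [
    Item("Is there an encrypted copy of the data on site also?", False, 4, 5),
    Item("Is one copy of an entire backup stored off site?", False, 3, 5),
    Item("Is there a service level agreement (SLA) in place?", True, 2, 4),
    Item("Is there a login/user privilege policy (e.g. can a teller set passwords)?", False, 4, 3),
    Item("Is there a notification system when a system policy is altered?", False, 3, 2),
    Item("Is the level of public liability insurance of the IT provider specified?", False, 1, 4),
    Item("Is there a named data controller?", False, 1, 2),
]

if __name__ == "__main__":
    for question, quad, s in build_register(SAMPLE):
        print(f"{s:>3}  {quad:<22} {question}")
    print(quadrant_counts(SAMPLE))
```

Items answered "yes" drop out of the register so the Supervisor sees only open gaps; the High Risk/High Impact quadrant naturally rises to the top, and the quadrant counts give the Board a one-line summary of where the assessment stands.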