FORT WORTH, Texas -- Established two years ago, the Credit Union Information Security Professionals Association (CUISPA) offers credit union information technology professionals resources through a collaborative peer network. High on its list of priorities is serving as a platform for knowledge exchange. More than 100 industry professionals participated this year in the organization's leading knowledge exchange event, CUISPA's 2nd Credit Union IT Risk Management Summit, held at the Worthington Hotel Jan. 29-31.
Industry experts discussed topics including IT security program strategies, enterprise risk management, managing service providers, multi-factor authentication, the latest phishing techniques, social engineering, incident response planning, disaster recovery and business continuity planning.
In its progress report to the membership, CUISPA Executive Director Kelly Dowell announced that the organization will continue to establish chapters around the country. CUISPA currently has 21 chapters in 12 states, and a number of requests pending. Chapters meet quarterly for education and discussion of current issues.
CUISPA is looking at additional educational delivery channels. It will be surveying its membership to determine "hot topics" for one-day regional educational workshops this year. The organization also will consider expanding the use of Webcasts for its members, an option piloted in 2006. In addition, CUISPA is evaluating the possibility of holding an additional IT risk management conference in 2007 on the east coast.
A leading organizational initiative for 2006 was to establish a set of security standards that information technology vendors must meet to be evaluated for contracts with credit unions. Performing due diligence on these companies is a tedious undertaking, and credit union IT professionals, for the most part, have been unable to obtain assurance that their vendors are taking the same precautions with member data that are required of credit unions. Joe Visconti, of Visconti Consulting and formerly of the NCUA, is heading up the project.
A SAS 70 report, while perhaps a step in the right direction, prescribes no control objectives and no performance checklist: the service organization defines the controls the auditor tests, so two vendors' reports need not cover the same ground, and a report is not a certification that the vendor's controls are adequate. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants.
"SAS 70s are general reviews that are practitioner focused and rely on the third party to establish control objectives," Visconti told the audience.
"After a substantial amount of research on the topic, CUISPA has found that a publicly available standard already exists through BITS, a nonprofit CEO-driven consortium of 100 of the largest financial institutions in the United States. We have performed a trial with a credit union using the BITS standard to assess one of its potential vendors, and it worked well. We are in the early stages of talking with BITS to see how we can cooperate in getting this standard out to more vendors."
"The BITS program is financial institution focused with measurement based on known standards (the ISO 17799), established control objectives and procedural test checks," Visconti said.