AdvantageCIO

Information Security and Technology solutions to fulfil your credit union’s compliance needs.

Contact an AdvantageCIO associate today to learn more about the services designed to help you allocate your time and resources more effectively and efficiently as part of a robust security strategy.

Introduction

Information security has never been more challenging than it is today. Current trends such as a mobile workforce, BYOD, and cloud computing mean that more of your staff and clients are accessing sensitive business information from more places and in more ways than ever before.

For the credit union, the challenge is to protect this information from loss, from theft, and from increasingly sophisticated threats, while at the same time addressing privacy, compliance, and risk management mandates. Keeping up with the continuous changes, whether to the threat environment you operate in, or the new technologies and strategies developed to remain competitive, requires a depth of expertise and experience that most organizations do not possess internally.

Who we are

The experienced technology consultants at AdvantageCIO are focused on the specific needs and requirements of the credit union industry, serving organizations large and small.

Our experts offer a unique blend of technology and business experience and understand how to align IT with your business goals, leveraging emerging technologies to strengthen your security posture, while maximizing the returns from shrinking budgets.

*AdvantageCIO is a technology consulting division of CU*Answers.

   

See what AdvantageCIO has to offer!

AdvantageCIO products are now available to order in the store.

Shop AdvantageCIO

Services from AdvantageCIO

Cybersecurity Compliance Bundle

The Cybersecurity Compliance Bundle is AdvantageCIO’s approach to providing all of the documentation and cybersecurity action items that credit unions need to complete. It consists of items directly noted in the Gramm-Leach-Bliley Act, as well as the NCUA’s ACET assessment. We will complete each of the items shown below on an annual basis. With AdvantageCIO guiding your team through the process, the bundle will not only address the regulatory requirement but also help prepare you for your next examination or audit.

Included in the Cybersecurity Compliance Bundle are:

  • Information Security Risk Assessment
  • Comprehensive Information Security Program and Policies
  • Incident Response Plan
  • Business Continuity Plan
  • Annual Report to the Board (GLBA)
  • IT Audit and Exam Preparation

*Each item listed above is also available as a stand-alone service.


Information Security Risk Assessment

The purpose of the Information Security Program is to ensure the security and confidentiality of sensitive information, to protect against anticipated threats or hazards to the security or integrity of that information, to protect against unauthorized access to or use of that information, and to ensure the proper disposal of sensitive information. Designing an effective Information Security Program requires an understanding of how the information and information systems are used at the organization and the inherent and residual risks that threaten the security of that information.

Building on the information gathered during the Technology Assessment, the Information Security Risk Assessment reviews and evaluates the physical, logical/technical, and administrative controls currently in place to determine where deficiencies exist. These include policies and procedures, authentication and access controls, data security and encryption, security monitoring, service provider oversight, and much more. The results are provided in a detailed, NCUA-compliant report with categorized risk levels and prioritized recommendations for further mitigation.


Comprehensive Information Security Policies (CISP)

The true strength of the Information Security Program can often be found not just in the strategies implemented, but in the relevance and completeness of the policies used to maintain and enforce it. These policies are the guardrails along the sides of the highway that enable your business to operate effectively, efficiently, and securely.

Whether refining existing policies or designing them from scratch, our experienced information security professionals will work with you to develop NCUA-compliant policies including:

  • Acceptable Use
  • Access Controls
  • Patch Management
  • Social Media
  • Data Encryption
  • Security Training
  • Incident Response
  • Records Retention
  • Vendor Oversight
  • and more.

Business Continuity Plan with BIA

Business Continuity is defined as “the ability to maintain operations and services, both technology and business, in the event of a disruption to normal operations and services.” Having a recovery plan to “put things back together” when they fail is no longer sufficient. What’s now required is a plan to “continue serving” your members, even during a disruptive event.

Building on the information gathered during the Business Impact Analysis (BIA), we are able to prioritize our efforts in developing continuity and recovery strategies to minimize the probability and impact of downtime to business operations. The results are a Business Continuity Plan tailored to your business operations and environment and a testing schedule to validate the procedures in the plan and train personnel on their roles and responsibilities within the plan.

Incident Response Plan

Credit unions large and small are required to develop and test an Incident Response Plan as part of their Information Security Program. The written plan should identify likely scenarios, including the steps the credit union will take to identify the nature and scope of an incident, to contain and control the incident, and to notify key stakeholders when warranted. The same certified professionals who currently oversee the Business Continuity and Response Program at CU*Answers will assist your credit union in the planning, development, and implementation of your Incident Response Plan.

Annual Report to the Board

The Board of Directors (or appropriate committee) is responsible for satisfying the requirements to ensure that the information security program is developed, implemented, and maintained under the supervision of those who are ultimately responsible. To meet this requirement, the members of the Board must be regularly informed of the overall status of the program and compliance with security guidelines. That’s the purpose of the annual report.

The annual report to the Board of Directors will include an ongoing risk management report, examination response and resolution plan, third-party audit results, and any incident response and breach activity.

IT Audit and Exam Preparation

On a regular basis, auditors and examiners will review the Information Security Program to ensure it meets regulatory compliance and security best practices. This process usually involves a list of pre-exam questions and requested documentation. Our information security professionals will assist you in answering the questions and preparing the requested documentation, as well as assist in developing the response to the provided report.

Additional Services

In addition to the Cybersecurity Bundle, AdvantageCIO offers the following ancillary services:

Board Literacy Training

Cybersecurity is top of mind for all financial institutions, and AdvantageCIO would like to help your board with Cybersecurity Literacy Training. We have our fingers on the pulse of the strategic, board-level concepts and emerging trends that your board will want to understand. We present and discuss in non-technical terms and can help bridge the areas of credit union business, technology, and cybersecurity. We encourage credit unions to use this training on an annual basis to stay up to speed on this quickly evolving landscape.

Tabletop Exercises

We will pick from a number of business continuity or incident response scenarios and then engage your team with questions, decisions, and regular inputs as you gain information. At the end of the exercise, we’ll provide some gap analysis on where we think your next training and conversation should focus. These tabletop exercises are invaluable in raising awareness and dialing in your response time in the event you need to mobilize your credit union’s response plan. Remote engagements will be performed over a Zoom session. In-person engagements are subject to schedule availability, and the client will cover travel expenses.

General IT Consulting

Technology is in a constant state of change. When balancing the business needs for productivity and performance while at the same time managing security risk, all within the confines of a limited IT budget, what’s a credit union to do? The General IT Consulting service was created to address those needs at the credit union that are not typically part of any other assessment or product bundle.

   


Updated
May 13, 2025