Liam Kelly, MSc IT, MSCE NSF

meatcologne, Internet and Web Applications

3 Nov 2013


Rule 71 Credit Union Act 1997

71.

(1) Subject to subsection (2), during his term of office or at any time thereafter, an officer or voluntary assistant of a credit union shall not disclose or permit to be disclosed any information which concerns an account or transaction of a member with, or any other business of, the credit union.

(3) As soon as practicable after the beginning of his term of office or, in the case of any person whose term of office began before the commencement of this section, after that commencement, every officer or voluntary assistant of a credit union shall, in such manner as the Registrar may determine

  (a) be informed by the credit union of his obligations under this section; and

  (b) in writing acknowledge that he has been so informed and understands his obligations.

(5) A person who contravenes subsection (1) shall be guilty of an offence.

(6) In any proceedings for an offence under this section, the onus of proving that any of the paragraphs of subsection (2) excludes a disclosure from subsection (1) shall lie on the person who made or permitted the disclosure.



Data Protection Act 1988 and 2003

The Eight Rules of Data Protection

1. Obtain and process the information fairly
2. Keep it only for one or more specified and lawful purposes
3. Process it only in ways compatible with the purposes for which it was given to you initially
4. Keep it safe and secure
5. Keep it accurate and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it no longer than is necessary for the specified purpose or purposes
8. Give a copy of his/her personal data to any individual, on request.


Risk assessment of IT System

IT Policy

Rating scale: Risk 1-5, Impact 1-5

Does an IT Policy exist
Does it meet legal requirements
Is someone responsible to ensure a review of policy
  external independent IT consultant to review your IT policy
Is data protection covered in the Policy
Is there a named data controller (yes/no)
Are the functions of the data controller outlined (yes/no)
Risk assessment of IT System

IT Policy

Is data encryption covered
Is data recovery covered in the event your IT provider goes out of business
Is there a service level agreement (SLA)
Is the level of service specified in the SLA
Is continuity/disaster recovery planning specified
MIS reporting required from the IT system


Risk assessment of IT System

IT Policy

CUSCO and ILCUnet ready
Login privileges policy
Account access policy
Internet access policy
Back Office usage policy
Is the level of public liability insurance your IT provider should have specified

Risk assessment of IT System

Service Level Agreement (SLA)

Is there a service level agreement (SLA) in place with your IT provider
Who wrote the SLA
Has the SLA been independently assessed
Is continuity/disaster recovery planning part of the SLA
What level of staff/resources has the IT provider to cater for a crash
What is your down time and who pays the cost


Risk assessment of IT System

Service Level Agreement (SLA)

How long would the CU be out of business according to the SLA
Who pays the cost of the outage
  is this covered in the SLA
Is hardware warranty covered in the SLA
Is data protection covered in the SLA
Is the data safe and recoverable in the SLA
Is the data encrypted
Is there an encrypted copy of the data on site also


Risk assessment of IT System

Service Level Agreement (SLA)

What local hardware protection is in place to ensure recovery from disaster
  operating system/application server: mirror recommended
  data server: RAID 5 recommended
What firewalls exist to protect your data, internally and externally
Is the data server separate from the application/operating system server
Does the SLA meet the IT policy requirement, i.e.
  Who has login privileges
  Is there an account access policy (who can do what once logged on to your IT system)
  Is there a login/user privilege policy, i.e. can a teller set passwords
  Is there a notification system when a system's policy is altered
  Is there a notification system if account details are changed in the back office


Risk assessment of IT System

Service Level Agreement (SLA)

Is there an upgrade/update agreement
Is there a deployment policy for updates/upgrades
Where is the backup data stored off site
  one copy of an entire backup must be off site
  what policy and procedure has the IT provider in place to ensure it is 100% not compromised
If the backup of the server is in the IT provider's office, where does he back up his servers? After all, your data is on his server
What access does the IT provider have to your data
Ownership of your data if the IT provider changes or goes out of business


Risk assessment of IT System

Risk/impact matrix

  High Risk/Low Impact   |  High Risk/High Impact
  -----------------------+------------------------
  Low Risk/Low Impact    |  Low Risk/High Impact
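A worked example of how the deck's scoring method could be applied to its own checklist questions. This is an added example, not code from the original slides or from the author; it uses the slides' 1-5 risk and impact scales and their four quadrants, and it assumes a cut-off of 3 or more to count as "High" (the slides state no threshold, so HIGH_THRESHOLD is a constructed value). The sample answers and their scores are constructed for illustration.

```python
"""Risk/impact scoring for an IT-system risk assessment checklist.

Added example (not from the original slides). It uses the deck's own 1-5
risk and 1-5 impact scales and its four quadrants (High Risk/High Impact,
High Risk/Low Impact, Low Risk/High Impact, Low Risk/Low Impact).
Assumption: a score of 3 or more counts as "High"; the slides give no
threshold, so HIGH_THRESHOLD is a constructed value you can change.
"""
from dataclasses import dataclass

HIGH_THRESHOLD = 3  # assumed cut-off on the 1-5 scale; not stated in the slides

QUADRANTS = (
    "High Risk/High Impact",
    "High Risk/Low Impact",
    "Low Risk/High Impact",
    "Low Risk/Low Impact",
)


@dataclass(frozen=True)
class ChecklistItem:
    question: str       # one of the yes/no questions from the checklist
    answered_yes: bool  # "yes" means the control is in place
    risk: int           # likelihood that the gap is exploited, 1-5
    impact: int         # consequence for the credit union, 1-5


def _validate_score(value: int, name: str) -> None:
    # Reject anything outside the deck's 1-5 scale instead of silently classifying it.
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be on the 1-5 scale, got {value}")


def quadrant(risk: int, impact: int) -> str:
    """Map a (risk, impact) pair onto one of the four quadrants of the matrix."""
    _validate_score(risk, "risk")
    _validate_score(impact, "impact")
    high_risk = risk >= HIGH_THRESHOLD
    high_impact = impact >= HIGH_THRESHOLD
    return f"{'High' if high_risk else 'Low'} Risk/{'High' if high_impact else 'Low'} Impact"


def open_findings(items):
    """Return the items answered 'no' (control missing), each tagged with its
    quadrant and a numeric score, ordered so the worst finding comes first."""
    findings = []
    for item in items:
        if item.answered_yes:
            continue  # control present: nothing to report
        findings.append({
            "question": item.question,
            "quadrant": quadrant(item.risk, item.impact),
            "score": item.risk * item.impact,  # 1..25, used for ordering only
        })
    findings.sort(key=lambda f: (-f["score"], f["question"]))
    return findings


def summary(items):
    """Count open findings per quadrant; all four quadrant keys are always present."""
    counts = {q: 0 for q in QUADRANTS}
    for f in open_findings(items):
        counts[f["quadrant"]] += 1
    return counts


# Constructed sample answers for a handful of the deck's questions; the
# risk and impact scores are illustrative, not taken from the slides.
SAMPLE_ITEMS = [
    ChecklistItem("Does an IT Policy exist", True, 4, 4),
    ChecklistItem("Is the data encrypted", False, 4, 5),
    ChecklistItem("Is there an encrypted copy of the data on site also", False, 2, 4),
    ChecklistItem("Is there a service level agreement (SLA) in place", False, 3, 2),
    ChecklistItem("Is there an upgrade/update agreement", False, 2, 2),
]

if __name__ == "__main__":
    for f in open_findings(SAMPLE_ITEMS):
        print(f"{f['score']:>2}  {f['quadrant']:<22}  {f['question']}")
    print(summary(SAMPLE_ITEMS))
```

Ordering by the product of risk and impact is a common way to rank items within the matrix; the quadrant, not the product, is what the slides use, so the score here is only a tie-breaker for presenting the findings to the Board.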

Risk assessment of IT System

Cloud Computing

IT providers are offering you an electronic document solution on a cloud.

What is cloud computing
  1) provision and storage of data electronically
  2) via the internet
  3) using a computer

Two well-known examples: Google Docs, Microsoft Sharepoint

Where does the cloud sit
  your data must exist on a hard drive somewhere
  a cloud just means you access the data in a different manner than if the server was sitting physically in your CU.


Risk assessment of IT System

Cloud Computing

Operations side of CU

Is Cloud Computing covered under an SLA
  Level of service
  Bandwidth
  Teller operation time
  Backups
  Access/login policy/backup policy
  Recovery policy
  Printing
  Firewalls
  Data encryption etc.
  Security of traffic to and from the cloud
  Standards specified and checked
  Continuity planning

Risk assessment of IT System

Cloud Computing

Board/management side of CU

Is Cloud Computing covered in the IT policy
Who owns the data
  data stored in some site can mean joint ownership
Who has access to the data
  some cloud providers' computer systems are compromised
Where is the server that your data sits on
  your data must come under the European data legislation
  documents stored on sites in the USA are covered by their legislation
Where exactly is your cloud
  if the provider is in England, it may not be the case that the cloud is in England: in a recent case the data was actually stored on a server in India.
IT provider to the IT provider
  what is your guarantee
Public liability insurance
  public liability of the IT provider's providers
Whose law covers the cloud

Risk assessment of IT System

In order to carry out a risk assessment, Supervisors need to advise themselves of the appropriate questions to ask.

To this end we recommend you get an external independent advisor to ask the right questions for you and give you the right answers.

Remember the CU Board shall cover reasonable expenses necessary for you to carry out your job.