Establishing Secure Data Management Best Practices
Allied Solutions shares four important data management tactics for credit unions.
“Data Breach Announced” is a headline no organization wishes to see, and yet, it appears more frequently year after year. Organizations have to handle a variety of different data sources in order to operate effectively. Financial institutions are no exception. Most organizations partner with vendors, and in all likelihood, those vendors have vendors of their own. Data management quickly escalates to include third-party (and in some cases, even fourth-party) data. You should be taking steps to ensure your organization is establishing secure data management best practices.
Four Important Data Management Tactics for Credit Unions
1. Data Security
Security protocols should include a comprehensive management system that provides a proactive approach to building more stringent security measures and continues to keep your data secure. Here are some practical questions to ask:
- How is your data stored? Data should be housed in a physically secure environment with 24/7 monitoring that restricts access to authorized individuals and detects all access attempts. Systems and devices processing or holding data should also be protected with encryption, antivirus and/or antispyware software.
- How are you testing your network? Rigorous security testing provides opportunities to test the current protocols in place and create (or recreate) attack simulations. Security testing can include penetration testing, code scanning or vulnerability assessments as a few examples.
- What are your security operations and protocols? Security controls should be developed, operationalized and monitored to protect your data. These operations can include a comprehensive control framework, playbooks and incident response preparedness activities to ensure that threats are prevented, detected, triaged and responded to.
2. Data Compliance
Compliance protocols help establish vendor management protocols and due diligence expectations for both internal and external use. It’s important to regularly review any updated regulations with your counsel to determine what additional steps and disclosures you may need to add to remain industry compliant. Here are some practical questions to ask:
- Do you have an established vendor management program? A third-party risk management program helps prevent data exposure that may originate from your vendor and vendors’ vendors through an established set of protocols.
- How often do you review audits? A comprehensive, independent risk audit (e.g., a SOC 2 report) can help identify and resolve data security weaknesses or threats at your vendors. An independent external audit helps give assurance that proper security controls are in place.
- Are you remaining educated on changing legislation? Stay educated on legislative requirements and how they impact your business operations. For example, recent legislation on data privacy requires consumer consent and disclosure notices to be shared.
3. Data Privacy
Credit unions not only need to protect their data, they need to have processes that comply with privacy legislation and best practices. Here are some practical questions to ask:
- What is our privacy policy? Privacy policies should be implemented in day-to-day operations and regularly reviewed and assessed for compliance updates. In the wake of new data privacy laws like GDPR, CCPA and GLBA, organizations are being held accountable for their data management.
- How are we protecting member data? Establish a data governance program that helps data remain protected, private and secure. This includes placing safeguards, establishing internal employee controls, developing employee training and adapting technology solutions to help manage member data effectively and responsibly.
4. Data Reliability
Data management systems need to be regularly accessible and reliable. This means regularly assessing the quality of the controls and protocols in place. You need to be prepared to act appropriately in the event of a data breach, so make sure you have a plan. Here are some practical questions to ask:
- Do we have a business continuity plan in place? A documented plan identifies processes for managing response activities and recovering operations without neglecting security or compliance. These plans ensure that the impact of a service disruption to consumers is minimized.
- What are our quality controls? Build and implement quality controls at key points within your data management system. Controls should be routinely audited by internal and trusted third parties to ensure that any defects are caught and remediated early. Processes such as code reviews, non-production environments, and both automated and manual QA testing can help find issues early in the process.
Data regularly flows outside of the credit union, and it remains an important responsibility to ensure employees and vendors follow data management best practices to keep consumers and your business protected.
Joshua Gideon is Manager of Audit, Risk & Compliance for Allied Solutions in Carmel, Ind.