Upload: doanlien

Post on 04-Jun-2018


Checklist: Credit Union Information Security and Privacy Policies

Policy Description

Acceptable Use Policy

Describes the permissible and prohibited uses of the credit union’s information resources, including information assets, systems, and networks. Users typically must agree (in writing) to the terms of the Acceptable Use Policy prior to being granted access to the credit union’s network. Jurisdiction-specific provisions may be required to comply with foreign law.

Access Control and Password Management Policy

Provides a framework for preventing unauthorized access to information resources by implementing standardized authentication controls. The controls listed in this policy typically include password strength specifications, periodic mandated password changes, two-factor authentication requirements, and prohibitions on sharing authentication credentials, among others.

Background Check Policy

Describes the process the credit union follows when obtaining and reviewing background check material, including consumer reports that may contain criminal and financial records, with regard to prospective and current employees of the credit union.

Backup and Recovery Policy

Sets forth the requirements for the proper copying, storage, and handling of the credit union’s electronic records and other information resources.

Bank Secrecy Act/Anti-Money Laundering/OFAC USA Patriot Act Compliance Policy

This policy sets forth the requirements under the Bank Secrecy Act and other related money laundering regulations.

Change Management Policy

Policy that governs any changes to the credit union’s information systems and any software, hardware, or computing devices that connect to any such system.

Children’s Online Privacy Protection Act (COPPA) Compliance Policy

This program implements the provisions of COPPA and includes providing a privacy notice on the credit union’s website and a notice to parents regarding the inadvertent collection of a minor’s information and procedures for identification and deletion.

Compliance Audit Policy

Establishes how the credit union will monitor compliance with all applicable laws, regulations, contractual obligations, legal processes, and internal requirements with regard to data security and the security of the credit union’s information resources generally.

Contingency Funding Plan

Provides strategies for addressing liquidity shortfalls in emergency situations.

Page 2 of 6 605974905.1

Data Retention and Disposal Policy/Vital Records Preservation Program Policy

Governs the manner in which the credit union stores data, and for how long, including by establishing guidelines and processes for securely destroying data that is no longer needed or is scheduled for disposal. Usually references the credit union’s retention schedules that detail the specific lengths of time for which different categories of records will be retained. Also includes the policy for the credit union’s retention of vital records.

Desktop Computer Security Policy

Addresses the processes and procedures the credit union implements to protect its desktop computing resources and related systems from unauthorized access.

Disaster Recovery and Business Continuity Policy

Establishes the credit union’s policies and procedures for protecting data and information resources, including communication systems, to help ensure that the credit union will have access to its information in the event of a natural or man-made disaster. Also outlines a plan to continue business operations with minimal impact in the event of disruptions caused by different types of disasters.

Email and Instant Messaging Policy

Defines permitted and prohibited uses of the credit union’s email and instant messaging resources.

Encryption and Key Management Policy

Sets forth requirements for the use of encryption techniques to prevent unauthorized disclosure of information resources, including personal data and proprietary information, when such information is transmitted electronically or stored by the credit union.

E-Sign Act Policy

Provides policy and procedures regarding the use of electronic records.

Fair Credit Reporting Act Policy

Provides procedures for implementing and complying with the Fair Credit Reporting Act.

Fiduciary Duties Policy

Provides for the fiduciary duties of the Board of Directors, which include the Board’s responsibilities for the credit union’s information security program as well as the Vital Records Preservation Program.

Firewall/Router Policy

Establishes the information security requirements for all firewalls and routers deployed on the credit union’s external- and internal-facing network interfaces.

Information Assets Policy

Provides a framework to identify and inventory the credit union’s information assets, which may include any type of records or data, software, physical assets (e.g., computer equipment), services, and internal know-how. Details how the credit union will respond to, and resolve, any variances with respect to information assets.


Information Classification Policy

Describes the credit union’s criteria for classifying the data it collects, generates, processes, and stores for purposes of assigning the appropriate level of security protection to be applied to each class of data.

Information Handling Policy

Defines the requirements for handling and labeling electronic records, hard copy documents, and other media in accordance with how information is classified pursuant to the information classification policy.

Information Security Incident Response Policy

Outlines the processes by which the credit union, with appropriate leadership and technical resources, will act in a consistent manner to respond to an information security incident that threatens the availability, confidentiality, or integrity of the credit union’s information assets, systems, or networks.

Information Security Program Policy

Establishes the overall information security program for protecting member information from internal and external threats and preventing the destruction of vital records, including layered security, member account authentication, multifactor identification of members, and a risk assessment process.

Information Security Program Governance Policy

Establishes the internal management structure within the credit union with respect to information security, and sets forth the requirements for defining, documenting, communicating, and assigning accountability for information security.

Mobile Computing Policy

Sets forth the standards and processes the credit union has established to (1) protect and secure the credit union’s information resources from unauthorized access by mobile devices; and (2) reduce the risk of loss or theft of mobile devices connected to the credit union’s network.

Monitoring and File Integrity Policy

Identifies the internal control processes in place to monitor and protect the credit union’s information resources and infrastructure from intentional and unintentional unauthorized access, use, modification, disclosure, destruction, or other compromise.

Patch Management Policy

Describes how the credit union maintains a consistently configured network environment that is secure against known vulnerabilities in operating systems and software, in pertinent part by requiring that systems be updated promptly and accurately with security protection mechanisms (patches).

Physical and Environmental Controls Policy

Sets forth the standards and processes by which the credit union mitigates risks posed by threats to relevant physical environments, particularly the facilities owned or leased by the credit union that house information technology assets.

Privacy Policy

Provides for the non-disclosure of nonpublic information, the determination of whether nonpublic information will be shared, and the proper delivery of disclosures.

Privilege Management Policy

Describes the varying levels of user access privileges for different types of users of a credit union’s network, provides a formal authorization process for granting privileges, and mandates periodic reviews of access to such privileges.

Protection from Malicious Software Policy

Sometimes referred to as an “anti-virus” policy, this document establishes how the credit union safeguards and controls its information systems and infrastructure through vigilant, continuous monitoring and remediation of viruses, malware, and other software-related vulnerabilities that may impact the credit union’s information systems.

Remote Access and Mobile Computing Policy

Provides the framework for the protection of the credit union’s information resources from unauthorized remote access to the credit union’s network. Describes how the credit union formally reviews and approves remote access connections before any access is granted to the credit union’s information technology infrastructure, and how the credit union maintains and monitors the security of remote access connections on an ongoing basis.

Removable Media Policy

Establishes standards and processes to protect the credit union’s data, systems, and other information resources from unauthorized access through the use of removable media devices such as USB thumb drives, memory sticks, external hard drives, MP3 players, CD-R/RW devices and DVD-R/RW devices.

Security Audit Policy

Dictates how the credit union implements systematic evaluation processes to (1) analyze the security of its information systems; and (2) measure how well the credit union complies with established criteria.

Security Awareness and Training Policy

Outlines the ways in which all authorized users of the credit union’s information systems and networks are made aware of policies regarding the classification of, access to, and appropriate use of, the credit union’s information resources.

Selection, Retention, and Evaluation of Service Providers Policy

Provides criteria for evaluating the privacy and information security posture of potential third-party service providers, establishes specific terms concerning privacy and information security that must be included in service provider agreements, and describes how the credit union monitors its service providers’ compliance with the relevant contract terms and applicable legal requirements.


Software Installation/Download Policy

Sets forth how the credit union minimizes the risk of malicious code infecting its information systems by controlling how software is downloaded and installed on network devices. This policy is typically directed towards departments that evaluate, test, or install new tools and facilities.

System Assurance and Risk Assessment Policy

Establishes standards for the continuous monitoring of information security processes and controls, and describes how the credit union conducts internal risk assessments (and engages third parties to perform risk assessments) to verify that the mechanisms in place to protect the credit union’s information resources are operating effectively.

Third Party Connectivity Management Policy

Dictates the credit union’s requirements for reviewing and approving electronic or technical connections between the credit union and third parties that require access to the credit union’s systems, before any third-party devices are permitted to connect to the system.

Vulnerability Management Policy

Defines the level of security the credit union is to maintain over its information resources and network, sets guidelines for vulnerability management practices, classifies various types of credit union-specific vulnerabilities, and mandates periodic scans of the network for vulnerabilities.

Website Policy

Written policies or procedures to address implementation and ongoing management of the credit union’s website.

Wireless Policy

Sets security control requirements for the implementation and use of wireless devices and wireless networks used by the credit union and its employees.

Workforce Security Responsibilities Policy

Establishes which departments, groups, and individuals within the credit union are responsible for specific information security safeguards, and describes how the credit union verifies that only appropriately trained and vetted parties have access to systems or processes that may create information security risks for the credit union.

PRIVACY POLICIES

Privacy Governance Policy

Establishes the governance structure for the credit union’s privacy program and outlines the requirements for defining, documenting, updating, communicating, and assigning accountability for the credit union’s privacy policies and procedures.

Member Notice Policy

Sets forth the requirements for providing appropriate notice to members regarding the credit union’s privacy policy and practices with respect to the collection and use of members’ personal information.

Member Information Collection Policy

Describes the circumstances under which, and the means by which, the credit union collects members’ personal information, and identifies situations in which the credit union must provide notice and obtain consent from members before collecting such personal information.

Member Consent and Preferences Policy

Identifies the requirements for obtaining and managing member consent and preferences with regard to the collection, use, disclosure, or any other processing of their personal information.

Member Access and Amendment Policy (Canada / EU)

Describes how the credit union provides access to, and allows for amendment of, members’ personal information that is processed in, or which originates from, Canada or the European Union.

Member Personal Information Integrity Policy

Details the steps the credit union takes to keep members’ personal information accurate, complete, and current, and describes how the credit union amends inaccurate personal information of any member who so requests.

Member Inquiries and Complaints Policy

Establishes the process by which the credit union manages member complaints and inquiries regarding its policies for collecting, storing, and processing members’ personal information.

Privacy Violations Policy

Mandates the reporting of violations of the credit union’s privacy policies, and any applicable privacy laws or regulations, and details the sanctions that may be imposed for such violations.