This document summarizes a discussion on data protection for credit unions. It introduces the moderator and the peer panelists, who work in credit union IT. The agenda covers the increasing complexity of IT environments and data growth, compliance requirements, data loss threats, and methods to protect data. Technologies and practices mentioned that can help include backups, determining recovery time objectives, onsite vs. offsite storage, cloud storage, and site replication. The discussion emphasizes the need to identify all data to protect, have multiple recovery points, ensure data is encrypted, run the solution unattended, and keep data out of the region in accordance with compliance requirements. Questions from attendees were taken at the end.
2. MEET YOUR MODERATOR
Lee Bird, President, Btech
Btech specializes in affordable, managed IT security services for credit unions.
Btech works with over 120 credit unions throughout the United States. Btech helps credit unions meet compliance goals by implementing and managing security services.
3. PEER PANELISTS
John Lockie, AVP of Infrastructure and Security, Caltech Employees FCU
Rick Menjivar, Chief Information Officer, Chaffey FCU
7. HOW SHOULD I START PROTECTING DATA?
1. Determine RTO (Recovery Time Objective)
• Define RTO for all data
• Use the appropriate data protection technology based on the required RTO
• Protect all data
2. Determine Onsite vs. Offsite Requirements
• Onsite for DR’s or data loss where site is still available
• Offsite for DR’s where access to data center isn’t possible
• “Out of the region” – Compliance requirements
8. WHAT DO I NEED TO KNOW ABOUT COMPLIANCE?
NCUA Rules – Do you know them?
• Encryption of electronic member information
• Measures to protect against destruction, loss or damage of member information
• Regularly test the key controls, systems and procedures of the InfoSec program
Gramm-Leach-Bliley Act (GLBA)
9. DO THESE TECHNOLOGIES COVER ALL MY DATA PROTECTION NEEDS?
Challenges with these technologies
10. POINT-IN-TIME BACKUP
• Regularly scheduled backups
• Unattended
• Multiple Copies of the same data
• Multiple retentions over a pre-defined period of time
- Daily, weekly, monthly, annual retentions
11. WHAT ABOUT BACKING UP TO TAPE VERSUS DISK?
CHALLENGES WITH TAPE
• Slow
• Tapes need to be replaced annually
• Transfer of tapes off-site
- Are they out of the region?
- The cost for an offsite storage vendor
• Security
- How many people are touching my tapes?
• Tape audit
- All tapes must be accounted for, all the time, otherwise must report possible loss of member information.
12. WHAT DOES CLOUD BACKUP BRING TO THE TABLE?
• Cloud for DR if region is affected
• Cloud so that protected data is out of the region
• Site replication or CDR for low RTO
• Can have a local copy for quick recovery
PUBLIC vs. PRIVATE
13. SUMMARY: WHAT ARE DATA PROTECTION “MUST-DOs” FOR CREDIT UNIONS?
• Identify all data to be protected
• Break down data recovery into RTO’s
• Have multiple data points for recovery
• Data must be out of the region
• Data must be encrypted
• Solution must be unattended – What does this mean?
17. THANK YOU!
Lee Bird, President, Btech
221 E. Walnut Street, Suite 138
Pasadena, CA 91101
626-397-1045 | leebird@btechonline.com
Editor's Notes
Moderator introduces himself
I’m Lee Bird, President of Btech. I started Btech in 1989, and since 2000, we have worked exclusively with credit unions – providing IT security services using “best of breed” technology.
We currently work with over 120 credit unions throughout the United States.
--Introduce John
--Introduce Rick
Thank you John and Rick and let’s dive right in
Today we’ll be taking a look at these Agenda Items as we learn how today’s Credit Union IT professionals and managers can succeed in a quickly changing and complex environment. We’ve got two great guest panelists – they are YOUR PEERS – TWO CONSUMER CREDIT IT PROS – who will share their recent experiences.
Here’s a look at the Credit Union Landscape today. These are just some of the challenges CU professionals face.
We are all seeing a lot of data growth! Is it all just imaging data? Or, are you seeing other areas – like maybe email or email archive – with lots of data growth.
John, let’s get started by asking you “Why has data protection surfaced as such a huge challenge for CU professionals?”
(Answer)
Rick, what about you? Is there ONE SINGLE factor that is making your job tougher these days?
Let’s start with data loss. We need to remind ourselves that there are so many ways that credit unions can lose on-premise data.
Better hardware has made some of us complacent in our data protection strategies. We just don’t see crashed HDD’s or broken RAID arrays like we used to.
Human error remains the number one way that valuable data is lost. And these days of course, everyone is talking about ransomware, the malware that can encrypt your data while cyber crooks demand payment to unlock it. That’s before we get to the havoc Mother Nature can wreak on systems and the outages and failures that are part of doing business.
Here are some thoughts on looking at your data protection strategies. Do you ever consider RTO? What about Onsite vs. Offsite?
Rick, how difficult is it to determine what you are able to keep on premise?
John, how have you met or tried to meet offsite compliance requirements?
Rick and John, what do you feel is best practice for “out of the region” compliance? After all, Hurricane Sandy affected 4 of the 10 FEMA Zones.
What’s the number one challenge compliance poses for credit unions?
Does anyone else feel that some of the rules are ambiguous?
What about the FFIEC’s requirement for data encryption? That counts as data protection, right?
Goes over the NCUA Basics. What it means for Credit Unions.
Do you feel like we have started forgetting about basic “data backup” because of all of the new technologies out there?
While newer data protection technologies may offer a lower RTO, do they have limitations in their ability to protect all data?
Asks panelists for their experience with any of these, or challenges
Let’s talk about Point-in-Time Backup and Why It’s so Important to Today’s Credit Unions.
I strongly feel that there is still a need for point in time backups, even though I’m seeing some CU’s get rid of them in favor of other technologies. This leaves a big gap in the ability to recover data based on certain scenarios.
John, how does point-in-time factor into your strategy?
Rick, can you explain how these factor into NCUA compliance?
I won’t ask for a show of hands – but, how many of you still have a tape drive? It’s still out there!
Backing up to a portable USB is like a tape – isn’t it?
What about backing up to a disk vault – an appliance.
Lee highlights pros and cons of tape. Moderator’s choice on whether panelists have input here. Lee likely hears plenty of “tape” stories, as most attendees do. Tape isn’t dead and a lot of you in the audience may be using it. But there are significant challenges.
Let’s talk about cloud backup.
I think the Examiners are comfortable with the Cloud now, as long as the vendor is doing their due-diligence, like SSAE-16.
Is your CEO, or the Board comfortable with the Cloud yet? I still see some Executives that aren’t comfortable with the Cloud.
Rick, how has it helped you? Do you test it regularly? Challenges?
John, what did you learn about cloud backup as it relates to credit union landscape?
Lee summarizes key points or MUST DO’s
For panelists:
Do our panelists have any final takeaways?
Or what do panelists think is the biggest challenge moving forward for all credit unions?
Now it’s time for your questions for me, or our panelists
We created a quick checklist for you to get a real Data Protection Score
Thank panelists and audience
Contact information
Question for MZ: How do we want to offer up more extended cheat sheet or detailed Best Practice List?