Versions Compared

...

It is the obligation of financial institutions to protect the security and confidentiality of member client information. To ensure that resources will be adequate, management must be comfortable that the information and/or processing capabilities are adequately protected from loss, misuse, unauthorized access or modification, unavailability, or undetected activities.

...

Confidential - contains systems and data that require protection against unauthorized access in the interest of protecting the organization’s and member’s client’s privacy.

Sensitive - includes systems and data that require some degree of protection due to integrity and/or availability. This includes systems and data whose improper use or disclosure could adversely affect the ability of the organization to accomplish its mission.

...

The IT security verification audit team will work under the direction of the supervisory committee or its designated representative. This should assure the organization’s board of directors and management that the level of knowledge and control about the organization’s IT security program requirements is adequate. Team members clients should include personnel knowledgeable about physical and environmental security, personnel security, information security, application security, hardware and software, telecommunications, technical controls, procedural security, contingency and disaster recovery planning, and risk management. The actual number of team members clients may vary and should be limited to the smallest number possible to cover all areas of concern.

...

Passwords.  For larger systems and networks, user identification and passwords are the primary protection mechanism against malicious software.  If the would-be perpetrators cannot get into the system, they cannot put malicious software on the system.  When possible, all IT systems that are shared resources, including local area networks and multi-user stand-alone systems shall implement a user identification and verification system, such as a USERID and password.  Procedures for establishment, structure, individual accountability, periodic changing and removal of USERID and passwords will be followed.  Passwords to log in to the network and GBS will be required to be changed on a regular basis and must never be disclosed.  Passwords to secure websites such as Members Clients United FCU will also have a password change requirement and also must never be disclosed.

...

Employees should notify their immediate supervisor, the Department Manager or any member client of management upon learning of violations of this policy. Employees who violate this policy will be subject to disciplinary action, up to and including termination of employment.

...