As part of NCUA’s Credit Union Vendor Review Program during 2001, the agency conducted ten credit union vendor information systems and technology (IS&T) reviews. Nine of these reviews were conducted under the authority provided by the Examination Parity and Year 2000 Readiness for Financial Institutions Act (Exam Parity Act)¹. The purpose of this letter is to provide you with a high-level summary of the issues, concerns, and trends evidenced from those reviews. The vendors reviewed were:
| Vendor | Location | Date |
|---|---|---|
| Apex Data Systems, Inc. | Indianapolis, IN | 12/17/2001 |
| Computer Marketing Corp. | Salt Lake City, UT | 12/31/2001 |
| Computer Consultants Corp. | Salt Lake City, UT | 01/14/2002 |
| CU Solutions, Inc. | Fort Mill, SC | 12/13/2001 |
| EPL, Inc. | Birmingham, AL | 09/24/2001 |
| FedComp, Inc. | Fairfax, VA | 07/20/2001 |
| Liberty Enterprises, Inc. | Roseville, MN | 12/08/2000 |
| Share One, Inc. | Memphis, TN | 11/05/2001 |
| SOSystems, Inc. | Orem, UT | 11/29/2001 |
| Western New York Computing Systems, Inc. | Penfield, NY | 12/19/2001 |
The vendor IS&T reviews focused primarily on e-Commerce applications and initiatives provided and/or supported by the vendor. The IS&T scope also included a review of the vendor’s overall operations (management and technical), a high-level analysis of its current financial condition, the adequacy of its capital, and the ability of the enterprise to continue as a going concern.
NCUA’s objectives for the on-site reviews were to:
- perform a high-level review of the vendor’s infrastructure;
- identify and assess the vendor’s information systems and technology risks, with specific emphasis on its network services, web-hosting, and Internet account services;
- gain insights on current issues that vendors and the credit union industry are facing regarding emerging technologies; and
- provide recommendations for areas of improvement.
During the on-site visit, we performed the following steps:
- conducted an introductory meeting to apprise management of the review objectives and process;
- interviewed key staff to identify and evaluate information systems risks, issues, and concerns;
- reviewed documentation regarding strategic information technology (IT) efforts;
- analyzed findings and developed the review report; and
- conducted an exit meeting with management to discuss observations and recommendations.
At the conclusion of the review process, NCUA issued a draft report to the vendor, provided the vendor the opportunity to comment on the observations noted in the report, and issued a final report to the vendor, its credit union customers of record, NCUA staff, and applicable State Supervisory Authorities (see Appendix B for a discussion on report distribution and other frequently asked questions). As part of NCUA’s risk-focused examination program, examiners may use the vendor reports to help them assess the technology and other related risks associated with outsourcing arrangements.
Overall, the vendors reviewed were committed to the goal of providing quality services and products to their customers. The vendors were also receptive to recommendations and suggestions and, when practical, implemented recommended changes prior to completion of the review.
Many vendors shared common underlying weaknesses. It is noteworthy that the impact and associated risks of those weaknesses tended to vary from vendor to vendor due to each vendor’s unique operational environment (technical, managerial, financial, etc.). The key common weaknesses identified were:
- Risk Assessment – Eight vendors either lacked an enterprise-wide risk assessment process or the existing process did not encompass all operational areas.
- Information Security Policies & Procedures – Eight vendors needed to develop or improve their policies and/or procedures regarding the protection of information stored on, or transmitted through, their systems.
- Operating Policies & Procedures – All vendors needed to develop or update existing policies to reflect current operations.
- Disaster Recovery Plan Testing – All vendors needed to enhance their disaster recovery plan testing procedures and controls.
- Incident Response – Six vendors lacked a formal, detailed incident response plan or needed to improve their incident response procedures. In addition, eight vendors needed to improve their ability to detect an intrusion or other incident.
- Internet Commerce Application – Six vendors needed to revise their service level contracts with their credit union customers to include and/or cover rights and responsibilities for the Internet commerce product. Six vendors needed to improve session management controls to enhance security and privacy. Five vendors needed to improve the application’s member privacy controls.
- Financial Audit – Seven vendors did not have audited financial statements.
A further discussion on the preceding issues, as well as a list of additional common issues, may be found in Appendix A.
Each vendor received an overall rating (see Appendix C for the overall rating definitions), which we disclosed in the report. No vendor received an Unsatisfactory rating.
NCUA’s vendor report represents a high-level review as of the dates of the on-site contact at the vendor and should not be construed as an audit. Technology issues, concerns, threats, and vulnerabilities may change on a daily basis. The vendor report is another tool to assist you in managing your vendor relationships. NCUA’s vendor report does not alleviate your responsibility to oversee and manage your vendor outsourcing arrangements. Please review NCUA Letter to Credit Unions 00-CU-11, Risk Management of Outsourced Technology Services, for guidance on managing relationships with technology vendors. NCUA also encourages you to frequently visit its Information Systems & Technology web page (www.ncua.gov/Resources/CUs/IST/Pages/default.aspx) for additional IS&T related information, news, and guidance.
For 2002, NCUA is scheduling reviews for an additional ten vendors. Since NCUA’s authority under the Exam Parity Act has expired, we will conduct these reviews on a voluntary basis. For those vendors that elect not to participate, NCUA will provide notice that the vendor elected not to participate in NCUA’s Vendor Review Program.
If you have any questions or concerns, please contact your NCUA Regional Office or State Supervisory Authority.
¹ NCUA’s authority under the Exam Parity Act expired December 31, 2001. Any review conducted after that date was voluntary on the part of the vendor.