PURPOSE OF THIS POLICY: The purpose of this policy is to ensure that the ORLEX Government Employees Credit Union complies with existing federal and state laws with respect to the privacy and security of members' nonpublic personal information.
GENERAL PROVISIONS: ORLEX Government Employees Credit Union shall protect the confidentiality, security, and integrity of each member's nonpublic personal information in accordance with existing state and federal laws. The credit union will maintain physical, electronic, and procedural safeguards that comply with federal standards to guard members' nonpublic personal information. The credit union will not gather, collect, or maintain any information about its members that is not necessary in order to offer its products and services, to complete member transactions or for other relevant business purposes. The credit union does not, and will not, sell or provide any member information to third parties including list services, telemarketing firms, or outside companies for independent use.
INFORMATION SECURITY PROGRAM: Management of the ORLEX Government Employees Credit Union shall be responsible for developing, implementing, and maintaining an effective information security program to:
- Ensure the security and confidentiality of member records and information,
- Protect against any anticipated threats or hazards to the security or integrity of such records, and
- Protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any member.
Management shall regularly (no less than annually) report to the board on the current status of the credit union's information security program.
ASSESSMENT OF RISK: In order to assess the risks that may threaten the security, confidentiality, or integrity of member information or member information systems, the credit union shall:
- Identify all reasonably foreseeable internal as well as external threats that can result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.
- Determine the likelihood as well as potential damage of the internal and external threats.
- Determine the sufficiency of the credit union's policies, procedures and member information systems to control the identified risks.
MANAGEMENT AND CONTROL OF RISK: In order to manage and control the risks that have been identified, the credit union shall:
- Limit access to the credit union's member information systems to authorized employees only.
- Establish controls to prevent employees from providing member information to unauthorized individuals.
- Limit access at the credit union's physical locations containing member information, such as buildings, computer facilities, and records storage facilities to authorized individuals only.
- Provide encryption of electronic member information including but not limited to information in transit or in storage on networks or systems to which unauthorized individuals may have access.
- Ensure that member information system modifications are consistent with the credit union's information security program.
- Implement dual control procedures and segregation of duties of employees with responsibilities for or access to member information.
- Monitor the credit union's systems and procedures to detect actual and attempted attacks on or intrusions into the member information systems.
- Establish response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies.
- Implement measures to protect against destruction, loss, or damage of member information due to environmental hazards, such as fire and water damage or technical failures.
- Regularly test, monitor, evaluate, and adjust as appropriate, the information security program in light of any relevant changes in technology, and internal or external threats to the credit union's information security systems.
- Regularly test the key controls, systems, and procedures of the information security program.
- Ensure that all contracts with service providers contain appropriate provisions requiring the service providers to protect the confidentiality of the credit union members' nonpublic personal information.
EMPLOYEE TRAINING: Employees will be trained with regard to their responsibilities under this policy. In addition, employees will be trained to recognize, respond to, and where appropriate, report any unauthorized or fraudulent attempts to obtain member information.
ONLINE PRIVACY STATEMENT: The ORLEX Government Employees Credit Union shall protect the confidentiality, security and integrity of each member's nonpublic personal information in accordance with existing state and federal laws. We are committed to protecting the privacy of our members. In general, you can visit us on the World Wide Web without disclosing to us who you are or revealing any information about yourself. There are some areas, however, that collect certain information about you and we want you to know how we handle that information.
If you send an e-mail, we will collect and store personally-identifying information in order to process your e-mail. This information is not sold to any third parties. Due to the volume of e-mail activity, messages are deleted after they are answered or completed.
If you link to another site from any of our pages, you are leaving our site pages, and we cannot be held responsible for any information that may be gathered at a linked site.