
Staying Ahead of the Bad Guys: Working with Third-Party Information Security Assessment Firms

The challenges of information security are continuous and ever-shifting. Hackers and identity thieves are constantly looking for ways to infiltrate the data systems of credit unions, large and small, and to reach members' accounts. Federal regulations, such as the Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act, require financial institutions to head off breaches through regular risk assessment and through the development and maintenance of a formal information security program. Credit unions may hire a third-party security assessment firm to evaluate the effectiveness of their policies and procedures and to test their technological and physical security.

This white paper reviews the federal regulations requiring that financial institutions provide adequate information security and explores how credit unions can develop effective partnerships with security assessment providers to evaluate their security measures and to test how well their data is protected. It reviews considerations in hiring a security firm and discusses checks and balances needed to ensure that their assessments are effective and thorough. It also explores the “human element” of information security and some of the ways security firms test to ensure that employees adhere to training on keeping information off-limits to thieves in branches, over the phone and online.

Identity thieves remain a persistent and widespread danger, always on the lookout for ways to gain access to data via technological services and any entry point at a branch. The challenge for credit unions today is to secure their electronic channels, train employees to make information security their highest priority, and help educate members about the dangers of identity theft and what they can do to protect themselves.

Many credit unions accomplish those necessary measures by working with third-party security assessment firms that provide a variety of services to help comply with federal and state requirements and stay at least one step ahead of the bad guys.

Audits and assessments may have started with a focus on the computer network, but their scope has widened over the years to encompass personnel practices and the physical security of hardware and data access. A large share of security incidents today can be traced back to the human element: people making mistakes. Credit unions need to make sure they have information security policies in place and that everyone is complying with those policies.

Many third-party security assessment firms offer a full host of services to help credit unions audit information security online and via more traditional channels, including:

  • Helping credit unions conduct required risk assessments
  • Developing policies and procedures to mitigate identified risks
  • Conducting regular vulnerability assessments and penetration tests to seek out security flaws
  • Developing recommendations to correct identified weaknesses before they lead to a breach
  • Assisting in the development of reports to the board on the credit union's security policies, procedures, and responses to threats

There's no shortage of information security companies willing to work with credit unions. The challenge, then, is to come up with a list of companies that can best serve your credit union's needs and to conduct a thorough and complete assessment of their services. Networking with peer credit unions, through league and chapter meetings and organizations like the CUNA Technology Council, is a productive first step. Technology publications, websites, and trade shows also offer plenty of useful background on information security services and solutions.

For many business operations, working with a single vendor that can provide a variety of services is an efficient and cost-effective approach, and a long-term relationship with that vendor can often yield additional benefits. The same dynamics are not necessarily at work when it comes to information security and the assessment of that security. In this area, credit unions need to consciously create a system of checks and balances by establishing relationships with different vendors, reducing the risk that any one vendor gains too much unmonitored access to critical data or ends up assessing controls it designed itself. In addition, credit unions may need to consider how often to "switch it up" among security assessment firms, since a fresh set of eyes helps confirm that security measures remain effective, thorough, and up to date.

This summary is from a CUNA Technology Council white paper by Karen Bankston entitled "Staying Ahead of the Bad Guys: Working with Third-Party Information Security Assessment Firms." Read the complete paper in the "White Papers" section of the CUNA Technology Council website.
