Best Things In IT Are Free
Credit unions spend millions to secure member data. But sometimes, some of the best security fixes are free.
Information security managers have to fill a lot of holes using expensive solutions such as multi-factor authentication, intrusion and virus detection and firewalls.
But often a free, and effective, solution is right under your nose, credit unions told The Credit Union Journal.
"You may already have purchased the best solution for your security problem," said Ray Carsey, vice president of technology at $1.7-billion Mountain America Credit Union in West Jordan, Utah. "When a security issue comes to our attention the first question we ask is: 'Can we solve this security issue with the hardware and software the credit union currently has deployed?' The answer is often a resounding yes."
For example, credit unions that run on Microsoft networks are equipped with Active Directory, a service that can be used to block users and applications from selected resources, such as e-mail addresses, computers or printers. "Active Directory Policies is a powerful tool to limit user access to network resources," explained Carsey.
And to keep pace with the "daunting" task of patching Windows software, Carsey recommends Microsoft's free Software Update Services, which automatically installs critical fixes for vulnerabilities across the CU's PCs and servers.
iQ Credit Union offered an alternative approach to affordable information security. iQ Credit Union goes through its closets on a routine basis to identify solutions that are "keepers" and those that should be tossed, said Jim Morrell, chief information officer at the $332-million CU in Vancouver, Wash.
In effect, credit unions may find that they have multiple solutions that address a single security hole, possibly leading to "overkill," Morrell explained. "For instance, if a credit union is deploying an intrusion detection system, intrusion prevention system, and host-based intrusion prevention system and is also doing monthly penetration testing, there would be a lot of overlap," he said.
In fact, iQ recently decided that its network was well-protected with a log management platform and an intrusion detection system. The CU decided against adding intrusion prevention and host-based intrusion prevention systems, saving money on purchase and subscription costs.
"We reached the conclusion that adding them would be overkill from a security coverage standpoint as well as a financial standpoint," said Morrell.
CUs can also save security dollars by tossing solutions that aren't as effective as they should be, Morrell continued. "Perhaps the solutions have just gone out-of-date, but you are still paying for annual licensing or maintenance," he said.
For example, until recently iQ ran an internal e-mail server to filter spam in addition to paying for a managed service, said Morrell. iQ had to pay an annual licensing fee and manually download anti-virus updates for the server.
After realizing that the managed service automatically filtered spam and used up-to-date virus definitions, iQ discontinued the internal server, he said.
The IT staff at iQ also finds gold in the results of its annual assessments and regulatory exams, Morrell said.
"After every assessment, regardless of how diligent we have been, there are always recommendations that come out of a security assessment," Morrell explained.
Though the recommendations don't point to "huge gaping holes," they offer "simple fixes and tweaks," he said. "It's prudent to follow through on any recommendations," said Morrell. "Assessments take a fair amount of time to prepare for and a fair amount of dollars to pay for but are not really complete until you follow through on the findings.
"I require our Network Administrators to provide a management response to each recommendation," he said. "Even if we choose for some reason to not do anything at all, at least at a later time we can understand why we chose not to act on a recommendation."
For info on this story:
* iQ CU at www.iqcu.com
* Mountain America CU at www.macu.org.