Boosting Security Through Snapshots
Security risk assessment shouldn't just happen a couple times a year, which is why Xerox Federal Credit Union is better protected by real-time security snapshots.
In June, the $726-million Xerox FCU installed Commerce Trust, provided by Ashburn, Va.-based Xacta Corporation, to help protect Xerox FCU's technology infrastructure from unauthorized access and to conduct daily vulnerability scanning.
"The most important thing about Commerce Trust is that you have a tool you can run in-house to make sure there are no new vulnerabilities after new devices are added to the network or after system configuration changes have been made," said Executive VP Jon Fate.
"We run the software whenever we want to determine the risks resulting from any change, such as when we reconfigure a server," he continued. "It's not like your third-party, once-a-year penetration test."
Of particular concern is data exposed to the general public, Fate said. Such data derives from website-based services, such as homebanking, bill pay, electronic statements and email correspondence.
"We can determine immediately, and prior to going live, if changes to our electronic commerce platform would result in any increased risk," Fate said. "If they do, we can implement mitigating recommendations or even decide not to go live."
Commerce Trust monitors more than the 78,000-member CU's website, however. The enterprise-wide software resides on a network server and automatically detects security weaknesses of "anything with an IP address," said Tom Dimtsios, director of Commercial Consulting at XACTA.
Xerox FCU management can generate reports of security flaws, which also suggest a framework of remedies. "The written reports are fairly detailed in describing the risk-level of different areas," Fate said.
The credit union can customize the assessment tool to calculate threat levels according to the location or relative priority of a machine or application, said Dimtsios.
Initial assessment at the 19-branch CU revealed a low-risk security profile, Fate said. "Mainly, the assessment was affirmation that we are on the right track."
Dimtsios agreed. "We found some internal issues, but nothing that we don't find on all of the credit unions we assess. Credit unions tend to trust their employees."
"Xacta's physical assessment enforced the idea of a 'clean-desk policy,'" Fate explained. "We revisited our policies and procedures and made some minor changes.
Credit unions need to make sure they know how to protect information beyond the IT department, Dimtsios added.
Xerox FCU also relies on Commerce Trust for ongoing compliance checks against NCUA Part 748, Appendix A, and Part 716 requirements for safeguarding member information in association with Gramm-Leach-Bliley, as well as the Information Systems and Technology Examination Program (ISTEP) checklists EC-1 and EC-2, said Dimtsios.
"We were able to consolidate our information security efforts to better meet the requirements of NCUA part 748, Appendix A," said Dave Price, Xerox FCU director of IT. "Additionally, the security assessment highlighted areas of information security management where efforts and guidance were conflicting or missing. We are better prepared for external audits because we can conduct vulnerability scans prior to the third party coming in."
In addition, "Xerox has gone the next step" in checking for compliance against the international standard for security management of the International Organization for Standardization (ISO), Dimtsios said.
Commerce Trust allows Xerox FCU to "graphically depict our information security posture to our executive committee and our board of directors," Price added. "We can demonstrate that we are actively managing our information security posture and proactively addressing risks as they may occur."
Ongoing security assessment as provided by Commerce Trust is just one part of Xerox FCU's overall information security program, said Fate. Additional components include firewalls, scheduled third-party penetration tests, and internal and external audits.
Though Xerox FCU has never suffered a technology security breach, Commerce Trust provides ongoing insurance and the possibility of preventing security incidents, according to Bill Cheney, president and CEO at Xerox FCU.
About 20 credit unions nationwide, ranging in assets from about $80 million to $1.4 billion, use Commerce Trust.