An intrusion detection/email encryption approach to information security (IS) just doesn't cut it for Thelma Snedaker, information security administrator at $4-billion United Airlines Employees' Credit Union (UAECU).
"I've got the impression that Information Security is in the same stages that IT was in early on: putting the technology before business instead of the other way around," Snedaker told The Credit Union Journal. "IS can't be summed up or solved with applications or systems."
Instead, IS comes "from a broader approach that includes process and people," she said.
So in addition to installing the technologies designed to deliver information security, CUs should encourage employees to incorporate the CIA process, which "protects the Confidentiality, Integrity, and Availability of sensitive and critical data, and the systems and media that house or move that data," said Snedaker.
Data is most vulnerable to a credit union's people, she continued. "People tend to cause problems with CIA unintentionally. This is usually the result of process changes aimed at streamlining some task, or the introduction of new systems."
Therefore, Snedaker holds all of UAECU's people responsible for information security. "The board of directors and senior management must wholeheartedly endorse the program, because without them it will never take definition and flourish. All employees must understand the value and purpose, because without them it will never happen."
New and existing employees must participate in the 167,000-member CU's InfoSec Awareness Program, Snedaker explained.
In addition, management conducts security policy reviews and enforces appropriate usage-agreement signature forms. Business continuity planning and testing is a cross-departmental venture.
And even small credit unions can afford this large CU's approach to improving IS. "It doesn't cost anything for a CU to take the approach that everyone is responsible," she said.
CIA may come off as a rather abstract approach towards the very real threat credit unions encounter as they alter processes or install new systems. Snedaker exemplified the approach with a "CIA Checklist" that a CU might use when considering a new home banking service.
1. Is the system critical to the CU? If so, then according to management's uptime requirements, availability should be addressed via adequate hardware redundancies or failovers, circuit feeds, and disaster recovery provisioning, for example.
2. Can the system be identified as high-risk? With home banking, for example, increased risk derives from the systems being Internet-visible. "Website defacement, denial of service attacks, and malicious code dumps could cause availability and integrity to be adversely impacted," Snedaker said.
She suggested that patching routines, system configuration lockdown procedures, firewalls, IDS/IPS, Internet vulnerability scans, and log audit routines are a few methods that can help protect high-risk systems.
3. Does the system hold sensitive data? With home banking, possibly.
"But given Internet security guidelines, no sensitive member data should reside on the web server itself," Snedaker added. "Instead, it should be stored in a non-Internet-visible location and secured appropriately."
Nevertheless, sensitive data will be transmitted during every Internet session. Sessions should therefore be secured using SSL (HTTPS) and the site should be validated via digital certificate.
To mitigate unauthorized access and address confidentiality, Snedaker said CUs should employ additional measures, such as a maximum number of login attempts with resulting lockouts, and session timeouts. Additional authentication layers (PIN and password) should also be added.
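The lockout and session-timeout controls just described, as an added example that is not from the article or UAECU: a small Python authentication gate with a maximum failed-attempt count, a timed lockout, a PIN as a second authentication layer, and an idle-session timeout. The account data, thresholds and the injectable clock are constructed for illustration.

```python
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5                 # failed logins before the account locks (constructed value)
LOCKOUT_SECONDS = 15 * 60        # how long the lockout lasts (constructed value)
SESSION_IDLE_SECONDS = 10 * 60   # idle time after which a session expires (constructed value)


@dataclass
class Account:
    password: str        # plain text only for this demo; store a salted hash in practice
    pin: str             # second authentication layer
    failures: int = 0
    locked_until: float = 0.0


class AuthGate:
    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts   # user -> Account (constructed sample data)
        self.clock = clock         # injectable so lockout/timeout can be tested deterministically
        self.sessions = {}         # token -> last activity timestamp

    def login(self, user, password, pin):
        """Return (status, token): status is 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            return "denied", None    # same answer as a bad password: no user enumeration
        if now < acct.locked_until:
            return "locked", None    # refuse even a correct password while locked
        ok = hmac.compare_digest(password, acct.password) and hmac.compare_digest(pin, acct.pin)
        if ok:
            acct.failures = 0
            token = f"{user}:{int(now)}"   # constructed token; use a random token in practice
            self.sessions[token] = now
            return "ok", token
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked", None
        return "denied", None

    def touch(self, token):
        """Record activity on a session; return False if it is unknown or has timed out."""
        now = self.clock()
        last = self.sessions.get(token)
        if last is None or now - last > SESSION_IDLE_SECONDS:
            self.sessions.pop(token, None)   # expired sessions are removed, not refreshed
            return False
        self.sessions[token] = now
        return True
```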
CUs that adopt the CIA approach may reap the benefits of "an overall better understanding of the risks involved with a new system and potential mitigation strategies or solutions," Snedaker said.
Not to mention "broader understanding of and participation in information security across departments," she added. "In the home banking scenario," she continued, "depending upon your credit union's structure, it's likely that systems, marketing, senior management, and internal audit departments would be involved in this review."