Patching A Problem: 1 CU's Strategy For Handling Updates
Richard Lie used to give his IT staff a few weeks to install each new software patch on Los Angeles Federal Credit Union's 140 PCs, 20 servers and two firewalls.
"All I saw was the IT staff trying to maneuver their time schedule so that they could get the patches installed before our deadlines," every time a vendor released a service pack or patch, said Lie, chief financial officer at the $560-million LAFCU.
Last year, that meant LAFCU's busy IT staff of seven had to install more than 30 security updates-on each of the CU's machines at five locations-for the Microsoft Windows operating system alone.
Tired Of Waiting
Ergo, the manual patch installation process often went down to the wire, Lie said. "We had a certain goal to try to implement each new patch within a certain amount of days," he explained. "IT sometimes had to wait until the last day to complete the patches."
The time lag was a drag on LAFCU's security risk, according to Lie. Without up-to-date software patches, networks are vulnerable to viruses and worms-and to criticism from the NCUA.
Vulnerabilities can bring down a server hard. If a worm or virus succeeds, network administrators may need up to five days to bring up a failed server, according to Compushare, a South Coast Metro, Calif., firm that provides IT consulting and solutions to community financial institutions. Associated costs for labor and materials run about $10,000 during those five days, Compushare reported.
"We had to make sure we were always secure and compliant," Lie said.
Lie's solution was to implement Compushare's Compliance Manager, maintenance software that automatically updates servers and PCs with service packs and patches and provides the documentation needed to meet NCUA recommendations, he said.
Six months later, "the time savings for my IT staff is tremendous," Lie said. "We spend less than two hours on each new patch. Now our patching process runs like clockwork and we do it right away."
Two weeks ago during an audit, Lie was able to hand the NCUA summarized and detailed network maintenance reports that meet FFIEC guidelines. Compliance Manager also provides monthly reports on disk space usage, memory utilization, error log reporting and verification of backups.
The in-house solution is especially timely, Lie continued, as LAFCU staff is in the throes of a converting to a thin client environment as well as a new core processing system, which is slated to go live April 1.
"We need all the staff on the system conversion, not running patches," he said.
Compushare often recommends that a credit union first complete a network and system evaluation to determine the network's capabilities and vulnerabilities. However, the 42,000-member CU is under so many network changes that the assessment is scheduled for six months after the system conversion, said Lie.
Two more CUs are using Compliance Manager. The $118-million TexasOne Community CU in Houston runs the program on an application service provider basis, while $750-million University and State Employees CU in San Diego brought the solution in-house.
For additional information on this story:
* LAFCU: www.lafcu.org
* Compushare at www.compushare.com