Why One CU Turned To Software For Security Compliance

Security compliance can be a baffling and costly task, but Palisades Federal Credit Union took control of the wheel in January with a product suite that speaks to NCUA guidelines, according to Adam Lambert, information systems coordinator.

Saving "weeks and weeks of research," $92-million Palisades FCU used PoliVec Builder and Scanner to build its security policies, format an implementation plan, and scan the network for compliance with the developed security policies in a matter of hours, said Lambert. Established in 1999 as e-business technology, Inc., Colorado Springs, Colo.-based PoliVec, Inc., provides policy-driven security management software.

When The Credit Union Journal asked him to describe his CU's security policy before PoliVec, Lambert responded, "We didn't have anything. We got audited last year and the audit reported that we had no security policy."

That audit made Palisades FCU scramble to act, and Lambert climbed out of the dark and found PoliVec. The cost was right up his alley: the CU paid $7,500 for the suite.

Lambert said the solution made compliance easy. "I wasn't expecting to find anything this specific," he said. Interactive dialogue screens guided Lambert as he wrote a 45-page, organization-wide security policy in compliance with the Gramm-Leach-Bliley Act (GLBA) of July 2001.

As directed by GLBA, the NCUA has implemented Phase I of its Information Systems & Technology Examination Program (ISTEP), which focuses on protecting member data related to electronic financial services and e-commerce. All CUs are subject to evaluation by the NCUA under ISTEP.

Once member log-ins, password policies and many other system configuration issues were addressed, PoliVec Builder generated operating system-specific implementation standards, which provided the one-man IT department with step-by-step instructions for implementing the security policy throughout the 9,000-member CU.

Next, PoliVec Scanner imported Palisades FCU's security document and scanned the network, checking to see if all policies were in place. "Scanner helps us to tweak the final policy in Builder," Lambert said, adding the auditing process took about an hour and a half.

Lambert now has the peace of mind afforded by satisfying the NCUA, with an additional perk. "When you follow NCUA guidelines, you tighten your system security tremendously," he said. "The product forces you to get very conscious very quickly with your credit union's security."

Whenever there is a new user added to the system or an application is reconfigured, Palisades FCU runs Scanner to make sure security is still in place. In addition, Scanner periodically checks the CU's security policy.

Lambert isn't sure how he could have tackled compliance from scratch and on his own. "My only other alternative would have been to adapt another credit union's policy or search the web for an appropriate model. And I didn't want to spend $10,000 on a consultant who might not know too much about credit unions."

Another issue is that while the Act is specific about what institutions must protect, it falls short of explaining how to implement these guidelines in specific network configurations, operating systems or applications. "Even if I had gone through all the NCUA letters myself, I wouldn't have felt confident," Lambert explained. "We checked the PoliVec Builder output against the NCUA letters and guidelines, and it was dead on," he added.

Lambert is sure that many CUs, in fact much of the industry, drift in security ignorance. "Everybody beats the drum, but nobody really knows anything about security," he said.

Among other lessons learned, Lambert found that CUs are required to establish policy review committees. In addition, the CU "has to look at disaster recovery again. For example, our virtual private network has to be all secure socket. I knew that, but the product is making me do it."
