Your member's information must be protected! Recently, NCUA released their revised regulations to part 748, which becomes effective July 1, 2001. They made some significant changes that affect how a credit union should approach security, specifically, information security. These revised regulations will impact how credit unions approach, manage and monitor security and the protection of member information. With the increasing number of credit unions connecting to the Internet, especially those that are connecting via a high-speed connection (i.e., cable, broadband, DSL, T-1), the amount of exposure increases dramatically. As the credit union adds additional services and functions such as e-mail, Web sites and Internet banking, their risk of exposure escalates. When asked what they are doing to safeguard their member information, many credit unions respond with, "We don't offer home banking so we don't need to worry" or "We haven't been compromised yet so we must be okay." Both of these responses are incorrect. First, a credit union that doesn't have home banking but has Internet access is still as vulnerable if not more vulnerable to intrusion. A hacker will not attempt to come through the front door (home banking site). They are going to try to exploit your weaknesses through other points of entry into your system. These points of entry can be your high-speed Internet access, a dial-up modem or a simple email. Second, if a credit union is not actively monitoring their points of entry for intrusion, they have no way of knowing if they have been compromised. Only after an intrusion would they discover the breech, possibly never. Many credit unions approach information security as a game of chess in which they are constantly finding ways out of "Check." The true objective is to never put yourself into "Check." A credit union should be proactive in their approach to security. Security must be viewed as a business enabler a cost of doing business. James Christiansen, Senior Vice President of Information Security for Inovant, the IT and processing subsidiary of Visa International, recently noted in Information Security magazine, November 2000: "Traditionally, security has been regarded as a necessary expense that had little or no revenue component. Today, the new business paradigm view security as an enabler, a secondary revenue generator, a cost-savings mechanism and a key to safeguarding a company's reputation." Information IS a credit union's most valuable asset and a prized possession for identity theft bandits. Having this information stolen can be very serious. Members, competitors, and the press are levying harsh financial penalties in the form of lost business and revenues, class action lawsuits, and local and national headlines. Credit unions spend enormous amounts of money, time and resources to deploy vaults, time locks, cameras, motion detectors, and controlled access points for physical security. Many have yet to do this for their networks and member information. With the revised NCUA regulations Part 748 not only will it be required, but ignorance will no longer be a valid defense. For the longest time and still commonplace today, information security has been placed in the domain of the IT department. IT professionals have been responsible for investigating, implementing, monitoring and maintaining a security program and trying to make it successful on a shoestring budget. The responsibility and burden of an effective security program must shift if it is to be successful. In today's environment, it should be a management and overall business issue. Sunil Misra, Managing Principal for Unisys Corp.'s Worldwide E-Business Security and Privacy Practice notes: "It [security] is not a technical problem. The reality is this is a social and business problem, and some companies that are really doing it right are looking at it in this framework." In their revised regulations, NCUA discusses the various guidelines a credit union should follow to protect their members privacy. A credit union should approach these changes in much the same way they approach physical security. In my experience, credit unions are expertly prepared for a physical breach of their domain such as a robbery. They have policies and procedures in place to deal with every aspect of a robbery. Every employee knows what to do and how to react. Credit unions know who to notify and when and they are excellent at evaluating the event and learning from it. A credit union needs to apply the same commitment and resources to develop, maintain, monitor and evaluate an effective information security program. This program should include the policies and procedures necessary to enforce the program and a credit union should make the commitment to ensure that all of their employees understand these policies and procedures and their criticality to maintaining member privacy. If properly done, on-going risk assessment and training will help ensure the viability and success of an information security program. Just as a credit union routinely tests its financial stability through an independent audit, regular testing of the program must also be considered to ensure its success and soundness. An ineffective security program could have consequences far greater than poor financial management. Developing an effective security plan for a credit union requires more than technical expertise. There must be a commitment from all levels and an understanding of the implications of an improperly deployed security plan. Managing security is not about technology. It IS about the development, enforcement and maintenance of solid computing practices. Information IS your most valuable asset. You should determine the value of that information and protect it accordingly. Security is only as strong as its weakest link. You cannot sit back and relax. New vulnerabilities and attacks occur daily. Your credit union must stay focused and remain current. NCUA has escalated the responsibility of ensuring the safety of your member information by placing it squarely upon the board of directors and management. Part 748 (5 weeks and counting) is looming! It's time for credit unions to begin addressing these issues.