January is often viewed as a chance to start fresh and to improve on the previous year by making modest resolutions that we hope to keep throughout the year.

For credit unions, January presents an excellent opportunity to step back and consider ways to strengthen our overall security posture. Following that review, our New Year's resolutions will no doubt include something beyond a promise to eat better and exercise more.

Perhaps a resolution to invest in security training, more effectively probe for vulnerabilities, or re-evaluate monitoring of critical IT systems?

The following ideas, based on situations we have encountered in our core processing service, should contribute to a brighter, more successful and secure year ahead.

Invest in Security Training

A major security takeaway from last year: the realization that great information security requires genuine enthusiasm and a strong, ongoing commitment to learning. Can you imagine a stagnant security effort protecting your credit union from threats? I can't.

As a New Year's resolution, consider expanding your security training to include all staff. Ask your senior management team to encourage training activities, and to ensure that the training is appropriate for the trainees. There are many flavors of security training – from awareness to deep system analysis. Here are a few recommendations:

For Everyone – Security Awareness Training

Far too often, human beings are the weakest link in our security chain. No wonder that security awareness training is a critical component of any successful security program. Training enables you to educate the entire staff about current issues – from phishing attacks to the importance of shredding sensitive documents.

It's also a great opportunity to remind staff to treat sensitive information as if it were their own, and to educate them on the significant costs associated with security breaches. Everyone should walk away with a fresh appreciation for the importance of security to your organization.

For Security Staff

Security personnel should consider the SANS Institute's Security Essentials course and the GIAC Security Essentials Certification (GSEC) that goes with it; SANS is one of the most widely trusted sources of information security training and certification. The course covers the most important topics in information security, from defense in depth to Web application security, and is a solid foundation for addressing security challenges in a broad range of business situations.

For the Techies

Your technical staff should be enriching their skills with courses and certifications offered by the SANS Institute and the International Council of E-Commerce Consultants (EC-Council). These courses dig into operating system security, network security and firewalls, incident handling, penetration testing, wireless security and much more. Consider using these certifications to build expertise where you need it most.

For Auditing Staff

Greater familiarity with information technology and security issues can only help your personnel involved in auditing and IT governance. Consider courses offered by ISACA (Information Systems Audit and Control Association), ISC2 and the SANS Institute. Certifications earned through these programs can strengthen your auditing capability.

Probe for Vulnerabilities

I'm sure you have contracted for vulnerability assessment scans to find weaknesses in your systems before an attacker does. My question for 2013: do you use more than one scanning solution? In our experience, no single scanner catches all the vulnerabilities. Cross-checking your scans with a second solution always scores well with auditors and regulators.

Also this year, ask yourself whether the third parties who host services on behalf of your organization have been scanned for vulnerabilities. Do you have the results of those scans? This year, resolve to run your own scan of your third-party vendors as well, with their written authorization and an agreed scope and time window: scanning systems you do not own without permission can put you in breach of your contract and, in some jurisdictions, the law.

Beyond vulnerability scanning, make sure that you follow up promptly on findings: give each one an owner and a remediation date, and re-scan to confirm the fix actually landed. Look at both inbound and outbound access paths, and review your access controls while you are at it. While no one wants vulnerabilities, we have to admit they are unavoidable. The best vulnerability is the one that's been identified and remediated before it becomes a problem.
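The two-scanner cross-check described above, as an added example that is not part of the original article: it normalizes each scanner's findings to a common (host, port, CVE) key, reports what only one scanner saw and where the two disagree on severity, and merges everything into a single remediation worklist. The host names and the CVE-0000-000x identifiers are placeholders, not real systems or real CVEs, and the flat tuple format stands in for whatever each real scanner exports.

```python
"""Cross-check two vulnerability scanners and build a single follow-up list.

Added example; not code from the original article. Both reports below are
constructed: "CVE-0000-000x" are placeholder identifiers, not real CVEs, and
the host names are invented. In practice each scanner's export (CSV, XML or
JSON in its own schema) is first parsed into the same (host, port, cve,
severity) tuple shape used here.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

Row = Tuple[str, object, str, str]  # (host, port, cve, severity) as exported


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    cve: str


def normalize(row: Row) -> Tuple[Finding, str]:
    """Canonicalize case, whitespace and port type so both reports compare equal."""
    host, port, cve, severity = row
    return (Finding(host.strip().lower(), int(port), cve.strip().upper()),
            severity.strip().lower())


def index_report(rows: Iterable[Row]) -> Dict[Finding, str]:
    """Map each normalized finding to the worst severity one scanner gave it."""
    out: Dict[Finding, str] = {}
    for row in rows:
        f, sev = normalize(row)
        if f not in out or SEVERITY_RANK[sev] > SEVERITY_RANK[out[f]]:
            out[f] = sev
    return out


def _key(f: Finding):
    return (f.host, f.port, f.cve)


def cross_check(rows_a: Iterable[Row], rows_b: Iterable[Row]) -> Dict[str, List[Finding]]:
    """What both scanners agree on, what only one saw, and where they rate it differently."""
    a, b = index_report(rows_a), index_report(rows_b)
    both = set(a) & set(b)
    return {
        "both": sorted(both, key=_key),
        "only_a": sorted(set(a) - set(b), key=_key),
        "only_b": sorted(set(b) - set(a), key=_key),
        "severity_mismatch": sorted((f for f in both if a[f] != b[f]), key=_key),
    }


def worklist(rows_a: Iterable[Row], rows_b: Iterable[Row]) -> List[Tuple[Finding, str]]:
    """Union of both reports, each finding at the higher of the two severities, worst first."""
    merged: Dict[Finding, str] = {}
    for report in (index_report(rows_a), index_report(rows_b)):
        for f, sev in report.items():
            if f not in merged or SEVERITY_RANK[sev] > SEVERITY_RANK[merged[f]]:
                merged[f] = sev
    return sorted(merged.items(), key=lambda kv: (-SEVERITY_RANK[kv[1]], _key(kv[0])))


# Constructed sample exports from two hypothetical scanners. Note the differences in
# case, port type and severity wording that normalize() has to absorb.
SCANNER_A: List[Row] = [
    ("web01.example.test", 443, "CVE-0000-0001", "Medium"),
    ("web01.example.test", 22, "CVE-0000-0002", "High"),
    ("mail01.example.test", 25, "CVE-0000-0003", "Medium"),
]
SCANNER_B: List[Row] = [
    ("WEB01.example.test", "443", "cve-0000-0001", "medium"),
    ("web01.example.test", "22", "CVE-0000-0002", "low"),
    ("web01.example.test", "443", "CVE-0000-0004", "high"),
]

if __name__ == "__main__":
    result = cross_check(SCANNER_A, SCANNER_B)
    for bucket, findings in result.items():
        print(f"{bucket}: {[f'{f.host}:{f.port} {f.cve}' for f in findings]}")
    for f, sev in worklist(SCANNER_A, SCANNER_B):
        print(f"{sev:8} {f.host}:{f.port} {f.cve}")
```

The "only_a" and "only_b" buckets are the reason for running two tools at all. The severity mismatches deserve manual triage: when one tool rates a finding low and the other high, one of them has usually misjudged the version or configuration it observed, and the worklist deliberately takes the higher rating until someone has checked.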

Performance & Availability Monitoring

Too often, we tend to forget about our computer systems until they go down, and only then discover that our alert mechanisms don't work as expected. This year, resolve to review and test each platform's monitoring configuration, at both the network and the application level.

For example, start with the most basic health check: "Can I ping the Exchange server?" Then remember that a ping reply only proves the host is on the network, not that mail is flowing, so add a check that actually talks to the application as well. Find out what happens if the CPU spikes for long periods of time, or the disks are almost full. Will your staff be alerted? Are monitoring rules reasonably consistent across all infrastructure? Where do the alerts go? Hopefully to the appropriate hardware and application owners. Prove it by deliberately triggering a test alert and watching it arrive, rather than trusting the configuration on paper.
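A minimal version of the monitoring review described above, as an added example that is not taken from the original article: one rule set applied to every host, covering reachability, sustained CPU load (as opposed to a brief spike), disk-full thresholds and an application-level check, with each alert routed to either the hardware owner or the application owner. Host names, owner roles, thresholds and the sample metrics are constructed placeholders. The ping() helper assumes Linux-style ping flags and is only there for the live case; the rule evaluation works on already-collected samples so it can be exercised without a network.

```python
"""Evaluate basic health-check rules over collected metrics and route alerts.

Added example; not code from the original article. OWNERS, RULES and
SAMPLE_METRICS are constructed placeholders. ping() assumes Linux ping flags
(-c count, -W timeout in seconds) and is not used by evaluate().
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed: which team owns the hardware and which owns the application on each host.
OWNERS = {
    "exchange01": {"hardware": "server-team", "application": "messaging-team"},
    "web01": {"hardware": "server-team", "application": "web-team"},
    "core01": {"hardware": "server-team", "application": "core-processing-team"},
}

# One rule set for every host, so monitoring is consistent across the estate.
RULES = {
    "cpu_pct_threshold": 90,      # percent busy
    "cpu_sustained_samples": 15,  # consecutive samples above threshold (e.g. 15 x 1 min)
    "disk_warn_pct": 85,
    "disk_crit_pct": 95,
}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: str  # "warning" or "critical"
    route_to: str  # owner role that receives the alert
    detail: str


def ping(host: str, timeout_s: int = 2) -> bool:
    """The most basic check: does the host answer ICMP at all? (Linux ping flags assumed.)"""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def evaluate(host: str, m: dict, rules: dict = RULES) -> List[Alert]:
    """Apply the rule set to one host's collected metrics and route each alert."""
    owners = OWNERS.get(host, {})
    hw = owners.get("hardware", "unassigned")
    app = owners.get("application", "unassigned")
    alerts: List[Alert] = []

    if not m.get("reachable", False):
        alerts.append(Alert(host, "unreachable", "critical", hw, "no ICMP reply"))
        return alerts  # nothing else can be measured on an unreachable host

    # Sustained CPU: every one of the last N samples must be at or above the threshold,
    # so a short spike does not page anyone but a long one does.
    cpu = m.get("cpu_pct", [])
    n = rules["cpu_sustained_samples"]
    if len(cpu) >= n and min(cpu[-n:]) >= rules["cpu_pct_threshold"]:
        alerts.append(Alert(host, "cpu_sustained", "critical", hw,
                            f"CPU >= {rules['cpu_pct_threshold']}% for the last {n} samples"))

    for vol, used in m.get("disk_used_pct", {}).items():
        if used >= rules["disk_crit_pct"]:
            alerts.append(Alert(host, "disk_full", "critical", hw, f"{vol} {used}% used"))
        elif used >= rules["disk_warn_pct"]:
            alerts.append(Alert(host, "disk_full", "warning", hw, f"{vol} {used}% used"))

    # Application-level probe result (e.g. an SMTP or mailbox check) goes to the app owner.
    if m.get("service_ok") is False:
        alerts.append(Alert(host, "service_down", "critical", app, "application check failed"))
    return alerts


def missing_rules(host_rules: Dict[str, dict], baseline: dict = RULES) -> Dict[str, Set[str]]:
    """Consistency check: which hosts' monitoring configs lack rules from the baseline."""
    gaps = {h: set(baseline) - set(r) for h, r in host_rules.items()}
    return {h: g for h, g in gaps.items() if g}


# Constructed sample: exchange01 is pegged and nearly out of disk, web01 only had a short
# CPU spike but its application probe failed, core01 does not answer at all.
SAMPLE_METRICS = {
    "exchange01": {"reachable": True, "cpu_pct": [96] * 15,
                   "disk_used_pct": {"C:": 96, "D:": 40}, "service_ok": True},
    "web01": {"reachable": True, "cpu_pct": [20] * 13 + [99, 99],
              "disk_used_pct": {"/": 50}, "service_ok": False},
    "core01": {"reachable": False},
}


def run_all(metrics: dict = SAMPLE_METRICS) -> Dict[str, List[Alert]]:
    return {h: evaluate(h, m) for h, m in metrics.items()}


if __name__ == "__main__":
    for host, alerts in run_all().items():
        for a in alerts:
            print(f"{a.severity.upper():8} {a.host} {a.rule}: {a.detail} -> {a.route_to}")
```

In production the metrics dictionary would be filled by whatever collector you already run (SNMP, WMI, an agent), and the alert would be handed to a paging or ticketing system; keeping evaluate() free of network calls is what makes it possible to test the rules and routing themselves, which is exactly the part that tends to be wrong when an outage finally happens.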

More Resolutions?

The suggestions above represent a short list of security recommendations for the year ahead. More important than any single resolution is the vision of security as a focus and discipline, where suggestions for improvement are encouraged throughout the year. With that mindset, let me wish you a very happy and secure New Year!

Matt Lidestri is Internet and security product manager at COCC in Avon, Conn.
