January is often viewed as a chance to start fresh and to improve on the previous year by making modest resolutions that hopefully we keep throughout the year.
For credit unions, January presents an excellent opportunity to step back and consider ways to strengthen our overall security posture. Following that review, our New Year’s resolutions will no doubt include something beyond a promise to eat better and exercise more.
Perhaps a resolution to invest in security training, more effectively probe for vulnerabilities, or re-evaluate monitoring of critical IT systems?
The following ideas, based on situations we have encountered in our core processing service, should contribute to a brighter, more successful and secure year ahead.
Invest in Security Training
A major security takeaway from last year: The realization that great information security requires genuine enthusiasm and a strong, ongoing commitment to learning. Can you imagine a stagnant security effort protecting your credit union from threats? I can’t.
As a New Year’s resolution, consider expanding your security training to include all staff. Ask your senior management team to encourage training activities, and to ensure that the training is appropriate for the trainees. There are many flavors of security training – from awareness to deep system analysis. Here are a few recommendations:
For Everyone – Security Awareness Training
Far too often, human beings are the weakest link in our security chain. No wonder that security awareness training is a critical component of any successful security program. Training enables you to educate the entire staff about current issues – from phishing attacks to the importance of shredding sensitive documents.
It’s also a great opportunity to remind staff to treat sensitive information as if it were their own, and to educate them on the significant costs associated with security breaches. Everyone should walk away with a fresh appreciation for the importance of security to your organization.
For Security Staff
Security personnel should consider taking the General Security (GSEC) course and certification offered by the SANS Institute, the most trusted source for information security training and security certification in the world. The course covers the most important topics in information security, from defense-in-depth to Web application security. It’s a great foundation for addressing security challenges in a broad range of business situations.
For the Techies
Your technical staff should be enriching their skills with courses and certifications offered by the SANS Institute and International Council of E-Commerce Consultants (EC-Council). These courses dig into operating system security, network security and firewalls, incident handling, penetration testing, wireless security and much more. Consider using these certifications to build expertise where you need it most.
For Auditing Staff
Greater familiarity with information technology and security issues can only help your personnel involved in auditing and IT governance. Consider courses offered by ISACA (Information Systems Audit and Control Association), ISC2 and the SANS Institute. Certifications earned through these programs can strengthen your auditing capability.
Probe for Vulnerabilities
I’m sure you have contracted for vulnerability assessment scans to ensure that your systems are not susceptible to malicious attacks. My question for 2013 – Do you use more than one scanning solution? In our experience, no single scanner catches all the vulnerabilities. Cross checking your scans with a second solution always scores well with auditors and regulators.
Also this year, ask yourself if third parties who host services on behalf of your organization have been scanned for vulnerabilities. Do you have the results of those scans? This year, resolve to run your own scan of your third-party vendors as well.
Beyond vulnerability scanning, make sure that you follow up promptly on findings. Look for inbound and outbound access, and review your access controls. While no one wants vulnerabilities, we have to admit they are unavoidable. The best vulnerability is the one that’s been identified and remediated before it becomes a problem.
Performance & Availability Monitoring
Too often, we tend to forget about our computer systems until they go down and our alert mechanisms don’t work as expected. This year, resolve to review and test each platform’s monitoring configuration, both at the network and application level.
For example, start with the most basic health check: “Can I ping the Exchange server?” Find out what happens if the CPU spikes for long periods of time, or the disks are almost full. Will your staff be alerted? Are monitoring rules relatively consistent across all infrastructure? Where do the alerts go? Hopefully to the appropriate hardware and application owners.
The suggestions above represent a short list of security recommendations for the year ahead. More important than any single resolution is the vision of security as a focus and discipline, where suggestions for improvement are encouraged throughout the year. With that mindset, let me wish you a very happy and secure New Year!