As we learn more about the mechanisms behind the massive Target data breach, the very real risks posed by third-party network access come into sharper focus. Credit unions, like organizations in nearly every other sector, often rely on vendors and other external partners to perform a variety of functions, such as payroll processing, benefits administration, facility maintenance and even employee training.

While these outside relationships are crucial, vendors' access to sensitive data must be closely managed as part of the organization's broader breach prevention strategy. Fortunately, credit unions have a number of tools available that can reduce the risk of vendor access and help the institution maintain a strong security posture.

The implementation of effective security protocols begins with a determination of which data sets require the highest levels of protection. Credit unions and other financial institutions manage and store many different types of highly confidential data – member account numbers, Social Security numbers and other personal information.

Different types of information require different levels of protection, and a strategy that assumes all data should receive the same level of protection quickly becomes either prohibitively expensive or unworkable. Such systems either apply weak security to sensitive information or they make routine, non-confidential information too secure and, therefore, difficult to access. That inhibits daily activities that are essential to operations and customer service.

By separating data sets and stratifying the levels of security accordingly, credit unions can more easily grant and manage appropriate access levels for third parties.

With the list of sensitive data sets and their corresponding locations in hand, credit unions should next identify which vendors have access to those protected assets. If blanket access levels have been established, there will likely be a subset of vendors with login credentials that grant them access to information far beyond their needs. In addition, there exists a potential that vendors who no longer provide services may still have network access.

Employees should never share login credentials with each other or with vendors or visitors. And the vendor should immediately notify you if a previously credentialed employee leaves so that access can be terminated. Implementing automatic account expirations and requiring affirmative renewals of third-party account access from the individual managing the contractor or vendor, as well as periodic audits, are recommended as methodologies to remove access for those no longer working with your credit union.
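One way to carry out the vendor access inventory and the expiration/renewal audit described in the two paragraphs above, as an added Python example that is not from the article or from IDT911: it flags third-party accounts to revoke (vendor no longer engaged, past automatic expiration, no affirmative renewal within the review window) or to trim (access beyond the vendor's need), and ranks each finding by the most sensitive data tier the credentials can still reach. The data sets, tier labels, renewal window and vendor accounts are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Data set -> protection tier, following the stratification the article recommends.
# Constructed sample inventory; the tier names are assumed labels, not a standard.
DATA_TIERS = {"member_accounts": "confidential", "ssn_records": "confidential",
              "payroll": "internal", "facility_schedules": "routine"}

@dataclass
class VendorAccount:
    account: str
    vendor: str
    contract_active: bool        # does the vendor still provide services?
    expires: date                # automatic account expiration date
    last_renewal: "date | None"  # last affirmative renewal by the contract owner
    granted: frozenset           # data sets the credentials can reach
    needed: frozenset            # data sets the vendor's function actually requires

def review_vendor_access(accounts, today, renewal_days=90):
    """Return {account: (severity, [findings])}; accounts with no findings are omitted."""
    report = {}
    for acct in accounts:
        findings = []
        if not acct.contract_active:
            findings.append("revoke: vendor no longer provides services")
        if acct.expires < today:
            findings.append("revoke: account past automatic expiration")
        if acct.last_renewal is None or today - acct.last_renewal > timedelta(days=renewal_days):
            findings.append("revoke: no affirmative renewal within %d days" % renewal_days)
        excess = sorted(acct.granted - acct.needed)   # blanket access beyond need
        if excess:
            findings.append("trim: access beyond need: " + ", ".join(excess))
        if findings:
            # Prioritize by the most sensitive data set the account can still reach.
            sev = "high" if any(DATA_TIERS.get(d) == "confidential" for d in acct.granted) else "medium"
            report[acct.account] = (sev, findings)
    return report

# Constructed sample inventory: one clean account, one over-privileged and stale, one orphaned.
TODAY = date(2014, 3, 1)
SAMPLE = [
    VendorAccount("svc-payroll", "PayCo", True, date(2014, 6, 30), date(2014, 1, 15),
                  frozenset({"payroll"}), frozenset({"payroll"})),
    VendorAccount("svc-hvac", "CoolAir", True, date(2014, 12, 31), date(2013, 9, 1),
                  frozenset({"facility_schedules", "member_accounts"}), frozenset({"facility_schedules"})),
    VendorAccount("svc-oldtrain", "TrainCo", False, date(2013, 12, 31), None,
                  frozenset({"ssn_records"}), frozenset()),
]

if __name__ == "__main__":
    for account, (sev, findings) in review_vendor_access(SAMPLE, TODAY).items():
        print(account, sev, findings)
```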

Spotting Potential Gaps

With the most valuable information assets segregated and identified, security assessments may be focused on these areas to identify potential security gaps along those access pathways. Take the time to periodically examine how vendors gain access to your network and what is accessible once they have been authenticated. Consider exposures beyond just the point of connection, as a vendor's “BYOD” or remote access policy may provide an attack vector into your organization if that vendor does not have adequate security measures in place to monitor and block attacks from these points that then pivot into your network.

Along with internal measures, credit unions should attend to any potential security exposures that may exist on the vendors' side of the equation. Require that external partners employ security safeguards commensurate with the value of the data you are entrusting to them and that they conduct security training for their employees and contractors. If your sensitive data leaves your network, ensure that strong encryption is used during transit as well as during storage, and track the return or final disposition of your data.

Any security gaps can now be closed, either with technology or with process. If the responsibility for a security measure falls to the vendor and is not in your control or line of sight, it is best to specify in the legal agreement with that vendor exactly what protocol is to be followed, how you will be able to audit or confirm that it is being followed, and what should occur if it is not followed. Ensure that workers and vendors alike understand that they are not to share their account ID or password, and instruct them on the proper procedure for refusing and, if the refusal is not accepted, reporting any request to share credentials as well as other potential security breaches.

Finally, in this era of ever-tightening compliance mandates, it's important that credit unions never rely solely on compliance as assurance that information is secure. It is fairly common for “compliant” organizations to experience a data breach. Regulations, which are necessarily slow to develop and evolve, typically trail technology, which changes rapidly. Compliance often falls below the threshold of sufficient security, and it is incumbent upon the individual organizations to determine and communicate to their vendors how their information and their customers' information are to be protected.

Deena Coffman is CEO of IDT911 Consulting in Scottsdale, Ariz. CONTACT: 1-888-682-5911 or [email protected].