ANAHEIM, Calif. – Keeping the good stuff in rather than the bad guys out is the idea behind a new security system undergoing scrutiny at Partners Federal Credit Union. Partners is now beta testing Compliance Commander, a regulated information monitor (RIM) from Intrusion Inc., a Dallas-area provider of IT security solutions best known for its SecureNet technology, deployed by hundreds of organizations worldwide, including the U.S. Army to protect sensitive data at facilities such as Fort Hood.
"For us it's encryption, encryption, encryption, we're always looking at ways to lock down data, to make it secure, but it's the unencrypted data that can make its way out that you have to worry about, too," says John Christopoulos, vice president of technology at the $230 million institution that began as the CU for Disney employees.
Intrusion Inc.'s vice president of sales, Eric Gore, says his company's system uses Dynamic Data Dictionary (D3) technology designed to alert – and block – only on exact matches of members' private information. It's available as a hardware device or in a software version and can detect unencrypted member data such as addresses, Social Security and account numbers, even personal identifiers such as mothers' maiden names, in e-mail, instant messages, and FTP file transfers that might include spreadsheets and Word documents.
"The paradigm shift here is that this is a tool to protect what's on the inside to make sure it doesn't go to the outside," Gore says. Compliance Commander is in the pilot phase now and is being evaluated "by quite a number of credit unions," Gore says.
He adds that in these days of identity theft and hack attack concerns, credit unions and other financial institutions are under increasing pressure from regulations under Sarbanes-Oxley and Gramm-Leach-Bliley and regulators such as the Federal Trade Commission and the NCUA to protect the privacy of consumer information from being compromised, regardless of the direction of the attack, or a simple mistake such as putting an account number in an e-mail to a member.
"Even though you tell your staff over and over again, 'Hey, don't send out data like this,' how many IT departments really know what's leaving the organization?" Christopoulos says. "This is a way of saying, this is valuable to us, these are the data that we consider most important to our business. We're going to monitor this data so they don't leave our organization unencrypted, even if inadvertently."
Partners is using the hardware version of Compliance Commander and is in the process of setting up the rules for how the device will extract and read data from the CU's SQL database.
"I've got to be forthcoming about this. We're only in the evaluation stage right now. We're not going out and endorsing it for other credit unions, but we see the validity in it and we're willing to take a look at it," Christopoulos says.
He calls Compliance Commander, with a list price beginning at about $8,000, "one of the most promising products I've seen in this area" and says it may end up being part of his "long-term focus for us to create more of an e-branch situation here," one in which all electronic communications go through the CU's home banking system rather than e-mail, for example.
"The five-year plan I have in mind also would include possibly cutting the network up into multiple LANs with multiple firewalls. We're starting with a centralized disk storage system that's not part of our primary LAN, accessible only from our computer room," Christopoulos says.
Other security measures Partners FCU has undertaken – along with running anti-virus software, firewalls, IDS and the like – include blocking the use of keychain, or thumb, drives by putting in a registry fix that locks their access to PCs on the NT network.
"Those drives are getting to the point where you can carry one, two, three gigs of data on them. Our database is not that large, so if someone socially engineered you, they could walk out with a pretty good chunk of data and potentially do a lot of damage," Christopoulos says.
Christopoulos has been with Partners FCU for about a year and a half, coming over from Orange County's Credit Union, and has been involved with IT security for about eight years, he says.
"I've had a VP at another credit union tell me, 'Gosh, you're a little paranoid.' I don't think I'm paranoid, I think I'm looking forward," he says.