Information security controls are an essential part of operations for all financial institutions. Members expect that their local Credit Union is just as secure as the "big bank" located a few hundred feet away in the same parking lot at the mall. The only difference is that the local Credit Union information security budget pales in comparison to the multi million that the big bank will spend.
When a limited budget is combined with a lack of understanding proper security controls, many Credit Unions turn to local consulting companies who often times roll out ineffective "security programs" that can be costly and don't add much value to increasing their security posture.
Paying a vendor to monitor your IDS and firewall may get you a check mark on this year's audit (at least for now) but I challenge the fact that it is an effective solution. Every credit union needs an employee on staff that has a deep understanding of information security or at a minimum a vendor or consultant that can steer them in the right direction. If you completely outsource you information security program the balance between operations and security is "broken".
The key to an effective information security program is to establish clear and open channels of communication between IT and business operations. Operations needs to have confidence that the information security program is not an obstacle but an opportunity to incorporate methodology that will benefit the credit union and its members. Security concepts need to be broken down in terms the business will understand. The main job function of an effective information security manager is to be a sales person for information security. He/she will need to change the way business executives think and make sure security is integrated into their thought process.
I am proud to say that with the support of its executives, TruMark Financial Credit Union has positioned itself as a Credit Union information security leader. My staff and I have spent the last year and a half identifying risk and evaluating products to mitigate those risks. I would like to share our results with you in hopes it will increase the information security posture of the industry to match or exceed that of the "big banks".
An effective Information security program with mitigating controls does not have to break the bank. Below are 7 common ways data can leak from your organization. I have taken the opportunity to share with you the compensating controls we have implemented which have not only increased out security posture but impressed external auditors and effectively raised the bar across the Credit Union industry.
7 Data Leaks You Can't Ignore
Sensitive information can leave your organization through USB mass storage devices such as thumb drives, IPODs and Digital cameras or other removable media.
Risk Mitigation: Block all USB mass storage devices
Approximate cost for hardware and 300 licenses: $50,000
Implement the Trigeo SIM. Their product comes with USB defender which detaches USB drives when mass storage capability is detected. Their product configuration is very granular so permitting USB license keys or hardware tokens is no problem. The employees also receive a pop-up indicating that the use of USB mass storage devices is prohibited. Trigeo can also be easily configured to send an email notification to any email address you like. This is only one of the many features offered with their product.
Sensitive information can leave your organization when copied to a CD or DVD
Risk Mitigation: disable all burners and removeburning software
The solution is 3 fold:
- disabling the default windows burning capability through an AD GPO push to all workstations
- Uninstalling all 3rd party burning software Removing all employees from the PC local admin group and power users group (best standard practice anyway). This prevents anyone from copying info to a CD without submitting a formal request to do so. When a legitimate request comes into your ticketing system, you can RDP to their workstation and install the 3rd party software. The software would then be uninstalled when they were finished. Another more manageable option is to assign the CD burning functionality to a smaller group of users which mitigates risk by requiring a "standard" user to go to a trusted employee such as a supervisor to have information copied.
Sensitive information can leave your organization when a laptop is lost or stolen
Risk Mitigation: enable whole disk encryption on all laptops
Approximate cost per laptop: $200
If you are running disk encryption and a laptop is lost or stolen you can rest easy if you have deployed PGP desktop. It will take more than several lifetimes to crack disk encryption even with the right software and computing power to do so. Make sure the password is complex or the encryption is pointless.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.