Think risk management.
That is the bottom line. For so long there has been an aura of mystery
surrounding computer systems. Historically, Information Systems
has been an area relegated to the "gurus" who cast spells
behind closed doors and speak in the weird language of "bits
and bytes". Unfortunately, the world we live in is demanding
that we now become fluent in this strange language. The paradox
is that we are being forced to utilize that which we don't fully
if we were to build a new "bricks and mortar" branch for
our members, we would not forgo the security system because we didn't
understand the intricacies of the wiring diagram. We would not keep
our cash in a suitcase rather than a fortified vault. We would not
ask the guard to go unarmed, because it is intimidating and inconvenient
for our members. However, I would argue that every day new "virtual"
branches are being established without the same level of due diligence
There is only
one difference between the "bricks and mortar" and "virtual"
worlds. The physical branch services a set number of individuals
in proximity to the location. The e-branch services the entire Internet.
The fact is that the entire world potentially has access to the
services that we offer and we must realize the importance of diligently
working to protect those assets and our member information. Just as
we apply risk management principles and procedures to dealing with
the risks that our "bricks and mortar" credit unions are
exposed to, we must exercise the same amount of due diligence, if not
more, in dealing with our online services.
Now that we
better understand that Network Security is truly a Risk Management
Issue, we can start applying some basic Risk Management
principles to the deployment and usage of online assets. Just as
with managing other risks, we must:
seem self-evident, but unfortunately, all too often when it comes to
networked systems, they are not employed.
- Analyze the
Because it is
impossible to effectively mitigate and transfer risk of which we
have no comprehension, the most important step in this process lies
in the analysis and quantification of the risk at hand. We need
to thoroughly understand the extent to which our organizations are
leveraged in order to get a handle on how we can effectively control
All too often
we hear credit union executives say, "We do not have home
banking, so we couldn't possibly be at risk." Unfortunately,
this misconception is extremely dangerous. These well-intentioned
organizations do not realize that any connectivity, whether it be
web access at the desktop, email, or even dial-up activity, can pose
serious threats to the integrity of their privileged and very sensitive
The NCUA itself
realizes the importance of "self-evaluation" or analysis
as the first step in managing security risks. A good portion of
the examiners' checklist for Ecommerce activity is devoted to internal
assessments, policy and procedure development and risk awareness.
To make progress along these lines, it is important to highlight
a few critical questions that we should all be asking ourselves:
- Are the services
that we are currently providing (or planning to provide) our members
potentially exposing our assets to risk?
- What policies
(if any) do we have in place to effectively govern the usage of
our online assets?
- Are these
- Do we train
our employees on the proper usage of our data systems and reinforce
that training frequently?
- Does every
employee in the organization understand the importance of taking
network security seriously?
- What (if
any) procedures do we have in place to deal with incidents related
to breaches of policy?
- What are
we doing to stay abreast of issues related to network security
and to be proactive in managing problems?
- Have we enlisted
(or do we plan to enlist) the services of bona fide security experts
to assist us in this ongoing struggle?
Once we are
able to address this list of questions, we will have effectively
won more than 50% of the battle. By raising the level of awareness
in our credit unions and keeping that level high, we build a security
Network Security as a risk management issue, we can better handle
the pressures of what can be a very perplexing issue. The fact is
that we have to offer certain services to our members. The market
demands that we stay competitive. With those services comes an inherent
level of risk, some of which will never be mitigated. Let us apply
the Risk Management techniques that we have become experts at over
the years to this issue. Not only will it bring a healthy dose of
perspective to what for a lot of us is so foreign, but we will also
make progress in securing our networks while we are at it.
For more information
on Digital Defense, Inc. and our suite of service offerings, please
go to www.digitaldefense.net.