Network Security is Risk Management

Risk management is the key to dealing with the sensitive issue of network security. Historically, Information System management has been an area relegated to the gurus who cast spells behind closed doors and speak in the weird language of bits and bytes. Learn how your credit union can deal with network security through risk management to protect your member information.


Think risk management. That is the bottom line. For so long there has been an aura of mystery surrounding computer systems. Historically, Information Systems has been an area relegated to the "gurus" who cast spells behind closed doors and speak in the weird language of "bits and bytes". Unfortunately, the world we live in is demanding that we now become fluent in this strange language. The paradox is that we are being forced to utilize that which we don't fully understand.

For example, if we were to build a new "bricks and mortar" branch for our members, we would not forgo the security system because we didn't understand the intricacies of the wiring diagram. We would not keep our cash in a suitcase rather than a fortified vault. We would not ask the guard to go unarmed, because it is intimidating and inconvenient for our members. However, I would argue that every day new "virtual" branches are being established without the same level of due diligence and foresight.

There is only one difference between the "bricks and mortar" and "virtual" worlds. The physical branch services a set number of individuals in proximity to the location. The e-branch services the entire Internet. The fact is that the entire world potentially has access to the services that we offer, and we must realize the importance of diligently working to protect those assets and our member information. Since we apply risk management principles and procedures to the risks that our "bricks and mortar" credit unions are exposed to, we must exercise the same amount of due diligence, if not more, in dealing with our online services.

Now that we better understand that Network Security is truly a Risk Management Issue, we can start applying some basic Risk Management principles to the deployment and usage of online assets. Just as with managing other risks, we must:

  • Analyze the Risk
  • Mitigate the Risk
  • Transfer the Risk

These principles seem self-evident, but unfortunately, all too often when it comes to networked systems, they are not employed.

Because it is impossible to effectively mitigate and transfer risk of which we have no comprehension, the most important step in this process lies in the analysis and quantification of the risk at hand. We need to thoroughly understand the extent to which our organizations are leveraged in order to get a handle on how we can effectively control our exposure.

All too often we hear credit union executives say, "We do not have home banking, so we couldn't possibly be at risk." Unfortunately, this misconception is extremely dangerous. These well-intentioned organizations do not realize that any connectivity, whether it be web access at the desktop, email, or even dial-up activity, can pose serious threats to the integrity of their privileged and very sensitive data.

The NCUA itself realizes the importance of "self-evaluation" or analysis as the first step in managing security risks. A good portion of the examiners' checklist for Ecommerce activity is devoted to internal assessments, policy and procedure development and risk awareness. To make progress along these lines, it is important to highlight a few critical questions that we should all be asking ourselves:

  • Are the services that we are currently providing (or planning to provide) our members potentially exposing our assets to risk?
  • What policies (if any) do we have in place to effectively govern the usage of our online assets?
    • Are these policies enforceable?
  • Do we train our employees on the proper usage of our data systems and reinforce that training frequently?
  • Does every employee in the organization understand the importance of taking network security seriously?
  • What (if any) procedures do we have in place to deal with incidents related to breaches of policy?
  • What are we doing to stay abreast of issues related to network security and to be proactive in managing problems?
  • Have we enlisted (or do we plan to enlist) the services of bona fide security experts to assist us in this ongoing struggle?

Once we are able to address this list of questions, we will have effectively won over 50% of the battle. By raising the level of awareness in our credit unions and keeping that level high, we build a security-savvy culture.

By qualifying Network Security as a risk management issue, we can better handle the pressures of what can be a very perplexing issue. The fact is that we have to offer certain services to our members. The market demands that we stay competitive. With those services comes an inherent level of risk, some of which will never be mitigated. Let us apply the Risk Management techniques that we have become experts at over the years to this issue. Not only will it bring a healthy dose of perspective to what for a lot of us is so foreign, but we will also make progress in securing our networks while we are at it.

To keep abreast of network security issues as they affect credit unions, please feel free to subscribe to our biweekly "CUSecure" email newsletter by clicking on the link below.

For more information on Digital Defense, Inc. and our suite of service offerings, please go to

For direct inquiries, please send requests to



This sponsored content article is provided to the credit union community for shared insights and knowledge from a recognized solutions provider in the industry. Please note that the views and opinions offered here do not reflect those of Callahan & Associates, and Callahan does not endorse vendors or the solutions they offer.



July 30, 2001


