Effective Credit Union Vulnerability Management

With the persistent waves of IT security breaches, credit unions increasingly seek more effective ways to protect their systems from attack and reach regulatory compliance.


With the persistent waves of IT security breaches, and a growing list of ever more complicated government regulations aimed at protecting members’ financial information, credit unions increasingly seek more effective ways to protect their IT systems from attack, and to reach regulatory compliance.

How well does your credit union’s IT vulnerability management and compliance program stack up?

Depending on its size, and on whether it is state or federally chartered, a credit union can fall under a spate of regulations aimed at protecting member information from being breached and from the risk of identity theft. So it takes a sound security and vulnerability management program to ensure your credit union complies with regulations as stringent as the Gramm-Leach-Bliley Act, the National Credit Union Administration’s (NCUA) Reg. 748, and SB 1386, which requires credit unions with members in California to notify those members, under certain circumstances, if sensitive financial information has been breached.

While all of these regulations affect the way credit unions approach the vulnerability management of their IT systems, they’re certainly not the only concern. According to the CERT Coordination Center, an information security watch group, 3,780 new software vulnerabilities were discovered in 2004, and 1,220 more were revealed in the first quarter of 2005 alone. If that pace continues, the flaws discovered this year will far exceed last year’s. These flaws are what make it possible for viruses and worms to infect your infrastructure and bring system performance and worker productivity to a halt. They’re also how hackers infiltrate systems to steal sensitive information.

The best and easiest way to achieve regulatory compliance, and keep systems safe from attack, is to establish a sound vulnerability management program.

Government regulations require credit unions to create an information security program that includes not only a thorough risk assessment, but also oversight by the board of directors, procedures for improving and changing the security program, and continuous status and trend reporting to management.

There are several approaches your credit union can take to meet these criteria. It could decide to outsource much of the vulnerability management and remediation process to outside consultants who would conduct ongoing vulnerability scans and risk assessments, and provide reports to your internal security administrators and senior management. But consulting fees quickly add up, and this option can prove too expensive for an ongoing compliance and vulnerability management program.

Another option would be to hire several full-time employees dedicated to your vulnerability management process. This team would have to review, on average, ten new software vulnerabilities every day to determine which systems are at risk, and then prioritize the software patching process based on the criticality of each vulnerable system. It also would have to confirm that each system was, in fact, successfully patched.

This option is also expensive, and it is difficult to manage without the proper vulnerability management tools in place.
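The daily routine just described (match each new advisory against the asset inventory, rank the exposed systems by criticality, then confirm the patch actually landed) is easy to state but easy to get wrong by hand. The following is an added illustration written for this page, not Qualys code or QualysGuard output; every asset, product, version and advisory identifier in it is a constructed placeholder.

```python
"""Added example: one triage pass of the process described above.
All inventory and advisory data is constructed; the ADV-000x ids,
product names and version numbers are placeholders, not real advisories."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                       # 1 (lab box) .. 5 (core banking)
    software: dict = field(default_factory=dict)   # product -> installed version


@dataclass
class Advisory:
    vuln_id: str                           # placeholder id such as "ADV-0001"
    product: str
    fixed_in: str                          # first version containing the fix
    severity: int                          # 1 (low) .. 5 (critical)


def version_tuple(v: str) -> tuple:
    """'10.0.3' -> (10, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """An asset is exposed if it runs the product at a version below the fix."""
    installed = asset.software.get(adv.product)
    if installed is None:                  # product not present: not affected
        return False
    return version_tuple(installed) < version_tuple(adv.fixed_in)


def triage(assets, advisories):
    """Return (asset, advisory, score) tuples, highest risk first.

    score = severity * criticality, so a medium flaw on a core server
    outranks a critical flaw on a throwaway lab machine.  Ties keep
    advisory order, i.e. the order the feed delivered them."""
    work = [(a, adv, adv.severity * a.criticality)
            for adv in advisories
            for a in assets
            if is_vulnerable(a, adv)]
    return sorted(work, key=lambda t: t[2], reverse=True)


def verify_remediation(assets, advisories):
    """Re-run the match after patching.  Anything still exposed is a
    failed or incomplete patch and its ticket must stay open."""
    return [(a.name, adv.vuln_id) for a, adv, _ in triage(assets, advisories)]


# --- constructed sample inventory and advisory feed ---
ASSETS = [
    Asset("core-db", 5, {"dbms": "4.2.1"}),
    Asset("teller-ws-07", 3, {"browser": "10.0.3", "office": "2.1"}),
    Asset("lab-test", 1, {"browser": "9.9.0"}),
]
ADVISORIES = [
    Advisory("ADV-0001", "browser", "10.0.4", 5),
    Advisory("ADV-0002", "dbms", "4.2.2", 3),
    Advisory("ADV-0003", "office", "2.0", 4),   # already fixed everywhere
]

if __name__ == "__main__":
    for asset, adv, score in triage(ASSETS, ADVISORIES):
        print(f"{score:2d}  {asset.name:14s} {adv.vuln_id} "
              f"({adv.product} {asset.software[adv.product]} < {adv.fixed_in})")
    # Simulate patching core-db, then confirm nothing is left open for it.
    ASSETS[0].software["dbms"] = "4.2.2"
    print("still open:", verify_remediation(ASSETS, ADVISORIES))
```

Note that the teller workstation and the core database tie at 15 even though the browser flaw is the more severe one: weighting by asset criticality is what turns a raw vulnerability list into a patch order, and the verification step is what distinguishes "patch deployed" from "patch applied".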

There is a better way.

Innovative automated vulnerability management tools exist that are extremely accurate, up-to-date, easy to deploy, cost effective, and provide detailed, comprehensive reports tailored for security managers as well as senior management. QualysGuard, from Qualys, provides all of this, plus:

  • A comprehensive vulnerability knowledge base of more than 4,500 unique security checks that is updated daily with checks for newly announced threats. It’s the largest such database in the industry, and saves security managers from having to spend days each week researching new vulnerabilities.
  • Quick detection of all of your credit union’s servers, desktops, routers, wireless access points, and other networked devices that need to be secure and compliant.
  • The ability to schedule daily, weekly, or monthly vulnerability scans—at no additional cost—to make sure all systems are up to date.
  • The automatic generation, and tracking, of trouble tickets through remediation.
  • Trusted, automated third-party compliance auditing for GLB, Sarbanes-Oxley, SB 1386, and others.

For more information on Qualys, please visit us at www.qualys.com or request a free trial at http://www.qualys.com/POS/confidence/form/?lsid=6488