ANOTHER Data Breach: Could this happen to you?
Posted by Mr. Idrees Rafiq, Jr., AVP IT Consulting, Credit Union Resources, Inc on 3/19/2014

Ok, so Sally Beauty is the latest to fall victim to a data breach and the PR nightmare that follows. This happened, of course, just as I started writing this blog post. Retailers are being hit with one breach after another, due in no small part to the lighter regulatory requirements they operate under. It is no secret who ends up bearing the financial burden: the card-issuing credit unions, not the retailer. This was a theme echoed at the last GAC. So make sure to document your losses on every breach and report them to your representatives in Congress.

Given that, let me address a regulation your credit union needs to follow to further reduce the chances of a data breach of its own. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers' information against security threats. Log management supports this by giving you the records needed to identify possible security violations and resolve them effectively. Furthermore, per NCUA Regulation Part 748, Appendix A, III.C.1.d, change control procedures should be in place that are designed to ensure system modifications are consistent with the credit union's information security program. Patch management is a change control process, so the same documentation and approval requirements apply to it.

On May 17th, 2013, both http://www.federalnewsradio.com and www.wtop.com were compromised. The sites were used to push a fake Flash Player installer that delivered exploit-kit malware to visitors. Exploit kits rely on known, already-fixed vulnerabilities in browsers and plug-ins, so an effective patch management program on visitors' workstations is the primary defense against this kind of attack.

Credit unions should be able to answer the following questions to demonstrate a strong patch management program:

  1. Is a patch management program written, practiced, and reviewed on a regular basis?
  2. Does management have a formal process to determine the types of changes to the information system that are allowed?
  3. Do you have written change management procedures addressing management approval, scheduled upgrades, testing, and implementation?
  4. Is there a change control log kept to reflect the most current status of the updated/patched environment?
  5. How often are patches and updates applied to operating systems, antivirus applications, spyware removal application, data processors, etc?
  6. Does the credit union subscribe to alert systems such as us-cert.gov?
  7. Are software updates to patch critical security holes in Microsoft Windows, Apple, Flash Player, Java, Adobe Acrobat and PDF Reader products monitored? (Microsoft, alone, addressed 23 vulnerabilities in the March 2014 patches.)
  8. Are software and firmware updates that patch critical security holes in hardware devices (e.g. firewalls, routers, switches) monitored and applied?
  9. Are updates installed and tested in a test environment prior to deployment? If a test environment is not applicable based on the size and complexity of your credit union, have you ensured the updates are certified by your respective vendors?
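Questions 4 and 5 above are the ones an examiner can actually test: does the change control log agree with what is really installed, and are hosts being patched within the window your program promises? The script below is an added example (not code from the original post or from Credit Union Resources) of the reconciliation a credit union can run to answer them. It assumes two exports you already have or can produce: the change control log as CSV with a status of "approved" or "implemented" per host and patch, and a patch inventory as CSV of what each host reports installed. The host names, patch IDs and dates are constructed sample data, and the 30-day window is a placeholder for whatever your written program requires.

```python
"""Reconcile a change control log against a patch inventory (added example)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample data: hypothetical hosts, patch IDs and dates, not real records.
CHANGE_LOG_CSV = """change_id,host,patch_id,approved_by,status,changed_on
CR-101,fs01,PATCH-A,J. Smith,implemented,2014-03-12
CR-102,fs01,PATCH-B,J. Smith,implemented,2014-03-12
CR-103,dc01,PATCH-A,J. Smith,approved,2014-03-14
CR-104,web01,PATCH-B,J. Smith,implemented,2014-03-13
CR-105,web01,PATCH-C,J. Smith,implemented,2014-03-13
"""

INVENTORY_CSV = """host,patch_id,installed_on
fs01,PATCH-A,2014-03-12
fs01,PATCH-B,2014-03-12
fs01,PATCH-C,2014-03-13
web01,PATCH-B,2014-03-13
dc01,PATCH-Z,2014-01-20
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(change_log_csv, inventory_csv, as_of, max_age_days=30):
    """Compare the change log with what hosts report installed.

    Returns four findings, each a sorted list:
      unauthorized  installed on a host with no approved/implemented change record
      pending       approved in the log but not yet installed
      log_mismatch  logged as implemented but absent from the host's inventory
      stale_hosts   hosts with no patch installed in the last max_age_days days
    """
    log = parse_csv(change_log_csv)
    inv = parse_csv(inventory_csv)

    installed = {(r["host"], r["patch_id"]) for r in inv}
    implemented = {(r["host"], r["patch_id"]) for r in log if r["status"] == "implemented"}
    approved = {(r["host"], r["patch_id"]) for r in log if r["status"] == "approved"}
    authorized = implemented | approved

    # Most recent install date per host, used for the patch-window check (question 5).
    last_install = {}
    for r in inv:
        installed_on = date.fromisoformat(r["installed_on"])
        if r["host"] not in last_install or installed_on > last_install[r["host"]]:
            last_install[r["host"]] = installed_on
    cutoff = as_of - timedelta(days=max_age_days)

    return {
        # A patch with no change record means a change was made outside the process.
        "unauthorized": sorted(installed - authorized),
        "pending": sorted(approved - installed),
        # The log claims "implemented" but the host disagrees: the log is not current.
        "log_mismatch": sorted(implemented - installed),
        "stale_hosts": sorted(h for h, d in last_install.items() if d < cutoff),
    }


def run_example():
    """Run the reconciliation over the constructed sample data as of 2014-03-19."""
    return reconcile(CHANGE_LOG_CSV, INVENTORY_CSV, date(2014, 3, 19))


if __name__ == "__main__":
    for finding, items in run_example().items():
        print(f"{finding}: {items}")
```

On the sample data the script flags PATCH-C on fs01 and PATCH-Z on dc01 as installed without a change record, PATCH-A on dc01 as approved but not yet deployed, PATCH-C on web01 as logged but missing from the host, and dc01 as having gone more than 30 days without a patch. Each of those is exactly the kind of discrepancy an examiner reviewing question 4 or 5 will ask you to explain, so it is better to find them yourself first.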

Retailers sharing the financial burden of breaches and having more regulatory oversight and standards is definitely an issue, and your voice should be heard by your local political representatives. However, it is important not to forget that we, as an industry, should continue to lead by example and demonstrate how to balance regulatory responsibility with a strong security posture.

Categories: Compliance, Technology Consulting & Compliance
©  Credit Union Resources, Inc. All rights reserved.