<p>Who does your core processing? Who processes credit cards for your credit union? What do you know about these companies and their security practices and policies? Do they meet all the regulatory requirements? Are they an active part in improving your security posture, or do they hinder and block your attempts to secure your network? Do these questions keep you up at night? They should.</p>
<p>Third-party vendors play a critical role in many credit unions. They often provide core financial platform computing services and make other financial services available to the membership. Even the very largest credit unions have some form of third-party relationship, from credit card processing to credit bureau services. In today's market, simply put, no institution can do everything needed to meet member business needs without the help of a third party.</p>
<p>There are three main areas where third-party vendors have had an impact on credit union security. First, many of these vendors require network connectivity to your credit union's internal network. Second, these vendors may or may not have secured the systems that contain your member information. Lastly, they may have existing contractual limitations on your ability to manage and access the vendor's systems on your networks.</p>
<p>Plug me in – you can trust me!</p>
<p>Many third-party vendors require the credit union to set up a network connection back to the vendor's network. In most cases, these connections are made over private leased networks. Some use the Internet with Virtual Private Network (VPN) encryption to connect the vendor and the credit union. Many use a dedicated dial-up connection to the core processing system in order to maintain the software and configuration of those machines. In a few cases, I've seen vendors have the credit union simply open an unencrypted connection over the Internet.</p>
<p>While these connections are vital, they are very often installed without any kind of restriction between the parties involved. The ideal restriction device between these networks is a firewall configured to allow only traffic from specified credit union machines to specified vendor machines. This minimizes the cross flow of traffic between the organizations. These connections are also typically not logged, nor are the logs reviewed on a regular basis.</p>
<p>How significant a problem can these third-party connections be to your security? In one credit union I tested, I found that due to a network configuration error, a copy of each and every transaction sent to the core processing server was also being sent to each and every third-party vendor on their network. Imagine every teller transaction, every ATM transaction, and every loan approval being sent to your credit card processor, your credit bureau, and your check printer. If that wasn't bad enough, it was sending the transactions out the Internet connection to their Internet Service Provider.</p>
<p>It has never failed to amaze me how many organizations over the years have scrutinized every employee action and made employees submit several pages of justification to gain access to the systems they use in the performance of their duties, and yet when the organization gets a new third-party vendor, they give it total, unadulterated access to the core computing systems that contain all of their business and financial information. If at all possible, isolate the system that the third-party vendor has to access from the rest of your network. As a minimum, ensure that the restriction device, e.g. a firewall or an access control list on the router, limits which devices can be accessed from the vendor's network.</p>
<p>A fact that may disturb many credit unions is that very often they cannot fix security problems identified on third-party vendors' systems located within the credit union's space without specific permission from the vendor. Some third-party vendors may also restrict the types of testing that a credit union can perform on the vendor's systems. The kicker is, if the systems are compromised and member data is mishandled or misused, the credit union is liable under the Gramm-Leach-Bliley Act. That's right: even if your data is exposed to compromise, the service agreements you have with your vendor may prevent you from testing the system for vulnerabilities, fixing them if you find them, or even restricting how the vendor can access the system. The hammer these vendors use is that any changes you make to their system may affect how the system works, and that in itself may void the hardware and software maintenance agreements. However, these same service agreements often don't stipulate that the vendor is even required to identify and fix security vulnerabilities. Nor do they call out access specifications for how and when the vendor can access the system for maintenance.</p>
<p>Most credit unions properly interpret 12 CFR Part 748 to mean that security testing should be performed on a periodic basis by a qualified third-party vendor. I can't stress enough that this testing should be performed by a vendor different from the one who set up the network architecture. Often when we perform testing for our customers, we encounter third-party vendors who are reluctant to have testing performed on their networks. They state either that they already have a company engaged to perform that testing and know that it's secure, that they test their own networks, or that if they let one company test their network, they would have to let everybody.</p>
<p>I counter with the following challenge: if you are a third-party vendor and either perform your security testing in-house or have a company providing it, then provide the credit union with a detailed copy of the vulnerability analysis report showing the vulnerabilities found and the fixes applied, especially for those vendor assets that contain member data. This way the credit union can be assured that it is not being subjected to excessive exposure of its members' data.</p>
<p>What can I do about all this?</p>
<p>As a credit union, you are ultimately responsible for protecting your members' information and financial resources. The single biggest thing you can do is to make your staff and members aware of legitimate security concerns. In today's world of security break-ins occurring at all levels, awareness of how to protect your information is vital. One of the best ways for the credit union to maintain awareness of its security posture is through recurring testing of its resources. Only you can put pressure on your vendors to meet or exceed your security needs. This comes through the use of vendor user groups, making sure that contracts address these security needs, and developing your own in-house security policies that you require the vendors to follow. It will take a coordinated effort of not just the credit union but also all the vendors that support it to ensure that our networks are made safe.</p>
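The article recommends a firewall between the credit union and each vendor that allows only specified credit union machines to reach specified vendor machines, with the logs actually reviewed. As an added example (not from the original article), the Python script below audits constructed iptables-style firewall log lines against a hypothetical allowlist, flagging accepted flows across the vendor link that the allowlist does not cover and core-server traffic leaving for the Internet, the two conditions the article describes; the addresses, networks and log format are all assumptions.

```python
import ipaddress
import re

# Hypothetical topology: credit-union LAN, two vendor networks on leased lines,
# and the core processing server as the sensitive host.
CU_NET = ipaddress.ip_network("10.1.0.0/16")
VENDOR_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
SENSITIVE_HOSTS = {"10.1.0.10"}  # core processing server
# Directional allowlist (src, dst, dport): the only flows the vendor link should carry.
ALLOWED = {
    ("10.1.0.10", "192.0.2.20", 443),   # core -> card processor API
    ("198.51.100.5", "10.1.0.10", 22),  # vendor maintenance host -> core
}
# Constructed iptables-style log format: "<verdict> ... SRC= DST= ... DPT="
LOG_RE = re.compile(r"\b(ACCEPT|DROP)\b.*?SRC=(\S+) DST=(\S+).*?DPT=(\d+)")

def parse_flow(line):
    """Return (verdict, src, dst, dport) for a firewall log line, else None."""
    m = LOG_RE.search(line)
    return (m.group(1), m.group(2), m.group(3), int(m.group(4))) if m else None

def in_vendor(addr):
    return any(addr in net for net in VENDOR_NETS)

def audit(lines):
    """Return (reason, src, dst, dport) for each ACCEPTed flow that violates policy."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f[0] != "ACCEPT":
            continue  # skip non-flow lines and DROPs (the firewall doing its job)
        _, src, dst, dport = f
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        crosses_link = (s in CU_NET and in_vendor(d)) or (in_vendor(s) and d in CU_NET)
        if crosses_link and (src, dst, dport) not in ALLOWED:
            findings.append(("unapproved flow across vendor link", src, dst, dport))
        elif src in SENSITIVE_HOSTS and d not in CU_NET and not in_vendor(d):
            findings.append(("sensitive host sent traffic to the Internet", src, dst, dport))
    return findings

SAMPLE_LOG = [  # constructed sample log lines for the example
    "fw ACCEPT IN=eth1 SRC=10.1.0.10 DST=192.0.2.20 PROTO=TCP DPT=443",    # approved
    "fw ACCEPT IN=eth2 SRC=198.51.100.5 DST=10.1.0.10 PROTO=TCP DPT=22",   # approved
    "fw ACCEPT IN=eth2 SRC=198.51.100.5 DST=10.1.5.44 PROTO=TCP DPT=445",  # vendor host -> teller PC
    "fw ACCEPT IN=eth1 SRC=10.1.0.10 DST=192.0.2.77 PROTO=TCP DPT=1521",   # core -> unlisted vendor host
    "fw ACCEPT IN=eth0 SRC=10.1.0.10 DST=203.0.113.9 PROTO=TCP DPT=443",   # core -> Internet
    "fw DROP IN=eth1 SRC=192.0.2.20 DST=10.1.0.10 PROTO=TCP DPT=3389",     # blocked, not a finding
    "fw kernel: eth1 link is up",                                          # not a flow line
]
```

Running `audit(SAMPLE_LOG)` yields three findings: the vendor host reaching a teller workstation, the core server talking to a vendor host that is not on the allowlist, and the core server sending traffic to the Internet.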