EL SEGUNDO, Calif. – Xerox Federal Credit Union is keeping a constant watch on its IT security with a broad-based solution that’s also found its way into high-end users such as the Pentagon and the U.S. Treasury. Xerox FCU is using IT risk assessment software from Xacta Corp. to get a round-the-clock, system-wide look at its security posture while complying with industry best practices and standards and NCUA regulations.
Xacta, a subsidiary of Telos Corp., is a suburban Washington-based provider of what it says is the industry’s first automated enterprise risk assessment and management solution “to go beyond compliance with information security regulations and best practices to assessing and managing risk posture on an ongoing basis,” says Emmett Wood, Xacta’s director of credit union sales. The software automatically detects what software systems are in place, runs tests against the architecture for security weaknesses and backdoors, and provides updates about potential problems, the company says. A new offering also includes the capability to automatically trigger remediation measures ranging from e-mail alerts to integrated patch deployments.
“It’s no longer enough to perform a security audit periodically,” Wood says. “Given the evolving threats, constant security diligence is a must, and an automated security offering helps the overtaxed technology employees.”
Available as an ASP or in-house deployment, the software also automatically generates process documentation to help credit unions ensure compliance with NCUA Regulation Part 748 and other industry standards such as BS 7799/ISO7799 and the Gramm-Leach-Bliley Act, the company says. There are 20 credit unions among Xacta’s 250-plus clients, the company says, including Xerox FCU, United Nations FCU, Affinity FCU, U.S. Senate FCU, Congressional FCU and Kaiperm FCU.
At Xerox FCU, the Xacta solution works alongside dual firewalls from Cisco, Norton anti-virus software and GFI e-mail filtering, among other protections. “We also still do periodic external penetration tests to help ensure security in addition to the continuous monitoring from Xacta,” says Bill Cheney, president/CEO of $765 million, 77,000-member Xerox FCU in El Segundo, Calif.
“At the time we chose Xacta, we knew of no other product like it,” Cheney says. “We can assess our systems for vulnerabilities on a frequent basis, which is important since changes are happening to the network on an almost continuous basis. Sometimes those changes introduce new vulnerabilities that we can now identify and correct quickly.”
Depending on the deployment, a client typically spends $7,500 to $85,000 on an Xacta solution, the company says. Offsetting that cost, it says, are savings such as cutting the time it takes to perform security testing and analysis from about an hour per server to a minute per server, and cutting the time it takes to create a security test plan from 320 hours to a single hour.
“We found that we would break even on costs for the Xacta system after about one year and enjoy weekly assessments instead of semi-annual assessments,” Cheney said, adding that benefits also include some intangibles. “It’s difficult to measure the ROI on ongoing maintenance and staff costs because we’ll never know how many times an attempted hack – or virus, worm or Trojan horse – was thwarted,” Cheney says.
“We understand just how devastating the impact is on a credit union that finds itself in a situation where it must inform its members that information was compromised or perhaps that the server was successfully brought down by an attack,” the credit union CEO says. “That’s something we don’t want to have happen to us.”