KENSINGTON, Md. – Compliance with IT security regulations is becoming a major undertaking for credit unions, along with the actual defense against hackers and viruses, and Lafayette Federal Credit Union has taken that bull by the horns by deploying risk-assessment software its chief technology manager says will ensure the D.C.-area CU meets and exceeds the increasingly tough demands of federal examiners.

The $300 million credit union is using the IA Manager solution from Xacta Corp. to conduct rigorous self-examinations that ensure "we have everything completely locked down" and can prove it, says John Straub, the CU's vice president of information technology.

Xacta is a subsidiary of Telos Corp., a suburban Washington provider of automated enterprise risk assessment and management solutions whose client list includes the U.S. Treasury and the Pentagon. Xacta has about 20 credit unions among its 250 or so customers. Xacta's offerings range from its standard risk-assessment documentation solution to software that provides automated risk assessment, alerts and remediation around the clock.

Lafayette is using what Emmett Wood, the company's credit union sales director, calls Xacta's "standard solution, the former Commerce Trust product that now is part of IA Manager. It allows them to do risk assessment and produce documentation that helps ensure compliance with both NCUA Regulations Part 748 and the ISO17799 standards."

Wood says he sees a growing interest in such capabilities as NCUA examiners get "more rigorous in what they are looking for," including what he calls a "living security document", which Wood says shows "your credit union has a way to continuously monitor and understand how you are meeting regulations and standards." He adds that "the regulators are getting more educated and they're really looking for a more educated discussion" from the credit unions they're sent to oversee.

Straub has seen that growing interest, too.
("They used to just pretty much look at paper records. Now they want to spend time really looking at the data," he observes.) He says the Xacta software is helping his 16,000-member CU be prepared, not just for examiners but for the evil-doers in cyberspace who would do his institution harm.

With the software deployed alongside the firewalls, intrusion-detection services and other defenses, Lafayette's IT staff runs its servers and PCs through a detailed series of questions and recommended tests provided by the regularly updated Xacta software. "Depending on how many criteria you list and adhere to, you can wind up with a pretty good, long list of questions and tests for each server and workstation," Straub says.

They range from the micro (can you log onto this particular PC with a bad password?) to the macro (is your credit union in a stormy area prone to flooding?), and if the software is satisfied, then those responsible, both internally and externally, for making sure things are as they should be, should be, too.

"It does quite a good job and we get things pretty locked down," Straub says. "For example, right now we are showing no vulnerabilities on our servers at all, because we systematically go through and eliminate every one of them."

Straub, like Wood at Xacta, sees the growing interest in IT security by regulators as an ongoing process, and as a result of the evolution of the credit union industry itself. "Credit unions have advanced a lot in the last five years and we're now offering bank-like services, just from a different perspective," he says. "So the same sort of examinations and regulating that banks have seen is now being applied to us, too."