AUSTIN, Texas – Good ol' fashioned shoe leather was one reason for the success of the Credit Union Information Security Professionals Association 2006 IT Risk Management Summit Jan. 29-31 at the Driskill Hotel. CUISPA Executive Director Kelly Dowell has traveled countless miles over the past 12 months rallying support for a credit union-specific knowledge exchange among information technology professionals, industry leaders, regulatory agencies and IT vendors.

The result was impressive. About 115 credit union IT professionals attended from small and large credit unions across the country; representatives from 11 corporate credit unions and U.S. Central showed up; and NCUA sent representatives from the Office of Examination and Insurance, the Office of Corporate Credit Unions and from all five NCUA regions. In addition, 30 security vendors participated at CUISPA's invitation.

With the face of security changing at a breakneck pace, risk management is an increasingly difficult and time-consuming task. Patch management, e-mail security, and incident response are pressing issues. Phishing attacks are becoming more sophisticated, and IT professionals face new challenges with multi-factor authentication and encryption of member data.

CUISPA is a knowledge-sharing resource for IT professionals in the credit union industry. Focused on improving security management through collaboration, CUISPA provides peer communication, education, awareness, threat and compliance monitoring, support services and co-op purchasing discounts for its members. Just a year old, the organization was the brainchild of Dowell, who previously owned an IT consulting firm that called on credit unions. To date, CUISPA has about 160 members and has organized 17 local chapters across the country.

The conference was brimming with information.
Topics covered included security program management, IT risk management and assessment, encryption solutions, secure member communication, disaster recovery and business continuity, phishing, ID theft, malware and spyware prevention, strong authentication, incident response, biometrics, and regulatory compliance.

A hot topic for the entire conference was raising the accountability standard of third-party vendors providing information security products and services to credit unions. Because credit unions must perform due diligence to comply with federal regulations that require the safeguarding of member data, IT professionals want assurance that their vendors conform to similar practices and procedures.

On opening day of the conference, Joseph Visconti, a 30-year NCUA veteran who now has his own consulting business, outlined a proposal for a vendor certification program. The proposal sets performance criteria for IT vendors in the areas of hardware, software, operations and audits of company performance. Reviews would be performed by independent third-party contractors, not CUISPA. Once certified, a vendor's name would be posted on the CUISPA Web site (www.cuispa.com), and the company would earn the ability to advertise its CUISPA certification.

"When performing due diligence for a security services provider, the low bid isn't really low if there are security issues that could compromise member data," said Visconti.

While a few attendees questioned the necessity of the program, most voiced their support. "For smaller credit unions such as ours, a program like this would mean I could review three vendors instead of 50," said Tamara Hudson, Community Resource Credit Union.

Having gained a consensus to move forward on the certification program, CUISPA will be fine-tuning certification requirements and alerting vendors that the program is in the works, Dowell said.
Another highlight of the conference was a panel discussion devoted to identifying emerging threats to computer security. As security programs become more effective and users get better at recognizing e-mail attacks, malicious activity will shift toward other channels, such as instant messaging, Web sites and wireless portable devices. Attacks will become more sophisticated and systematic as "big money" funds criminal activity, said Pierluigi Stella, a panelist with Network Box. "It's no longer just the guy on his bedroom computer that you have to worry about, it's the Russian mafia paying a room full of individuals to get information."

Panelists offered many suggestions on protecting credit unions and their members, including controlling employee outbound Internet access. "Why do you allow JavaScript or other active content in e-mail? Stop original code from coming into your network. Configure outbound connections so that only what is absolutely needed is allowed," Stella urged credit unions.

Moderated by Bill Podborney, IS manager, Alliant Credit Union, Chicago, Ill., the panel also included representatives of computer security solutions vendors: Brent Huston, MicroSolved; Andrew Vesay, Compushare; Joe Brown, CipherTrust; Justin Mitzimberg, Info@Risk; and Richard Flemming, Digital Defense.

Kurt Lykins, chief technology officer of Corporate One Federal Credit Union, Columbus, Ohio, gave an inspiring presentation, encouraging credit unions to protect and advocate for the credit union "brand" and to vigilantly oppose credit union taxation by promoting the credit union difference. He hinted at several upcoming initiatives that would be supported by corporate credit unions and directed toward natural-person credit unions, including a study of the issues involved in migrating off the Federal Reserve's DOS-based Fedline program, a white paper on multi-factor authentication, and the development of a business continuity framework.
"The 29 corporate credit unions compete very aggressively, but we see the value of getting together here. The safety of our members and identity of brand are important," Lykins said. "I'm issuing a corporate call to action. If you found this conference valuable, go back to your respective states and share what you learned. If you have a community without a CUISPA organization, start one."

An interactive session with NCUA on information security compliance was another conference highlight. Moderated by Visconti, the NCUA panelists were Dominick Nigro, ISO, Office of Examination and Insurance; Elias Perez, ISE, Office of Corporate Credit Unions; and Regional Information Security Officers (RISOs) Gail Marotti-Hossan, Region I; Gerry Wyland, Region II; Patrick Truett, Region III; Wayne Trout, Region IV; and Manny Centeno, Region V. Discussion focused on several key topics: NCUA's revision of its IT examination program, vendor roles in complying with FFIEC guidelines, risk assessment criteria and data encryption.

NCUA said its new IT examination program is being tested now and will be implemented in 2006. It will consist of 19 new technology control questionnaires that focus on security under Part 748, Appendices A and B. NCUA did offer credit unions some consolation. "Don't expect examiners to use all the questionnaires at one credit union. They're simply tools for the examiners to choose from based on what needs to be addressed," Nigro said. Prior to implementation, credit unions will receive a file from NCUA with a copy of all the questionnaires.

Concerning FFIEC compliance, a conference participant said, "You tell us we have to do something, but you don't give us help in finding vendors or other credit unions who do it right." NCUA responded that it can't endorse products or vendors because cookie-cutter solutions don't exist in credit union security, but urged participants to take advantage of forums such as the CUISPA Summit.
What criteria does NCUA use when reviewing risk, another participant asked. Nigro offered three generalities: "Is sufficient data gathered, has data been analyzed to see if controls are in place, and have vulnerabilities and assets been prioritized so that items of highest importance can be addressed the soonest?"

NCUA panelists noted that management support is critical to risk assessment. "Management buy-in is key. If you're preparing a risk assessment just because the regulator said this is what you have to do, there is no benefit. Documentation will prove valuable to the whole organization. IT understands the risk but needs to convey it to management and the board," said Gerry Wyland.

Summit attendees tried to reconcile the Appendix A requirement for encrypting sensitive data with the fact that most core system providers don't have that capability yet. While recognizing the dilemma, NCUA would not downplay the importance of encrypting at least the Social Security number field of member data files. "Gramm-Leach-Bliley predicated this requirement. If you have that information, whether in transit or in storage, you need to encrypt."

CUISPA organizers enthusiastically predict a much larger response to the Summit next year. In the meantime, they will continue to organize local chapters throughout the country.
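The Appendix A discussion above ends with NCUA saying the Social Security number field must be encrypted in storage even when the core system cannot do it. As an added example that is not from the article or from any vendor or core provider it names, here is what encrypting that one column looks like in Go with AES-256-GCM: the rest of the member row stays in the clear, and the member ID is bound into the ciphertext so a blob cannot be copied between rows. The record layout, the member IDs and the in-memory demo key are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// MemberRecord is a constructed stand-in for one row of a core-system member
// file. Only SSN is protected; MemberID and Name stay in the clear so the
// host application can still key and search on them.
type MemberRecord struct {
	MemberID string
	Name     string
	SSN      string // plaintext before SealSSN; base64(nonce || ciphertext || tag) after
}

// newAEAD builds an AES-256-GCM instance. A 32-byte key is required; in a
// real deployment it comes from a KMS or HSM, never from the record store.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSSN encrypts r.SSN in place. The MemberID is bound in as associated
// data: a ciphertext cut from one member's row and pasted into another's
// fails authentication when opened, so the field cannot be silently swapped.
func SealSSN(key []byte, r *MemberRecord) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	// Prepend the nonce so the stored value is self-describing.
	ct := aead.Seal(nonce, nonce, []byte(r.SSN), []byte(r.MemberID))
	r.SSN = base64.StdEncoding.EncodeToString(ct)
	return nil
}

// OpenSSN returns the plaintext SSN for a sealed record, or an error if the
// value was tampered with, re-homed to a different MemberID, or sealed
// under a different key.
func OpenSSN(key []byte, r MemberRecord) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(r.SSN)
	if err != nil {
		return "", fmt.Errorf("ssn field is not base64: %w", err)
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("ssn field too short to be a sealed value")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(r.MemberID))
	if err != nil {
		return "", fmt.Errorf("ssn field failed authentication: %w", err)
	}
	return string(pt), nil
}

func main() {
	// Demo key generated on the fly (assumption); a real deployment loads it from a KMS.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := MemberRecord{MemberID: "M-1001", Name: "A. Member", SSN: "123-45-6789"} // constructed sample row
	if err := SealSSN(key, &rec); err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec) // SSN column now holds an opaque blob

	ssn, err := OpenSSN(key, rec)
	fmt.Printf("opened for M-1001: %q, err=%v\n", ssn, err)

	swapped := rec
	swapped.MemberID = "M-2002" // same blob filed under another member's ID
	_, err = OpenSSN(key, swapped)
	fmt.Printf("opened under M-2002: err=%v\n", err)
}
```

Two practical consequences follow from this design. Each Seal draws a fresh nonce, so two members with the same SSN produce different blobs and the column can no longer be searched by equality; an application that must look members up by SSN needs a separate keyed blind index (an HMAC under a second key), not a deterministic cipher. And the example covers the "in storage" half of the NCUA quote only; "in transit" is the job of TLS on the link to the core provider. Where the key lives and how it is rotated is the part no snippet solves, which is the dilemma the attendees were describing.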