By separating data sets and stratifying the levels of security accordingly, credit unions can more easily grant and manage appropriate access levels for third parties.

With the list of sensitive data sets and their corresponding locations in hand, credit unions should next identify which vendors have access to those protected assets. If blanket access levels have been established, there will likely be a subset of vendors with login credentials that grant them access to information far beyond their needs. In addition, there exists a potential that vendors who no longer provide services may still have network access.

Employees should never share login credentials with each other or with vendors or visitors. And, the vendor should immediately notify you if a previously credentialed employee leaves so that access can be terminated. Implementing automatic account expirations and requiring affirmative renewals of third-party account access from the individual managing the contractor or vendor, as well as periodic audits, are recommended as methodologies to remove access for those no longer working with your credit union.

Next Page: Spotting Potential Gaps

Spotting Potential Gaps

With the most valuable information assets segregated and identified, security assessments may be focused on these areas to identify potential security gaps along those access pathways. Take the time to periodically examine how vendors gain access to your network and what is accessible once they have been authenticated. Consider exposures beyond just the point of connection as a vendor's “BYOD” or remote access policy may provide an attack vector into your organization if that vendor does not have adequate security measures in place to monitor and block attacks from these points that then pivot into your network.

Along with internal measures, credit unions should attend to any potential security exposures that may exist on the vendors' side of the equation. Require that external partners employ security safeguards commensurate with the value of the data you are entrusting to them and that they conduct security training for their employees and contractors. If your sensitive data leaves your network, ensure that strong encryption is used during transit as well as during storage and track the return or final disposition of your data.

Any security gaps can now be closed, either with technology or with process. If the responsibility for a security measure falls to the vendor and is not in your control or line of sight, it is best to specify in the legal agreement with that vendor exactly what protocol is to be followed, how you will be able to audit or confirm that it is being followed, and what should occur if it is not followed. Ensure that workers and vendors alike understand that they are not to share their account ID or password, and instruct them on the proper procedure for refusing and, if the refusal is not accepted, reporting any request to share credentials as well as other potential security breaches.

Finally, in this era of ever-tightening compliance mandates, it's important that credit unions never rely solely on compliance as assurance that information is secure. It is fairly common for “compliant” organizations to experience a data breach. Regulations, which are necessarily slow to develop and evolve, typically trail technology, which changes rapidly. Compliance often falls below the threshold of sufficient security, and it is incumbent upon the individual organizations to determine and communicate to their vendors how their information and their customers' information are to be protected.

Deena Coffman is CEO of IDT911 Consulting in Scottsdale, Ariz. CONTACT: 1-888-682-5911 or [email protected].