Case Study: Choosing Outside Help to Meet Security Regulations

Finding just the right provider can be tricky. How one company made its decision.

Improve security and remain compliant with industry regulations at the same time—that was the challenge of Peter Simonson, chief of information technology at Arizona State Savings & Credit Union (ASSCU), two years ago, as he studied new regulations affecting the credit union.

Founded in 1951, ASSCU now includes 23 branches, and is Arizona’s largest state-chartered and federally insured credit union, with more than $800 million in assets. As a financial services company, ASSCU must comply with a myriad of regulations. Safeguarding customer data is paramount, of course, especially if the institution wants to maintain its customers’ trust.

The credit union, however, needed help securing its communications network, Internet offerings, software applications, and offices, especially if it wanted to meet new regulatory requirements. “Security is key in our industry, and legislation continues to address the privacy of consumer information,” notes Simonson. Yet he also realized “we do not have [the] internal resources [necessary] to fully stay focused on every facet of electronic security.”

Experts say ASSCU’s situation isn’t unusual, nor are the changes it made starting in 2002. The year was a watershed for many financial and healthcare companies, which grappled with how to meet new regulations that didn’t advocate specific hardware or software, but instead focused on processes. Many organizations sought outside, ongoing help to realize the needed policies, procedures, and technologies.

ASSCU was no different, and it researched and interviewed a variety of auditors, security firms, and consulting companies, ultimately selecting Internet Security Systems (ISS). “It really boiled down to expertise and best overall value, and not just price—although ISS is priced fairly,” says Simonson. The credit union liked that ISS focused only on security. Reference customers, whom the credit union interviewed, also spoke well of the firm. Finally, “we were also impressed with the significant investments they make in their X-Force [research and development], which really impacts the technical expertise provided to us,” he says. X-Force is ISS’s threat-analysis service.

The security assistance helps ASSCU’s IT staff not spend all of their time pursuing security matters. “ISS provides the additional components that complement our IT staff,” says Simonson, and also helps the credit union deal with higher-level security issues.

One of those ongoing issues --beyond maintaining the right technology to protect the corporate network—is keeping upper management in the security loop. For this, ASSCU also relies on ISS. “Reporting on the state of security to our board members, examiners, and auditors is mandatory, and ISS writes their reports in a way that is meaningful and valuable to [board members]. This is critical when one considers the implications of assessments on regulatory compliance, such as the Gramm-Leach-Bliley Act, and corporate governance issues, such as the Sarbanes-Oxley Act. [In addition], partnering with a respected security organization assures our board that the technical findings are sound.”

In particular, Sarbanes-Oxley mandates executives attest to their organization’s security controls. “It really boils down to the legal ramifications, and the fact that executives could be liable for damages and face criminal charges if they have not applied prudent business practices,” says Simonson. Being proactive can also keep insurance policy premiums down, he says. Though there haven’t been any Sarbanes-Oxley-related prosecutions yet, anything’s possible in the post-Enron world, and the business world is bracing for the first cases.

Since contracting with ISS, Simonson says the credit union began subscribing to ISS’s X-Force Threat Analysis Service. “As new attacks, worms and vulnerabilities surface, our need to be alerted 24-by-7 is critical.”

Still, the needed security processes are already in place, he says. “Overall, ISS gives us peace of mind that we’re addressing the security of our systems and our customers’ assets. At the end of the day, security is our responsibility, but ISS is our checks and balances.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.