The OGO Blog

February 2020: Credit Union Cybersecurity Tip from the OGO CISO Office


Do you know what’s on your network? Why hardware asset inventory is important to your Credit Union.

 

Credit Union networks are becoming increasingly complex.  The number and types of devices that we must support in our environments expand almost daily.  Workstations, servers, firewalls, mobile devices, receipt printers, kiosks, the list goes on and on.  How do we keep track of all of the devices at our credit unions?  How can we leverage that information when we do have it?  Read on for strategies and best practices, and how an accurate hardware asset inventory can help keep your credit union secure.

Building and maintaining an accurate hardware inventory is a vital part of an Information Security Program.  Without an accurate inventory we cannot properly assess risk in our environments and design controls to protect those assets.  All major frameworks around Information Security Programs (ISO, NIST, CIS) prescribe controls for maintaining an accurate and detailed asset inventory.  A strong asset inventory program also keeps us in regulatory compliance.  It is addressed in the FFIEC Information Technology Examination Handbook and the NCUA’s ACET tool.  Additionally, from a financial perspective, an accurate asset inventory helps assure that the devices that our credit union purchases are properly accounted for.

So how can we get and maintain an accurate and detailed hardware asset inventory? 

First, we need to establish a baseline of the devices that respond on our network.  This can be accomplished with any basic inventory tool that performs network scans.  Then, we cross-reference the inventory with other tools and systems in our environment, ensuring we account for all systems.  The systems we should refer to include, but are not limited to:

  • Vulnerability Scanner
  • IDS/IPS system - This can help identify devices that talk on the network but don’t respond to the scanners
  • Mobile device management (MDM) system
  • The SIEM
  • Accounting/Purchasing records
  • Change Management records

Once we have all assets in our inventory system, we want to ensure the data tracked on the system is accurate.  Our scanning system should populate most of the information we need such as device name, network address, device type, operating system, etc.  We should verify that information and supplement it with information such as business owner, technical owner, system(s) supported by this device, type and classification of data processed, and criticality of the system.

Now that we have an accurate inventory of our hardware assets, what can and should we do with it?

  • First, review the asset inventory to help ensure we are assessing risk across all of our devices and systems when performing our IT risk assessments. This will help us to design and build appropriate controls to protect those devices.
  • Start performing periodic reconciliations of our asset inventories as part of our governance program.
  • The reconciliation should compare the inventories across reconciliation periods to identify new devices that are discovered on our networks and devices that have been removed. We want to ensure that all additions and removals are expected, approved, and accounted for.  If we find unexpected changes, those should be investigated immediately.
  • The reconciliation should validate that all current and new devices are:
    • Included in patch management
    • Protected by installed anti-malware
    • Logging to the SIEM
    • Included in appropriate monitoring systems
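
The reconciliation described in the list above, sketched as an added example (not OGO's tooling): it compares inventory snapshots from two periods, flags additions and removals that have no approved change record, and lists devices missing a required control or an owner. The record fields, asset IDs and sample data are constructed assumptions.

```python
# Added example. Field names, asset IDs and data are constructed assumptions,
# not the export format of any real inventory tool.
REQUIRED_CONTROLS = ("patch_mgmt", "anti_malware", "siem_logging", "monitoring")
OWNER_FIELDS = ("business_owner", "technical_owner")

def reconcile(previous, current, approved_changes):
    """Compare two snapshots (dicts keyed by asset ID) against approved changes."""
    added = set(current) - set(previous)
    removed = set(previous) - set(current)
    report = {
        "added": sorted(added),
        "removed": sorted(removed),
        # Additions/removals with no approved change record need investigation.
        "unapproved": sorted((added | removed) - set(approved_changes)),
        "control_gaps": {},   # asset ID -> controls not confirmed in place
        "missing_owner": [],  # assets lacking a business or technical owner
    }
    for asset_id in sorted(current):
        record = current[asset_id]
        gaps = [c for c in REQUIRED_CONTROLS if not record.get(c, False)]
        if gaps:
            report["control_gaps"][asset_id] = gaps
        if not all(record.get(f) for f in OWNER_FIELDS):
            report["missing_owner"].append(asset_id)
    return report

def _asset(name, **overrides):
    record = {"name": name, "business_owner": "Operations", "technical_owner": "IT"}
    record.update({c: True for c in REQUIRED_CONTROLS})
    record.update(overrides)
    return record

# Constructed snapshots from two reconciliation periods.
PREVIOUS = {
    "00:11:22:33:44:01": _asset("teller-ws-01"),
    "00:11:22:33:44:02": _asset("core-db-01"),
    "00:11:22:33:44:03": _asset("lobby-kiosk-01"),
}
CURRENT = {
    "00:11:22:33:44:01": _asset("teller-ws-01"),
    "00:11:22:33:44:02": _asset("core-db-01", siem_logging=False),
    "00:11:22:33:44:04": _asset("receipt-printer-07", anti_malware=False, technical_owner=""),
    "00:11:22:33:44:05": {"name": "unknown-device"},  # seen by scanner only
}
APPROVED = {"00:11:22:33:44:03", "00:11:22:33:44:04"}  # change-management records

if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(PREVIOUS, CURRENT, APPROVED), indent=2))
```

A record that carries only what the scanner found, like the last one, shows up in every gap list until it is verified and supplemented.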

While creating and maintaining an asset inventory can be one of the more mundane aspects of managing our technology environment, doing it properly can help us secure our networks and keep our members’ data safe.  What can you do today?

  1. First, review your policies and procedures to ensure inventory is adequately addressed and part of your governance program.
  2. Second, make sure your credit union has the tools and is using them to appropriately inventory your hardware assets. If you don’t have a device discovery tool, make that investment.
  3. Lastly, make sure your information security governance program includes monitoring the periodic reviews of your hardware asset inventories.

 
