Credit union patching challenges with ongoing operations

Virtual CISO

Cybersecurity and risk management for your credit union, minus the overhead.

Security Leadership. On Demand. As a Service.

With budgetary and hiring constraints constantly under pressure, you may not have the resources for a full-time, on-site Chief Information Security Officer (CISO), but governance and risk management of your Information Security program are a top priority.

We get it.

Ongoing Operations’ Virtual CISO (vCISO) provides your credit union with a team of experts and a board-level leader that can help manage and steer your Information Security Governance, Regulatory and Compliance (GRC) program.

Our proven model builds and retains your institution-specific requirements, builds a relationship with your leadership team and ensures that your information security has oversight by an industry heavyweight.

Cost-Effective Solutions for Your Credit Union

Simply fill out this form and select the topic(s) that you would like more information about, and our team will reach out shortly.


Why use a Virtual CISO?

The scale and complexity of cybersecurity threats are increasing exponentially, while budgets are increasingly challenged. Competition for expert resources is at an all-time high.

Keeping up with cybersecurity assessments, risk assessments, scanning reports, firewall reviews, phishing reports, penetration testing reports, security policy reviews, vendor security assessments, and governance planning (just to name a few) is burdensome and can be overwhelming.

The Virtual CISO team at Ongoing Operations manages your cybersecurity program to be sure it is adequately protecting your credit union and your members’ data while meeting all NCUA and FFIEC compliance requirements.

The Value of Leveraged vs Dedicated Resources

As the threat landscape in cyber activity evolves, your Information Security practices need to keep pace.

Our named resources work with credit unions of all sizes across the United States, with a continuously improving playbook of best practices that is constantly “learning” from a large community of clients.

As our team works with auditors and regulators representing our clients with unparalleled frequency, aligning your operational practices to regulatory requirements gains efficiency and, most importantly, minimizes disruption to your business.

The best of both – Dedicated Team at a Leveraged Cost

Ongoing Operations will assign you a named information security expert to lead your cybersecurity program, with a dedicated team supporting and managing it.

Your Virtual CISO will become intimately familiar with your Credit Union, your staff, and your cybersecurity program.

This allows the Virtual CISO to act as a member of your staff and help you build the best possible cybersecurity program for your credit union.

With a virtual solution, Ongoing Operations helps organizations reduce the risk of losing their investment in a dedicated CISO to growing demand and wage pressures for this highly coveted skill set.

Solutions scoped and priced for your credit union.

As a CUSO, Ongoing Operations knows that not all Credit Unions are built the same. Our CISO programs are scoped to meet your needs and requirements based on your credit union’s size and priorities.


Want to learn more about Virtual CISO?


What does a Virtual CISO do?

Ongoing Operations CISO begins with a comprehensive Information Security Program Assessment. This assessment sets a baseline and identifies the gaps and priorities as we build your cybersecurity program. We work with you to understand why processes have evolved in certain ways and look to find solutions to reduce the scope of your exposure with the goal of lessening the overall cost and burden of regulatory compliance.

We will assess:

  • Financial, reputational, and regulatory risk exposure to data loss
  • Comparative risk to peer organizations of a similar operation/scale
  • Risk assessment and risk profile of third parties
  • Alignment with security best practices and protection against known threats
  • Protection against emerging threats (e.g. social networking, crimeware, advanced persistent threats)
  • Scope of exposure to regulations such as the Data Protection Act, Financial Services Authority and Payment Card Industry Data Security Standard. We take a data-centric approach, analyzing data flows, repositories, people, processes and third parties to ensure that your security program has a solid grounding.
  • Where your data resides and why it needs protecting

 


We provide a report to serve as a baseline for your project moving forward to enable you to re-scope, re-architect, and reduce exposure where appropriate.

The Ongoing Operations virtual CISO then works with your executive team to adopt an appropriate security posture for your credit union and lay out the plan to develop and mature your cybersecurity program.

Once started, the Ongoing Operations Virtual CISO provides ongoing senior-level presentations of your credit union’s security posture and plans for the future to your organization. This keeps your key stakeholders, board, and NCUA examiners in the know and up to date on your credit union’s progress.

Weekly, Quarterly, and Annual Tasks

In addition to managing the ongoing improvement of your cybersecurity program, the Virtual CISO also maintains the weekly, quarterly, and annual tasks of a CISO such as:

Reporting

Ongoing quarterly assessments and reports on your credit union’s security program.

Security Tool analysis and best practice guidance


Independent reviews and analysis

An independent review and analysis of audit and assessment reports, assisting with prioritization of key issues, and reporting on the following:

  • IVA Scan reports
  • EVA Scan reports
  • SIEM reports
  • AV reports
  • Asset Reports
  • Firewall Reviews
  • IDS reports
  • IPS Reports
  • Phishing reports
  • Penetration Test Reports

Ongoing security configuration reviews

  • Office 365
  • Server and workstations
  • Web filtering
  • DLP
  • Firewalls and more

Security policy & procedure reviews

Policy & procedure creation

Security policy and procedure creation in line with NCUA / FFIEC requirements and best practices

3rd party vendor security assessments

Skills and regulation assessments

Assessment of the information security skills of your personnel and maintenance of a governance plan consistent with your credit union’s Information Security Program, best practices and applicable regulations

Our Areas of Technical Expertise

Ongoing Operations Virtual CISOs are experts in FFIEC, NCUA and GLBA requirements.

However, we are also experts in practical technology that allows credit unions to meet, fulfill, mitigate and manage these compliance requirements, including:

  • Network Segmentation
  • Secure Architecture and Configurations
  • Encryption and Tokenization
  • End-to-end and point-to-point encryption
  • Holistic anti-malware and rootkit detection
  • Secure Messaging, MDM, Anti-Malware, EDR, Anti-SPAM, DLP, Archiving/Journaling
  • Application security
  • Access control and privilege auditing
  • Security Information and Event Management (SIEM), file integrity monitoring (FIM)
  • Intrusion Detection and Prevention (IDS/IPS)
  • Incident response, risk assessment and security policies and process

Goal setting. Continuous review.

Let Ongoing Operations support your credit union’s Information Security Program with KPIs focusing on programs like:

Patch Management Program

A healthy, well-functioning patch management program is one of the foundational pieces of mitigating risk and vulnerabilities in a Credit Union network. These KPIs provide a measurement to validate that devices are up to date and that the system is operating as expected.


Anti-malware Program

Anti-malware software helps to protect our information systems and data by preventing malicious programs from running. A healthy program ensures that all servers, workstations, and laptops have current, updated anti-malware software installed.


Security Information and Event Management (SIEM)

A Security Information and Event Management (SIEM) system collects logs from our information systems and devices and analyzes them for potential security threats. With the massive amount of log data generated, an automated system enables an efficient review of the logs. Having the logs centrally stored also allows the credit union to investigate security incidents and track malicious activity through the environment.


Security Incident Response

With this set of KPIs, we want to evaluate the effectiveness of our Security Incident Response process and team as it relates to Severity 1 and 2 incidents.


Change Management

Change management is a key part of information security and of reducing the introduction of new risks to the environment.


Vulnerability Management

Finding and managing vulnerabilities in our information systems is a key way that we protect our member data. It is important for managing risk that we understand what vulnerabilities are unmitigated on our networks and the potential impacts of those vulnerabilities. We also need to ensure that our processes and procedures for mitigating vulnerabilities are healthy and working as expected.


Training and Testing

Our credit union employees are one of the best lines of defense for protecting our member data. Frequent training, awareness and testing help ensure that security is part of our culture and an important part of everyone’s daily routine. Identifying those behaviors that we want employees to engage in as well as the ones we want them to avoid is an important part of our security program.


Where do we begin?

Speak with a member of the Ongoing Operations Virtual CISO team today!

Virtual CISO A-la-Carte Services

Ransomware Risk Assessment

Provides insight into the state of controls that can help prevent business disruption due to a ransomware attack.

General Information Security Assessment

Overall review and report on your ability to protect member data

Office 365 Security Assessment

Review and report of your current O365 security configuration and settings.

Bring Your Own Device (BYOD) Risk Assessment

Review and report of your BYOD policies, troubleshooting access, configurations, technology and risk.

Firewall Best Practices and Rule Review

We will perform a review of your firewall configuration to help ensure that your perimeter is secure and that your firewall is configured with best practices.

Sensitive Information/PII Assessment

We will perform a scan on your servers, laptops, and workstations to help you identify the location of PII/NPI, card data and other sensitive information on your network. We will analyze the data and provide you with recommendations to reduce your risk to disclosure of that information.

Remote Working Comprehensive Security Assessment

Has the pandemic forced you to create a flexible work environment at your credit union? No problem.

Our security team can complete an in-depth evaluation and report of your credit union’s remote work program, covering six key areas:

    • Policy
    • Technical Architecture
    • Security Controls
    • BYOD (Bring Your Own Device)
    • Governance
    • Training

Upon completion of the evaluation, we’ll provide the following deliverables:


Ongoing Operations Remote Work Scorecard, which will evaluate your credit union in the six key areas.

Report of your remote work program, including:

  • Detailed gap analysis for each of the six key areas
  • Gap analysis against the NCUA guidance – Cybersecurity Considerations for Remote Work
  • Remediation guidance for all gaps identified in the assessment
  • Prioritized action plan to reduce credit union risk

Ready to get started?

Get help from the people who understand Credit Unions.