CORVALLIS, Ore. - A third-party security audit at OSU FCU here found deficiencies in five security-related areas, leading to the internal development of a program called STOP.
"We had a security audit in 2010, which also includes social engineering, and we did not get as good of scores as we would have liked," acknowledged EVP/CIO Craig Cole.
In response, OSU FCU began work on its Security Training Operations Program (STOP), which focuses on security measures related to branch operations and allows frontline staff to better recognize threats such as phishing, smishing, and vishing, and also addresses fraudulent emails and onsite security.
The STOP program was developed and designed in-house by the credit union's Information Services and Employee Development departments and included the building of a new intranet accessible by all employees. The intranet contains detailed information related to the STOP program, including protocols, procedures and a glossary of terms. Every one of the credit union's 211 employees is required to take an online STOP exam each year. For new employees, STOP is a part of initial training.
The program was recognized recently by the CUNA Technology Council for Excellence in Technology.
Along with social engineering, security and phishing scams, employees are tested on physical access controls.
"Our 2011 audit survey also included an outsider trying to work their way past reception trying to access a computer, the server room, take information off a copier or basically be somewhere they shouldn't be," said Cole.
While Cole declined to offer the name of the independent auditing company due to security-related issues, he reported that in 2011 no breaches were discovered. "They told us that they never had a company score 100% on their yearly test and they really tried everything."
To further instill the message being stressed by the STOP program, 10-minute skits are performed at the credit union's semi-annual staff meeting, reinforcing the tent poles of the program while encouraging employees to ask questions and participate. "We are engraining STOP into our culture," said Cole.
Some Tweaks Are Made
As is the case with all new technologies and programs, there is a tweaking phase that often results in improving applications.
"In 2012, for example, we scored 100% on our telephone phishing, but we had a couple of instances this year where we didn't do so well with fraudulent e-mails, so we have taken a look at that aspect of the program," said Cole, adding that STOP is revisited on a monthly basis to determine if improvements are required.
The latest external audit resulted in OSU FCU having its core strengths highlighted as "employee phishing and on-site social engineering awareness," by the CUNA Technology Council.
Cole said that 2013 will include exciting developments to the STOP program. The credit union will implement the SANS Institute's Securing the Human Information Program. This includes social networking, mobile security, passwords, PCI, HIPAA, GLBA and ethics.
"Because of these programs we are more sensitive and aware of fraudulent activity than we have been in past years," said Cole.