Case Studies
SMP Provides Independent Audit & Peace of Mind for $500 M Bank
The requirements of the Gramm-Leach-Bliley (GLB) Act, also known as the Financial Modernization Act of 1999, include provisions to protect consumers’ personal financial information held by financial institutions. Though it may seem obvious, especially in this security-conscious society, that all businesses – especially banks – have complex, tried-and-true plans in place to prevent hacking and theft of information, the GLB was a wake-up call for bank CIOs and CTOs.

Let’s face it: no security plan is impenetrable. For every security measure put into place, there is an even more clever thief out there looking to crack the code.
Though confident about her own security program, Everett, Massachusetts-based Eagle Bank’s Senior Vice President and Director of Information Technology Paula Chesbrough wanted to be absolutely sure.

As Chesbrough puts it, there’s no end to the amount of money a company can spend to secure its network. But being in business means profits are important – when it comes to compliance issues, you need to buy the most bang for the buck. To that end, Eagle Bank chose Waltham, Massachusetts-based network security firm Security Management Partners (SMP) to perform an audit of the bank’s security processes to ensure GLB compliance.

User Profile

Few banks can boast the history of Everett, Massachusetts-based Eagle Bank.
On May 11, 1889, after the Massachusetts Senate and House of Representatives authorized its founding, Eagle Bank opened its doors for business. At the end of that first day, deposits totaled $4,570. Today, Eagle Bank’s assets are approximately $470 million.

Commitment to the community and its customers has been the bedrock of Eagle Bank’s mission. The bank has seven branches, one of which is located in a community supermarket. Eagle Bank offers a multitude of deposit and loan products, including mortgage programs and rates to satisfy every homebuyer.

While the bank is committed to its brick and mortar branches, it truly respects the importance of the “e-banker.” In 1998, it started 24-hour telephone banking and, in late 2000, Internet banking with Eagle OnSite was introduced.

The Problem

Enactment of the Gramm-Leach-Bliley Act drove banks to document detailed steps as to how they are securing customer information. As a result, many banks, such as Eagle Bank, have developed “Customer Information Security” programs, which spell out policies, the functionality needed to ensure compliance, and a validation process to make sure everything put in place is actually working.

However, according to Chesbrough, an audit of such a program cannot be performed internally. “You must go outside to break your own provisions and get the external expert review. Eagle Bank hired me and it trusts me to put a sound plan in place. But, in the end, the Eagle Bank board is responsible regarding GLBA and it needed the assurance from a third party.”

Bottom line, according to Chesbrough, is that Eagle Bank needed an independent analysis and an expert opinion on the effectiveness of the bank’s security program. “Being on the inside, there is no way to simulate what someone else might do,” she explains. “Someone could try to crack passwords from the inside or there could be someone from the outside of our protective perimeter who might try to hack in. I needed to pay someone to try to break the security prevention that I put into place and to evaluate the policies and procedures I put into place to protect the bank’s customer information.”

Since compliance with GLB is not specific regarding what steps need to be taken to secure a consumer’s financial information – just that the bank needs to be assured that the information is, in fact, secure – financial institutions are looking outside of their own internal IT staffs for confirmation.

Eagle Bank spoke to many consultants from accounting firms looking to take on the security plan audit. Chesbrough opted for SMP, a company focused solely on IT security. “I wanted the expertise, knowledge and experience from a company dedicated to security concerns,” she said. “Plus, I wanted someone that wasn’t going to try to sell me other services. At the time, I wanted a security audit and that was all.”

The Solution

Eagle Bank gave the SMP team one element of the security plan to review – external perimeter assessment. Chesbrough was very pleased with the result.

“SMP was extremely thorough and their report was incredibly clear and written in a way that a non-techie could understand. After the review, they sat down with me and were willing to discuss the job in a way that made me confident that they knew what they were doing and would do a great job.”

SMP then took on the rest of the security audit including application testing, external perimeter assessments, and a complete and full review of Eagle Bank’s entire security program.

SMP has worked as an IT partner with Eagle Bank, providing a complete security assessment of the bank’s information network on an annual basis for the past three years. These assessments provide Eagle Bank with valuable data which is used, in part, to complete its full annual organizational risk assessment.

Infrastructure Policy Assessment:

  • Review of the Security Policies and Procedures: including a network architecture vulnerability assessment and a firewall and rules assessment;
  • External Vulnerability Assessment: including scanning of public IP addresses and selected web-based application testing;
  • Internal Vulnerability Assessment: including internal scanning and penetration testing and selected internal application testing.

These reviews are followed by a comprehensive report of the results with specific recommendations for those items needing remediation.

Essentially, each year, SMP tries to crack the bank’s security plan. When they find a weak spot, they fix it. If the bank needs to deal with another vendor, SMP helps it “speak the technical language” to get the job done.

“I’ve gotten a partner in SMP,” said Chesbrough. “When I’m thinking about doing something new here – and we have a lot of IT initiatives – I will call SMP and tell them what I’m thinking about doing. I use them as an IT sounding board. Having a partner like this is worth its weight in gold.”

********************************************


What to Look for in an IT/Security Auditor:

  • Independence
    You need a company that isn’t trying to sell you hardware, software or monitoring tools when what you need is a security audit. A truly independent third-party security consulting firm is rare to find but vital to the process.
  • Experience
    Does the company have many financial customers with GLBA (Sarbanes-Oxley or HIPAA) compliance issues? Get references. Compliance issues across the board share similarities when it comes to information security.
  • Expertise
    When a consultant has cutting-edge technical expertise, it can assess all information systems in use – whether they are the latest releases or legacy systems.
  • “Partnership” Qualities
    There’s really something to be said for partnering with a vendor who is able to act as part of your team. They can take your direction but aren’t afraid to add their expertise to the discussion.


Security Management Partners p.781.890.7671 sales@smpone.com
Copyright © 2008 Security Management Partners