Case Study: Security in a Merger
Protecting Critical Data During Transition is Key
"The biggest challenge we had to face was obviously the volume of data that was being processed," Romero says of the $4.75 billion merger with Addison Avenue Credit Union.
Both credit unions worked on the same core financial platform and had already established data protection processes and systems prior to the merger. "We just needed to ensure these processes and systems were adjusted relative to the merger activity and ... ensure our members' data was protected at all times," Romero says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Electronic communications played a pivotal part in the planning process, Romero says, and e-mail encryption had to be established to secure confidential data exchanges that would otherwise travel over standard e-mail transport. Data leakage protection (DLP) systems and access control lists were used to identify merger-specific communication and route it via secure e-mail.
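The routing logic the summary describes (a DLP content scan that tags merger-specific and confidential messages, with an access control list deciding who may originate merger-tagged mail) can be sketched as a small policy engine. This is an added example, not code from the credit union or from the page; the project code name, sender list, detection rules and sample messages are all constructed for illustration.

```python
"""Toy DLP-driven mail routing: classify a message, then decide whether it
goes out in the clear, via the encrypted transport, or is held for review.
Added example with assumed policy and constructed messages."""
import re
from dataclasses import dataclass

# --- Policy (assumed for illustration, not the credit union's real rules) ---
# Merger-specific identifiers; "project cascade" is a hypothetical code name.
MERGER_TERMS = ("project cascade", "core conversion", "member file cutover")
# Access control list: staff allowed to originate merger-tagged mail.
MERGER_SENDERS = {"cio@cu.example", "pm@cu.example", "secarch@cu.example"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-16 digits, optionally separated by spaces or dashes; confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, to cut false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def classify(msg: Message) -> list[tuple[str, str]]:
    """Return (kind, matched_text) findings, in the spirit of a DLP content scan."""
    text = f"{msg.subject}\n{msg.body}"
    low = text.lower()
    findings = []
    for term in MERGER_TERMS:
        if term in low:
            findings.append(("merger", term))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", m.group(0)))
    return findings


def route(msg: Message, merger_senders=MERGER_SENDERS) -> str:
    """Decide transport: 'plain', 'encrypt', or 'hold' for manual review."""
    kinds = {kind for kind, _ in classify(msg)}
    if "merger" in kinds and msg.sender not in merger_senders:
        return "hold"      # ACL: merger content from outside the planning group is quarantined
    if kinds:
        return "encrypt"   # merger or confidential identifiers -> secure transport
    return "plain"


# Constructed sample traffic (not real messages).
SAMPLES = [
    Message("pm@cu.example", "Project Cascade: cutover schedule",
            "Core conversion weekend plan attached."),
    Message("ops@cu.example", "Member inquiry",
            "Member 123-45-6789 asked about card 4111 1111 1111 1111."),
    Message("ops@cu.example", "Ticket 4111111111111112",
            "Closed; the ticket number just happens to be 16 digits."),
    Message("intern@cu.example", "fwd: project cascade",
            "Can someone explain the core conversion?"),
    Message("hr@cu.example", "Potluck Friday", "Bring a dish."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{route(m):8} {m.sender:20} {m.subject}")
```

The Luhn and SSA plausibility checks are what keep a rule like "any 16-digit run" from flooding the secure transport with false positives; the "hold" branch is the ACL acting as the explicit control, with the content scan as the catch-all for unintentional leaks.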
During this interview, Romero discusses:
- Challenges institutions face when combining networks and systems;
- Why merging e-mail and web-based platforms poses security risks;
- Steps institutions should take before merger processes begin to ensure they maintain overall system and enterprise security.
Romero, MBA, CISSP, CISA, GCIA, is the senior security architect for First Technology Federal Credit Union, previously Addison Avenue FCU, and has been with the company since fall 2009. Romero worked for 10 years in the credit union industry filling IT, IT audit and information security roles before working for a contractor at NASA's Dryden Flight Research Center as an IT Security Lead. Romero also has trained other security professionals in the area of computer forensics, computer operations security and business continuity/disaster recovery planning. He holds a bachelor's degree in IT and a master's degree in business administration.
TRACY KITTEN: Your institution recently faced some of the challenges we've talked about more and more over the last two years that result after mergers and acquisitions: ensuring databases and platforms are secure. Could you give our audience a little background about your credit union and the merger, such as when it took place and maybe some of the challenges that you faced?
PHIL ROMERO: We only became First Technology Federal Credit Union Jan. 1 this year, but operationally we merged databases over the Memorial Day weekend, with June 1 being our first date of operations on our newly combined database. The major challenge when it comes to an acquisition of this size is keeping all of the data secure.
Security Challenges
KITTEN: Your institution currently has 38 branches and 335,000 members spanning a relatively large geographic area, at least larger than it was before the merger. What challenges did you face when it came to ensuring that sensitive member data was not compromised during the move?
ROMERO: As with any merging company, we had to figure out how to best protect confidential data that is being exchanged throughout the merger process. As our members expand, both of our institutions had established data protection processes and systems in place prior to any merger activity. We just needed to ensure these processes and systems were adjusted relative to the merger activity and the needs throughout the planning and conversion process to ensure our members' data was protected at all times.
KITTEN: Did you find it to be challenging when it came to disparate systems? I mean, were the platforms relatively similar between the two credit unions?
ROMERO: Disparate systems would have been a problem. Fortunately for us both institutions were on the same core financial platform. We were also on the same infrastructure platforms, so aligning was relatively easy. The biggest challenge we had to face was obviously the volume of data that was being processed. We needed to coordinate that in a way not to adversely affect our members or expose any confidential data.
KITTEN: The advent of web-based mail, social networking and cloud-based services has given rise to classified data exposure, whether that is intentional or by mistake. What steps did you take to mitigate exposure risks?
ROMERO: Although constantly evolving, web-based risks are not a new threat. Like most prudent companies today, we use products like firewalls, intrusion prevention systems, Internet content filtering systems, data leakage protection systems and e-mail scanning and filtering systems to help mitigate risks where exposed via Internet-based sites and services. We just needed to ensure that we continued running and managing the systems that were already in place.
KITTEN: I have asked you before about some of the disparate systems and platforms, and it sounds like you had a relatively easy job. But when it comes to some of these issues about protecting member data, did you have gaps at all in maybe merging the technology or ways that you were communicating with members?
ROMERO: The company that we merged with, Addison Avenue, had already been outsourcing their data services. So they were on the same platform as us, but there was an external company running their database and servers. That being said, it didn't make it more difficult to merge just because it was outsourced. Being on the same platform and having the same data structure, we were fortunate. There are other merging companies that I have seen coming up where they are on completely different core platforms, and having to restructure data based on disparate systems would definitely be extremely challenging. It just made sense to work with the technology we already had in place.
E-mail Encryption
KITTEN: During the merger, you were dealing with more than 50,000 merger-related e-mails that you had to route and encrypt. Can you tell us a little bit about that process?
ROMERO: Electronic communications played a large part in the planning process. For most of the planning process there was a need to ensure that our merger planning activities stayed secure and that confidential data exchanged during the process would not be exposed through standard e-mail transport processes. We used our data leakage protection systems to identify merger-specific communications, in addition to normal confidential identifiers, to ensure communications were routed via a secure e-mail transport. Data leakage protection systems are designed to identify types of information, and identifying the merger-specific information was relatively easy with the system we use.
KITTEN: And these e-mails were all related to executives or employees within the credit unions themselves, right? These were not e-mails that were going to members?
ROMERO: No, but our member communication does also go through the same secured transport and any confidential information that we exchange with members is all secured via the same process. We just configured it specifically for the merger activity to make sure that was caught every time.
KITTEN: When you take a step back and look at how everything played out when you were going through this merger, what was the most challenging part of the merger? Was it merging e-mail platforms for instance, or was it databases?
ROMERO: As previously stated, both our institutions were on the same platform going into the merger. I would have to say, based on sheer volume, merging the database was definitely the most challenging part of our process. When merging that many accounts into a single database, we had to ensure that every "I" was dotted and every "T" was crossed. I can't go into the specific details, but we ensured our members' databases were protected at all times.
Mitigating Risks
KITTEN: And what steps did you take to ensure that employee access to sensitive files was limited, as a way to ensure that information was protected either from an intentional or unintentional leak?
ROMERO: Access control lists and data leakage protection systems were standard at both institutions. All we needed to do was ensure we managed our systems and processes consistently throughout our merger activities. You can think of ACLs as explicit controls on data to allow only authorized activities, and DLP systems as a catchall to ensure unintentional leaks don't occur. Having these prior to any merger activities made adjustment for merger-specific needs significantly easier.
KITTEN: And what about reliance on third-party service providers? How did you work with those types of providers to enhance security during the merger?
ROMERO: Since we don't make technology, all of our IT could be considered third-party. The security around any application would rely on the vendors that provide those applications and systems. This would include core operating systems and applications that update patching for known bugs or security exposures. Vendors also provide definition updates for things like anti-virus applications, content categories for content filtering applications and data classification structures for DLP systems. We, like most companies, rely on third parties to provide these updating services on a regular basis to enhance our security.
KITTEN: You make a good point when you talk about the reliance on third-party service providers. This is something that has come up quite often over the course of the last several months as we've been anxiously awaiting the release of the new FFIEC authentication guidance, and you kind of hit the nail on the head here. A lot of institutions do rely on service providers to be the ones to provide those updates, to provide those patches, and it plays such a critical role in enhancing security. Are there any checks and balances from your perspective, or is it just a good trusted relationship that you have with these service providers to know that they are keeping you up-to-date?
ROMERO: We do monitor vulnerabilities from independent reporting companies. We do testing internally to ensure that any of the patches that are being applied don't adversely affect our systems. Unfortunately in the past, security patching has inadvertently broken an application's functionality in some instances. So the checks and balances need to really be on both sides. We need to be diligent enough to apply the security patches in a timely manner, but ensure that it works the way it's intended to work. We've got a fully staffed QA department that makes sure we validate all of our applications, including patching before it's implemented into production. This is, again, an attempt to mitigate any adverse actions that our members would see.
KITTEN: Before we close, what final thoughts would you like to leave our audience with when it comes to ensuring that data isn't exposed or that risks are mitigated when it comes to mergers and acquisitions?
ROMERO: In closing, I would just like to reinforce that technology isn't so much a solution. It's not a silver bullet as much as a tool and resource that we need to use. And just like any tool and resource, we need to manage it properly. The security features of products and applications available are there for us to consider and use, not to blindly implement and think that we're safe. We really need to identify the information that is important for us to protect and manage our systems accordingly.