
In today’s technological landscape, where every computing resource is online and susceptible to attack and malicious activity, server hardening is an important process for financial institutions to have in place. Every day servers are targeted by harmful malware, ransomware, and other malicious attacks.
The best defense against these threats is to ensure that server hardening is a well-established practice within your community bank or credit union. Server hardening is the process of enhancing server security through a variety of means, resulting in a more secure server operating environment.
One challenge financial institutions face is that running and maintaining server hardening services strains the resources of a limited IT staff. Banks and credit unions are already swamped with ensuring their servers are secure, which includes examining vulnerability assessment reports, fixing numerous findings, troubleshooting services, and addressing patch management, antivirus, and other activities on an ongoing basis.
To help streamline this time-consuming but essential process, Safe Systems designed its unique Security Baseline Service to work with its NetComply® One IT network management service to help automate the server hardening process. The Security Baseline Service leverages aggregate vulnerability scan data and remediates vulnerabilities across the service’s customer base. The service implementation includes a testing phase and ticketing notification to alert the institution of remediated vulnerabilities to help alleviate attacks and ensure networks are secure and up to date.
The Security Baseline process includes:
- Remediation of emerging security vulnerabilities
- Remediation of vulnerabilities identified by Safe Systems and its partners, which includes:
  - Evaluating commonly found vulnerabilities on a monthly basis
  - Determining significance of vulnerabilities
  - Writing remediation procedures for significant commonly found vulnerabilities
- Monthly remediation across all subscribed devices
- Ticket generated detailing remediation application results
- Comprehensive report detailing individual fixes
- Remediation of vulnerabilities outside our sampling group available upon request at an hourly rate
Many of the vulnerability findings banks receive are related to software issues that are addressed by updates or patches, which pass Safe Systems’ testing procedure and are then seamlessly executed on a daily basis. To ensure compliance, these patches and processes are implemented based on the FFIEC’s patch management guidelines outlined in the 2016 Information Security Booklet.
Financial institutions utilizing Security Baseline also benefit from the prolonged testing period Safe Systems uses to verify that Service Packs and new Windows builds will work with existing software. This ensures updates will be supported by the networks and any new features introduced will not cause problems for the institutions. The extra level of testing helps banks and credit unions avoid unnecessary IT challenges and network issues, reducing downtime and freeing up IT staff to focus on more pressing activities.
At Safe Systems, our goal is to reduce the amount of time internal IT staff must spend on time-consuming activities such as examining vulnerability assessment reports, troubleshooting services, and patch management issues. We are constantly working to create automation to provide the best experience to our customers and ensure all networks are secure and in compliance with government regulations.



Knowing key dates in a product’s lifecycle helps organizations make informed decisions about when to upgrade or make other changes to software. Microsoft ended support in May 2017 for build number 1507, which means it no longer provides automatic fixes, updates, or online technical assistance for this version. Without Microsoft support, financial institutions will no longer receive important security updates that can help protect PCs from harmful viruses, spyware, and other malicious software that can steal information and infect networks. Because of this, we recommend systems be upgraded before they reach their end of life whenever possible. 






Conducting thorough due diligence includes demonstrating a strong understanding of a third party’s organization, business model, financial health, and program risks. To ensure the proper risk controls are in place, credit unions must understand a prospective vendor’s responsibilities and all of the processes involved. Examiners should evaluate whether the credit union’s due diligence process includes background checks, examining the third party’s business model, the determination of how cash flows move between all parties in the proposed third-party arrangement, financial and operational controls, contract evaluation, and accounting considerations.


Furthermore, the bank is now able to centralize all documents in one location where staff and management can easily access them to provide detailed information for audit purposes and executive summaries for board review. Through this level of intelligent automation, paired with Safe Systems’ compliance support, the bank has significantly reduced the amount of time spent on vendor management processes, which has freed up resources to focus on additional revenue-generating activities for the bank.


To properly assess risk exposure for vendors/services, establish consistent criteria to appropriately weigh the risk each poses to the credit union. This will help you grade or designate a level of criticality and risk for each service and each vendor. For example, will a vendor have access to private member data? Will it operate with our core system? The criticality will have a significant impact on the review process, as a more critical service or vendor will ultimately require more due diligence to be performed.





