When it comes to complying with the Gramm-Leach-Bliley Act (GLBA), technology is only part of the solution. After all, no matter how secure the data and systems, it's employees who provide the final line of defense when it comes to protecting customer information.
Educating users is critical, according to Craig Champion, senior vice president of bank operations at Cornhusker Bank, Lincoln, Neb. "Everyone plays a part in making sure information systems and customer information are maintained in a secure manner."
To provide that awareness, the bank contracted with CorpNet Security, a Las Vegas-based training firm. Prior to the GLBA deadline, Cornhusker employees were trained on privacy policies and procedures using CorpNet's PPS Aware. The goal: to protect the bank's systems and customer information.
"It's a combination of detection, prevention and awareness, that's really the key for these banks," said Rick Shaw, president of CorpNet, which offers a range of technology and training services called People Proof Security.
CorpNet's Web-based training and awareness program provides end users with core modules on e-mail and Internet usage, viruses, and accessing systems. It also teaches users how to choose strong passwords and covers low-tech threats such as dumpster diving and social engineering.
Employees use a unique user name and password to log in to the training, which is accessible 24 hours a day, seven days a week.
Not only does PPS eliminate the need for large classroom training sessions, but its modular format allows users to complete training in bite-sized chunks, or all at once, in less than two hours.
"This was really a much more preferable method of delivery, both from management's aspect, as well as from our employees' viewpoint," said Jim Mastera, executive vice president at $224 million Cornhusker.
Administrative tools built into the system allow the bank to track employees' acceptance of policy information and awareness training. "As administrator, I could pull up every single user that was assigned to our bank and monitor completion," said Champion. "A user could go in and complete one or two or three sections, log out and then log back in and start right where they were. But I could monitor when they had completed everything."
Upon completion, employees are e-mailed a certificate, with an additional copy filed in Cornhusker's HR department.
"We were able to describe our training function to them and it was obviously accepted," said Mastera. "We provided them with a copy of how it worked and the series of questions and the nature of how this was put forth and the records that were kept, and that certainly satisfied the request."
The same training will be provided to new employees. There's also an annual training provision that allows the bank to provide updates to employees on an ongoing basis.
Cornhusker plans to add more technology solutions to its information security arsenal. The bank has signed agreements with CorpNet for three other people-proof security solutions, which it offers through a reseller agreement with WatchGuard Technologies, Seattle.
CorpNet's PPS Server collects and maintains encrypted log information, which is analyzed for critical events 24 hours a day. PPS Scan performs regular scans of all systems visible from the Internet, testing for more than a thousand security vulnerabilities. PPS Lock was designed to prevent intruder access, modification and destruction.
The bank's investment in security technology and awareness training provides returns that can't be easily measured on a balance sheet, Mastera said. "One of those is having a well-informed staff. And if that keeps you out of problems, that's a pretty good return."
Institution: Cornhusker Bank
Assets: $224 million
Business Challenge: Ensure that employees are fully aware of privacy provisions of Gramm-Leach-Bliley Act.
Solution: CorpNet's PPS Aware
Key quote: "Everyone plays a part in making sure information systems and customer information are maintained in a secure manner." -Craig Champion, Senior Vice President, Bank Operations