SAN ANTONIO – The tech-heads in credit unions may have no problem sifting through security assessment reports full of wild acronyms and tech jargon, but board members and non-tech management personnel can't make heads or tails of them. That's an issue CU security firm Digital Defense is out to fix.

With IT security permeating every aspect of a CU, directors and management members are being called on to become more involved in ensuring the CU's electronic systems are secure. This isn't just good management; it's being mandated by NCUA, mostly through carrying out Gramm-Leach-Bliley.

Digital Defense's new Frontline 2.0 security subscription solution has been designed with tech and non-tech personnel in mind, providing plain-language security assessments that can be drilled down into for the more specific, technical aspects, said Joe Cooper, president/CEO of Digital Defense. Cooper said a tech professional who needs more money or resources to ensure the CU's electronic security is going to have to explain why in language that the board or CEO can understand.

Frontline 2.0 gives management a big-picture look at where the CU stands from a security standpoint. For example, the Network Risk at a Glance report can be presented in a variety of graphical formats to give senior decision makers a high-level overall look at the CU's security. (See graphics.) Management can see how many vulnerabilities exist in a system, how severe they are, how much staff time they are taking to fix, and a host of other details that give management a wide-angle view to make decisions.

"Let's say I had a system with 10 problems and I applied nine patches in one month. Then next month there are 10 more problems with the same system. That system may have chronic vulnerability syndrome, and these reports will give management cost justification to re-evaluate the system and consider replacing it," said John Turner, a co-founder of Digital Defense.

Frontline 2.0 also provides a workflow update on all vulnerabilities. The system tells the IT department where a vulnerability is, and logs when it was fixed and by whom. Turner said this allows an IT admin employee to document when and how fixes are being done, which can be a valuable human resource tool.

"If a fix is five minutes for one guy, and five hours for another, maybe I have a training issue for the guy taking five hours. Or maybe the guy doing it in five minutes isn't doing it correctly," said Turner, who took Credit Union Times through a guided demo of the new solution.

Once a vulnerability is patched, the system retests it before giving it the all-clear. "You ever hear the saying, 'In God we trust, in all others we verify.' That's this system, it doesn't believe that fixes have been completed, it verifies that they've been completed," said Turner.

Costs vary per subscription depending on how often Digital Defense is performing scans. A small CU might opt for the $5,000 annual subscription, which offers them 125 IP scans a year. On the high end, a CU can get 10,000 scans a year for about $4,600 a month. There are a number of price plans in between these two extremes. Frontline also has on-demand IP scanning, where the CU can dictate when systems are scanned. The scans can be performed for internal networks as well.

The Frontline subscription also catalogs the types of operating systems and software being used at a CU and creates a list of potential vulnerabilities by solution. Frontline also rates vulnerabilities as critical, high, medium or low to give the CU a feel for their severity.

NCUA now performs E-commerce exams (EC1, EC2) on CUs that are operating online. The hordes of reports now available in Frontline 2.0 can be presented to regulators who are considering looking more closely at a CU's security status, said Turner.

Turner said Digital Defense can't take all the credit for the high-level look his firm is now giving credit union management, because it was the firm's CU clients that demanded it. "Before this there was no vulnerability management, no trend analysis, no customized reporting. 2.0 is a huge quantum leap. We've taken it to a level now where a manager person might be able to oversee the system."
