Tips on Securing Confidential Data Internally and Across the Supply Chain

Recent high-profile security breaches highlight the need for financial institutions to concentrate on maturing and refocusing their existing security programs, both internally and across the supply chain. By starting with a comprehensive set of security expectations, rolling out risk-managed programs and facilitating their maturity over time, financial institutions will be better equipped to protect themselves against the ongoing security threats that impact their financial statements, and to maintain the trusted relationships they have with current and prospective account holders as well as third-party vendors.

A viable internal security program is the foundation for a solid vendor awareness and risk management process. The latter is a key component of a security program, because regardless of where a breach may occur in the supply chain or why it happens, members who have entrusted their confidential data to a credit union will likely see the financial institution as the party responsible for a breach—potentially impacting the relationship negatively.

Credit unions should look for the following in third-party vendors:

Financial stability
A vendor’s financial stability will impact its security efforts, including its ability to invest in the people, processes and technologies that help keep confidential data secure.

A documented information security management program
This should combine physical and logical control measures and use a layered security model to provide end-to-end security of confidential information. Controls should be consistent with the comprehensive requirements defined in ISO/IEC 27002:2005, an information security standard published by the International Standards Organization.

A mature internal security program
A mature program comprises the following elements: 1) a security program at a relative steady state that is embedded at all levels of the organization and that has been embraced as an integral part of the business; 2) the ability to address a changing set of variables related to risk; 3) the continuity of internal information security personnel who have significant depth and breadth of experience.

Visibility and control over the entire supply chain as they relate to data protection
A vendor should have its finger on the pulse of its security position constantly, in terms of both a point-in-time reference and a long-term view.

Assistance with meeting compliance expectations and visibility requirements
Through clear contract terms and a solid definition of confidentiality requirements, credit unions can set the stage for what a vendor should provide in terms of compliance documentation. Institutions can also set expectations that will help support their need to perform due diligence with the vendor, which may include on-site audits.

Performance of comprehensive annual external control evaluations
Key external evaluations to look for include SAS 70/SSAE 16 audits as well as third-party certifications, such as the Cybertrust® certifications currently provided by Verizon® Business and PCI (Payment Card Industry) certification. These types of audits represent a structured set of tests of the vendor’s control framework effectiveness that are performed under rigorous standards by an outside audit firm.

An integrated security strategy
Vendors that effectively combine the four elements of security—physical security, information security, business continuity and compliance—show that they have an understanding of the implications of security practices across their organizations.

Business continuity planning
Some key questions to ask: Does the vendor have a disaster recovery plan? Is that plan tested annually? If so, how did the company perform in its latest test? Does the vendor have more than one facility in case of unexpected service interruption?

With a comprehensive security approach that includes careful attention to risk management throughout the supply chain, credit unions can help ensure that the vendors they entrust with their members’ confidential data will protect it as diligently as the institutions do.

For more information about how Harland Clarke can help your credit union protect its member data, contact your Harland Clarke account executive or visit 


Questions? Contact Sales & Marketing Associate Craig Reed: 206.340.4789,

Posted in Advocacy News.