
News In Review

February 15, 1999

First Union: Rigorous Standards

By Bob Violino and Amy K. Larsen

    To get an idea of the importance First Union places on IT security, scan its organizational chart. Browne, the IT security chief, reports to the same senior executive as do the CIO and chief technology officer, putting security on the same level as IT management and strategy at the nation's sixth-largest bank.

    "There are a lot of organizations that have buried the security function," says CTO Tom Fogarty. "But here it's one of the most prominent aspects of our business. In fact, we can't do business without it." That's especially true as First Union moves rapidly into new ventures that will let its customers do online nearly everything they can do in a brick-and-mortar bank, including opening and closing accounts, transferring funds, and applying for loans and mortgages. This year, First Union expects to be one of the first banks to introduce an online stock-trading service.

    With Browne and his unit of about 50 people leading the charge, IT security permeates every facet of First Union. The company is using a wide assortment of security tools to protect its information assets on Unix, Windows NT, VAX, and other platforms. This infrastructure includes a software suite from Internet Security Systems that collects and integrates data from multiple points in the organization and from other security tools such as firewalls, intrusion and detection systems, and vulnerability detection systems.

    First Union is using multiple internal and external firewalls (Browne declined to identify the vendors) to protect its networks and Internet connections from external and internal breach. It employs highly secure virtual private networks for direct connections to its business partners.

    Browne says First Union's goal is to use encryption for all external communications, including E-mail. "In the old IBM SNA environment, security was not as big an issue," he says. "But now with TCP/IP being so prominent in our networks, we're going to encrypt whenever we can."

    In one of its most innovative efforts, First Union has built security-compliance software tools for all of its hardware and software platforms. The tools test security levels on given systems or network components against a standard that the company created. The programs take into account the inherent risk of a system: for example, if a system supports funds transfers, the risk factor is higher and therefore greater security is needed. The tools regularly report compliance levels so security personnel can determine if systems are meeting certain compliance goals.

    In a deal announced earlier this month, First Union is using 4,000 authentication tokens from Vasco Data Security International Inc. to strengthen the security of its Internet offerings and PC-based funds-transfer services. The tokens generate one-time passwords for added security. Other tools include single-sign-on access-control software, virus scanners for multiple platforms, and lock-down devices to prevent hardware theft. The bank is also testing digital certificates to authenticate users and encrypt transmissions; it plans a major rollout of the technology this year, Browne says. First Union is also experimenting with smart cards and could begin using them this year for network access and other applications.

    Also on the horizon are biometric devices to authenticate employees and customers. Products under consideration include fingerprint, face, and iris scanners, for applications such as employee access to data centers. First Union, which operates the world's second-largest automated teller machine network, may someday use biometric technology to authenticate customers at its ATM machines, Browne says.

    First Union relies heavily on outside vendors such as Cisco Systems to test its security on a regular basis and brings in consultants to test security whenever it acquires another bank. Browne says First Union spends about $600,000 a year on security consulting out of a total IT security budget of more than $5 million.

    But tools and services are only part of the bank's security strategy. As part of its approach to security, First Union has created training programs for new employees. Ongoing training is provided through videos, books, and on the Web. Managers must take IT security training sessions several times a year. The company posts security updates on its intranet, and its Web site has a feature that lets IT managers and administrators download security standards for specific computing platforms.

    The bank's head of systems management has said he'll hold managers accountable by means of pay cuts if the systems they run don't comply with the bank's security standards, Browne says. "If people's pay depends on this, they'll pay attention to it," he adds.

    Everyone at First Union seems to be paying attention. CTO Fogarty says security touches all facets of IT, including keeping the infrastructure running, making new product purchases, and granting access to certain applications. "When we look at products, we look at how they meet a set of security standards," he says. "Security is not after the fact but before the fact."

    Adds Kellie Scott, director of Internet financial services: "We have full-time security people participating in all our projects, so we're thinking about it and planning for it. Exposure and risk are always a factor." Scott says the use of digital signatures and secure browsers can inconvenience some customers by slowing down transactions, "but they want to know they're going into a safe server."

    When First Union considers mergers or acquisitions, which it has been doing a lot lately, it first reviews the security measures in place at the other company. Before First Union acquired the Money Store last June, for instance, it did a thorough analysis of the lender's network infrastructure, says Becky Wanta, deputy CTO at the Money Store. Although the Money Store "came through with flying colors," she says, some areas had to be bolstered with the help of Browne's group.

    "One benefit of the merger is that we've been able to shore up security even more," Wanta says. "We've adopted their policy and are deadly serious about security." She says someone from the security team acts as a conduit between the two companies to make sure security is adequate.

    Browne says First Union also expects all of its business partners to adhere to an equally high level of security, and it provides guidelines when the companies make joint arrangements, such as the creation of an extranet. "They tell us, 'You guys are tough,'" Browne says. "Our standards are a lot more rigorous than they expected."



