CUNA Mutual Group Security Practices

CUNA Mutual Group takes information security very seriously. This page is meant to give an overview of the practices that we follow in order to protect both our computer systems and the data that has been entrusted to us.

Access Control
Management has established a security policy which has been communicated to all employees.  The policy covers the following general concepts:

  • Protection of assets within the organization’s custody by safeguarding the confidentiality, integrity and availability of data.
  • Management will fulfill its responsibilities by designing and implementing business practices based upon corporate standards to protect against unauthorized access, use, disclosure or destruction of corporate information and technology.
  • All employees and independent contractors working on CUNA Mutual’s behalf are responsible for conducting day-to-day accountabilities in a manner that is consistent with this policy.

Access to CUNA Mutual’s online services and business functions is secured by a unique user ID and password.  These passwords must be changed regularly and must adhere to restrictive parameters to decrease the risk of unauthorized access to data and business applications.  A limited number of individuals have the authority to maintain these parameters and set up new user accounts.

Physical Security
All computer hardware and storage media are located in an environmentally controlled, limited access facility, commonly known as the computer room.  Individual access is subject to management approval based on the individual’s job responsibilities.  A key card system is in use that requires a key card to gain access to the building, and both a key card and a PIN to access the computer room.  All key cards contain pictures of the key card user.  Regular audits are conducted to validate user access.  The key card system logs all activity from the card readers.  The system records the card number swiped, date and time, and action performed.  These logs are reviewed periodically by Computer Operations management.  CUNA Mutual monitors all facilities through digital video surveillance.

CUNA Mutual’s computer room contains a pre-action FM-200 fire suppression system with integrated smoke and heat detection.  The system is centrally monitored on a 24/7 basis by onsite security staff.  Power to the computer room is protected by a generator with two independent power feeds.  If the generator itself fails, two UPS units provide power for approximately 45 minutes to allow for controlled shutdown of equipment.  The generator and UPS units are configured to provide as much redundancy in power delivery routes as possible.  Air handlers have adequate dust filtering systems, and static electricity is controlled by maintaining a maximum humidity level.  All moving devices are enclosed to protect them from exposure to elements.

Data Encryption
CUNA Mutual can support multiple mechanisms for encryption.  Systems accepting data over the Internet are placed in the application hosting environment, separated from the Internet and the corporate network.  CUNA Mutual utilizes industry standard encryption in all areas of transmission to ensure confidentiality of information.  A minimum encryption level has been established both for transmission of data and credentials and for storage.

Malicious Content Management
We attempt to ensure that all files coming into the CUNA Mutual network are scanned for viruses and other malicious software.  Anti-virus software has been deployed on our mail, application and database servers, as well as on all desktops.  Live update features are utilized to ensure virus “signatures” remain current, or can be deployed in real time as signatures become available during a crisis. In addition, incident response procedures have been developed to contain any virus outbreaks should they arise.

Intrusion Detection Capabilities and Firewalls
Intrusion Detection systems are in place to monitor all network traffic both to and from the Internet. These systems are designed to alert and intercept or block suspicious activities as deemed appropriate. In addition, our networks are protected by firewalls which further serve to filter and block suspicious traffic that is detected.

Data Backup and Business Continuity
Our procedures require that all production data be backed up on a regularly scheduled basis. The backups are done centrally. The data backup process is automated and monitored for any error situations. CUNA Mutual utilizes an industry-trusted third-party records storage and management service for our off-site storage needs.  This off-site storage facility provides highly secure transportation and destruction services and features 24/7 security and access control to its facilities. The records center is designed to offer extensive protection from flood or fire and is staffed by highly trained personnel.

Executive Management at CUNA Mutual actively supports a Corporate Business Continuity Program.  This program is dynamic in nature and at least annually consists of a full review and test of preparedness for our most critical business functions.  The program consists of the following:

  • Emergency Response Teams addressing corporate-wide recovery functions including Incident Management, Damage Assessment, Salvage, Security, Corporate Communications, Personnel Relocation, Financial, Transportation, Employee Assistance and Technology.
  • Departmental business continuity plans reviewed at least annually
  • Annual business impact analysis which identifies the business functions to be recovered, the impact of their downtime to the organization and customers, and resulting recovery timeframes in the event of a disaster.
  • Annual computer facility recovery exercise

Incident Response
CUNA Mutual has established a process for evaluating and responding to security events and potential incidents.  A core team from our Legal, Compliance, Security and Risk Management areas is available in the event an incident involving our electronic systems is detected.  This team is charged with:

  • Evaluating the incident
  • Determining the appropriate mitigation strategy
  • Determining the appropriate notifications to be made, which may include law enforcement officials, customers and other third parties.

Independent Security Assessments
CUNA Mutual employs the services of various external consulting and auditing firms to test our defenses and report on any vulnerability detected.  In addition, CUNA Mutual Group has passed the X-Force™ security certification requirements defined by IBM Internet Security Systems (ISS).  In order to become qualified for the ISS X-Force Security Program, CUNA Mutual’s security controls and practices must meet or exceed ISS’ best practices security criteria, based upon the ISO 17799 standard.  ISS performs the following tests to evaluate and verify that best practices are in place:

  • Security Architecture Review
  • External Vulnerability Assessment
  • Internal Vulnerability Assessment
  • Security Controls and Mechanisms Review
  • Information Security Policy and Procedure Analysis
  • War Dialing
  • Wireless Assessment

Our enterprise certification has been in place since 2001.  This certification requires at least quarterly external vulnerability and penetration assessments, annual internal vulnerability and penetration assessment (Internal LAN and Wireless), annual desktop risk assessment, quarterly war dial assessment, and annual security governance review.

We are proud of our ISS certification. Certification is not a function of simply letting ISS technicians attempt to break into our systems.  Our team works closely with the ISS security analysts to identify potential security threats, and then takes the appropriate actions in order to minimize the perceived risks. In addition, our specialists and the ISS consultants strive to ensure that proper procedures are in place to keep our site protected from these perceived threats.

 

WEBCU-0708-CDBE