American State Bank relies on Qualys
To conduct weekly scans of its critical banking systems to meet growing bank regulations and reduce risk
In the first quarter of this year, 1,220 new software vulnerabilities were uncovered. More than 80 such vulnerabilities that place business-technology systems at risk are discovered, on average, each week. Those facts from CERT aren't lost on Dan Gengler, Iowa-based American State Bank's assistant network administrator. "Security is our top priority," says Gengler.
That's why, when the bank launched online banking services for its customers, it sought a way to quickly find and remedy any software flaws that could affect their systems. Also, the bank's decision to host its own online banking, Web, and e-mail servers put increased security responsibility on the bank's two-person IT staff.
While the bank considered using its managed-services firewall provider to conduct its vulnerability assessments, FDIC regulators requested that the bank separate those duties. "We needed someone other than the company that manages our firewall to be checking for potential vulnerabilities in our systems," says Marvin Sturing, the bank's network administrator.
Why American State Bank chose Qualys:
- Qualys provides the company the ability to centrally manage the risks associated with all of its networked assets, and quickly identify and remedy those that are out of policy, misconfigured, or otherwise vulnerable.
- As a PCI DSS-approved scanning vendor, Qualys makes it straightforward for ASH to conduct its annual self-assessments and quarterly network scans.
- Qualys provides ASH's system administrators with a proactive way to protect the company's network throughout the entire vulnerability management life cycle, including asset discovery, asset prioritization, vulnerability assessment and analysis, remediation planning, and fix verification.
After evaluating several vulnerability scanning applications and consulting firms, the bank chose Qualys, which enables it to control its entire vulnerability management lifecycle: discovering assets, assessing vulnerabilities, tracking security fixes, and meeting federal, state, and internal policy compliance through comprehensive reporting. Other vulnerability remediation solutions proved too costly and lacked the on-demand scanning flexibility that American State Bank wanted.
"Qualys helps us cost-effectively reduce business risk and meet financial regulations." Dan Gengler, Assistant Network Administrator, American State Bank
Along with meeting FDIC regulatory requirements from federal examiners, the bank's IT department must work closely with its own internal audit department. The bank's audit department regularly relies on the reports from Qualys to make sure the bank's systems meet internal compliance requirements. "Our audit department looks at the Qualys scans in detail," says Sturing. Qualys reports are also used to inform the bank's board of directors during its quarterly meetings of the status of the company's IT systems.
The on-demand Qualys service has provided the bank a clear return on its investment. Without Qualys, Sturing and Gengler estimate that it would have required an additional full-time employee to research and then remedy the software vulnerabilities that could affect the bank's systems. Automated scans set up by Sturing check the bank's Internet-facing systems twice each week, while internal scans are completed once a week. Any software vulnerabilities found by Qualys can be fixed in days, rather than weeks. "That's a lot of risk cut out there," says Sturing. "Qualys gives us a security blanket. It's an extra layer of protection that lets us know we're keeping our systems as secure as possible," says Gengler.
“When we receive notifications from Qualys scans we instantly see a comparison to the previous scan and know if everything is okay, or if there is a new vulnerability we need to take care of right away.”
Marvin Sturing
Network Administrator, American State Bank