Documents that users scan directly to email may not be secure because the multifunction printers (MFP) used to send them transmit email in clear text by default.  Clear text email could be intercepted by unintended parties resulting in the potential exposure of private information.  Regulatory compliance and good conscience dictate that sensitive, private information must be protected, so applicable email messages require encryption.

The problem is that many MFPs do not support email encryption, and for those that do, there is no guarantee the scans will be sent encrypted.  First, the MFP must be specifically configured to use TLS encryption for emailing scanned documents.  Secondly, the receiving email system must also be configured to accept TLS encryption.  If the MFP is configured to use TLS, but the receiving system does not accept TLS, the scanned document will likely be delivered anyway without encryption.  Configuring TLS on an MFP only ensures the scans will be offered over an encrypted channel.  In technical terms, this offer and accept sequence is referred to as opportunistic TLS, and it means TLS is not a fully reliable encryption method.   Additionally, it is not possible to be sure your MFPs are even configured to attempt using TLS without logging into each to validate.

For guaranteed encryption, scanned documents should be sent via Outlook in conjunction with an encryption service like ZixCorp full message encryption.  MFPs should be reconfigured to use ‘scan to folder’ instead of direct ‘scan to email’.  This way, users can attach the scanned documents to email messages they send via Outlook rather than emailing them directly from the MFP.  If Outlook is connected to an Exchange server, all messages sent to local employees will be secured by default.  For messages sent to external recipients with scanned attachments, the users should be trained to force encryption on all of those outgoing messages.

Scanned documents usually cannot be automatically encrypted because the attachment is a picture rather than a text-based document such as Word or Excel.  Encryption services are typically able to detect word patterns in the subject and body of messages in order to automatically encrypt them.  Attachments that contain readable text such as Word and Excel documents can also be scanned in the same manner; however, scanned attachments are actually a picture rather than machine readable text.  Encryption is typically forced by adding specific keywords to the subject line of new email messages.  For example, SafeSysMail and Escan use the keywords “secure delivery” (no quotes necessary) placed anywhere in the subject line of outgoing messages.

‘Scan to folder’ also provides financial institutions (FI) more precise control over the transmission of private information.  Access to the folder can and should be limited to only well-trained users that require the ability to email scanned documents.  ‘Scan to email’ may not offer the same level of control because any user typically has the permission to scan documents and email them from configured MFPs.  Even if the MFP is somehow restricted, the effectiveness is suspect due to the decentralized nature of configuring each MFP individually, and it may be possible for users to circumvent it via device modifications.  With ‘scan to folder’, the security is centralized via administrator control of shared folders on servers that users cannot modify.

The centralized nature and simplicity of ‘scan to folder’ also make it inherently more reliable than ‘scan to email.’  ‘Scan to email’ has complex interdependencies that extend beyond the MFP to include specialized mail server configurations, and Internet access to remote email servers for FI’s that outsource.  The Internet access required for scanning to outsourced email servers is also another example of the security risk associated with ‘scan to email.’  If any of these dependencies experience degradation, ‘scan to email’ failures may occur and go undetected for extended periods of time.  Senders may not realize their documents are failing to be delivered.  ‘Scan to folder’ depends only on the standard shared folder, and because the scanned document is sent as an attachment to an Outlook message, any delivery failures will be promptly reported directly to the sender.

In summary, here are 5 reasons ‘‘scan to folder’’ is better than ‘‘scan to email’’:

1. Documents scanned to email cannot  guarantee encrypted delivery
2. Documents scanned to a folder then attached to an Outlook email message can always be secured using an email encryption service
3. Users’ ability to email scanned documents can be better controlled with ‘scan to folder’
4. ‘Scan to folder’ is more reliable that ‘scan to email’
5. ‘Scan to email’ requires MFPs to have outbound Internet access over an unsecured port (SMTP)

Not all MFPs support ‘scan to folder,’ but for those that do, it should be used in place of ‘scan to email.’  The next best option is to use TLS and accept the risk or better yet avoid ‘scan to email’ altogether.  If TLS is used, verify the receiving system accepts TLS and avoid emailing scanned documents to external recipients.  Email only to internal recipients and be sure to validate the configuration of every MFP in your environment.

Anyone who has ever used a cloud-based storage service such as Dropbox or Box understands the usefulness and convenience that these types of solutions provide. On the other hand, anyone who has ever dealt with data leakage can also identify with the potential problems and risks of these types of solutions. New conveniences that services such as Dropbox and Box provide, also present new hurdles that Information Security Officers must overcome.

Just the possibility of data leakage alone is frightening, but recent events such as the recent seizure of Megaupload by federal authorities can be a horrific experience. However, these concerns don’t stop at just cloud storage services. They also extend into services like Google Talk, Google Docs, flickr, Skype, LogMeIn, and numerous other online cloud services.

The number of cloud-based services that are being used by end users has exploded over the last five years. This recent adoption of cloud solutions does not seem to be slowing. For this reason, Information Security Officers and administrators need new tools to address these new risks. Most of these new threats and concerns can be handled by a Next-Generation Firewall.

In the last five years, firewall manufacturers have changed the way firewalls interact with traffic that traverses the appliances. Historically, firewalls were only able to view packet information such as source IP, destination IP, and service port. This meant that a firewall administrator could only block traffic based on this packet information. Later, firewall vendors began packaging extra services, such as IPS and content filtering into their products. These new additions helped firewall administrators protect their networks from a myriad of ever-changing problems. However, new problems have arisen, and Next-Generation Firewalls can be used to address these problems.

Next-Generation Firewalls have changed the way firewall administrators can configure and protect their networks. As previously mentioned, former firewalls could only view packet information such as source IP, destination IP, and port. Next-Generation Firewalls on the other hand, can actually identify traffic at layer 7 of the OSI model. This means that the firewall can distinguish between YouTube and Google Docs traffic. Additionally, the new firewalls can integrate with Microsoft Active Directory. The merger of these new features and benefits are tremendous. Now administrators can direct which users can use which cloud services. For example, administrators can now configure the Next-Generation Firewalls so that employees of a management group could access Facebook, but tellers could not. This could be previously accomplished using web content filtering techniques, but it was a little more difficult. Also, web content filtering begins to fall apart when you start to discuss denying individual portions of a website. For instance, many financial institutions have blocked Gmail solely based on the Google Talk feature. With a Next-Generation Firewall, administrators can allow users to access Gmail, but deny their use of the Google Talk features. Additionally, these features lend themselves to better reporting. For those of you who have ever looked at firewall logs and reports, you know that it can be difficult to truly understand what your users are accessing. When a firewall can report on users rather than IP address and applications rather than ports, reports become much easier to comprehend. Administrators no longer have to determine which users were on specific workstations at different times of the day.

The first Next-Generation Firewalls began to appear roughly five years ago. Gradually over time, most firewall vendors have noticed the enhancements that Next-Generation Firewalls provide and they have developed their own versions that are available today. Many current firewalls that are in production only require a firmware update to obtain these features. Otherwise, a new firewall appliance would need to be obtained.

In conclusion, Next-Generation Firewalls give firewall administrators more granular control than previously available. With user and application identification, controls can be more clearly and easily defined. Many banks and credit unions have a Next-Generation Firewall in place, but they just need to update the appliance firmware. For the reasons identified, Information Security Officers and firewall administrators should evaluate if a Next-Generation Firewall has a place in their bank or credit union. An evaluation of Next-Generation Firewalls should be high priority if your financial institution is looking at a firewall replacement in the foreseeable future.

As I have discussed in our previous newsletters, we have incorporated a compliance topic to the Quarterly Self-Assessment (QSA) that we perform with your financial institution; the main objective being to present you with information on the latest compliance trends that we see throughout our client base. Our goal this year is to incorporate topics that address the latest IT trends, goals and challenges for financial institutions and give you the tools, resources, and recommended solutions to help meet these common challenges.

What I’ve seen in the field is that many examining bodies are reviewing vendor management with increased scrutiny. The question that I hear most often is: “how do I know what documentation to obtain from each vendor to ensure my vendor management program is complete?” With increased outsourcing and heightened regulatory concern, it is critical that you examine the vendor’s financials and third party assessments like the SOC 2 (in past years the SAS 70 report) at least annually. This is a control tool that can be used to assess the adequacy and effectiveness of the vendor’s security controls. If your institution is looking at bringing on a new vendor, it is important to evaluate the vendor in the pre-implementation phase. We have developed a couple of helpful checklists to assist in this process.

It is also important that the financial institution document the risks associated with each vendor, the services the vendor will perform, and any residual risk of their services. This process should be documented in your Vendor Management Risk Assessment and updated annually. It is your goal to prove to your examiners that your vendors are being properly evaluated and managed effectively.

During this quarter’s QCSA I will be discussing and distributing a Service Provider Selection & Due Diligence Checklist as well as a Vendor Contracts Checklist. As always, please contact me directly if you have a compliance topic suggestion that you would like us to incorporate next quarter or if you would like to read more about a specific compliance topic in our Director of Compliance’s help site complianceguru.com.

While NetComply does a lot for your network automatically (patch management, AV, and machine inventory just to name a few), it does require some maintenance to make sure your network and reports are in tip top shape. Here are a few of my recommendations for making sure both NetComply and your network are running optimally.

Verify all machines are in NetComply: This is the most important step! If a machine is not in NetComply, it is almost certainly not being managed at all. This means that it is completely vulnerable since it is not getting patches, and may not have an AV product on it. The easiest way to verify if all your machines are in NetComply is to do a count of your machines and then check to make sure that matches the total number of devices in NetComply. If the numbers don’t match, use NetComply to help you find the missing machines. One trick is to show the Last Logged in User on the Agent Status page under the Agent tab and look for any missing users. Another trick is to sort by IP Address on the same page to separate your branches, this way you can verify your counts at each branch. If you’re missing either of these columns (IP Address or Last Logged in User), hit the Select Columns button to add these fields.

Make sure new machines are configured: Check Patch Management and AVG specifically. Make sure you have an automatic update time configured under the Patch Management tab -> Automatic Update. Also verify that AVG has been installed by going to the Security tab -> Install/Remove section and verify a check mark is present. It’s a good idea to also verify that a credential has been set under the Agent tab -> Set Credential section.

Run the built-in tests to verify configuration: It’s a good idea to periodically run a credential and patch management test to verify that machines are able to update properly. A credential test can be run by going to the Agent tab -> Set Credential area, selecting the machines you want to test, and hitting the Test button. You can test the Patch Management configuration by going to the Patch Management tab -> Patch Status, selecting the machines you want to test, and hitting the Test button. If either of these tests fail, review the configuration of the machine and make any necessary changes, then retest the machine.

Delete old machines: This is something often overlooked and it can really hurt your Patch Management report as well as all other reports. Make removing machines from NetComply part of your machine decommission process. You can do this by going to the Agent tab -> Delete -> Choose “Delete account now…”

By following these few simple guidelines you can ensure that your NetComply reports are accurate, your machines are being managed properly and you’ll be ready for your next audit or exam.

NetComply IT systems reports, combined with a self-assessment environment where the reports can be reviewed and documented (like the IT Committee), form the basis for a very powerful toolset to achieving higher URSIT scores. The URSIT (Uniform Rating System for Information Technology) ratings have been used by federal examiners for all IT examinations of financial institutions as well as technology service providers since 1978. They were revised in 1999 to bring them more in line with the CAMELS ratings. Similar to CAMELS, they also use a 5 point scale, with 1 being the highest or best score, and 5 being the lowest or worst. Most institutions want to score either a “1” or a “2”, as anything below that brings additional regulatory scrutiny.

There are four components to the ratings:

• Audit
• Management
• Development and Acquisition
• Support and Delivery

Each component is rated individually, and then together with the others in a composite. Notice what the Management component has to say about the subject of IT systems reports (taken in order from weakest to strongest compliance):

5. “IT systems do not produce management reports that are accurate, timely, or relevant.”

4. “IT systems do not routinely provide management with accurate, consistent, and reliable reports, thus contributing to ineffective performance monitoring and/or flawed decision-making.”

3. “IT systems provide requested reports to management, but periodic problems with accuracy, consistency and timeliness lessen the reliability and usefulness of reports and may adversely affect decision making and performance monitoring.”

2. “IT systems provide quality reports to management which serve as a basis for major decisions and a tool for performance planning and monitoring. Isolated or temporary problems with timeliness, accuracy or consistency of reports may exist.”

1. “IT systems provide accurate, timely reports to management. These reports serve as the basis of major decisions and as an effective performance-monitoring tool.”

I have written and spoken before about the importance of the “management” element, and how I believe we’ll continue to see increased regulatory scrutiny of this going forward. Clearly the regulators consider accurate, consistent, and timely IT reporting critical to effective management. And since higher URSIT scores contribute to higher CAMELS scores, everyone from your examiners to your Board of Directors and shareholders will see the benefits.

Managing 20,000 machines on a daily basis has its benefits and challenges. Due to this quantity of machines, Safe Systems is often one of the first to know if a Microsoft, core vendor, etc. update has had a negative unexpected consequence on machines or other software. This large quantity also gives us a unique view into the patch status, vulnerabilities, and virus status of our financial institutions as a whole. Keeping such a wide range of hardware and software secure while running at optimal performance with little interference is a goal we strive to attain on a daily basis. Addressing vulnerabilities on so many devices can be a challenging task. Even a fix on 99 machines can have devastating effects on 1 machine at any given time.

For years Safe Systems has applied mass fixes to their managed devices in an effort to keep all devices hardened for security purposes while also allowing them to perform their needed functions. We view this process as a security baseline that all our managed devices will meet if they are on a network we manage. And through these years our NetComply Service has enabled us to apply new fixes every month to our Platinum and Gold client servers. Silver clients also have an opportunity to have their servers meet this baseline through adding the Security Baseline Service to their NetComply contracts.

The graph below represents the dramatic decline in known issues across our client base through some enhancements to our Security Baseline Service. By automating and improving the way Safe Systems addresses vulnerabilities created by Java, Adobe, Flash, and QuickTime, the number of recognized vulnerabilities has dropped significantly by 80% across our managed devices in just 3 months. The Safe Systems security baseline team meets monthly to discuss vulnerabilities, breaking them out into categories of “no fix available,” “fix addressed by our automated systems,” and “fix needs to be created.” Often vulnerabilities cannot be fixed for various reasons. Three of the most common reasons are: 1) the software vendor has not created a fix 2) addressing the vulnerability will stop a needed function 3) the vulnerability listed is a non-issue due to other mitigating factors that exist. The improvements we have seen due to the enhancements we made to our Security Baseline Service now mean that a large majority of all issues fall into the category of “fix addressed by our automated systems.” This means that without any delay or any manual labor, each server will have the vulnerability addressed in one week or less of a fix being produced by the software vendor.

Safe Systems still writes manual fixes monthly, but now we have a more focused list of issues to address. There have been some institutions who reported to us that they receive monthly vulnerability scans by a third party company and the number of issues that were considered high risk have now dropped considerably and in some cases, all high risk issues have been addressed. This Security Baseline Service is an example of our efforts to help financial institutions address their needs in a secure, compliant and efficient way.

Safe Systems Client Referral Program—new iPad giveaway
Thank you for sharing your confidence in Safe Systems by sending us your referrals for our Safe Systems Client Referral Program. For every financial institution you refer to us, you are entered in our quarterly drawing for a new iPad (plus we donate an additional $100 to charity for each successful referral)! Our most recent winner was Russell Bailey from SouthCity Bank! Congratulations Russell! Our next drawing is right when we hit our minimum of only 10 total referrals so please keep those referrals coming for your next chance to win! www.safesystems.com/client-referral-program

Safe Systems Survey
In order for Safe Systems to exceed your expectations through superior service and advanced solutions, we are conducting a general survey for all our clients. This survey is confidential and should only take about 10 minutes of your time. By filling out the survey you will also be entered into a client drawing for a $50 Amazon gift card. You should have received an email regarding this survey yesterday. If you did not receive an email, please contact us.

Compliance Guru—2,000+ financial institutions visiting monthly- are you?
Our nationally acclaimed compliance help site “Compliance Guru” can keep financial institutions informed of current auditor & examiner trends & the latest FFIEC updates. “The Guru” is Safe Systems’ Director of Compliance, Tom Hinkel, with over twenty-five years of compliance expertise and a certified auditor. Follow this site today! Read three of the Guru’s hottest posts this quarter: FDIC changing annual IT report to Board?, “Data-flow diagrams,” and 2012 Compliance Trends, Part 4 – Risk Assessments.

Safe Systems is Growing
Safe Systems is expanding and we are looking into additional space to enhance the customer service experience for our financial institution clients. More details to follow at our Safe Systems National User’s Conference.

Safe Systems experiences record quarter!
Safe Systems is excited to announce a record quarter for Q1 2012! This was a great start to the year and we’ll continue our efforts toward ensuring Safe Systems’ strong financial growth in the future. Additional details to follow at our Safe Systems National Users Conference.

In the News
This quarter Safe Systems was published in several national industry journals:

Safe Systems’ Hosted Email Exchange Solution Drives Down Total Cost of Ownership for Financial Institutions

Bankers as Buyers report

Safe Systems’ Compliance Services Remove the Challenge of Dealing with IT Compliance Examinations

Social Media’s Passive Risk

With New Bank-Security Guidance, How Safe from Cybercrime Is Your Firm?

Bank Directors and Officers targeted in 2011

Safe Systems Ranks on MSPmentor’s Top 100 MSPs for Three Years Running

Safe Systems Launches Critical Application Patching Service (CAPS), Adds Vital Layer of Security

Faster Patches, Happier Regulators

How One CU Patched Up Its IT Compliance Efforts

Rethinking the Process Behind Compliance

New Employee and Appointments
We are very excited to announce the addition of Mason Yaksh to the Account Management department. Mason was previously employed at IBM as a Service Delivery Manager in IBM’s Managed Security Services and is currently pursuing a Computer Information Systems Degree at Georgia State University.
We are also thrilled to announce the addition of Philip Giltman to the growing Safe Systems team. Philip was hired for the position of NOC Analyst with previous experience at Advanced Technology Group with A+ and Network+ expertise and is a graduate of Emory University.

Another talented member that we are adding to our growing team is Kevin Bowers. Kevin has been hired as a NOC Analyst and comes to us with previous experience as a Tier III Support & Data Center Technician at the National Christian Foundation and North Point Ministries, and an IT consultant for Booster Enterprises. Kevin is a Georgia State graduate in Computer Information Systems.

We are also happy to welcome Benjamin Jacoby to the Safe Systems team. Ben has been hired as a NOC Analyst and is a graduate of Georgia State University in Computer Information Systems. He served as a team lead for a project team at a Georgia Pacific co-op prior to joining Safe Systems.

Congratulations to Frank Berry on his recent promotion to NOC Team Leader. Frank has been with the company for 2+ years and he has consistently gone the extra mile for clients of Safe Systems. He does all this with a smile, a positive attitude, and just a willingness to do whatever it takes to get the job done. We’re proud of you Frank!

As someone who makes a living in the IT industry, I always find new technologies interesting. Most of the time, my interest centers around the new capabilities an innovative technology promises, the efficiencies it can provide, or the cost savings it can deliver. Sometimes, however, a technology comes along that doesn’t really provide any of these benefits but catches on anyway. Such is the case with the tablet PC revolution today.

It seems that everyone has iPad fever these days. Chances are good that either you or a family member has some type of tablet device on their wish list this holiday season. The Apple iPad has generated most of the demand for tablet devices, but lower-priced alternatives such as the Kindle Fire are attracting customers as well. Most (if not all) of the capabilities of a tablet computer are available on a laptop. A tablet just provides a new form factor and a streamlined operating system.

So what is driving the “need” for all of these devices? I would argue that the primary driver for tablets is, basically, that they are REALLY cool! The manner and ease in which you can now consume content and install apps on an iPad is amazing, which is why the trend toward tablet devices has been catapulted by the consumer market. There was, originally, very little you could do with an iPad in the office – at least in terms of being productive anyway. In fact, using an iPad to access the corporate network is typically much less efficient than using your laptop or PC and provides less functionality. The skyrocketing popularity of the tablet platform, however, has sparked many new technology adaptations which make it somewhat more feasible to use tablets at work, leading many business executives to push for technologies such as application virtualization and VDI. These technologies can add significant cost and complexity, but many organizations are opting to implement them anyway to address the growing demand to use the popular new tablets in the office. What I find most interesting about this technology however, is how it has helped further change corporate mentality toward a trend known as “the consumerization of IT.”

Apple has been the single largest force behind this trend. Before the iPhone was released, most organizations had strict mobile device policies and security requirements that governed their use. BlackBerry grew to become the number one smartphone for enterprises largely due to the robust capabilities it provided for managing and securing these devices. The release and popularity of the iPhone however, slowly began a gradual acceptance of less corporate control in exchange for more features, functionality, and personal choice. This trend has continued with the many software-as-a-service (SaaS) offerings that have been created over the last few years. Solutions such as Dropbox, Gmail, Skype, GoToMyPC, and iCloud, among many others, make great capabilities available to end users with little or no technical ability required to use them. Many of them provide some level of free access and can be implemented quickly without getting IT involved. Now, tablet devices are driving organizations to approve budget dollars for large IT projects involving VMWare, Citrix, and wireless communications – all so employees can access the same applications on their tablet that they have on their corporate pc or laptop. This type of acceptance would not have been likely prior to the beginning shift in corporate mentality caused by the iPhone.

So is the consumerization of IT a good or a bad thing for businesses? I believe it is good thing overall, but not without its drawbacks. It’s good from the standpoint that non-technical employees have finally found great technology that they can understand and utilize. Now that they have found it, employees (especially executives) will not accept a lower standard of technology in the office than they can setup and use themselves at home. This mindset has created a more demanding group of IT users, which should lead to technology that is more user-friendly while still delivering amazing functionality.

The drawback to this mentality however, is a broad acceptance of additional corporate risk that would have been unacceptable only a few years ago. Many of these newer consumer-driven technologies sacrifice control for the sake of ease of use. Corporate users are now using many software-as-a-service solutions with no centralized management whatsoever and often without even the knowledge of the IT department. Because these solutions can be accessed through a web browser, blocking access to them is difficult to accomplish effectively. IT departments are being overwhelmed trying to address the security and manageability of smartphones, tablet devices, and publicly hosted applications without proper tools that have been designed specifically for this task. Overall, this lack of control and increased risk seems to be getting either overlooked or underemphasized.

Ultimately, the days of rigid corporate device policies and software procurement processes seem to be coming to an end. The overwhelming demand from all levels of the organization to utilize the latest devices and apps in the office are breaking down the barriers that historically protected organizations against technology risks. Institutions that choose to accept this trend need to recognize the additional risk that it can expose them to, and develop alternative plans to address this risk. The process of performing a risk analysis on new technology implementations has not changed from the days of old. What has changed, in many cases, is the tolerance for IT departments to dictate the way that end users consume their IT.

Happy Holidays from all of us at Safe Systems!  It is hard to believe that another year has gone by and now we are quickly approaching 2012.  I would like to take the opportunity to reflect on 2011 and share some of the operational improvements we have made this year.

One of the most recent changes we have made was the implementation of a tiered system in our Network Operations Center (NOC).  This change allows us to effectively grow with our customers and to continue to be sensitive to your technology needs.  To begin our new system, we implemented a Tier 1 and a Tier 2 with plans to further expand to a Tier 3 group in 2012.  Tier 1 is primarily responsible for being extremely responsive, quickly scoping/documenting an issue, and as a last resort, to escalate when defined escalation criteria are met.  Tier 2 is committed to ownership and issue resolution for all escalated tickets.  Some of the key benefits of a tiered system include:  better utilization of engineer resources, quick response to questions and quick fixes, and increased customer satisfaction.

One of the noticeable deliverables that came from the implementation of our tiered system is the publication of our NOC Credo and Service Values.  The Credo and Service Values can be seen posted on each engineer’s desk and this serves as a reminder to each of us that our customers are our biggest priority.  We hold our Credo and Service Values with high regard and strive to maintain them as your technology partner:

The NOC Credo

At Safe Systems, we pledge to be the premier national technology services partner for community financial institutions.

We are committed to and it is our utmost priority to provide quality customer service.

Motto

The Technology Partner for Financial Institutions

Service Values:

1. Exceptional customer service is our highest mission and the fundamental principle for all other values.
2. I will not negotiate the quality of my work.
3. I consistently treat customers and team members with uncompromising courtesy.
4. I maintain an infectious exuberance and positive outlook.
5. I am proud of my professionalism.
6. Every decision I make is important.
7. I own customer technology issues and see each issue to resolution.
8. I have the opportunity to continuously learn and grow.
9. I regularly look for opportunities to innovate and improve the Safe Systems experience.

In addition to the tiered system, our NOC has introduced a new Knowledge Base (KB) that is integrated into our ticketing system.  This KB is used as a central repository of customer specific notes and information on your particular network.  The KB is also used to document troubleshooting steps and can be used for the continual transfer of knowledge among our engineering group.

Safe Systems also has implemented an internal alerting system that integrates with our ticket system to facilitate better communication between functional departments.  This provides a mechanism to alert our engineers in the NOC when an implementation project is taking place.  For instance, if a customer is a Continuum disaster recovery customer, the alerting system will notify our NOC engineers while this test is being performed.  As we continue to grow, this will help us better communicate and manage your technology systems.

Another recent change is that our NOC engineers will have increased opportunities for involvement in project implementations.  This will reintroduce a standard approach for training engineers in new technology solutions and will provide a more seamless approach for the integration of these solutions into our NOC.  Furthermore, this will provide a better method for providing post installation support as engineers will be available after installs to quickly address outstanding items.  Implementation projects include standard contract installations such as server virtualizations/replacements, Citrix implementations, branch additions, PC refresh projects, router replacements, etc.

Additionally, we’ve expanded our surveys to include a more focused NOC survey and we added implementation surveys.  The NOC surveys have been modified to be more selective and this will help avoid inundating you with additional emails.  All of these surveys are anonymous and used to measure our effectiveness in the delivery of our services.  This is also another way for your voice to be heard, so I encourage your participation, honesty, and continued help with the refinement of our services.

I’ve reviewed several improvements that Safe Systems has implemented in 2011.  These have all largely been developed as a result of your feedback and with the intentions of allowing us to better serve you.  I am proud to say that we are focused on changing for the better and continuously look to improve the delivery of our services.  As always, we appreciate your feedback and look forward to 2012 as we continue to focus on partnering with you for all your technology needs.  Thank you again for your business and we hope you have a wonderful and safe holiday season.

Best Regards,

Brent J. Moore
Director of Client Services

If you haven’t heard yet, CAPS is Safe Systems’ newly developed Critical Application Patching Service. It is used to patch non-Microsoft critical applications such as Adobe Reader, Adobe Flash, Java, and QuickTime. For every Network Admin in the financial industry, patching (of some form or another) always seems to be at the forefront of their mind. Whether it’s vulnerability assessments, examiners, or internal auditing; Network Admins are constantly focusing on how effective they are at getting their machines patched. Rarely do they get the opportunity to take a step back to actually see what real world advantages are coming from these up-to-date applications.

I wanted to take this opportunity to point out the real numbers that we are seeing in our NOC since the implementation of CAPS. In CAPS’ first full month of use alone, the number of hours spent in our NOC on malware tickets dropped by 90% from its peak in May earlier this year. On average, the time spent in our NOC on malware since CAPS was introduced has dropped by 75% compared to the previous months of this year. This means that executives, loan officers, CSRs, and tellers were able to work with more customers and complete their jobs quicker since they didn’t have to hassle with malware. All of this comes with little to no additional work from the Network Admin since they are using CAPS. In fact, on our CAPS report, we list how much time the Network Admin has saved by using CAPS to update these applications instead of doing them manually. Keep in mind though, our estimate does not include the increased productivity from the entire organization since this is hard to quantify, but it’s obvious they no longer have to deal with the malware infestations that accompany these out of date applications.

The reality is that malware makers are no longer focused on exploiting Microsoft vulnerabilities. Keeping up with all of the third party applications, testing the patches, and then installing the patches on your network is almost an insurmountable task. With CAPS, all of this is automated and the institution can enjoy the benefits of up-to-date software without having to incur the cost of labor involved in trying to accomplish the same thing manually or the cost of the loss of productivity. If you’d like to hear more about CAPS or if you’re interested in purchasing CAPS, please contact your Account Manager and let them know.