The current security measures provide layers of defense – from multiple firewalls to client-based security tools on each desktop – to ensure sensitive data from both AgFirst and the Associations is protected with best-of-breed technology and solutions. All of these technologies are jointly monitored and remotely managed 24/7/365 by an industry-leading Managed Security Service Provider (MSSP) and a skilled group within AgFirst.
The network environment is structured so that it supports a model of centralization and ensures all Internet inbound and outbound traffic is managed from the AgFirst security perimeter. This further enables the following technologies to be more effective in the protection of the system assets for the Bank and Associations:
- Third-party servicer for controlling spam and malicious content in email.
- Secure messaging for encrypted email.
- Monitoring for misuse and malicious sites.
- Bank and Association reporting.
Next Generation Firewalls
- Content filtering for early malware detection.
- Multi-vendor implementation for broad coverage of capabilities.
- Intrusion prevention capabilities.
Centralized Security Administration
- User moves, adds and changes.
- Annual attestation reporting.
- Automated provisioning.
Data Loss Prevention
- Detection of sensitive data being sent via email or file transfers.
- Automated email encryption.
- Endpoint capabilities to prevent data loss at the client.
Threat and Vulnerability Management
- Network firewall layer.
- Vulnerability and configuration scanning performed network-wide on any device attached and active on the network.
- Regular external penetration testing performed system-wide; overall security threat landscape frequently reviewed.
- Vulnerability tracking, metrics and reporting.
- Independent third-party audits and information assessments.
- Patch management for all devices.
- Secure storage maintenance of hard copy sensitive and confidential information.
- Trend monitoring for latest threats.
- Remote access security and wireless access point security.
- Network security devices, such as Intrusion Prevention System (IPS), Intrusion Detection System (IDS), web application firewalls and content filtering.
- Vendor risk management is considered in existing third-party relations that require access to sensitive data.
- AgFirst Incident Response Team responds to Bank and Association escalated alerts.
- Incident monitoring and response policies and procedures in place to cover the incident management process.
- Outside vendor support provided to enhance coverage for incident monitoring to include 24/7/365 active monitoring and notification for the systems security infrastructure.
- Client anti-virus and malware protection installed and actively managed at District-wide level.
- Centralized management and reporting for quicker response to alerts.
Mobile Device Management
- Centrally managed to enforce standards.
- Customizable security policies per Association.
- Remote wipe capabilities for lost or stolen devices.
- Employee and visitor ID badge access.
- Physical access restrictions to Bank buildings and sensitive areas, such as data centers, check printing areas, and areas where sensitive information or assets are housed or stored.
- Isolated functional areas, including:
  - Telco demarcation (DMARC) room with own redundant cooling systems.
  - Electrical room with uninterruptible power supply (UPS), power distribution units (PDUs), master electrical controls with self-contained cooling systems.
  - Secure caged computer room air conditioning unit (CRAC) area with one-way door from Data Center server area.
  - Secure technology storage closet and unwrap area.
- Segregation of duties and business user access restrictions in place.
- Citrix secure remote access portal for user access to applications.
- Utilizes two-factor authentication for added security.
- VPN support for technical resources and as needed by the Associations.