AgFirst provides security management services to over 4,200 users on more than 1,600 servers who work through three separate Wide Area Network providers. The support of this secure and complex environment requires teamwork and a substantial set of tools dedicated to ensuring sensitive borrower data is well protected. Our security measures are designed to mitigate risk and inspire confidence from our customers.

Security Architecture

The current security measures provide layers of defense – from multiple firewalls to client-based security tools on each desktop – to ensure sensitive data from both AgFirst and the Associations is protected with best-of-breed technology and solutions. All of these technologies are jointly monitored and remotely managed 24/7/365 by an industry-leading Managed Security Service Provider (MSSP) and a skilled group within AgFirst.

The network environment is structured so that it supports a model of centralization and ensures all Internet inbound and outbound traffic is managed from the AgFirst security perimeter. This further enables the following technologies to be more effective in the protection of the system assets for the Bank and Associations:

Email Security

  • Third-party servicer for controlling SPAM and malicious content in email.
  • Secure messaging for encrypted email.

Web Filtering

  • Monitoring for misuse and malicious sites.
  • Bank and Association reporting.

Next Generation Firewalls

  • Content filtering for early malware detection.
  • Multi-vendor implementation for broad coverage of capabilities.
  • Intrusion prevention capabilities.

Centralized Security Administration

  • User moves, adds and changes.
  • Annual attestation reporting.
  • Automated provisioning.

Data Loss Prevention

  • Detection of sensitive data being sent via email or file transfers.
  • Automated email encryption.
  • Endpoint capabilities to prevent data loss at the client.

Threat and vulnerability management

  • Network firewall layer.
  • Vulnerability and configuration scanning performed network-wide on any device attached and active on the network.
  • Regular external penetration testing performed system-wide; overall security threat landscape frequently reviewed.
  • Vulnerability tracking, metrics and reporting.
  • Independent third-party audits and information assessments.
  • Patch management for all devices.
  • Secure storage maintenance of hard copy sensitive and confidential information.
  • Trend monitoring for latest threats.
  • Remote access security and wireless access point security.
  • Network security devices, such as Intrusion Prevention System (IPS), Intrusion Detection System (IDS), web application firewalls and content filtering.
  • Vendor risk management is considered in existing third-party relations that require access to sensitive data.

Incident monitoring

  • AgFirst Incident Response Team responds to Bank and Association escalated alerts.
  • Incident monitoring and response policies and procedures in place to cover the incident management process.
  • Outside vendor support provided to enhance coverage for incident monitoring to include 24/7/365 active monitoring and notification for the systems security infrastructure.

Managed anti-virus/anti-malware

  • Client anti-virus and malware protection installed and actively managed at District-wide level.
  • Centralized management and reporting for quicker response to alerts.

Mobile Device Management

  • Centrally managed to enforce standards.
  • Customizable security policies per Association.
  • Remote wipe capabilities for lost or stolen devices.

Physical Security

  • Employee and visitor ID badge access.
  • Physical access restrictions to Bank buildings and sensitive areas, such as data centers, check printing areas, and areas where sensitive information or assets are housed or stored.
  • Isolated functional areas, including:
    • Telco demarcation (DMARC) room with own redundant cooling systems.
    • Electrical room with uninterruptible power supply (UPS), power distribution units (PDUs), and master electrical controls with self-contained cooling systems.
    • Secure caged computer room air conditioning unit (CRAC) area with one-way door from Data Center server area.
    • Secure technology storage closet and unwrap area.
  • Segregation of duties and business user access restrictions in place.

Remote Access

  • Citrix secure remote access portal for user access to applications.
  • Utilizes two-factor authentication for added security.
  • VPN support for technical resources and as needed by the Associations.

Association Assurances

For customer assurances, AgFirst issues an American Institute of CPAs Service Organization Controls 2 (SOC2) report, which ensures a high level of service in the following areas: security, availability, processing integrity, confidentiality and privacy. The current focus is in the areas of security and availability. This report is provided annually to serviced customers and meets FCA requirements for third-party vendor attestation.