Security Practices

CUNA Mutual can support multiple mechanisms for encryption. Systems accepting data over the Internet are placed in the application hosting environment, separated from the Internet and the corporate network. CUNA Mutual utilizes industry standard encryption in all areas of transmission to ensure confidentiality of information. A minimum encryption level has been established for both transmission of data and credentials and storage.

Access Control

Management has established a security policy which has been communicated to all employees. The policy covers the following general concepts:

• Protection of assets within the organization’s custody by safeguarding the confidentiality, integrity and availability of data.
• Managemen t will fulfill its responsibilities by designing and implementing business practices based upon corporate standards to protect against unauthorized access, use, disclosure or destruction of corporate information and technology.
• All employees and independent contractors working on CUNA Mutual’s behalf are responsible for conducting day-to-day accountabilities in a manner that is consistent with this policy.

Access to CUNA Mutual’s online services and business functions is secured by a unique user ID and password. These passwords must be changed regularly and must adhere to restrictive parameters to decrease the risk of unauthorized access to data and business applications. A limited number of individuals have the authority to maintain these parameters and setup new user accounts.

Physical Security

All computer hardware and storage media is located in an environmentally controlled, limited access facility, commonly known as the computer room. Individual access is subject to management approval based on the individual’s job responsibilities. A key card system is in use that requires the use of a key card to gain access to the building, and both a key card and a PIN to access the computer room. All key cards contain pictures of the key card user. Regular audits are conducted to validate user access. The key card system logs all activity from the card readers. The system records the card number swiped, date and time, and action performed. These logs are reviewed periodically by Computer Operations management. CUNA Mutual monitors all facilities through digital video surveillance.

CUNA Mutual’s computer room contains a pre-action FM-200 fire suppression system with integrated smoke and heat detection. The system is centrally monitored on a 24/7 basis by onsite security staff. Power to the computer room is protected by a generator with two independent power feeds. If the generator itself fails, two UPS units provide power for approximately 45 minutes to allow for controlled shutdown of equipment. The generator and UPS units are configured to provide as much redundancy in power delivery routes as possible. Air handlers have adequate dust filtering systems, and static electricity is controlled by maintaining a maximum humidity level. All moving devices are enclosed to protect them from exposure to elements.

Data Encryption

We support 128-bit SSL (Secure Socket Layer) data encryption for our
online business services that require data transmission. We believe that this provides powerful data security.

Internet Service Provider Connectivity and Reliability

CUNA Mutual Group's web activity is routed through a local Internet Service Provider (ISP). This ISP™'s Network Operating Center features multiple high-bandwidth Internet connections and redundant power protection. We believe that this provides us robust and reliable Web capability.

The Network Operating Center is a controlled environment featuring physical and electronic security measures that include hand-scanning devices, digital video surveillance, multiple firewalls and electronic intrusion detection technology. Its team of security specialists understands our critical business need to be able to offer 24 x 7 Web capability to our customers.

Computer Viruses and Malicious Software

We attempt to ensure that all files coming in to the CUNA Mutual Group network are scanned for viruses and other malicious software. It is our custom to deploy anti-virus software on our mail, web and application servers as well as on all desktops. Our regular procedures call for regular updating of Virus "signature" files. In addition, emergency procedures designed to contain any virus outbreaks are in place.

Intrusion Detection Capabilities and Firewalls

Intrusion Detection systems are in place through which we attempt to monitor all network traffic both to and from the Internet. These systems are designed to note and intercept or block suspicious activities as deemed appropriate. In addition, our networks are also protected by firewalls, which further serve to filter and block suspicious traffic that is detected.

Incident Response

CUNA Mutual Group has established a process for evaluating and responding to potential security incidents. A core team from our Legal, Compliance, Security and Audit areas are available in the event an incident involving our electronic systems is detected. This team is charged with:

• Evaluating the incident
• Determining the appropriate mitigation strategy
• Determining the appropriate notifications to be made which may include law enforcement officials, credit union customers and other third parties.

Data Backup

Our policies require that all production data be backed up on a regularly-scheduled basis. The backups are done centrally. The data backup process is automated and monitored for any error situations. Our procedures call for each backup to be copied and stored off-site in a protected, climate-controlled environment.

Independent Security Assessments

CUNA Mutual Group employs the services of various external consulting and auditing firms to test our defenses and report on any vulnerabilities detected.

In addition, CUNA Mutual Group's online data security procedures have been certified by the Cybertrust, an internationally-recognized security consulting organization. This certification means that Cybertrust has tested us for vulnerabilities, and has determined that CUNA Mutual Group meets Cybertrust's standards for protection of systems and customer data.

Cybertrust's certification requires a series of evaluations and recommendations on overall network architecture, connectivity, physical security, redundancy and disaster recovery capabilities, environmental controls, system configurations and operational policy compliance. Once the site is officially certified, Cybertrust security analysts work with us to regularly monitor adherence to their practices and standards.

We are proud of our Cybertrust certification, and certification is not a function of simply letting Cybertrust technicians attempt to break into our systems. A team from CUNA Mutual Group's Information Security, Technical Services and Electronic Commerce areas worked with the Cybertrust consultants, and regularly works with them, to identify potential data security threats and to take what we believe to be appropriate actions to minimize or eliminate these threats. We take these measures to attempt to assure that the sensitive financial data we receive from our credit union customers and others is handled according to appropriate data security practices.

Additional Information

From time to time our customers, business partners and other interested parties ask for more detailed information about CUNA Mutual Group's information security infrastructure, including specific questions about the types of firewalls we use, how they are configured, operating systems on our servers and details on our Intrusion Detection and Response procedures. However, we do not believe that it is in the best interest of our customers and others with whom we do business to divulge this type of detail about our computer systems and defenses, nor the details of our audits or security reviews. If this type of information were to get into the wrong hands, it could potentially be used against us. The first step in any hacker attack is to determine what types of defenses are in place at the targeted site. Armed with this knowledge, the potential hacker has one less step to go through in order to breach any defenses in place.