American State Bank relies on Qualys to conduct weekly scans of its critical banking systems to meet growing bank regulations and reduce risk.

In the first quarter of this year, 1,220 new software vulnerabilities were uncovered. More than 80 such vulnerabilities that place business-technology systems at-risk are discovered, on average, each week. Those facts from CERT aren't lost on Dan Gengler, Iowa-based American State Bank's assistant network administrator. "Security is our top priority," says Gengler.

That's why, when the bank launched online banking services for its customers, it sought a way to quickly find and remedy any software flaws that could affect their systems. Also, the bank's decision to host its own online banking, Web, and e-mail servers put increased security responsibility on the bank's two-person IT staff.

While the bank considered using its managed-services firewall provider to conduct its vulnerability assessments, FDIC regulators requestedit was decided that the bank separate those duties. "We needed someone other than the company that manages our firewall to be checking for potential vulnerabilities in our systems," says Marvin Sturing, the bank's network administrator.

After evaluating several vulnerability scanning applications and consulting firms, the bank chose Qualys, thus enabling the bank to control its entire vulnerability management lifecycle: asset discovery, vulnerability assessments, tracking security fixes, and meet federal, state, and internal policy compliance through comprehensive reporting. Other vulnerability remediation solutions proved too costly and lacked the on demand scanning flexibility that American State Bank wanted.

"Qualys helps us cost-effectively reduce business risk and meet financial regulations." Dan Gengler, Assistant Network Administrator, American State Bank

Along with meeting FDIC the regulatory demands requirements from federal examiners, the bank's IT department must work closely with its own internal audit department. The bank's audit department regularly relies on the reports from Qualys to make sure the bank's systems meet internal compliance requirements. "Our audit department looks at the Qualys scans in detail," says Sturing. Qualys reports are also used to inform the bank's board of directors during its quarterly meetings of the status of the company's IT systems.

The on demand Qualys service has provided the bank a clear return on its investment. Without Qualys, Sturing and Gengler estimate that it would have required an additional full-time employee to research and then remedy the software vulnerabilities that could affect the bank's systems. Automated scans setup by Sturing scans the bank's Internet-facing systems twice each week, while internal scans are completed once a week. Any software vulnerabilities found by Qualys can be fixed in days, rather than weeks. "That's a lot of risk cut out there," says Sturing. "Qualys gives us a security blanket. It's an extra layer of protection that lets us know we're keeping our systems as secure as possible," says Gengler.