Hearing that NCUA is coming onsite can often be a stressful situation, especially if you work in the Information Technology area. So many new threats have cropped up, and there is no indication that things will be slowing down anytime soon. That’s why I think it’s awesome that NCUA, in a recent report out of Region IV, has identified “The Top Ten Cyber-Security Areas That Examiners Look At”.

So get out your pencils and your network engineers and let’s walk through these top 10!
1. Information security policies. Does the credit union have a board-approved information security policy commensurate with the credit union’s size and complexity that meets the requirements of NCUA Rules and Regulations Part 748?
   - This is SPOT ON – we saw at least 3 credit unions experience the pain of in-depth NCUA scrutiny of their ISP (information security policy). Many have been left on the shelf (electronic shelf included) and have not been updated to include newer technologies like Mobile Device Management (MDM), or, more alarming, there was no evidence that a member information inventory had been performed. You can’t protect it if you don’t know where it is.
2. Risk assessments. Has management recently performed and documented an information security risk assessment to identify and assess potential threats, their probability, potential effects, and the existing controls and risk remediation plans that the credit union has in place?
   - Key word here – IT (Information Technology) risk assessment – not your earthquakes or tsunamis. It is expected that a detailed analysis has been completed and mitigation strategies are in place.