As we prepare for our first annual Ongoing Operations User Meeting and the broader CU InfoSecurity Conference this June 15th – 17th in New Orleans, I am looking forward to hosting a panel on top NCUA examiner concerns. While we all know that cyber-security remains a key area of focus, this session will allow participants to collaborate and share best practices for addressing cyber concerns. For now, below is a breakdown of the top 10 cyber-security areas from our blog. We hope you find these tips useful and invite you to join us in New Orleans as we discuss top compliance and examiner concerns from across the nation.
Top 10 Cyber-Security Areas [NCUA Checklist]
It’s no surprise that Cyber-Security remains one of the top concerns and top exam priorities for NCUA in 2016. In addition to the self-assessment tool from the FFIEC, the NCUA Region IV identified “The Top Ten Cyber-Security Areas That Examiners Look At”.
Here’s a quick look at these 10 steps in more detail:
- Information security policies. Does the credit union have a board-approved information security policy commensurate with the credit union’s size and complexity and that meets the requirements of NCUA Rules and Regulations Part 748?
- This is SPOT ON – we saw at least 3 credit unions experience the pain of in-depth NCUA scrutiny of their ISP. Many have been left on the shelf (electronic shelf included) and have not been updated to include newer technologies like Mobile Device Management (MDM) or more alarming – there was no evidence that a member information inventory had been performed. You can’t protect it if you don’t know where it is.
- Risk assessments. Has management recently performed and documented an information security risk assessment to identify and assess potential threats, their probability, potential effects, and the existing controls and risk remediation plans that the credit union has in place?
- Key word here – IT (Information Technology) Risk assessment – not your earthquakes or tsunamis. It is expected that a detailed analysis has been completed and mitigation strategies are in place.
- IT audit. Has management developed an audit plan that addresses all IT-related areas appropriate to the size and complexity of the credit union? This audit plan should also include continuing assessments of internal and external vulnerabilities.
- I see too many credit unions that “audit” their IT related areas with IT personnel. Get your IA involved and create the same level of control over your member data as you do your cash.
- Virus and malware. Is the network and all critical components such as servers, desktops, laptops and other systems running updated virus and malware protection software?
- Seems like a no-brainer, right? Sadly, many credit unions are still lacking on protecting the mobile assets of the organization OR do not have a strong BYOD policy in place.
- Having an anti-virus solution that is not integrated as a unified strategy also complicates the success because tech teams are busy going from box to box or appliance to appliance just to track down threats.
- Passwords. Does the credit union enforce a strong password policy based on its risk assessments that meets or exceeds industry standards? At a minimum, passwords should be at least eight characters with alphanumeric and special characters required for added strength and complexity.
- QWERTY, RR12345, Pa$$word … all easily guessable and still being used today. We know you have a lot of systems to access but you can’t skimp on password syntax.
- Business continuity planning and disaster recovery test. Is the plan sufficient, up-to-date and recently tested?
- I’ll refrain from writing a whole book on this one. As a professional planner, we see this all the time. Credit unions are still struggling to wrap their arms around the importance of establishing a culture of business continuity. This needs to change.
- Patch management. Do credit union IT personnel manage the installation of all software security patches and updates and ensure that all systems nearing or at the end of their service life are replaced?
- It's not from lack of trying that patch management isn't a fine-tuned science by now. Credit union CIOs are challenged with rollouts due to third-party vendor integration and lack of non-production testing resources.
- Vendor management. Is there a vendor management policy and program that meets the requirements of NCUA Rules and Regulations Part 748?
- Too often I see this is outsourced and while technically the work is getting done – the real knowledge of the process is lost on the credit union. Are their vendors protecting credit union assets in the same manner the CU would? Some of the best VM work I've seen was by a credit union tracking their vendors with a simple spreadsheet shared across the organization.
- Information security training. Does the credit union have a continuing information security awareness program?
- Credit unions have so many possible resources here, whether it's internal training or purchased from someone like Stickley.
- Incident response and crisis management. Is there an updated incident response plan that complies with NCUA Rules and Regulations Part 748, Appendix B?
- We recently added a tabletop scenario to help our credit unions develop their cyber incident response plan. The results have been nothing short of mind blowing as we defer the normal earthquake or hurricane and go straight for the data!
We hope you’ll review these 10 areas and be prepared for your next exam! But more importantly – you’ll be protecting your credit union data better!