Go to:

May 2018
< Apr Jun >
Leaguer Email Subscription

You are not currently subscribed. Click Subscribe below to receive the Leaguer email.

What to Expect from Your Next IT Examination?
Wednesday, December 16, 2015 6:35 AM

Kevin Hood, CTGA, IT Consultant, Credit Union Resources

With the NCUA’s focus on cybersecurity, it's important that credit unions be prepared for what to expect during a specialized IT exam. NCUA is not simply focusing the IT exams on large credit unions. In fact, Chairman Debbie Matz has stated, “Credit unions of all sizes will be expected to implement appropriate risk-mitigation controls, including vendor due diligence, strong password processes, proper patch management, and networking monitoring to better prevent, detect, and recover from cyber-attacks.”

While the NCUA has not yet landed on exactly how they will implement the new FFIEC Cybersecurity Toolkit, the following will give you a listing of the five domains the NCUA is currently focusing on and some examples of items you will need to have in place for each domain.

Cyber Risk Management and Oversight

  • Board/IT committee minutes related to IT
  • Cybersecurity-related policies and procedures
  • Strategic plans
  • Cybersecurity job descriptions and personnel qualifications
  • Risk assessments/IT audits, along with exception tracking
  • Cybersecurity training

Cybersecurity Controls

  • Listing of physical access controls
  • Baseline security configuration standards
  • Vulnerability/patch management policies and procedures, along with patch management reports
  • Vulnerability assessment scans and penetration test results/reports

External Dependency Management

  • Listing of critical third parties and subcontractors
  • Inventory of all third-party connections, including connections to:
    • Customers;
    • Third party service providers;
    • Business partners; and,
    • Other Internet connections (i.e. web server, remote maintenance, etc.)
  • Network topology
  • Due diligence regarding third party’s security controls
  • Remote access logs
  • Vendor management policies and procedures

Threat Intelligence and Collaboration

  • List of threat intelligence resources (i.e. industry groups, consortiums, threat, and vulnerability reporting services)
  • Management reports on cyber intelligence

Cyber Resilience

  • Business impact analysis
  • Business continuity plan
  • Cyber incident response plans
  • Crisis management plans
  • Cybersecurity event log

Again, we expect things to change some, probably starting in 2016, as the NCUA begins using their variation of the FFIEC toolkit. We look forward to guidance from the NCUA, but having good, strong policies and procedures in place covering all five of these domains will ensure a smooth, successful IT exam for the foreseeable future.

If you would like more information on how we can help you develop a strong information security policy and program, please give us a call.