What must be addressed in the written information security program? When must it be updated?
- Protects the credit union from crime.
- Keeps member information secure and confidential.
- Responds to incidents of unauthorized access to member information.
- Assists in the identification of bad guys.
- Prevents destruction of vital credit union records.
The program must change and be amended as the credit union’s operations change.
What are the three reporting requirements in Part 748?
- The credit union’s president or managing official certifies Part 748 annually
- A credit union must send a Catastrophic Act Report to its Regional Director within 5 business days of any catastrophic act impacting the credit union
- SARs must be filed, when appropriate under the BSA requirements
What does NCUA require from credit unions in the event of a catastrophic act?
Must make and retain a record of the catastrophic act, including:
- Information about when and where it occurred
- The amount of loss or damaged
- Whether any mechanical, operational or technical deficiencies made it worse
- How the credit union is correcting those deficiencies.
How should a credit union certify compliance with NCUA’s security program requirements?
The President/Managing Official must certify compliance with Part 748 annually.
What is the role of the credit union’s board in the information security program? What is their role with regard to IT oversight?
The credit union’s board of directors and senior management will
- analyze potential risks
- formulate appropriate risk management techniques to mitigate risks
- determine action steps to take if the credit union’s security is compromised
Board and senior management are responsible for overseeing the business continuity management process, including establishing and updating policies, allocating sufficient personnel and resources to implement those policies, ensuring the BCP is independently reviewed and approved annually, and ensuring the BCP is tested regularly and that those tests are reviewed.
What must be addressed in the response program for unauthorized access to member information? When does the response program apply? Is member notice required? If so, what must be included in the notice?
WHAT. Assess the nature and scope of an incident to identify what member information has been accessed and the extent of the breach.
WHEN. When the credit union becomes aware of an incident, it should conduct an investigation to determine the severity and why members have potentially been impacted
Member Notification Required? Notification is only required where misuse of the information has already occurred or is reasonably possible. Notice must include:
- The general nature of the incident
- Steps the credit union is taking to protect members from harm
- Steps members can take to protect themselves from harm
- Review periodic statements
- Report unauthorized transactions,
- Place fraud alerts on their credit report
- Obtain and review a copy of their credit report
- The notification must also provide some FTC guidance (e.g., identity theft).
What is the structure and purpose of the FFIEC Cybersecurity Assessment Tool?
The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.
Inherent Risk Profile - Identifies the inherent risk (before any controls or mitigations are in place) to the credit union’s operations by looking at its types of technologies and connections, delivery channels, online and mobile product offerings, organizational characteristics and the external threats experienced by the credit union.
Cybersecurity Maturity - Assesses the credit union’s controls and risk mitigations across five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependence Management
- Cyber Incident Management and Resilience
Are IT audits required? What is necessary for an IT audit to be valid?
Yes. Risk-based IT audit programs should:
- Identify the institution’s data, application and operating systems, technology, facilities, and personnel
- Identify the business activities and processes within each of those categories
- Include profiles of significant business units, departments, and product lines, or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the institution
- Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments, and products
- Include board or audit committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope, and resource allocation for each area audited
- Implement the audit plan through planning, execution, reporting, and follow-up
- Include a process that regularly monitors the risk assessment and updates it at least annually for all significant business units, departments, and products or systems
