ALEXANDRIA, Va. (2/5/15)--The National Credit Union Administration's System Security Plan (SSP) for its own operations does not adequately address mobile device security controls, according to a report from the agency's inspector general.
The report details results of an audit to determine if the NCUA has adequate mobile device and other security controls in place.
"We determined that NCUA policies along with the agency's practices and controls associated with its NCUA-issued mobile devices provide adequate security to protect NCUA information, data and resources," the report reads.
"However, we also determined NCUA could improve security of its mobile devices by addressing the following issues: NCUA's System Security Plan (SSP) does not adequately address mobile device security controls; and NCUA could include additional or enhanced policies or controls in its SSP," it noted.
The report also determined that controls associated with managing and securing personal mobile devices within the NCUA "did not provide adequate protections over NCUA information, data and resources."
The audit consisted of interviews with NCUA staff; review of documentation pertaining to mobile device security; and consideration of National Institute of Standards and Technology and Office of Management and Budget policies and procedures.
The report comes on the heels of a data breach at the NCUA in December, in which a thumb drive was lost during an examination of a California credit union. The NCUA's inspector general announced an investigation into that matter as well.
CUNA called on the NCUA to conduct a thorough investigation of the breach to ensure that future breaches that put safety and soundness of credit unions at risk do not happen.