To help you better prepare, the August edition of The NCUA Report highlights the “Top 10” areas examiners look at during an IT security exam:
1. Information security policies: Do you have a board-approved policy that meets the requirements of NCUA Rules and Regulations Part 748?
2. IT audit: Have you developed an audit plan addressing IT-related areas appropriate to the size and complexity of the credit union, including ongoing assessments of internal and external vulnerabilities?
3. Virus and malware: Is your network, including all critical components, running up-to-date virus and malware protection software?
4. Risk assessments: Have you recently performed and documented an information security risk assessment to identify and assess potential threats and their probability, potential effects, controls, and risk remediation plans?
5. Passwords: Do you enforce a strong password policy that meets or exceeds industry standards?
6. Business continuity planning and disaster recovery test: Is the plan sufficient, up-to-date, and recently tested?
7. Patch management: Do your IT personnel manage the installation of all software security patches and updates, and ensure replacement of all systems nearing the end of their service life?
8. Vendor management: Do you have a vendor management policy and program meeting the requirements of NCUA’s Part 748?
9. Information security training: Do you have an ongoing information security awareness program?
10. Incident response and crisis management: Do you have an updated incident response plan that complies with Appendix B to NCUA’s Part 748?
You should also review your insurance coverage to ensure you have adequate protection in place to reimburse costs associated with such things as business interruptions, hiring staff or vendors to assist the credit union following a breach, legal fees, and public relations initiatives to protect or rebuild your credit union’s reputation.
The NCUA Report’s “Top 10 Cyber Security Areas Examiners Look At” is available on ncua.gov.