New NCUA Information Security Exam (ISE): What Credit Unions Need to Know

ANOTHER CONTROL SET?!!

The National Credit Union Administration (NCUA) recently announced the launch of a new information security exam aimed at helping credit unions better protect their data and assets. The exam is intended to help credit unions identify and eliminate information security vulnerabilities before they become a problem. The NCUA hopes that by using this new set of exam controls, credit unions will be better prepared to protect their data and assets from malicious attack. Credit unions are encouraged to take advantage of this opportunity to bolster their information security practices and become more resilient against cyber threats.

The good news: It’s not that different from the ACET controls and core security principles that you hopefully already have in place.

The bad news: It is another set of controls to review, track, map evidence to, and prep for.

The NCUA has been hinting at this for a while now and finally released the PDF of the control statements they will be using for their information security exams moving forward.

Like the ACET, the examination controls take a risk-based approach. There are three different levels of controls:

- Small Credit Union Examination Program (SCUEP) statements: Tailored for credit unions of asset sizes of $50 million and below.

- Core statements: Tailored for credit unions of asset sizes greater than $50 million.

- Core+ statements: Contains optional examination elements specialists may reference based upon risk.

 For those of you who like the numbers, each size has the following components (categories) and sub-statements (controls):

This may look daunting, but compared to the 497 ACET controls it’s not so bad. We would recommend you start by validating that you are meeting all Core requirements and start working towards Core+ controls depending on your risk and as maturity increases.

Included in the Core+ controls are a CISA Ransomware Readiness Assessment and Intermediate Ransomware Readiness Assessment. Due to the increase in ransomware and all of the changes to requirements for cyber insurance, we would recommend that all credit unions look at the ransomware assessment at least annually, 

Below are the 16 core components or control areas that the NCUA will be looking at.  

16 Core Components: 

1. Policies and Procedures
2. Governance
3. Asset Inventory
4. Risk Assessment
5. Controls Testing
6. Corrective Actions
7. Training
8. Incident Response
9. Third-Party Risk Management
10. Business Continuity / Disaster Recovery
11. Vulnerability & Patch Management
12. Anti-Virus / Anti-Malware
13. Access Controls
14. Network Security
15. Data Leakage Protection
16. Change & Configuration Management

These align very closely with the key testing areas of the ACET that the NCUA has been using in years past, with adjusted statements and sub-statements for each category. The biggest change will be around the 287 in-depth Core+ controls that they may be requiring.

How can I prepare? 

1. Review the statements and sub-statements to familiarize yourself with the new requirements that the NCUA will be looking at.
2. Go through each control and validate that you have evidence in place to show compliance to your examiner.

How can Rivial Help? 

We have built these controls into the Rivial Platform with all required evidence items pre-mapped to each SCEUP, Core, and Core+ control. Assigning and tracking these items will be a matter of minutes not hours and ease the transition to new controls.

If you have questions on the new exam controls, feel free to schedule a 30-minute meeting and we would be happy to review them with you to ensure you are prepped for your exam.

If you haven’t seen the new Information Security Examination (ISE) Procedures, reach out to lucas@rivialsecurity.com, and we will send you a copy.