ANOTHER CONTROL SET?!!
The National Credit Union Administration (NCUA) recently announced the launch of a new information security exam aimed at helping credit unions better protect their data and assets. The exam is intended to help credit unions identify and eliminate information security vulnerabilities before they become a problem. The NCUA hopes that by using this new set of exam controls, credit unions will be better prepared to protect their data and assets from malicious attack. Credit unions are encouraged to take advantage of this opportunity to bolster their information security practices and become more resilient against cyber threats.
Schedule a 30 min consultation with Rivial today.
The good news: It’s not that different from the ACET controls and core security principles that you hopefully already have in place.
The bad news: It is another set of controls to review, track, map evidence to, and prep for.
The NCUA has been hinting at this for a while now and finally released the PDF of the control statements they will be using for their information security exams moving forward.
Like the ACET, the examination controls take a risk-based approach. There are three different levels of controls:
- Small Credit Union Examination Program (SCUEP) statements: Tailored for credit unions of asset sizes of $50 million and below.
- Core statements: Tailored for credit unions of asset sizes greater than $50 million.
- Core+ statements: Contains optional examination elements specialists may reference based upon risk.
For those of you who like the numbers, each size has the following components (categories) and sub-statements (controls):
This may look daunting, but compared to the 497 ACET controls it’s not so bad. We would recommend you start by validating that you are meeting all Core requirements and start working towards Core+ controls depending on your risk and as maturity increases.
Included in the Core+ controls are a CISA Ransomware Readiness Assessment and Intermediate Ransomware Readiness Assessment. Due to the increase in ransomware and all of the changes to requirements for cyber insurance, we would recommend that all credit unions look at the ransomware assessment at least annually.
Schedule a 30 min consultation with Rivial today.
Below are the 16 core components or control areas that the NCUA will be looking at.
16 Core Components:
These align very closely with the key testing areas of the ACET that the NCUA has been using in years past, with adjusted statements and sub-statements for each category. The biggest change will be around the 287 in-depth Core+ controls that they may be requiring.
How can I prepare?
Schedule a 30 min consultation with Rivial today
How can Rivial Help?
We have built these controls into the Rivial Platform with all required evidence items pre-mapped to each SCEUP, Core, and Core+ control. Assigning and tracking these items will be a matter of minutes not hours and ease the transition to new controls.
If you have questions on the new exam controls, feel free to schedule a 30-minute meeting and we would be happy to review them with you to ensure you are prepped for your exam.
If you haven’t seen the new Information Security Examination (ISE) Procedures, reach out to lucas@rivialsecurity.com, and we will send you a copy.
Schedule a 30 min consultation with Rivial today
Lucas Hathaway: 22 Apr 2024
Flying under the radar for years, BEC attacks have been slowly climbing the ranks as one of the most popular tactics amongst cybercriminals to...
Lucas Hathaway: 22 Mar 2024
Originally launched in 2014 and updated in 2018. NIST CSF 2.0 (released in February 2024) builds on ten years of cybersecurity progress. It expands...
Lucas Hathaway: 11 Mar 2024
Year after year, the responsibilities of security leaders seem to grow. They must develop and implement security policies, train their organization...
.png?width=755&height=205&name=Rivial%20Logo%202020%20(72dpi).png "Rivial Logo 2020 (72dpi)")
Lucas Hathaway