NCUA work to strengthen info security noted, more recommendations presented in OIG report

The federal regulator of credit unions has addressed and closed 13 recommendations carried over from the two previous years' reviews of its information security program, leaving one outstanding recommendation to be re-examined in the 2019 evaluation, according to an Oct. 31 report from the agency's Office of Inspector General.

The NCUA OIG engaged an outside firm to perform its 2018 Federal Information Security Modernization Act (FISMA) review. That review makes 10 new recommendations, addressing the agency's continuous monitoring program; security impact analysis for system changes (the review found that no such analysis had been documented); personnel background investigations that had not yet been completed; and network vulnerabilities that remained open.

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) engaged the firm CliftonLarsonAllen LLP (CLA) to conduct the independent review. The review focused on NCUA’s information security and privacy management programs and controls for compliance with the Federal Information Security Modernization Act of 2014 (FISMA 2014) and federal regulations and standards.

CLA evaluated the NCUA's information security and privacy management programs through interviews, documentation reviews, technical configuration reviews, and sample testing. This year, CLA also conducted a vulnerability assessment of NCUA's network. CLA evaluated the NCUA against such laws, standards, and requirements as those provided through FISMA 2014, the E-Government Act, National Institute of Standards and Technology (NIST) standards and guidelines, the Privacy Act, and Office of Management and Budget (OMB) memoranda and privacy and information security policies.

Of the issues cited in the fiscal 2016 and 2017 FISMA reports, the review found that all but one had been addressed and closed.

The one outstanding recommendation, from 2017, called on the agency's system owners, in coordination with the Office of the Chief Information Officer, to document and implement role-based account management procedures covering, among other things, authorizing, creating, modifying, disabling, removing, logging and reviewing system accounts in accordance with NCUA policy. The agency completed part of this work, but the remaining actions were not finished in time for the 2018 review; the report says their status will be assessed in next year's evaluation.

NCUA OIG-18-07, FY2018 Independent Evaluation of the National Credit Union Administration's Compliance with the Federal Information Security Modernization Act of 2014 (Oct. 31, 2018)