The OGO Blog

What Events Could Trigger An Information Security & Technology (IS&T) NCUA Exam?

how do i identify and mitigate threats

We are all super busy in our Credit Union lives helping members, improving our service, adding new products and getting more efficient.  All of this constant change and improvement means that we also are regularly re-introducing risk back into our technology operations.  The regular business improvement cycle demands that we reexamine our processes and procedure every so often just to make sure we didn’t leave the back door wide open.  Here are some key events that should cause your Credit Union to rehire or reexamine an operational segment of your Credit Union.

Information Security & Technology Exam Triggers

  • Move Data Center
  • Change Telecom Providers
  • Change Firewalls
  • Significant change in the IT Team
  • New Core System
  • Attack Mitigation Sensors notice significant probing activity

Table Top Exam Triggers

  • Key Management Team changes
  • Pending Predictable Threat (hurricane or snow storm)
  • New Threat Emergence (DDOS)
  • New System or Recover Strategy

Disaster Recovery Test Triggers

  • New Data Vaulting Solution
  • New Failover Component
  • New Replication Technology
  • Retest a prior problem
  • New Threat Emergence

So, you’ve been notified you will have a full blown NCUA IS&T exam? What should you do to get ready for the examiners?

  • First and foremost, if you’ve had a finding – understand what it is that has caused concern. Ask questions of the examiner until you completely understand what is not meeting the requirements (outdated policies, lack of board approval, etc.)
  • The best reference to prep for an IS&T exam is the Chapter 6 of the auditors examination guide – you can find it here.

Once you’ve covered EVERY SINGLE LINE ITEM that applies to you, take it a step further with these action steps:

  • Download the AIRES IS&T Questionnaires and review every single line.
  • Review Critical and Vital business processes as part of the BIA.
  • Test an individual process for a department or a process that crosses multiple departments – especially those impacted by new technologies or new threats.
  • Update procedures and verify policies are still applicable.
  • Make sure your network diagrams are updated – this makes sense on SO many levels. By updating your diagrams you are more likely to identify single points of failure of other risks not exposed during the implementation process.
  • When any major change occurs in your Credit Union (new technologies, loss of key personnel, etc) – Make updating the DR/BCP a required part of the project management or HR processing effort.
  • Keep a log of all tests and the outcomes to provide to the examiners to show the company’s awareness, training and testing (continuous improvement process)
  • Reach out to your peers who have also gone through the IS&T. Is there a “hot topic” in your region right now? Cyber-threats/DDoS? Get the low down on what others are hearing.
  • Engage outside assistance to review mitigation strategies. With a pending IS&T exam, you do not want to procrastinate on preparations.


Credit Union Compliance and Credit Union Risk Management

Still need more information on meeting the IS&T requirements?  Want to know what the FFIEC has to say about new technology projects?? Check out our post here!