Information Systems and Technology (IS & T) Exam

We know it is not fun to go through an NCUA IS&T exam – but examinations don’t always have to be painful! Being prepared for exam is key to not only passing the exam but also protecting your critical member information.  If you’ve undergone  significant infrastructure changes during the last year it is especially important to perform a detailed assessment against known NCUA guidelines.

Information you'll want
Why Do I Need It?The regulators sometimes require a third-party to review your security program and make recommendations
What Are The Likely Outcomes?
A report that you can provide your board or management on the status of the Credit Unions IT Security program
Why OGO?OGO knows FFIEC guidelines inside and out and has 8 former Credit Union CTO’s on staff who are intimately familiar with the NCUA’s process

IS & T Examination Readiness Assessment:

Ongoing Operations will partner with you to perform an in-depth review/assessment of the IS&T Program and perform the necessary risk assessments to prepare your Credit Union for the IS & T exam.

  1. Conduct a high-level review/assessment of Information Security Program (ISP) will include:
    • Assessment of the proficiency of current policies and procedures with focus on identifying GAPS where recent technology changes have impacted in place mitigation strategies.
    • Work with your personnel to update applicable policies and procedures where necessary.
    • Make recommendations for improvements in overall IS&T program
  1. In-Depth Risk Assessment(s) will be conducted by gathering information from the your team through surveys and onsite/remote meetings to:
    • Identify reasonably foreseeable internal and external threats that could result in misuse, alteration, or destruction of member information
    • Assess the likelihood and potential damage (impact) of these threats
    • Assess the proficiencies of policies, procedures, and other mitigation strategies to control risks.
    • Inventory critical assets (hardware, software, hardcopy, transmission paths) that touch member data
    • Assess current controls and make recommendations for improvement
    • Establish testing strategies to include responsible party (i.e., internal audit, 3rd party, etc.) and schedules
    • Address changes to the internal and external threat environment as discussed in the Appendix to the FFIEC Supplement to Authentication in an internet banking environment
    • Assess risks resulting from changes to member functionality offered through the electronic banking channel; and
    • Inventory/Document actual incidents of security breaches, identity theft, or fraud experienced by the Credit Union.