FORT WORTH, Texas -- What will be the information security hot buttons for NCUA examiners in 2007? The audience had the opportunity to ask that question of NCUA officials during a special session at Credit Union Information Security Professionals Association's 2nd Credit Union IT Risk Management Summit last week.
NCUA panelists included: Dominic Nigro, Office of Examination and Insurance, information security officer; Gerry Wyland, Region II regional information security officer (RISO); Patrick Truett, Region II RISO; Wayne Trout, Region IV RISO, and Manny Centano, Region V RISO. The session was moderated by former NCUA official Joe Visconti, who now heads Visconti Consulting, Inc.
In a nutshell, areas that will be receiving additional attention are: security of member data and risk assessment, disaster recovery and business continuity plans, and vendor management programs.
Much of the discussion focused on multi-factor authentication. Credit unions wanted to know, "What's going to happen to credit unions that did not have multi-factor authentication implemented by the Dec. 31, 2006 deadline?"
"The NCUA is not going to take a one-size-fits-all regulatory approach. Examiners have been told to look at this issue on a case-by-case basis," said Dominic Nigro. "What has the credit union actually done to address the recommendations outlined in the guidelines? If implementation hasn't taken effect, it will be reflected on the exam report, but credit unions will be given due credit for actions taken to this point. If you've chosen the vendor and contracted with them, and they have been unable to get you up and running, that will be noted. The primary concern, the intent, is that the plan is in place."
"This applies to audio response and call centers, as well. Has the credit union done the risk assessment, performing and putting a plan in place, even if it's not implemented? Have they identified whether high-risk transactions have been performed and determined how they will mitigate the risk, whether it's through hardware, software, training, etc.? It's critical when an examiner comes in that those types of things are in place. Is the credit union taking steps to address strong authentication? MFA is only one solution to upgrading the authentication process. You can also use layered security."
Disaster recovery is a big issue, particularly in Regions III and IV, which were hit by Hurricanes Katrina and Rita. What does NCUA expect in terms of disaster recovery plans? There is no set requirement for a backup site to be a specific distance away from a credit union's primary site. So what is NCUA looking for in backup sites?
"Examiners want to know the rationale for a decision. Is this adequate for the credit union, especially since ROA has been lean the last couple of years? We want to know that a decision wasn't made purely based on budgetary restraints," said Centano.
"What are the potential obstacles to setting up quickly in that area? Identify the natural side and the human side," Trout said.
Wyland added, "Industry-wide there appears to be a lack of business impact analysis. Credit unions need this to identify and quantify risk to upper management. Examiners will be looking at the scope of testing. As networks grow, plans are not keeping up."
"The rule of thumb for determining how far away a backup site should be--would it be affected by a similar disaster? Consider power, water, telephone, etc., and it needs to be accessible to employees, too," said Nigro.
Concerning vendor management programs, NCUA indicated it will be looking for some type of security report on vendors and evidence of ongoing evaluation of the security precautions taken with members' sensitive information. Examiners also want to see who within the credit union takes ownership of vendor selection, program criteria and documentation. "Board satisfaction ratings, comments on the vendor and a contract end date are also valuable to have," said Centano.