The NCUA needs to do a more thorough review of how it protects the privacy of its computer users and data, according to a report by the agency’s Office of Inspector General.
The report, which was released on Nov. 14, said the focus of the review should be on how often the agency relies on Social Security numbers and other “personally identifiable information” as a means of access to its data.
By performing this survey, the NCUA “will reduce the risk of exposing its sensitive data to a breach of confidentiality by an authorized or unauthorized entity. Ultimately, this could prevent public embarrassment for the agency and a loss of trust by the public.”
The agency agreed with the recommendation and noted that it has reorganized its Office of General Counsel to give greater emphasis to privacy issues; increased privacy training for its supervisors; and plans to take several steps in the next year to reduce the unnecessary use of personally identifiable information.
The report concluded that the agency had made progress in nine areas that a similar survey last year had found to be problematic.
Among the improvements were better security configurations; improved procedures for overseeing external service providers; improved contingency planning; better security for the NCUA’s servers and desktops; implementation of continuing education requirements for information technology employees; and greater ability to establish a fully integrated monitoring system.
The report also said the agency needed to make further changes: improving its remote access controls; upgrading its continuous monitoring program; improving its security authorization packages; upgrading its contingency planning program; and improving its intrusion detection policies.
The agency agreed with the recommendations and said it was putting programs in place to address them.
The report, which was designed to evaluate the agency’s compliance with the Federal Information Security Management Act, was prepared by Richard S. Carson Associates, a Maryland-based management and information consulting firm, at the request of the agency’s inspector general.
The firm gathered information for the report by auditing the agency’s computer infrastructure between August and November. The focus was on areas mandated by the Department of Homeland Security.