The NCUA needs to do a more thorough review of how it protects the privacy of its computer users and data, according to a report by the agency’s Office of Inspector General.
The focus should be on how often it relies on Social Security numbers and other “personally identifiable information” as a means of access to its data.
By performing this survey, the agency “will reduce the risk of exposing its sensitive data to a breach of confidentiality by an authorized or unauthorized entity. Ultimately, this could prevent public embarrassment for the agency and a loss of trust by the public.”
The agency agreed with the recommendation and noted that it has reorganized its Office of General Counsel to give greater emphasis to privacy issues, has increased privacy training for its supervisors, and plans to take several steps in the next year to reduce the unnecessary use of personally identifiable information.
The report concluded that the agency had made progress in nine areas that had been problematic when it performed a similar survey last year.
These included better security configurations, improved procedures for overseeing external service providers, and a greater ability to establish a fully integrated monitoring system.
The report also said the agency needed to improve its remote access controls, upgrade its continuous monitoring program, improve its security authorization packages, upgrade its contingency planning program, and improve its intrusion detection policies.
The agency agreed with the recommendations and said it was putting programs in place to address them.