NCUA Information Security Examination (ISE) Requirements

The NCUA has developed new procedures for their risk-based Information Security Examinations (ISE) for credit unions. Your examiner will be using these new procedures for your regulatory examination this year, and we’re here to help you navigate the new normal. We’ve taken the official NCUA regulatory statements and broken them down into the assessments and testing that your examiners will be looking for this year.

Based on your credit union’s asset size, you will fall into one of two categories:

1. Small Credit Union Examination Program (SCUEP) – less than $50M in assets
2. CORE Examination Program (with additional CORE+ requirements) – over $50M in assets

Small Credit Union Examination Program (SCUEP)

The SCUEP applies to credit unions below $50 million in assets. This is the NCUA’s lowest threshold for “small” credit unions to date. If you fall in this category, your requirements are as follows:

• Risk Assessment
• IT Security Audit
• Vulnerability Assessment
• External Penetration Test
• Security Awareness Training
• Remote Social Engineering – Phishing & Vishing
• Tabletop Testing of Disaster Recovery and/or Business Continuity Plans

TraceSecurity has developed a SCUEP cybersecurity roadmap of assessments and testing that directly align with the NCUA requirements. With specialized services for smaller credit unions, our hope is to make these increased requirements as painless for you as possible.

CORE & CORE+

The CORE Examination Program applies to credit unions over $50 million in assets. CORE represents the minimum requirements, with CORE+ additions if applicable. Credit unions that fall under CORE are required to do the following:

• Risk Assessment
• IT Security Audit
• Vulnerability Assessment – Annual
• Vulnerability Management
• External Penetration Test
• Internal Penetration Test
• Security Awareness Training
• Remote Social Engineering – Phishing & Vishing
• Onsite Social Engineering
• Tabletop Testing of Disaster Recovery and/or Business Continuity Plans

As we get to credit unions of higher asset sizes and more complex IT environments, your examiner may have some additional requirements under CORE+. If applicable to your credit union, CORE+ could include some or all of the following requirements:

• Vulnerability Assessment – Quarterly, Authenticated
• Remote Social Engineering – Smishing
• Physical Security Control Testing
• Web Application Testing
• Wireless Controls Testing
• Remote Access Control Testing
• Password Security Testing
• Firewall Security Testing
• Ransomware Readiness Assessment

To provide some examples, Web Application Testing is only required if your credit union has a web application, like for online banking. Remote Access Control Testing is only necessary if you have employees that remotely access company systems, like through a VPN.

TraceSecurity has developed a CORE cybersecurity roadmap and a CORE+ cybersecurity roadmap of assessments and testing that directly align with the NCUA requirements. Based on your size and complexity, we can help determine which additional compliance statements do or do not apply to your credit union to establish your custom ISE roadmap.

The Good News

TraceSecurity has already begun preparing credit unions for their examinations under the new ISE requirements. With this being the NCUA’s most structured examination process to date, you need to make sure your cybersecurity requirements are properly handled. If you have any questions about the new requirements, or if you would like some guidance on what your credit union needs, you can reach us at info@tracesecurity.com.