The National Credit Union Administration (NCUA) is the United States independent federal agency that supervises and charters federal credit unions.
Claude R. Marx reports:
The NCUA needs to do a more thorough review of how it protects the privacy of its computer users and data, according to a report by the agency’s Office of Inspector General.
The report, which was released on Nov. 14, said the focus of the review should be on how often the agency relies on Social Security numbers and other “personally identifiable information” as a means of access to its data.
By performing this survey, the NCUA “will reduce the risk of exposing its sensitive data to a breach of confidentiality by an authorized or unauthorized entity. Ultimately, this could prevent public embarrassment for the agency and a loss of trust by the public.”
Read more on Credit Union Times.
From the report’s Executive Summary:
NCUA has worked to further strengthen its information security and privacy programs during Fiscal Year (FY) 2011. NCUA’s accomplishments during this period include:
- Improved its security configuration for servers and desktops;
- Improved its ability to establish a fully integrated continuous monitoring program by implementing automated software, which includes intrusion detection, vulnerability scanning, and logging tools;
- Developed and implemented policies and procedures for overseeing external service providers;
- Improved its contingency planning program for its FISMA systems;
- Established, implemented and enforced security baselines for its servers and desktop devices;
- Improved its Plan of Action and Milestone process;
- Provided Business Impact Assessments (BIAs) for its FISMA systems and is currently extending the BIA study down to its regional/field offices;
- Improved its procedures for ensuring terminated users and inactive user accounts are disabled or removed from NCUA systems; and
- Implemented continuing education requirements for its information technology employees.
We identified two areas remaining from last year’s FISMA evaluation that NCUA officials need to address. NCUA needs to:
- Improve remote access controls; and
- Improve its privacy program (i.e., review its use of Personally Identifiable Information and Social Security Numbers).
In addition, we identified four new findings this year where NCUA could improve its information technology security controls. Specifically, NCUA needs to:
- Improve its continuous monitoring program;
- Improve its security authorization packages;
- Improve its contingency planning program; and
- Improve its intrusion detection policies and procedures.