Compliance Blog

Jul 23, 2014

July 2014 NCUA Report; Understanding the Basics of an Information Security Policy; June NCUA Board Meeting Video

Written by Bernadette Clair, Senior Regulatory Compliance Counsel

This week, NCUA released its July 2014 Report.  Featured articles include:


Understanding the Basics of an Information Security Policy. One of the articles in this month’s NCUA Report that caught my attention discusses seven elements found in effective information security policies that NCUA states credit unions should follow when developing or updating their information security policies.  Here's an excerpt from the article on the seven elements:

“General Policy Objectives — This section addresses the scope of the policy and applicability across the credit union. This is perhaps the simplest section to develop in a credit union’s information security policy because the scope and applicability is already defined by federal regulation.

Risk-Management Criteria and Expectations — This section defines a credit union’s commitment to risk management and clarifies general directions and intentions. In this section, the board of directors should delineate what constitutes acceptable risk, and by what process or authority a credit union accepts the remaining unmitigated risk. This helps to prevent the unnecessary acceptance of institutional risk by those lacking clearly delegated authority. Because of the great latitude found in this section, it is often the most difficult to develop.

Governance Roles and Responsibilities — This is the most important section because it is the lifeblood of a credit union’s information security program. This section outlines the roles for the information security program’s development and maintenance. An effective policy document defines the roles for the board of directors, senior management, a steering committee, and other key individuals for the day-to-day management of the program.

Summary of Security Strategies and Control Mechanisms —This section provides a set of information security policies. It outlines at a high-level a credit union’s security strategies and selected controls to mitigate any foreseeable and identified risks in operations, along with the managerial responsibility of those controls. The development and selection of the various controls to use should occur after a risk assessment. Credit unions should also use various recognized information security control standards. This section should outline controls for the reasonably foreseeable risk scenarios in the future.

Testing and Reporting Requirements — This section should address the frequency and nature of testing required to determine the controls’ effectiveness, along with any reporting requirements. At a minimum, NCUA regulations expect a comprehensive annual report to the board of directors about the effectiveness of a credit union’s information security program.

Incident Response — A response policy is a key part of a credit union’s information security policy and program. It is a cornerstone of an incident response program, mandated appendix B of Part 748. The policy addresses a credit union’s commitment, strategy, roles and responsibilities in response to natural disasters or security breaches to ensure operations will be resumed as planned.

Consequences of Non-Adherence — Lastly, this section outlines the consequence of non-adherence to the information security policy. Management should transparently state the legal and administrative avenues available to them to ensure the policy is adhered to and enforced.

These seven components of the information security policy provide the strategic foundation for standards and procedures. Procedures should be implemented for every control of the policy and should address how the control is deployed and managed on a day-to-day basis, including who is responsible for the management and maintenance. Also, effectively segregating policy from procedures simplifies the ongoing maintenance of the information security policy documents, as a policy necessitates board of directors’ approval, while procedures are subject to managerial approval only.”

The article is available in its entirety here.


June NCUA Board Meeting Video.  Lastly, the video recording of NCUA’s June open meeting, which we blogged about here and here, is now available. The June video, along with archived videos of past Board meetings, may be found on this page of NCUA’s website.