The NCUA’s primary mission is to ensure the safety and soundness of federally-insured credit unions. The NCUA performs this important public function by examining all federal credit unions, participating in the supervision of federally insured state-chartered credit unions in coordination with state regulators, and insuring federally insured credit union members’ accounts. The purpose of this document is to highlight the standards and controls that govern our Privacy and Information Security Programs.
Why the NCUA Collects Information from Credit Unions
In fulfilling the mission under the Federal Credit Union Act, NCUA collects and analyzes information from credit unions to assess their financial condition and evaluate existing and potential risks to the National Credit Union Share Insurance Fund.
Authority to Collect Information from Credit Unions
The act authorizes information collection to carry out supervision and insurance responsibilities. Information is collected in connection with activities such as safety and soundness examinations, periodic filing of call reports, insurance applications, and chartering requests.
Types of Information Collected from Credit Unions
The NCUA collects financial data, policies, risk reports and other relevant information from credit unions to evaluate existing and potential risks. The collected information concerns balance sheet and income statement data and loan, investment, and share data at a macro level. Governance information, such as credit union policies, is also reviewed.
The majority of the information collected from credit unions consists of public, non-sensitive, or non-personal information. However, non-public, sensitive, or personally identifiable information may be needed to assess a credit union’s compliance performance and risk management or to aid in a criminal or other enforcement investigation. The amount of information collected and the length of time it is held are limited to what is needed to fulfill the collection purpose.
How the NCUA Handles Information Collected from Credit Unions
The NCUA exercises great care in protecting sensitive and personally identifiable information. As a general practice, personally identifiable information collected during the examination is not retained. Nearly all sensitive and personally identifiable information is automatically removed and destroyed when the examination file is prepared for transmission. However, when it is needed to maintain the integrity of the administrative record, a small amount of sensitive information is kept in the stored examination file.
Examples of such information include a small number of specific loan records that support a finding or corrective action. Similarly, an ongoing supervision or investigation may require a more complete audit trail. In these infrequent situations, the minimal amount of personally identifiable information necessary to support the accuracy and integrity of the administrative record may be retained. Retained information is stored in a manner consistent with the federal security and privacy controls applicable to the type of information. Once the retention purpose is completed, the information is destroyed.
Staff is provided with general and role-based training on their legal, reputational and ethical obligations to protect sensitive information. The training addresses appropriate information security practices, rules of behavior for access and use of data systems, responsibilities for protecting personally identifiable information, and ethics rules prohibiting unauthorized information disclosures.
Staff is trained on policies regarding:
- Collecting information necessary to perform their planned review.
- Collecting information in a secure manner using a hierarchy of secure methods that best suit the needs of the particular credit union.
- Transferring and storing any sensitive information only where there is an identified, authorized need to retain such information, and in a manner consistent with agency instructions for handling sensitive information.
- Destroying or returning all other non-public sensitive or personally identifiable information at the conclusion of the examination or review.
Security of Information Systems Used to Collect and Analyze Information from Credit Unions
All federal agencies must comply with mandatory security standards for federal information and information systems.[1] The NCUA Enterprise Risk Management Committee (ERMC) has established the risk appetite for Information and Technology Management at LOW for operational IT/IT systems and MODERATE for non-production innovation. The NCUA must meet these minimum information security requirements by using the security and privacy controls recommended by the National Institute of Standards and Technology.[2] The NCUA is also required to adhere to the Federal Cyber Security Framework (CSF)[3] standards, guidelines and best practices for managing cybersecurity-related risk, including the appropriate implementation of the following 18 security control families and their associated 256 controls:
- Access Control (AC): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (AC-1) Access Control Policy and Procedure; (AC-2) Account Management; (AC-3) Access Enforcement; (AC-4) Information Flow Enforcement; (AC-5) Separation of Duties; (AC-6) Least Privilege; (AC-7) Unsuccessful Logon Attempts; (AC-8) System Use Notification; (AC-9) Previous Logon (Access) Notification; (AC-10) Concurrent Session Control; (AC-11) Session Lock; (AC-12) Session Termination; (AC-13) Supervision and Review for Access Control; (AC-14) Permitted Actions Without Identification or Authentication; (AC-15) Automated Marking; (AC-16) Security Attributes; (AC-17) Remote Access; (AC-18) Wireless Access; (AC-19) Access Control for Mobile Devices; (AC-20) Use of External Information Systems; (AC-21) Information Sharing; (AC-22) Publicly Accessible Content; (AC-23) Data Mining Protection; (AC-24) Access Control Decisions; and (AC-25) Reference Monitor.
- Awareness and Training (AT): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (AT-1) Security Awareness and Training Policy and Procedures; (AT-2) Security Awareness Training; (AT-3) Role-Based Security Training; (AT-4) Security Training Records; and (AT-5) Contacts with Security Groups and Associations.
- Audit and Accountability (AU): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (AU-1) Audit and Accountability Policy and Procedures; (AU-2) Audit Events; (AU-3) Content of Audit Records; (AU-4) Audit Storage Capacity; (AU-5) Response to Audit Processing Failures; (AU-6) Audit Review, Analysis and Reporting; (AU-7) Audit Reduction and Report Generation; (AU-8) Time Stamps; (AU-9) Protection of Audit Information; (AU-10) Non-Repudiation; (AU-11) Audit Record Retention; (AU-12) Audit Generation; (AU-13) Monitoring for Information Disclosure; (AU-14) Session Audit; (AU-15) Alternate Audit Capability; and (AU-16) Cross-Organizational Auditing.
- Security Assessment and Authorization (CA): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (CA-1) Security Assessment and Authorization Policy and Procedures; (CA-2) Security Assessments; (CA-3) System Interconnections; (CA-4) Security Certifications; (CA-5) Plans of Action and Milestones; (CA-6) Security Authorization; (CA-7) Continuous Monitoring; (CA-8) Penetration Testing; and (CA-9) Internal System Connections.
- Configuration Management (CM): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (CM-1) Configuration Management Policy and Procedure; (CM-2) Baseline Configuration; (CM-3) Configuration Change Control; (CM-4) Security Impact Analysis; (CM-5) Access Restrictions for Change; (CM-6) Configuration Settings; (CM-7) Least Functionality; (CM-8) Information System Component Inventory; (CM-9) Configuration Management Plan; (CM-10) Software Usage Restrictions; and (CM-11) User-Installed Software.
- Contingency Planning (CP): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (CP-1) Contingency Planning Policy and Procedure; (CP-2) Contingency Plan; (CP-3) Contingency Training; (CP-4) Contingency Plan Testing; (CP-5) Contingency Plan Update; (CP-6) Alternate Storage Site; (CP-7) Alternate Processing Site; (CP-8) Telecommunications Services; (CP-9) Information System Backup; (CP-10) Information System Recovery and Reconstitution; (CP-11) Alternate Communications Protocols; (CP-12) Safe Mode; and (CP-13) Alternative Security Mechanisms.
- Identification and Authentication (IA): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (IA-1) Identification and Authentication Policy and Procedures; (IA-2) Identification and Authentication (Organizational Users); (IA-3) Device Identification and Authentication; (IA-4) Identifier Management; (IA-5) Authenticator Management; (IA-6) Authenticator Feedback; (IA-7) Cryptographic Module Authentication; (IA-8) Identification and Authentication (Non-organizational Users); (IA-9) Service Identification and Authentication; (IA-10) Adaptive Identification and Authentication; and (IA-11) Re-Authentication.
- Incident Response (IR): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (IR-1) Incident Response Policy and Procedures; (IR-2) Incident Response Training; (IR-3) Incident Response Testing; (IR-4) Incident Handling; (IR-5) Incident Monitoring; (IR-6) Incident Reporting; (IR-7) Incident Response Assistance; (IR-8) Incident Response Plan; (IR-9) Information Spillage Response; and (IR-10) Integrated Information Security Analysis.
- Maintenance (MA): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (MA-1) System Maintenance Policy and Procedures; (MA-2) Controlled Maintenance; (MA-3) Maintenance Tools; (MA-4) Non-Local Maintenance; (MA-5) Maintenance Personnel; and (MA-6) Timely Maintenance.
- Media Protection (MP): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (MP-1) Media Protection Policy and Procedures; (MP-2) Media Access; (MP-3) Media Marking; (MP-4) Media Storage; (MP-5) Media Transport; (MP-6) Media Sanitization; (MP-7) Media Use; and (MP-8) Media Downgrading.
- Physical and Environmental Protection (PE): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (PE-1) Physical and Environmental Protection Policy and Procedures; (PE-2) Physical Access Authorizations; (PE-3) Physical Access Control; (PE-4) Access Control for Output Devices; (PE-6) Monitoring Physical Access; (PE-7) Visitor Control; (PE-8) Visitor Access Records; (PE-9) Power Equipment and Cabling; (PE-10) Emergency Shutoff; (PE-11) Emergency Power; (PE-12) Emergency Lighting; (PE-13) Fire Protection; (PE-14) Temperature and Humidity Controls; (PE-15) Water Damage Protection; (PE-16) Delivery and Removal; (PE-17) Alternate Work Site; (PE-18) Location of Information System Components; (PE-19) Information Leakage; and (PE-20) Asset Monitoring and Tracking.
- Planning (PL): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (PL-1) Security Planning Policy and Procedures; (PL-2) System Security Plan; (PL-3) System Security Plan Update; (PL-4) Rules of Behavior; (PL-5) Privacy Impact Assessment; (PL-6) Security-Related Activity Planning; (PL-7) Security Concept of Operations; (PL-8) Information Security Architecture; and (PL-9) Central Management.
A Privacy Impact Assessment (PIA) is a decision tool used by NCUA to identify and mitigate privacy risks by assessing (1) what personally identifiable information (PII) is collected; (2) why the PII is being collected; and (3) how the PII will be collected, used, accessed, shared, safeguarded and stored. With this information in hand for each applicable information system, the goal is to (1) ensure conformance with applicable legal, regulatory and policy requirements for privacy; (2) determine the risks and effects; and (3) evaluate protections and alternative processes to mitigate potential privacy risks. The PIA is conducted when NCUA is (1) developing or procuring any new technology or system that handles or collects PII; (2) creating a new program, system, technology, or information collection that may have privacy implications; (3) updating a system in a way that results in new privacy risk; or (4) issuing a new or updated rulemaking that entails the collection of PII.
- Personnel Security (PS): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (PS-1) Personnel Security Policy and Procedures; (PS-2) Position Risk Designation; (PS-3) Personnel Screening; (PS-4) Personnel Termination; (PS-5) Personnel Transfer; (PS-6) Access Agreements; (PS-7) Third-Party Personnel Security; and (PS-8) Personnel Sanctions.
- Risk Assessment (RA): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (RA-1) Risk Assessment Policy and Procedures; (RA-2) Security Categorization; (RA-3) Risk Assessment; (RA-4) Risk Assessment Update; (RA-5) Vulnerability Scanning; and (RA-6) Technical Surveillance Countermeasures Survey.
- System and Services Acquisition (SA): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (SA-1) System and Services Acquisition Policy and Procedures; (SA-2) Allocation of Resources; (SA-3) System Development Life Cycle; (SA-4) Acquisition Process; (SA-5) Information System Documentation; (SA-6) Software Usage Restrictions; (SA-7) User-Installed Software; (SA-8) Security Engineering Principles; (SA-9) External Information System Services; (SA-10) Developer Configuration Management; (SA-11) Developer Security Testing and Evaluation; (SA-12) Supply Chain Protection; (SA-13) Trustworthiness; (SA-14) Criticality Analysis; (SA-15) Development Process, Standards and Tools; (SA-16) Developer-Provided Training; (SA-17) Developer Security Architecture and Design; (SA-18) Tamper Resistance and Detection; (SA-19) Component Authenticity; (SA-20) Customized Development of Critical Components; (SA-21) Developer Screening; and (SA-22) Unsupported System Components.
- System and Communications Protection (SC): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (SC-1) System and Communications Protection Policy and Procedures; (SC-2) Application Partitioning; (SC-3) Security Function Isolation; (SC-4) Information in Shared Resources; (SC-5) Denial of Service Protection; (SC-6) Resource Availability; (SC-7) Boundary Protection; (SC-8) Transmission Confidentiality and Integrity; (SC-9) Transmission Confidentiality; (SC-10) Network Disconnect; (SC-11) Trusted Path; (SC-12) Cryptographic Key Establishment and Management; (SC-13) Cryptographic Protections; (SC-14) Public Access Protections; (SC-15) Collaborative Computing Devices; (SC-16) Transmission of Security Attributes; (SC-17) Public Key Infrastructure Certificates; (SC-18) Mobile Code; (SC-19) Voice Over Internet Protocol; (SC-20) Secure Name/Address Resolution Service (Authoritative Source); (SC-21) Secure Name/Address Resolution Service (Recursive or Caching Resolver); (SC-22) Architecture and Provisioning for Name/Address Resolution Service; (SC-23) Session Authenticity; (SC-24) Fail in Known State; (SC-25) Thin Nodes; (SC-26) Honeypots; (SC-27) Platform-Independent Applications; (SC-28) Protection of Information at Rest; (SC-29) Heterogeneity; (SC-30) Concealment and Misdirection; (SC-31) Covert Channel Analysis; (SC-32) Information System Partitioning; (SC-33) Transmission Preparation Integrity; (SC-34) Non-Modifiable Executable Programs; (SC-35) Honeyclients; (SC-36) Distributed Processing and Storage; (SC-37) Out-of-Band Channels; (SC-38) Operations Security; (SC-39) Process Isolation; (SC-40) Wireless Link Protection; (SC-41) Port and I/O Device Access; (SC-42) Sensor Capability and Data; (SC-43) Usage Restrictions; and (SC-44) Detonation Chambers.
- System and Information Integrity (SI): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (SI-1) System and Information Integrity Policy and Procedures; (SI-2) Flaw Remediation; (SI-3) Malicious Code Protection; (SI-4) Information System Monitoring; (SI-5) Security Alerts, Advisories, and Directives; (SI-6) Security Functions Verification; (SI-7) Software, Firmware and Information Integrity; (SI-8) Spam Protection; (SI-9) Information Input Restrictions; (SI-10) Information Input Validation; (SI-11) Error Handling; (SI-12) Information Handling and Retention; (SI-13) Predictable Failure Prevention; (SI-14) Non-Persistence; (SI-15) Information Output Filtering; (SI-16) Memory Protection; and (SI-17) Fail-Safe Procedures.
- Program Management (PM): NCUA leverages this control family to address the establishment of policy, procedures and practices for the effective implementation and operations of (PM-1) Information Security Program Plan; (PM-2) Senior Information Security Officer; (PM-3) Information Security Resources; (PM-4) Plan of Action and Milestones Process; (PM-5) Information System Inventory; (PM-6) Information Security Measures of Performance; (PM-7) Enterprise Architecture; (PM-8) Critical Infrastructure Plan; (PM-9) Risk Management Strategy; (PM-10) Security Authorization Process; (PM-11) Mission/Business Process Definition; (PM-12) Insider Threat Program; (PM-13) Information Security Workforce; (PM-14) Testing, Training and Monitoring; (PM-15) Contacts with Security Groups and Associations; and (PM-16) Threat Awareness Program.
These managerial, operational and technical controls are leveraged according to system categorization and comply with industry controls such as the Gramm-Leach-Bliley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Sarbanes-Oxley Act and the Payment Card Industry Data Security Standards.
In addition to NIST standards and guidelines, the NCUA is subject to federal statutes such as the Federal Information Security Modernization Act of 2014, the E-Government Act of 2002, the Privacy Act of 1974 and various OMB policies and guidance concerning federal information management and privacy.
Office of Inspector General (OIG) Program Audit
The OIG conducts independent audits, investigations and other activities to verify NCUA’s compliance with applicable standards, laws and regulations related to privacy and information security, and reports its results to the NCUA Board and the U.S. Congress. Annually, the OIG conducts a FISMA audit to determine whether the NCUA has effectively implemented all appropriate security and privacy controls. In addition, as indicated in the Financial Statement Audits, the NCUA is in compliance with the requirements of the Federal Managers’ Financial Integrity Act of 1982 because management has established and maintains controls over its programs and financial systems. The results are reported both internally and externally to ensure that all findings are remediated. Credit unions and their members can review OIG audit reports, semiannual reports and letters to Congress at https://www.ncua.gov/About/Pages/inspector-general/reports.aspx.
[1] FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
[2] NIST Special Publication 800-53 (Rev. 4), Security and Privacy Controls for Federal Information Systems and Organizations.
[3] NIST Cybersecurity Framework, Federal Framework for Critical Infrastructure and Other Sectors Associated with the Economy and National Security.