The NCUA is responsible for protecting the privacy of individuals who interact with the agency, whether the information about individuals is in electronic or physical form. These Rules of Behavior address privacy and security obligations and specific computer security controls that must be followed when collecting, maintaining, using, or distributing agency information in electronic or physical form. These apply to anyone issued an NCUA device, accessing NCUA data, or using an NCUA system.
External users of NCUA systems1 have a responsibility to protect government assets and NCUA proprietary information from loss, theft, and misuse. Users of NCUA owned or operated systems are responsible for ensuring that their activities do not circumvent NCUA information security controls or violate any rules described in this document. Any user having knowledge of or a reasonable suspicion that any individual is attempting to circumvent these rules or illegally gain access to an NCUA system must report the information immediately to the NCUA Technical Support Team (OneStop) at OneStop@ncua.gov.
Each user must securely transfer sensitive, confidential, or personally identifiable electronic information. NCUA provides and prefers the following tools for this purpose: the secure file transfer portal, encrypted email options, and MERIT.
These Rules of Behavior apply to use of NCUA information (in both electronic and physical forms) and information systems by any external user. By accessing NCUA systems, users attest they have read and acknowledge their understanding, and agree to these terms. Since these rules cannot account for every possible situation, users are expected to use their best judgment and highest ethical standards to guide their actions. By agreeing to and acknowledging these rules, the user signifies understanding and acceptance of NCUA security requirements. The NCUA verifies users who have or require access to NCUA information systems and associated data. The NCUA reserves the right to disable or prevent system access for security reasons if a suspected incident occurs and until it is investigated and resolved.
2. Network/Internet Security
- Do not attempt to gain unauthorized access to any computing system, circumvent data protection schemes, or uncover security loopholes. This includes creating or running programs that are designed to identify security loopholes or decrypt sensitive data sources.
- Consider all information from the Internet as suspect until confirmed by separate information from another source.
- Do not trust contacts made over the Internet with agency information unless a due diligence process and confirmation is performed.
- Do not send proprietary or private information over the Internet unless it is encrypted for security purposes, such as secure messaging or secure file transfer portals.
- Do not post non-public NCUA information on public websites.
3. Identification and Authentication Security
- Do not share your passcodes, passwords, software, or tokens with anyone.
- Immediately call your Technical Support Desk if you lose your device with the Multifactor Authentication Software installed.
4. Personally Identifiable Information (PII)2
The NCUA defines PII as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information, that is linked or linkable to a specific individual.3 Examples of PII include:
- Personal identification numbers (e.g., SSN, driver’s license number, credit card number);
- Address information (e.g., street address or email address);
- Telephone numbers;
- Personal characteristics (e.g., fingerprints, photos, x-rays);
- Information identifying personally owned property (e.g., vehicle registration, title number); and,
- Information about an individual linked or linkable to the foregoing (e.g., date or place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).
5. Protecting PII
- You are responsible for protecting PII.
- Both electronic and physical records may contain PII and must be protected from unauthorized access and use.
- Managers are responsible for providing practical guidance to their employees in a job-related context, specifically identifying PII and its authorized collection, access, use, disclosure, storage, and destruction.
- Users are responsible for adhering to administrative, technical, and physical safeguards to ensure only authorized persons have access to records and information that is used and disclosed only as authorized.
- Users are responsible for reporting all suspected or confirmed breaches of PII from NCUA applications, systems, and solutions to the NCUA via email to OneStop@NCUA.gov upon discovery.
6. Enrollment and Identity Proofing
State Supervisory Authority and Credit Union Account Administrators are responsible for verifying their user’s identity. Identity proofing ensures the applicant is who they claim. This includes presentation, validation, and verification of the minimum attributes necessary to accomplish identity proofing including obtaining evidence that supports the real-world existence of the claimed identity and verifies the applicant is appropriately associated with this real-world identity4. For example, the identity proofing and enrollment processes will be performed according to an applicable written policy or practices that specifies the particular steps taken to verify identities.
- Account Administrators are responsible for adhering to administrative, technical, and physical safeguards to ensure only authorized persons have access to records and information that is used and disclosed only as authorized.
- State Supervisory Authority and Credit Union Account Administrators are responsible for removing access or requesting access removal from NCUA for users who no longer need access to NCUA systems.
Corrective action may be taken for failure to follow these Rules of Behavior including removal of access to NCUA applications. As with any disciplinary action, the particular facts and circumstances, including whether the incident was intentional, will be considered in taking appropriate corrective action.
The NCUA reserves the right to access and disclose the contents of NCUA applications as permitted by law or regulation.
If you have any questions, please contact the NCUA Information System Security Officer at email@example.com.
The NCUA is providing the following best practices to inform you of considerations that can be implemented to mitigate security incidents.
1. Computer Password Creation Best Practices
- Passwords should follow organizationally established password criteria.
- Passwords should not contain your username or any part of your username.
- You should not use any information easily obtainable when creating passwords such as your spouse’s or child’s name, license plate numbers, telephone numbers, social security numbers, name of the street, city or town where you live, etc.
- Consider using passphrases. A passphrase is similar to a password in usage but is generally longer for added security. A passphrase should be:
- Long enough to be hard to guess (e.g., automatically by a search program, as from a list of famous phrases).
- Not a famous quotation from literature, holy books, etc.
- Hard to guess by intuition -- even by someone who knows the user well.
- Easy to remember and type accurately.
- Consider adding a “space” after the phrase to be even more secure.
2. Computer Data Security Best Practices
- Install updates in a timely manner.
- Do not store IDs and passwords in plain text. If you must store passwords, use password protected files.
- Never log onto your system while other individuals are able to see your keyboard.
- Treat all credit union and examination data as sensitive and nonpublic.
- Data should be encrypted in transit and at rest (for example, email, SFTP, removable media and other storage devices).
3. Virus Prevention Best Practices
- If you receive a message that your computer has been infected and the virus could not be purged, please contact your Technical Support Desk.
- Carefully read system alert messages and call your Technical Support Desk if you have questions concerning an alert or how to respond to an alert.
- Quarantine your system if you discover that your system has been infected, immediately isolate it from other systems. Disconnect from the network and do not allow anyone to copy files from it to another system.
- Install security patches. Contact your Technical Support Desk for the appropriate procedures for system updates.
4. Email Best Practices
- Never give out your email address to anyone that you do not know or trust.
- Users should be aware that “attackers” can forge messages to appear as if messages originated from somewhere else, spreading false information and contributing to the release of sensitive, proprietary data. If a message is suspect, its authenticity should be verified via telephone or fax.
- Only open an email attachment or link from a source you believe to be safe. Attachments received in an email message can compromise your system.
5. Mobile Device Best Practices
- Secure your mobile device when left unattended. If your mobile device is left in a vehicle, it should be hidden from view.
- Contact your Technical Support Desk immediately if your mobile device is lost or stolen, no longer than 24 hours after being aware of the loss or theft.
- Where possible, create a strong passcode required for access to your mobile device to prevent unauthorized users from gaining access to data.
- Do not share your mobile device passcode or give access to the multifactor authentication client.
- Only open an email attachment or link from a source you believe to be safe. Attachments or links received in a message can compromise your device.
1 Access to CUOnline:
Access to CUSO Registry:
Access to NCUA Connect and Admin Portal:
User guide for NCUA Secure File Transfer for Credit Unions:
3 Office of Management and Budget Circular A-130
4 Additional guidance is provided in NIST Special Publication 800-63.