What is NCUA Regulatory Compliance?
The National Credit Union Administration (NCUA) audits credit unions against the principles and standards set out by the Federal Financial Institutions Examination Council (FFIEC). The FFIEC standards call for numerous security controls, including data access controls, encryption and key management, and security monitoring.
Access Rights Administration
According to FFIEC:
Financial institutions should have an effective process to administer access rights. The process should include:
- Assigning users and devices only the access required to perform their required functions,
- Updating access rights based on personnel or system changes,
- Reviewing periodically users' access rights at an appropriate frequency based on the risk to the application or system ...
Encryption and Key Management
FFIEC also notes:
Financial institutions should employ an encryption strength sufficient to protect information from disclosure until such time as the information's disclosure poses no material threat. … Decisions regarding what data to encrypt and at what points to encrypt the data are typically based on the risk of disclosure. … Encryption may also be used to protect data in storage. The implementation may encrypt a file, a directory, a volume, or a disk.
Encryption Key Management
Since security is primarily based on the encryption keys, effective key management is crucial. Effective key management systems are based on an agreed set of standards, procedures, and secure methods that address … (Source: ISO 17799, 10.3.5.2)
In addition, FFIEC offers guidelines for security monitoring.
Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by:
- Monitoring network and host activity to identify policy violations and anomalous behavior;
- Monitoring host and network condition to identify unauthorized configuration and other conditions which increase the risk of intrusion or other security events;
- Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and
- Responding to intrusions and other security events and weaknesses to appropriately mitigate the risk to the institution and its customers, and to restore the institution's systems.