CORPORATE CREDIT UNION GUIDANCE LETTER No. 2004-03
Guidance, National Credit Union Administration (NCUA), Risk Management
Information technology (IT) and security continue to evolve at a rapid pace. New risks and threats arise quickly to challenge emerging and established technologies. Yet the essential elements of strong controls and sound IT practices remain the same despite the environmental changes.

As part of our review of IT in corporate credit unions, the Office of Corporate Credit Unions (OCCU) IT examiners have focused on ensuring the adequacy of basic control elements such as firewalls, intrusion detection, penetration tests, and sound network architectures. I am pleased to note that corporates have been diligent in this regard and that many sound control practices have been implemented. OCCU IT staff will continue to verify that basic IT security control elements remain strong.

However, the ever-changing dynamics of the corporate credit union IT risk profile require that we also focus attention on the following critical information security areas:

1. Information Security Risk Assessment;
2. Security Application Code Reviews;
3. Service Provider Oversight & Contracts;
4. Security Awareness of Employees;
5. Change Management for Applications & Infrastructure; and
6. Security for Remote Locations.

Each area is briefly discussed below.