
CYBER SECURITY RESOURCES

NCUA recognizes the importance of cyber security and using the web safely and securely.

The information on this page is offered as resources for research and informational purposes. It may not reflect all of the requirements or guidance in this area and should not be construed as requirements except as noted. NCUA does not endorse any vendor, service, or product.

When you access the links below, you might leave NCUA's site.

NCUA Regulations and Guidance

 

IT Related Letters to Credit Unions
IT Related Legal Opinion Letters
IT Related Laws
IT Related Regulatory Alerts and Risk Alerts
IT Related Rules and Regulations

Examiner’s Guide

The Examiner's Guide sets out guidance for an examiner on NCUA's examination and supervision of credit unions. The primary goal is to ensure the overall safety and soundness of the credit union system via a risk-focused examination and supervision program. Chapter 6 provides guidance on information systems and technology.

AIRES IT Exam Questionnaires

NCUA has updated its IT examination questionnaires to support a more risk-focused review of a credit union's information technology environment. The updated IT questionnaire workbook consists of two tiers: Tier I questionnaires focus on the highest-priority review areas, including electronic banking, while Tier II questionnaires address more technical network, security, and related technology issues. The new IT questionnaires also include a second workbook with two questionnaires for generalist examiners to review credit union information security programs, electronic banking security, and website compliance. Please note that most questions include comments that provide additional context or terminology.

Federal Government Requirements and Guidelines

 

NIST Special Publications

Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. The series reports on the research, guidelines, and outreach efforts in computer security of NIST's Information Technology Laboratory (ITL), and on its collaborative activities with industry, government, and academic organizations.

Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53)

Information Sharing Forums on Cyber Threats


Financial Services Information Sharing and Analysis Center

Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998's Presidential Decision Directive 63 (PDD-63). That directive, later superseded by 2003's Homeland Security Presidential Directive 7 (HSPD-7), called on the public and private sectors to share information about physical and cyber security threats and vulnerabilities to help protect U.S. critical infrastructure.
 

United States Computer Emergency Readiness Team (US-CERT)

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity - collaborative, agile, and responsive in a dynamic and complex environment.
 

FBI InfraGard

InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.


Best Practices

 

Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook Infobase

The FFIEC Information Technology Examination Handbook consists of individual booklets. These booklets represent a series of updates to the 1996 FFIEC Information Systems Examination Handbook and address the significant changes in financial institution technology since 1996. They incorporate changes in technology-related risks and controls and follow a risk-based approach to evaluating risk management practices. The booklets provide valuable information to both examiners and financial institution management.

IT Booklets
Resources

Twenty Critical Security Controls for Effective Cyber Defense

The Critical Security Controls effort focuses first on prioritizing security functions that are effective against current advanced targeted threats, with a strong emphasis on "what works": security controls for which products, processes, architectures, and services in use have demonstrated real-world effectiveness. Standardization and automation are another top priority, to gain operational efficiencies while also improving effectiveness. The U.S. State Department has previously reported a more than 94% reduction in "measured" security risk through rigorous automation and measurement of the Top 20 Controls.

SANS Reading Room Best Practices

The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. Individuals ranging from auditors and network administrators to chief information security officers share the lessons they learn and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied organizations worldwide, from corporations to universities, working together to help the entire information security community.

Technical Guide to Information Security Testing and Assessment (NIST SP 800-115)

Additional Resources

 

Payment Card Industry (PCI)

FFIEC InfoBase Booklets

Audit
Business Continuity Planning
Development and Acquisition
E-Banking
Information Security
Management
Operations
Outsourcing Technology Services
Retail Payment Systems
Supervision of Technology Service Providers (TSP)
Wholesale Payment Systems

FFIEC InfoBase NCUA Resources

Audit
Business Continuity Planning
E-banking
Information Security
Management
Outsourcing Technology Services
Retail Payment Systems

Federal Reserve Financial Services – Federal Reserve Bank Operating Circulars

Federal Reserve System - Regulations

  • 12 CFR 205 – Electronic Fund Transfers (Regulation E)
  • 12 CFR 210 – Collection of Checks and Other Items by Federal Reserve Banks and Funds Transfers through Fedwire (Regulation J)
  • 12 CFR 229 – Availability of Funds and Collection of Checks (Regulation CC) (Check Clearing for the 21st Century Act)
  • 12 CFR 233 – Prohibition on Funding of Unlawful Internet Gambling (Regulation GG)
  • 31 CFR Chapter X - Financial Crimes Enforcement Network, Department of the Treasury (Bank Secrecy Act)

FFIEC Bank Secrecy Act / Anti-Money Laundering Examination Manual

NACHA Operating Rules

Uniform Commercial Code Article 4A

UCC Article 4A, Funds Transfers (1989) Summary
UCC Article 4A Amendments (2012) Summary

Email: ociomail@ncua.gov
Phone: 703-518-6440
Fax: 703-518-6489

Mailing Address:
National Credit Union Administration
OCIO
1775 Duke St.
Alexandria, VA 22314
