Computer Software Patch Management

Dear Manager and Board of Directors:

The National Credit Union Administration (NCUA) is providing credit unions with the enclosed guidance, recently issued by the Federal Deposit Insurance Corporation (FDIC), in an effort to assist credit unions in the development of an effective computer software patch management program encompassing appropriate policies, procedures, and practices in order to mitigate risks associated with commercial software vulnerabilities.

During the past year, many companies and some credit unions have experienced security breaches that could have been prevented through the timely identification and patching of software vulnerabilities. This guidance provides information about the importance of maintaining an effective computer software patch management program and information technology (IT) infrastructure. In addition, the guidance provides credit unions with background information on the risks associated with software vulnerabilities and how they can be mitigated through an effective patch management program.

Many credit unions rely on commercially developed software to support business processes and an IT infrastructure. Common types of software include operating systems, core processing systems, business applications (e.g., word processing, spreadsheet, and database programs), and system services (e.g., anti-virus programs, firewalls, etc.). Commercially developed software may contain flaws that create security and performance vulnerabilities. These vulnerabilities may cause system unavailability or corrupt critical system components or data. Although software vendors often develop updates, or "patches," to correct identified weaknesses, it is the software user's responsibility to update systems or install patches in a timely manner.

If you have any questions or concerns, please contact your NCUA regional office or State Supervisory Authority.

Sincerely,

/S/

Dennis Dollar

Chairman