Dear Board of Directors:
NCUA recently updated its IS&T Examination Program. The program update results from significant technology changes and revisions to the National Credit Union Administration Rules and Regulations. The new questionnaires replace the e-Commerce I (EC1), e-Commerce II (EC2), and EDP Review (EDPR) used to review a credit union’s overall IS&T systems with more focus on Security, Audit, Information Technology, and Member Services. Examiners will use the IS&T Questionnaire workbook (enclosed) to complete their review. Examiners will tailor their review based on the credit unions risk and use appropriate questionnaires.
The questionnaires concentrate on credit union internal networks and services. In many cases, this oversight is not outsourced to third parties. Credit unions who internally managed networks and services should complete those questionnaires. This analysis can assist in the risk assessment process as discussed in the National Credit Union Administration Rules and Regulations, Part 748, Appendix A. Third-party providers could assist with questionnaires.
If you have any questions or concerns, please contact your NCUA Regional Office or State Supervisory Authority.
JoAnn M. Johnson