References & Resources

Examination

Examiner’s Guide

The Examiner's Guide sets out guidance for an examiner on the NCUA's examination and supervision of credit unions. The primary goal is to ensure the overall safety and soundness of the credit union system via a risk-focused examination and supervision program.

National Supervision Policy Manual

This manual provides the credit union system with a better understanding of the NCUA’s rules and policies, helping to reduce possible misunderstandings that may occur during the examination process.

Manuals and Guides

Manuals provide guidance to better comply with the NCUA’s Rules and Regulations and those from other agencies. The manuals and guides are not definitive and must be used in conjunction with other supervisory guidance and information provided by the NCUA and other federal financial services regulators.

AIRES IT Exam Questionnaires

The NCUA has updated its IT examination questionnaires to facilitate an increased risk-focused review of a credit union’s information technology environment.

Awareness

FFIEC Cybersecurity Awareness

The Federal Financial Institutions Examination Council (FFIEC) members are taking a number of initiatives to raise the awareness of financial institutions and their critical third-party service providers with respect to cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats. The Cybersecurity Awareness webpage provides resources to help management and directors of financial institutions to understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions.

Cybersecurity & Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) is the Nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. CISA builds the national capacity to defend against cyber-attacks and works with the federal government to provide cybersecurity tools, incident response services and assessment capabilities that support the essential operations of partner departments and agencies.

FBI Infragard

InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.

United States Computer Emergency Readiness Team (US-CERT)

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity – collaborative, agile, and responsive in a dynamic and complex environment.

Common Best Practices

NIST Special Publications

Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

NIST Cybersecurity Framework

The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

Center for Internet Security (CIS) Controls

The CIS is a community-driven nonprofit, responsible for the CIS Controls and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. CIS leads a global community of IT professionals to continuously evolve these standards and provides products and services to proactively safeguard against emerging threats. Its CIS Hardened Images provide secure, on-demand, scalable computing environments in the cloud.

ISO/IEC 27001 Information Security Management

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

COBIT An ISACA Framework

Over the years, best-practice frameworks have been developed and promoted to assist in the process of understanding, designing and implementing enterprise governance of information and technology (EGIT). COBIT 2019 builds on and integrates more than 25 years of development in this field, not only incorporating new insights from science, but also operationalizing these insights as practices. From its foundation in the IT audit community, COBIT has developed into a broader and more comprehensive information and technology (I&T) governance and management framework and continues to establish itself as a generally accepted framework for I&T governance.

Information Sharing

National Credit Union Information Sharing Analysis Organization (requires membership)

Following the signing of the Cybersecurity Information Sharing Act (CISA) into law, the National Credit Union ISAO was established in 2016 to address the unique needs of the nation’s Credit Unions, advancing cyber resilience through information sharing, education, operational guidance, and regulatory compliance.

Financial Services Information Sharing and Analysis Center (requires membership)

Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998's Presidential Directive 63. That directive - later updated by 2003's Homeland Security Presidential Directive 7 - mandated that the public and private sectors share information about physical and cybersecurity threats and vulnerabilities to help protect the U.S. critical infrastructure.

FBI’s Internet Crime Complaint Center (IC3)

The Internet Crime Complaint Center provides the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected internet-facilitated criminal activity and to develop effective alliances with law enforcement and industry partners. Information is analyzed and disseminated for investigative and intelligence purposes to law enforcement and for public awareness.

Additional Resources

CISA Good Security Habits (Security Tips ST04-03)

Conference of State Bank Supervisors: Ransomware self-assessment tool (R-SAT)

Department of Treasury: Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

FBI Field Offices/Regions

CISA’s Cyber Hygiene Services

Last modified on 10/28/21