Understanding NCUA IT Requirements

How to bring your network and data into compliance with the National Credit Union Administration Regulation

Background

This document provides a brief overview of Part 748 of the National Credit Union Administration’s Security Program. Within 90 days of the effective date of insurance, it requires each federally insured credit union to develop a written security program. The program is designed to:

  • Protect each credit union office from robberies, burglaries, larcenies, and embezzlement;
  • Ensure the security and confidentiality of member records, protect against the anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member;
  • Respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member;
  • Assist in the identification of persons who commit or attempt such actions and crimes, and
  • Prevent destruction of vital records, as defined in 12 CFR part 749.

Key IT Requirements

The following table lists sections of the National Credit Union Administration’s Security Program. Where applicable, an explanation describes how Varonis solutions can help enforce that part of the security program. Each row is given as Requirement, Description (the regulation text), and Varonis Product/Feature.

Requirement: §748.1 Filing of reports

Description: (1) Reportable activity. Transaction for purposes of this paragraph means a deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, purchase or sale of any stock, bond, share certificate, or other monetary instrument or investment security, or any other payment, transfer, or delivery by, through, or to a financial institution, by whatever means effected. A credit union must report any known or suspected crime or any suspicious transaction related to money laundering or other illegal activity, for example, terrorism financing, loan fraud, or embezzlement, or a violation of the Bank Secrecy Act by sending a completed suspicious activity report (SAR) to the Financial Crimes Enforcement Network (FinCEN) in the following circumstances: (i) Insider abuse involving any amount. Whenever the credit union detects any known or suspected Federal criminal violations, or pattern of criminal violations, committed or attempted against the credit union or involving a transaction or transactions conducted through the credit union, where the credit union believes it was either an actual or potential victim of a criminal violation, or series of criminal violations, or that the credit union was used to facilitate a criminal transaction, and the credit union has a substantial basis for identifying one of the credit union’s officials, employees, or agents as having committed or aided in the commission of the criminal violation, regardless of the amount involved in the violation; (4) Notification to board of directors. (i) Generally. The management of the credit union must promptly notify its board of directors, or a committee designated by the board of directors to receive such notice, of any SAR filed. (c) Suspicious Activity Report. A credit union must file a report if it knows, suspects, or has reason to suspect that any crime or any suspicious transaction related to money laundering activity or a violation of the Bank Secrecy Act has occurred.

Varonis Product/Feature:

Reportable activity, insider activity: Tracking insider behavior across multiple platforms (e.g., email, financial files, etc.) can be complicated, especially when the necessary IT resources aren’t available. To prevent insider abuse, here are 6 tips to thwart insider threats:

1. Eliminate Global Access – Varonis DatAdvantage is able to identify which folders, SharePoint sites, mailboxes and other resources are globally accessible, and it also knows who has actually been accessing the data, so it can tell you exactly which users will be impacted if you were to remove global access.

2. Eliminate Excessive Permissions – enforce a strict least-privilege (or need-to-know) data security model.

3. Alert on changes in privileged groups – it is extremely helpful to set up alerts for additions or changes to those groups.

4. Alert on Behavioral Deviations – Creating profiles of normal behavior on a per-user basis helps build context. If you baseline each user’s normal activity, you can then alert when that activity spikes or they start behaving uncharacteristically.

5. Set up honeypots – create a honeypot – a shared folder with data that looks lucrative and is open to everyone and then watch and see what happens.

6. Monitor high-risk people and data – It’s very important to know where your crown jewels are, and that typically requires some sort of data classification technology, for instance our Data Classification Framework.
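Tips 3 and 4 above, alerting on privileged-group changes and baselining each user's daily activity, shown as an added Python example that is not part of this document or of any Varonis product; the "date,user,event,target" log format, the group names and the user activity are all constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed audit trail (hypothetical "date,user,event,target" lines, not a
# Varonis export): six ordinary days per user, then an abnormal day 7.
BASELINE_READS = {"alice": [3, 4, 2, 3, 5, 3], "bob": [5, 6, 5, 4, 6, 5]}
PRIVILEGED_GROUPS = {"Domain Admins", "Finance-Admins"}  # assumed group names

def make_sample_log():
    lines = []
    for user, counts in BASELINE_READS.items():
        for day, n in enumerate(counts, start=1):
            lines += [f"2024-03-{day:02d},{user},FILE_READ,fin{i}.xlsx" for i in range(n)]
    lines += [f"2024-03-07,alice,FILE_READ,fin{i}.xlsx" for i in range(40)]  # spike
    lines.append("2024-03-07,bob,FILE_READ,fin1.xlsx")
    lines.append("2024-03-07,carol,GROUP_MEMBER_ADDED,Domain Admins")  # tip 3 hit
    lines.append("2024-03-07,carol,GROUP_MEMBER_ADDED,Sales")          # not privileged
    return lines

def parse(lines):
    for line in lines:
        date, user, event, target = line.split(",", 3)
        yield date, user, event, target

def privileged_group_alerts(lines):
    """Tip 3: every addition to a privileged group is alert-worthy on its own."""
    return [(d, u, t) for d, u, e, t in parse(lines)
            if e == "GROUP_MEMBER_ADDED" and t in PRIVILEGED_GROUPS]

def behavioral_alerts(lines, k=3.0, min_days=3):
    """Tip 4: baseline each user's daily file reads and flag a day whose count
    exceeds mean + k*stdev of that user's other days (leave-one-out)."""
    daily = defaultdict(lambda: defaultdict(int))
    for d, u, e, _ in parse(lines):
        if e == "FILE_READ":
            daily[u][d] += 1
    alerts = []
    for user, per_day in daily.items():
        for day, count in per_day.items():
            others = [c for d2, c in per_day.items() if d2 != day]
            if len(others) < min_days:
                continue  # too little history to baseline this user yet
            mean = statistics.mean(others)
            spread = max(statistics.stdev(others), 1.0)  # floor: no zero-width band
            if count > mean + k * spread:
                alerts.append((day, user, count, round(mean, 1)))
    return alerts
```

The leave-one-out baseline keeps the abnormal day itself from inflating the user's own threshold, which is what lets a one-day spike stand out against a quiet history.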

Notification to board of directors and Suspicious Activity Report

DatAlert can be configured to send real-time alerts on a number of actions including the granting of administrative rights to a user or group. This allows the organization as well as the board of directors to detect, in real-time, when privileged access has been granted erroneously and act before abuse occurs.

Requirement: §748.2 Procedures for monitoring Bank Secrecy Act (BSA) compliance

Description: (c) Contents of compliance program. Such compliance program shall at a minimum: (1) Provide for a system of internal controls to assure ongoing compliance; (4) Provide training for appropriate personnel.

Varonis Product/Feature:

Internal controls for compliance: Use DatAdvantage to run reports to identify, prioritize, and remediate excessive access to sensitive, high-risk data. DataPrivilege helps define the policies and processes that govern who can access, and who can grant access to, unstructured data, and it also enforces the workflow and the desired action to be taken (i.e., allow, deny, allow for a certain time period). This has a two-fold effect on the consistent and broad communication of the access policy: it unites all of the responsible parties, including data owners, auditors, data users AND IT, around the same set of information, and it allows organizations to continually monitor the access framework in order to make changes and optimize both for Dodd-Frank and for continuous enforcement of warranted access. With DatAdvantage and DataPrivilege, compliance officers and auditors can receive regular reports of data use and access activity for privileged and protected information to ensure compliant use and safekeeping.

Provide training for appropriate personnel: Varonis staff are also avid learners and educators. Here are some of the educational opportunities we offer and provide:

  • Professional Services: ensures our customers can effectively use our products to fulfill all their use cases.
  • Varonis Blog: learn more about security, privacy, IT Operations and more on our blog. We post approximately 4-5 blog posts per week.
  • Office Hours: 1 free hour one-on-one live web session with your local
Requirement: Appendix A to Part 748, Guidelines for Safeguarding Member Information, III. Development and Implementation of Member Information Security Program, B. Assess Risk

Description: Each credit union should: 1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems; 2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of member information; and 3. Assess the sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks.

Varonis Product/Feature: Insider threats – see above.

Requirement: Appendix A to Part 748, III. C. Manage and Control Risk

Description: Each credit union should design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the credit union’s activities. Each credit union must consider whether the following security measures are appropriate for the credit union and, if so, adopt those measures the credit union concludes are appropriate: a. Access controls on member information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing member information to unauthorized individuals who may seek to obtain this information through fraudulent means; c. Encryption of electronic member information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access; d. Procedures designed to ensure that member information system modifications are consistent with the credit union’s information security program; e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to member information; f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems; g. Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies.

Varonis Product/Feature:

Identifying critical financial data: The Data Classification Framework incorporates content classification information produced by looking within files to find key finance-related words, phrases and patterns (i.e., regular expressions) that are of interest to the organization. The IDU Classification Framework also identifies the highest concentrations of sensitive data that are most at risk and provides a clear methodology to safely remediate that risk without manual effort.

Risk assessment: Varonis DatAdvantage identifies and prioritizes areas of risk by highlighting where sensitive information is located, overexposed and at risk, and where employees have oversubscribed access, and alerts on abnormal behavior and potential abuse.

Control environment: Varonis DatAdvantage also recommends the revocation of permissions to data for users who do not have a business need for the data; this ensures that user access to data is always warranted and driven by least privilege.

Information and communication: Varonis DatAdvantage provides data stewards with detailed reports, including: data use (i.e., every user’s every file-touch), user activity on sensitive data, permission changes that affect the access of a given file or folder, and a detailed record of permission revocations including the users and the data for which permissions were revoked.

Control activities: Varonis DataPrivilege is a web-based application that controls, monitors and administers a user’s requests for access to unstructured data (files, emails, SharePoint, etc.).

Monitoring: Varonis DatAdvantage monitors every user’s file touch and stores, in a searchable format, all aspects of data use for information stored on file servers and Network Attached Storage (NAS) devices.

Real-time alert: DatAlert can be configured to send real-time alerts on a number of actions, including the granting of administrative rights to a user or group. This allows the organization to detect, in real time, when privileged access has been granted erroneously and act before abuse occurs.

Attestations: DatAdvantage and DataPrivilege give the means to conduct a full, in-depth data entitlement review in which all user privileges to data are reported. They also provide reports of historical access rights to data sets, showing any trends toward overly permissive access.

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives?

Or contact sales at 877-292-8767