ALEXANDIA, Va.–NCUA should implement an enterprise-wide cloud computing strategy and develop and implement associated policies, procedures, and standards, according to a new report from the agency’s Office of Inspector General, which issued the report as part of a review of NCUA’s cloud computing services.
The OIG said it undertook the initiative to determine whether the NCUA was adequately addressing risk when contracting cloud computing services, and whether it was effectively managing operational and security risks of implemented cloud computing services.
“Our audit determined that the NCUA needs an enterprise-wide approach to cloud computing to effectively contract and manage cloud computing services. Additionally, the NCUA should align policies and procedures with the enterprise-wide approach,” the OIG report states. “Our audit also determined the NCUA implemented cloud computing services as the situation or business need occurred. This approach, we believe, has not allowed the NCUA to clearly address federal guidance, has created inconsistent processes, and allowed for decisions and implemented services to be made unsystematically.”
Two Recommendations Made
The report offers two recommendations for the agency:
First, finalize and implement a comprehensive formalized enterprise-wide cloud computing strategy that, at minimum, addresses the following:
- Alignment with federal guidance and directives such as Cloud Smart and Executive Order 14028
- Prioritization of the use of FedRAMP-authorized systems
- Identification of workforce requirements needed to support cloud procurement, implementation, and risk management
- Management of risks related to the use of cloud computing services such as secure cloud architecture, data governance, and incident management processes
Second, develop and implement policies, procedures, and standards that are consistent with the NCUA’s cloud computing strategy and address, at minimum, the following:
- Coordination, identification, and clarification of responsibilities and processes across all stakeholders for IT service contract reviews, service-level agreements alignment and monitoring, and cloud service incident management
- Specific criterion for the prioritization, selection, and use of cloud computing services
- Periodic review of contract clauses included for cloud computing services to confirm documentation supporting security requirements are clearly identified to the vendor and security and operational risks are appropriately managed.
In response, the agency said it expects to complete the first recommendation by year-end and the second by June 30, 2025.
Now With Free Shipping! The CUToday.info Daily News Email Keeps Getting Better!
The biggest, best and freshest news reporting in credit unions remains free, and now has an added bonus---free shipping to your email address! That’s right. Each morning CUToday.info delivers its daily Fresh Today news update offering the latest headlines and breaking news right to your email, with the easy-to-read headlines format allowing you to click on the stories that interest you most in order to learn more. So stop paying those bank-fee-like subscription prices from other so-called “news” publications!
If you haven’t yet signed up for the new email solution on which CUToday.info has partnered with ResponseGenius, you can do so here. Signing up requires less than one minute of your time—and it’s free!
Please note that after signing up you may need to go to your Spam/Junk folder and mark the morning headlines email as safe. CUToday.info does not provide its list of readers and emails to outside parties, and we will not be contacting you to sell you an extended warranty or sending you any links so you may cash in on an inheritance you didn’t know was coming.
And did we mention it’s free?