ALEXANDRIA, Va.–NCUA’s Office of Inspector General has made two recommendations it said would improve the effectiveness of the agency’s information security and privacy programs and practices.
The recommendations were included in a new audit report compiled by the audit firm CliftonLarsonAllen to help NCUA IT’s office assess its compliance with the Federal Information Security Modernization Act of 2014 (FISMA) and the agency’s information security and privacy policies and procedures.
“We concluded that the NCUA has, for the most part, formalized and documented its policies, procedures, and strategies; however, the NCUA faces certain challenges in the consistent implementation of its information security program and practices,” the report states.
Among the areas where improvements can be made, according to the report, are effective controls related to training, incident response, and contingency planning.
It also identified weaknesses in three of the eight domains of the FY 2020 IG FISMA Reporting Metrics related to risk management, configuration management, and identity and access management.
Other Recommendations
“These control weaknesses affect the NCUA’s ability to preserve the confidentiality, integrity, and availability of the agency’s information and information systems, potentially exposing them to unauthorized access, use, disclosure, disruption, modification, or destruction,” the report states.
CliftonLarsonAllen recommended focusing on ensuring system accounts for separated employees and contractors are disabled within the time frame established by agency policy.
The report states NCUA has concurred and set a target of Dec. 31, 2021, for completing these steps. The report also noted that nine of the 21 prior FISMA open recommendations (detailed here last year) related to the NCUA’s security program and practices remain open.
