CUInfoSecurity.com - Information Security News, Regulations, & Education  

 

Evaluation of Government Information Security Reform Act (GISRA) - NCUA


NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL EVALUATION
GOVERNMENT INFORMATION SECURITY REFORM ACT

The Government Information Security Reform Act (GISRA), Public Law 106-398, requires Inspectors General (IG) to perform independent evaluations to:

• Assess compliance with GISRA and agency security policies and procedures; and
• Test effectiveness of information security control techniques for a subset of the agency’s information systems.

The Office of Management and Budget (OMB) has requested IGs to submit the results of their independent evaluation by responding specifically to questions 2 through 13 of OMB Memorandum M-01-24. The following presents our evaluation of the National Credit Union Administration’s (NCUA) compliance with GISRA.

The NCUA Office of Inspector General (OIG) has determined that NCUA is not yet in compliance with GISRA. The following represents the agency’s status toward compliance with key GISRA provisions as of August 2001:

• NCUA needs to develop an agency-wide security program. NCUA developed a draft security policy that will be incorporated in the security program. However, this policy has not been approved by the agency head or disseminated to personnel with key responsibilities.
• NCUA needs to perform formal risk assessments.
• NCUA program managers need to perform periodic management testing of controls and perform their annual program review as required by GISRA.
• For the reporting cycle, NCUA has provided some security training to personnel with significant security responsibilities, and security awareness training is provided to all employees on a 3-year cycle coinciding with equipment replacement. New examiners are provided with basic computer training, which includes security awareness. Contractors and new non-examiner personnel are not provided any security awareness training.
• NCUA needs to formalize an incident response program.
• NCUA’s Office of the Chief Information Officer (OCIO) needs to perform the annual security program review required by GISRA.
• NCUA has not yet determined the resources required to implement the security program and incorporate this program in the budget and strategic planning process.




Copyright © 2007 CUInfoSecurity.com