The NCUA's 2023 Supervisory Priorities stated that "to strengthen the examination process for cybersecurity, the NCUA developed and tested updated Information Security Examination procedures tailored to institutions of varying size and complexity. Examiners will use these new procedures in 2023."
So, what exactly are these new Information Security Examination (ISE) procedures? How are they different from prior NCUA information security examination materials? Here are five things credit unions need to know about the ISE.
1. Not every credit union will get the same exam.
There are three levels of the ISE.
The Small Credit Union Examination Program (SCUEP) is designed for credit unions with less than $50 million in assets. This is the first exam program created by the NCUA that is tailor-made for small credit unions, and it focuses on compliance with 12 CFR Parts 748 and 749.
The CORE program is designed for credit unions with more than $50 million in assets. It encompasses and expands on the SCUEP to include best practices and recommendations on more complex topics.
The CORE+ program is a series of supplemental components and statements which can be used by an examiner "as needed." Their use will be determined by things like the credit union's activities and risk.
2. Each level is made up of several components.
Here is a list of the components, along with the levels in which they can be found.
Note: The "Cybersecurity Controls" component is not included in the CORE or CORE+ programs because the concepts introduced in that component are covered more thoroughly elsewhere in those levels. For example, instead of simply checking whether a credit union has anti-malware, as the SCUEP does, the CORE and CORE+ procedures include an entire component dedicated to anti-malware configuration and best practices.
3. Each component is made up of several statements.
This is similar to how the FFIEC Cybersecurity Assessment Tool (CAT) / NCUA Automated Cybersecurity Examination Tool (ACET) functions. Inside each component are several statements which explain what the examiner should… well, examine. Here is a tally of the statements at each level:
- SCUEP: 43 Statements
- CORE: 67 Statements
- CORE+: 284 Statements
This is significant because one of the NCUA's goals with the ISE was to create an examination program that is scalable and suitable for small credit unions. Compared with the ACET, which featured 123 baseline declarative statements and 494 total declarative statements, the SCUEP's 43 statements represent roughly a third of the ACET baseline, so the NCUA clearly succeeded in this regard.
4. The ISE may not be as different from the ACET as you'd think.
One of the questions we've received since the release of the new ISE program is: "How different is this from the ACET?" It is different, but not in the ways you might think.
The 2023 Supervisory Priorities state that the ACET "works in coordination with and will prepare you for an Information Security Examination." In fact, most of the SCUEP and CORE statements can be mapped back to the CAT declarative statements. Download our NCUA ISE Mapping here to see how.
5. The ISE is still different from the ACET.
While there is definite overlap between the two, there are some things the ISE CORE+ procedures address that the ACET does not. For example:
- Technology service providers and due diligence. While the ACET focused on third-party cybersecurity controls, the ISE CORE+ procedures dive deep into vendor management as a whole, much of which is defined by the NCUA's Supervisory Letter 07-01, Evaluating Third Party Relationships.
- Cybersecurity controls and configurations. While the CAT / ACET had a domain for cybersecurity controls, this is one area where the tool is beginning to show its age. The ISE CORE+ procedures include modern best practices on topics like anti-malware, IDS/IPS, web and email filtering, browser configurations, and remote access.
- Architecture, infrastructure, and operations (AIO) concepts. While the CAT / ACET was originally published in 2015, the FFIEC's AIO booklet was released in 2021. The NCUA's ISE CORE+ procedures echo some of the concepts addressed in the FFIEC's latest booklet, including software development; change and configuration management; file exchange and sharing; logging and monitoring; and vulnerability and patch management.
- Information security concepts. While the ACET addressed information security by nature of it being a cybersecurity assessment, the ISE CORE+ procedures are clear and direct on the importance of information security. With components dedicated to "Data Leakage Protection" and "Data Governance," the ISE procedures focus on the heart of why there is an information security examination in the first place.
While it may seem like the ISE is bigger and better than the ACET in every way, there is one topic addressed by the ACET that the ISE consistently leaves out: voluntary information sharing. While the ISE addresses reporting incidents to law enforcement, regulators, members, etc., the ACET says a great deal about information sharing (e.g., having policies for it, working with ISACs, etc.). The exact reason for the exclusion is unclear. Coordinating with information sharing groups such as FS-ISAC, NCU-ISAO, and CISA is still a practice encouraged by security practitioners and examiners, even if it does not appear in the exam.
Prepare for your credit union's next exam to use the Information Security Examination procedures. Based on our current understanding, the ISE will be handled in the NCUA's web-based examination platform, MERIT. MERIT offers credit unions a place to securely upload, track, and share examination documents with their examiners. If you have not used MERIT before, you can expect to receive communications from your examiner prior to your next exam.
If your credit union uses Tandem, one way to prepare for the new examination is to download our NCUA ISE Mapping. This mapping highlights areas in the Tandem governance, risk management, and compliance (GRC) products where items on the NCUA ISE are addressed. Learn more about how Tandem is helping credit unions improve their security and compliance practices at Tandem.App/Industries/Credit-Unions.
To learn more about the NCUA ISE, watch a recording of a webinar we hosted on March 7, 2023. Fill out the form and get immediate access to the session recording at https://go.tandem.app/ise-webinar/.