Small banks and credit unions can easily meet some of the NCUA (National Credit Union Administration) cybersecurity requirements for log monitoring, detection, response and mitigation with the help of Blumira’s platform.
For credit unions to get started with cybersecurity compliance, they should first understand a few key terms.
The NCUA is a government-backed insurer of credit unions, created to regulate and supervise federal credit unions. The NCUA helps protect the credit union system by identifying, monitoring and reducing risks to the National Credit Union Share Insurance Fund. Part 748 of the Code of Federal Regulations outlines a number of items that each federally insured credit union should do as part of its security program.
Some of those include ensuring the security and confidentiality of member records; protecting against unauthorized access to or use of records that could result in harm; responding to these incidents; preventing the destruction of vital records and more – see the full list on NCUA’s Cybersecurity Regulations and Guidance.
The NCUA aligns closely with the FFIEC (Federal Financial Institutions Examination Council), which is a government body that aims to provide uniformity for supervising financial institutions. The FFIEC is composed of five banking regulators, one of which is the NCUA.
The NCUA’s ACET (Automated Cybersecurity Evaluation Toolbox) application enables credit unions to conduct a maturity assessment aligned with the FFIEC’s Cybersecurity Assessment Tool. This can help financial institutions determine and measure their own cybersecurity preparedness over time, according to NCUA.
Below is an image of the FFIEC’s five domains they use to assess an organization’s preparedness.
The FFIEC’s Cybersecurity Assessment Tool in the form of a PDF may be easier to use and doesn’t require downloading or installation. A few key components of the domains above include:
Domain 3: Cybersecurity Controls – Event Detection
Domain 5: Cyber Incident Management and Resilience – Detection, Response and Mitigation
One of the NCUA’s recommendations is to use a SIEM (security information and event management) system to provide a central logging repository of all network and host activities to enable timely and effective log analysis, as “log files are critical to the successful investigation and prosecution of security incidents” according to the FFIEC’s IT Examination Handbook on Information Security (PDF).
A more up-to-date FFIEC booklet named “Architecture, Infrastructure, and Operations” focuses on business structure, IT infrastructure and service delivery for customers. Its guideline V1.B.7 for Log Management under V1.B IT Operational Processes can be summarized as:
However, managing and getting value out of a typical SIEM is no small task and often out of reach of smaller banks and credit unions with limited resources or security expertise and personnel. The FFIEC outlines some of the log management challenges, including:
Getting all of these components right while tuning a typical SIEM for noisy false positives can require experienced security analysts. It can also take months to get fully operational and ongoing maintenance. Small banks and credit unions may turn to managed service providers to help.
Managed service providers (MSPs) may be popular choices for smaller banks and credit unions to leverage to manage their IT and security functions. Not only are credit unions responsible for meeting all required regulations, but they must ensure the MSPs they work with meet the regulations as well, as outlined in the NCUA’s statement about working with service providers:
Credit union officials are responsible for planning, directing, and controlling the credit union’s affairs. To fulfill these duties, the officials should require a due diligence review prior to entering into any arrangement with a third party. Each credit union should:
- Exercise appropriate due diligence in selecting its service providers;
- Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines; and
- Where indicated by the credit union’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations
If you use an MSP and need an affordable solution that also satisfies these NCUA requirements, introduce us via email using msp@blumira.com or have your MSP get started at blumira.com/msp.
The FFIEC states “because logs can be large and difficult to analyze by humans, management should consider using tools to automate log analysis and extract important events or patterns. Automated tools can help identify anomalies and automatically alert management to potential issues or events.”
Blumira is made for smaller IT teams with limited security resources. By collecting, centralizing, and analyzing logs, Blumira helps smaller banks and credit unions with NCUA and FFIEC cybersecurity regulations, while providing guidance and support for threat response:
The FFIEC also states, “Management should implement controls to protect logs to preserve their integrity and prevent log information from being misused.”
Blumira protects log data both in transit and at rest to ensure attackers cannot gain access to log archives to read, and our platform maintains raw log data while tracking and identifying log messages to ensure data integrity and validation. We also validate incoming logs haven’t been tampered with and alert customers if any audit logs are cleared.
Learn more about how Blumira helps financial services companies and with FFIEC compliance.
SMBs and organizations of all sizes can sign up for the Blumira Free SIEM edition to get:
