OIG: Weaknesses flagged in latest review of NCUA info security program, practices

An inadequate information technology inventory, inconsistency in risk reviews and more are flagged in a recent, independent audit of the National Credit Union Administration’s (NCUA) information security program and practices.

The agency’s Office of Inspector General (OIG) said it contracted with Sikich CPA LLC to perform this evaluation, which covered the period from Oct. 1, 2023, through July 9, 2024. The review was conducted from March through July of this year and resulted in nine recommendations for improvement, which agency management said it supported, the OIG stated.

In this review, the auditing firm focused on selected controls outlined by NIST that support the fiscal year 2024 IG Federal Information Security Modernization Act (FISMA) reporting metrics, examining a sample of four of the 63 NCUA-managed and third-party information systems in the agency’s system inventory as of Jan. 19 of this year.

“Although we concluded that the NCUA implemented an effective information security program overall, its implementation of a subset of selected controls was not fully effective. We identified seven new weaknesses that fell in the Risk Management, SCRM [supply chain risk management], Configuration Management, Identity and Access Management, Security Training, and Contingency Planning domains of the FY 2024 IG FISMA Reporting Metrics,” the firm stated.

The firm also noted several prior-year recommendations that remained outstanding.

National Credit Union Administration Federal Information Security Modernization Act of 2014 Audit – Fiscal Year 2024