The National Credit Union Administration, or “NCUA,” was established to “provide, through regulation and supervision, a safe and sound credit union system, which promotes confidence in the national system of cooperative credit.” As one might expect, IT infrastructure and the information security program are among the critical pillars that are required to be audited.
The short answer is NO, the NCUA does not require penetration testing; however, it does explicitly state:
“Credit unions are required by NCUA’s Rules and Regulations Part 748 to implement an information-security program and a vulnerability-management process. A vulnerability management process is essential to ensuring that every credit union is able to identify, manage and control for information security risks.”
They go on to state that the credit union can complete the scanning itself or have a third party complete the scanning; however, they stop just short of stating that a penetration test is required:
“However, vulnerability scanning is simply the first phase of the vulnerability-management process—it is not the end all, be all. A well-defined vulnerability-management process means that credit unions should be continuously evaluating the risks associated with their IT assets and make the investments necessary to ensure their systems are protected as security risks evolve.”
As we have discussed in the past, while a vulnerability scan is a great start, it will not identify all of the risks to your organization. We highly recommend that an annual penetration test be part of your institution’s information security program. Additionally, as a credit union, your NCUA examiner may require that you undertake a penetration test to validate the effectiveness of your security controls. It would behoove you to have this already completed and to be able to provide the results, rather than having to scramble to complete one for an audit. Have a question on penetration testing? Feel free to contact us today and we would be happy to assist.