Does the NCUA require penetration testing

Kyle Bork Best Practice, Education Best Practice, Education

Does the NCUA Require Penetration Testing?

The National Credit Union Administration or “NCUA” was established to “provide, through regulation and supervision, a safe and sound credit union system, which promotes confidence in the national system of cooperative credit.” As one could imagine, IT infrastructure and the information security program is one of the critical pillars that are required to be audited.

The short answer is NO, the NCUA does not require penetration testing, however, they do explicitly state:

“Credit unions are required by NCUA’s Rules and Regulations Part 748 to implement an information-security program and a vulnerability-management process. A vulnerability management process is essential to ensuring that every credit union is able to identify, manage and control for information security risks.“

They go on to state that the credit union can complete the scanning themselves or have a third-party complete the scanning, however, they come just short of stating that a penetration test is required:

However, vulnerability scanning is simply the first phase of the vulnerability-management process—it is not the end all, be all. A well-defined vulnerability-management process means that credit unions should be continuously evaluating the risks associated with their IT assets and make the investments necessary to ensure their systems are protected as security risks evolve.

As we have discussed in the past, while a vulnerability scan is a great start, it will not identify all of the risks to your organization. We highly recommend that an annual penetration test be a part of your institution’s information security program. Additionally, as a credit union, your NCUA Examiner may require that you undertake a penetration test in order to validate the effectiveness of your security controls. It would behoove you to have this already completed and provide the results, rather than having to scramble to complete one for an audit. Have a question on penetration testing? Feel free to contact us today and we would be happy to assist.

Kyle Bork

Kyle is the Principal Account Manager at Triaxiom Security. He has a background in technical project management and customer service. Kyle has a BA in finance from the University of North Carolina at Wilmington.

[data-tf-src]{opacity:0;}.tf_svg_lazy{content-visibility:auto;opacity:1;background-size:100% 25% !important;background-repeat:no-repeat !important;background-position:0 0,0 33.4%,0 66.6%,0 100% !important;transition:filter .3s linear !important;filter:blur(25px) !important;transform:translateZ(0);}.tf_svg_lazy_loaded{filter:blur(0) !important;}[data-lazy]:is(.module,.module_row:not(.tb_first)),.module[data-lazy] .ui,.module_row[data-lazy]:not(.tb_first):is(>.row_inner,.module_column[data-lazy],.module_subrow[data-lazy]){background-image:none !important;}[data-lazy]:is(.module.nitro-lazy,.module_row:not(.tb_first)).nitro-lazy,.module[data-lazy] .ui.nitro-lazy,.module_row[data-lazy]:not(.tb_first):is(>.row_inner.nitro-lazy,.module_column[data-lazy].nitro-lazy,.module_subrow[data-lazy]).nitro-lazy{background-image:none !important;}img{max-width:100%;height:auto;}:where(.tf_in_flx,.tf_flx){display:inline-flex;flex-wrap:wrap;place-items:center;}.tf_fa,:is(em,i) tf-lottie{display:inline-block;vertical-align:middle;}:is(em,i) tf-lottie{width:1.5em;height:1.5em;}.tf_fa{width:1em;height:1em;stroke-width:0;stroke:currentColor;overflow:visible;fill:currentColor;pointer-events:none;text-rendering:optimizeSpeed;buffered-rendering:static;}#tf_svg symbol{overflow:visible;}:where(.tf_lazy){position:relative;visibility:visible;display:block;opacity:.3;}.wow .tf_lazy:not(.tf_swiper-slide){visibility:hidden;opacity:1;}div.tf_audio_lazy audio{visibility:hidden;height:0;display:inline;}.mejs-container{visibility:visible;}.tf_iframe_lazy{transition:opacity .3s ease-in-out;min-height:10px;}:where(.tf_flx),.tf_swiper-wrapper{display:flex;}.tf_swiper-slide{flex-shrink:0;opacity:0;width:100%;height:100%;}.tf_swiper-wrapper{content-visibility:auto;}.tf_swiper-wrapper>br,.tf_lazy.tf_swiper-wrapper .tf_lazy:after,.tf_lazy.tf_swiper-wrapper .tf_lazy:before{display:none;}.tf_lazy:after,.tf_lazy:before{content:"";display:inline-block;position:absolute;width:10px !important;height:10px !important;margin:0 3px;top:50% !important;inset-inline:auto 50% !important;border-radius:100%;background-color:currentColor;visibility:visible;animation:tf-hrz-loader infinite .75s cubic-bezier(.2,.68,.18,1.08);}.tf_lazy:after{width:6px !important;height:6px !important;inset-inline:50% auto !important;margin-top:3px;animation-delay:-.4s;}@keyframes tf-hrz-loader{0%,100%{transform:scale(1);opacity:1;}50%{transform:scale(.1);opacity:.6;}}.tf_lazy_lightbox{position:fixed;background:rgba(11,11,11,.8);color:#ccc;top:0;left:0;display:flex;align-items:center;justify-content:center;z-index:999;}.tf_lazy_lightbox .tf_lazy:after,.tf_lazy_lightbox .tf_lazy:before{background:#fff;}.tf_vd_lazy,tf-lottie{display:flex;flex-wrap:wrap;}tf-lottie{aspect-ratio:1.777;}.tf_w.tf_vd_lazy video{width:100%;height:auto;position:static;object-fit:cover;}body{--wp--preset--color--black:#000;--wp--preset--color--cyan-bluish-gray:#abb8c3;--wp--preset--color--white:#fff;--wp--preset--color--pale-pink:#f78da7;--wp--preset--color--vivid-red:#cf2e2e;--wp--preset--color--luminous-vivid-orange:#ff6900;--wp--preset--color--luminous-vivid-amber:#fcb900;--wp--preset--color--light-green-cyan:#7bdcb5;--wp--preset--color--vivid-green-cyan:#00d084;--wp--preset--color--pale-cyan-blue:#8ed1fc;--wp--preset--color--vivid-cyan-blue:#0693e3;--wp--preset--color--vivid-purple:#9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple:linear-gradient(135deg,rgba(6,147,227,1) 0%,#9b51e0 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan:linear-gradient(135deg,#7adcb4 0%,#00d082 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange:linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red:linear-gradient(135deg,rgba(255,105,0,1) 0%,#cf2e2e 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray:linear-gradient(135deg,#eee 0%,#a9b8c3 100%);--wp--preset--gradient--cool-to-warm-spectrum:linear-gradient(135deg,#4aeadc 0%,#9778d1 20%,#cf2aba 40%,#ee2c82 60%,#fb6962 80%,#fef84c 100%);--wp--preset--gradient--blush-light-purple:linear-gradient(135deg,#ffceec 0%,#9896f0 100%);--wp--preset--gradient--blush-bordeaux:linear-gradient(135deg,#fecda5 0%,#fe2d2d 50%,#6b003e 100%);--wp--preset--gradient--luminous-dusk:linear-gradient(135deg,#ffcb70 0%,#c751c0 50%,#4158d0 100%);--wp--preset--gradient--pale-ocean:linear-gradient(135deg,#fff5cb 0%,#b6e3d4 50%,#33a7b5 100%);--wp--preset--gradient--electric-grass:linear-gradient(135deg,#caf880 0%,#71ce7e 100%);--wp--preset--gradient--midnight:linear-gradient(135deg,#020381 0%,#2874fc 100%);--wp--preset--font-size--small:13px;--wp--preset--font-size--medium:20px;--wp--preset--font-size--large:36px;--wp--preset--font-size--x-large:42px;--wp--preset--spacing--20:.44rem;--wp--preset--spacing--30:.67rem;--wp--preset--spacing--40:1rem;--wp--preset--spacing--50:1.5rem;--wp--preset--spacing--60:2.25rem;--wp--preset--spacing--70:3.38rem;--wp--preset--spacing--80:5.06rem;--wp--preset--shadow--natural:6px 6px 9px rgba(0,0,0,.2);--wp--preset--shadow--deep:12px 12px 50px rgba(0,0,0,.4);--wp--preset--shadow--sharp:6px 6px 0px rgba(0,0,0,.2);--wp--preset--shadow--outlined:6px 6px 0px -3px rgba(255,255,255,1),6px 6px rgba(0,0,0,1);--wp--preset--shadow--crisp:6px 6px 0px rgba(0,0,0,1);}body{margin:0;}.wp-site-blocks > .alignleft{float:left;margin-right:2em;}.wp-site-blocks > .alignright{float:right;margin-left:2em;}.wp-site-blocks > .aligncenter{justify-content:center;margin-left:auto;margin-right:auto;}:where(.wp-site-blocks) > *{margin-block-start:24px;margin-block-end:0;}:where(.wp-site-blocks) > :first-child:first-child{margin-block-start:0;}:where(.wp-site-blocks) > :last-child:last-child{margin-block-end:0;}body{--wp--style--block-gap:24px;}:where(body .is-layout-flow) > :first-child:first-child{margin-block-start:0;}:where(body .is-layout-flow) > :last-child:last-child{margin-block-end:0;}:where(body .is-layout-flow) > *{margin-block-start:24px;margin-block-end:0;}:where(body .is-layout-constrained) > :first-child:first-child{margin-block-start:0;}:where(body .is-layout-constrained) > :last-child:last-child{margin-block-end:0;}:where(body .is-layout-constrained) > *{margin-block-start:24px;margin-block-end:0;}:where(body .is-layout-flex){gap:24px;}:where(body .is-layout-grid){gap:24px;}body .is-layout-flow > .alignleft{float:left;margin-inline-start:0;margin-inline-end:2em;}body .is-layout-flow > .alignright{float:right;margin-inline-start:2em;margin-inline-end:0;}body .is-layout-flow > .aligncenter{margin-left:auto !important;margin-right:auto !important;}body .is-layout-constrained > .alignleft{float:left;margin-inline-start:0;margin-inline-end:2em;}body .is-layout-constrained > .alignright{float:right;margin-inline-start:2em;margin-inline-end:0;}body .is-layout-constrained > .aligncenter{margin-left:auto !important;margin-right:auto !important;}body .is-layout-constrained > :where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width:var(--wp--style--global--content-size);margin-left:auto !important;margin-right:auto !important;}body .is-layout-constrained > .alignwide{max-width:var(--wp--style--global--wide-size);}body .is-layout-flex{display:flex;}body .is-layout-flex{flex-wrap:wrap;align-items:center;}body .is-layout-flex > *{margin:0;}body .is-layout-grid{display:grid;}body .is-layout-grid > *{margin:0;}body{padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}a:where(:not(.wp-element-button)){text-decoration:underline;}.wp-element-button,.wp-block-button__link{background-color:#32373c;border-width:0;color:#fff;font-family:inherit;font-size:inherit;line-height:inherit;padding:calc(.667em + 2px) calc(1.333em + 2px);text-decoration:none;}.has-black-color{color:var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color:var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color:var(--wp--preset--color--white) !important;}.has-pale-pink-color{color:var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color:var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color:var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color:var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color:var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color:var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color:var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color:var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color:var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color:var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color:var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color:var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color:var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color:var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color:var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color:var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color:var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color:var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color:var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color:var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color:var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color:var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color:var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color:var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color:var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color:var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color:var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color:var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color:var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color:var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color:var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color:var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color:var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background:var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background:var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background:var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background:var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background:var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background:var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background:var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background:var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background:var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background:var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background:var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background:var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size:var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size:var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size:var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size:var(--wp--preset--font-size--x-large) !important;}.wp-block-navigation a:where(:not(.wp-element-button)){color:inherit;}.wp-block-pullquote{font-size:1.5em;line-height:1.6;}