NATIONAL CREDIT UNION ADMINISTRATION FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 AUDIT - FISCAL YEAR 2024

View Report

Date Issued

Thursday, September 12, 2024

Submitting OIG

National Credit Union Administration OIG

Other Participating OIGs

National Credit Union Administration OIG

Agencies Reviewed/Investigated

National Credit Union Administration

Report Number

OIG-24-08

Report Description

This report summarizes the results of Sikich’s independent evaluation and contains nine new recommendations that will assist the agency in improving the effectiveness of its information security and its privacy programs and practices. NCUA management concurred with and hasidentified corrective actions to address the recommendations.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Additional Details

https://ncua.gov/files/audit-reports/oig-audit-compliance-fisma-2024.pdf

Open Recommendations

This report has 9 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1.OIG-24-08Recommendation	No	$0	$0
Conduct refresher training for the PCs regarding documenting and maintaining asset management system records in accordance with NCUA policy and procedures.
2.OIG-24-08Recommendation	No	$0	$0
Update the accountable property policy to implement a process for the PMO to complete a periodic review of the IT asset inventory to validate that the inventory is documented and maintained in accordance with NCUA policy and procedures.
3.OIG-24-08Recommendation	No	$0	$0
Complete the PRISM risk assessment review on an annual basis and document the results.
4.OIG-24-08Recommendation	No	$0	$0
Ensure that the annual risk assessment reviews for all third-party NCUA services are completed.
5.OIG-24-08Recommendation	No	$0	$0
Document and implement a process to track and complete supply chain risk assessments for all third-party systems and service providers.
6.OIG-24-08Recommendation	No	$0	$0
Implement improved processes for leveraging dashboards in order to monitor and manage patch compliance and remediation of vulnerabilities including the tracking of approved and unapproved software.
7.OIG-24-08Recommendation	No	$0	$0
Complete the 2024 backlog of overdue reinvestigations.
8.OIG-24-08Recommendation	No	$0	$0
Document and implement a process for notifying OHR to add the initial role-based security training requirement to the learning profile in the learning management system for new hires requiring the training
9.OIG-24-08Recommendation	No	$0	$0
Complete implementation of the new alternate processing and storage site to a fully operational state.