The basics of vulnerability management from the NCUA

Credit unions are required by NCUA’s Rules and Regulations Part 748 to implement an information-security program and a vulnerability-management process. A vulnerability management process is essential to ensuring that every credit union is able to identify, manage, and control information security risks.

First, let’s define some of the key terms that are associated with vulnerability management. The International Organization for Standardization defines a vulnerability as a weakness of an information technology asset or group of assets that can be exploited by one or more threats. Vulnerability management is the process in which IT vulnerabilities are identified and assessed. The assessment of the vulnerabilities leads to the correction of these vulnerabilities by either removing them or accepting the risk. The ability to fully understand and identify an institution’s technology assets and connections are critical to a successful vulnerability-management process.

Regular vulnerability scans are needed to identify any potential IT vulnerabilities. Credit unions can either scan for vulnerabilities themselves or hire a third-party vendor to conduct the scans. These scans must be done by qualified individuals because it involves an intricate knowledge of the infrastructure, components, and network design of the credit union. Scanning should be done on both internal- and external-facing IT assets.

However, vulnerability scanning is simply the first phase of the vulnerability-management process—it is not the end all, be all. A well-defined vulnerability-management process means that credit unions should be continuously evaluating the risks associated with their IT assets and make the investments necessary to ensure their systems are protected as security risks evolve.

There are a number of IT security frameworks available to help credit unions develop and manage their own vulnerability-management program. The SANS Institute outlines five phases of the vulnerability-management process. Other security frameworks are also available from the National Institute of Standards and Technology, the International Organization for Standardization, and the International Electrotechnical Commission.

For more information, click here.