Time for Transition: From ACET to InTREx-CU

Mark Arnold

The Transition from ACET to InTREx-CU for Credit Union Examinations

The National Credit Union Association (NCUA) Chairman Rodney Hood discussed changes to the credit union (CU) CyberSecurity and Technology examination program before Congress in early December 2019. Hood announced the adoption of the Information Technology Risk Examination (InTREx) solution to this end. InTREx is utilized by the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve System (FRS), and the State Liaison Committee members of the Federal Financial Institutions Examination Council (FFIEC). As of July 2020, changes in the NCUA cybersecurity priorities reflect a transition away from the Automated Cybersecurity Examination Tool (ACET) to InTREx-based examinations to measure the effectiveness of critical security controls.

Information Security Examination Program

The first phase of the adoption involves an InTREx pilot. The pilot will focus on statements and questions, examination procedures, and associated job aids. Furthermore, the InTREx-CU will encourage “examination harmonization” across the financial services sector. As a result, the InTREx-CU will help CUs identify gaps in security controls. Also, examiners and credit unions will be armed with tools to identify potential high-risk areas in security programs and address program deficiencies. Ultimately, the NCUA will join the rest of the financial sector by standardizing on a common cybersecurity examination framework. Experienced financial services risk assessors will be familiar with the InTREx audit process documentation that will now serve as the basis for CU cybersecurity examinations. The InTREx Program helps financial services organizations enhance identification, assessment, and validation of IT in financial institutions and address identified risks.

The 4 Core Analysis Sections of the InTREx

InTREx has four main Core Analysis sections (plus Information and Cybersecurity supplemental guides):

  • Audit
  • Management
  • Development and Acquisition
  • Support and Delivery

The new InTREx-CU proposal covers the requirements of the five ACET domains: Cyber Risk Management & Oversight (Audit, Support & Delivery), Threat Intelligence & Collaboration (Management), Cybersecurity Controls (Management, Support & Delivery), External Dependency Management (Management, Development & Acquisition), and Cyber Incident Management & Resilience (Management). 

Risk/Threat Profile Management

According to Hood, the InTREx-CU initiative will improve upon the collection of intel regarding hostile threat actors targeting CUs. As a result of this information, the NCUA hopes to gain insight into the tactics, techniques, and procedures (TTPs) of hostile actors and, in turn, improve the industry’s defensive posture. The CU threat landscape has changed due to financial services technological advances and a growing remote workforce. By understanding the diverse threats of nefarious adversaries, the NCUA hopes to curate a best-practice cybersecurity repository for credit unions. Other intended outcomes of the new initiatives are more prescriptive regulatory guidance and an information sharing and analysis function for CUs.

Cybersecurity & Technology

“Safe and sound” credit unions are a cybersecurity “priority” of the NCUA. To this end, Hood eyes the InTREx-CU as a critical cybersecurity CU initiative. The initiative helps CUs prepare for attacks and build resilience in their security programs as a result. The InTREx-CU represents the next phase towards this reality. Further alignment with the NIST National Initiative for Cybersecurity Education (NICE) Framework will spread security awareness across the broader CU space.

How Lares Can Help CUs Adopt InTREx-CU

Lares continues to stay informed of the cybersecurity initiatives proposed by Chairman Hood and the NCUA. The InTREx-CU will vastly improve the safety and resiliency of CUs. That is why we are supporting CUs adopting the new program updates. Across both program advisory and assessment (cloud, application, Red Team/Blue Team/Purple Team) practices, Lares’ services align with the new cybersecurity program initiatives underway at the NCUA. Further, our combined services use industry best practices (ISO, NIST, CIS, BSIMM) to build comprehensive security programs. By doing so, we help clients identify, manage, and mitigate risk. Most importantly, we can help CUs meet the new InTREx-CU standards.

Where There is Unity, There is Victory

[Ubi concordia, ibi victoria]

– Publius Syrus
