NCUA · Part 748 Program
A security program examiners can trace
Appendix A requires a written information security program that safeguards member information — board-involved, risk-based, tested, and adjusted. We build programs that do all four, visibly.
The requirement
What Appendix A actually demands
12 CFR Part 748, Appendix A implements the Gramm-Leach-Bliley safeguards for credit unions: identify reasonably foreseeable threats to member information, assess their likelihood and impact, implement controls commensurate with risk, train staff, test controls, oversee service providers, and keep the board engaged — with the program adjusted as the business and threat landscape change.
Appendix B adds the response-program expectation: when unauthorized access to member information occurs, you need a documented process for containment, investigation, member notification, and regulator communication.
Our approach
Risk-based, board-visible, actually operated
We build (or rebuild) the written program from a genuine risk assessment — not a template with your logo. Policies map to controls, controls map to evidence, and a compliance calendar keeps testing, training, vendor reviews, and board reporting on schedule. Delivered standalone or operated continuously through our vCISO and Resident Engineering models.
How it runs
The engagement
Delivered fixed-scope, or operated continuously through our vCISO and Resident Engineering models.
What you get
- Board-approved written information security program (Appendix A-aligned)
- Risk assessment with documented threat identification and control mapping
- Response program per Appendix B — containment through member notification
- Compliance calendar: testing, training, vendor review, and board-reporting cadence
- 01 Risk assessment (Weeks 1–3): Threats to member information identified and rated; existing controls mapped; gaps quantified.
- 02 Program build (Weeks 4–8): Policies and the written program drafted around your real environment, sized for your staffing.
- 03 Board adoption (Week 8+): Leadership briefing and board approval with minutes — the governance evidence examiners look for first.
- 04 Operate & adjust (Ongoing): The calendar runs: testing, training, vendor reviews, and annual program adjustment, all evidenced.
Your next exam is already on the calendar.
A 45-minute conversation tells you where you stand — and what to fix first.