Principle Security

NCUA · Part 748 Program

A security program examiners can trace

Appendix A requires a written information security program that safeguards member information — board-involved, risk-based, tested, and adjusted. We build programs that do all four, visibly.

The requirement

What Appendix A actually demands

12 CFR Part 748, Appendix A implements the Gramm-Leach-Bliley safeguards for credit unions: identify reasonably foreseeable threats to member information, assess their likelihood and impact, implement controls commensurate with risk, train staff, test controls, oversee service providers, and keep the board engaged — with the program adjusted as the business and threat landscape change.

Appendix B adds the response-program expectation: when unauthorized access to member information occurs, you need a documented process for containment, investigation, member notification, and regulator communication.

Our approach

Risk-based, board-visible, actually operated

We build (or rebuild) the written program from a genuine risk assessment — not a template with your logo. Policies map to controls, controls map to evidence, and a compliance calendar keeps testing, training, vendor reviews, and board reporting on schedule. Delivered standalone or operated continuously through our vCISO and Resident Engineering models.

How it runs

The engagement

Delivered fixed-scope, or operated continuously through our vCISO and Resident Engineering models.

What you get

  • Board-approved written information security program (Appendix A-aligned)
  • Risk assessment with documented threat identification and control mapping
  • Response program per Appendix B — containment through member notification
  • Compliance calendar: testing, training, vendor review, and board-reporting cadence

  1. Risk assessment (Weeks 1–3): Threats to member information identified and rated; existing controls mapped; gaps quantified.
  2. Program build (Weeks 4–8): Policies and the written program drafted around your real environment, sized for your staffing.
  3. Board adoption (Week 8+): Leadership briefing and board approval with minutes — the governance evidence examiners look for first.
  4. Operate & adjust (Ongoing): The calendar runs: testing, training, vendor reviews, and annual program adjustment, all evidenced.

Your next exam is already on the calendar.

A 45-minute conversation tells you where you stand — and what to fix first.