Four New Regulatory Frameworks in GRID Active Governance Program

Tuesday, August 23rd, 2022


Within our DefenseStorm Governance Program, our clients can systematically collect evidence from across the platform to document adherence to regulatory frameworks and self-assessments.

DefenseStorm’s platform is built for banking. As such, we are committed to keeping pace with changing industry best practices and regulatory expectations that are uniquely relevant to financial institutions. Within the GRID Active Governance Program, clients can systematically collect evidence from across the platform to document adherence to regulatory frameworks and self-assessments. Using self-assessments and frameworks can help guide program design and help gauge your program’s maturity. As standards and expectations change, we will continue to update our library so that our clients maintain a stance of readiness.

DefenseStorm has added four new regulatory frameworks to our Governance Program product (formerly Active Compliance) within the GRID Active platform: the three tiers of the NCUA’s new Information Security Examination (ISE) procedures, and the Cybersecurity and Infrastructure Security Agency’s Ransomware Readiness Assessment (CISA RRA).

In late January 2023, the NCUA announced that it would begin using its new Information Security Examination (ISE) procedures in the coming year. The NCUA believes these new procedures will better enable examiners to tailor the examination to the asset size and complexity of the financial institution, standardize the examination of information security and cybersecurity programs, and improve their ability to identify control deficiencies and trends at the industry level. The ISE has three tiers:

  • Small Credit Union Examination Program (SCUEP) statements: for credit unions with assets of $50 million and below
  • Core statements: for credit unions with assets greater than $50 million
  • Core+ statements: optional examination elements that specialists may reference based on risk

In the GRID Active Governance Program, a credit union will find each ISE tier as a separate framework. The NCUA released the Core+ tier together with the Basic and Intermediate tiers of CISA’s Ransomware Readiness Assessment, which can be accessed as part of the Core+ framework within the Governance Program.

The Cybersecurity & Infrastructure Security Agency (CISA)’s Ransomware Readiness Assessment (RRA) allows institutions to better assess how well they are equipped to defend against and recover from a ransomware incident. The model encourages ransomware readiness in three stages: the practices are intended to be implemented one tier at a time, starting at Basic and working towards Advanced.

A bank or other financial institution will be able to access all three tiers of CISA’s RRA – basic, intermediate, and advanced – in the Governance Program as a standalone framework.

All Frameworks in the GRID Active platform are mapped to the Governance Program Task Schedule Library. By leveraging the library to build out Task Schedules, our clients benefit from pre-built mappings that enable systematic evidence collection against our entire library of Frameworks. Check our libraries out today to start collecting evidence against the ISE, CISA RRA, NIST, CIS Controls, and more.

Jessica Caballero

Senior Product Manager - Compliance

Jessica Caballero, Senior Product Manager, Compliance and Risk, CERP, CRCM. Jessica was an examiner for the Office of the Comptroller of the Currency (OCC). After leaving the agency, she worked as both a banker and a consultant focused mainly on compliance and risk management. Since 2015, Jessica has applied her subject matter expertise to the creation of technology solutions that solve critical problems for financial institutions. At DefenseStorm, she leads product decisions specific to compliance and risk as a Senior Product Manager. Jessica earned her bachelor’s degree in business economics from Texas State University and achieved the Certified Enterprise Risk Professional (CERP) and Certified Regulatory Compliance Manager (CRCM) designations from the American Bankers Association (ABA).