CU Assured FAQs

Q:  How does CU Assured access my credit union’s IT environment?

A:  We will consult with you to review your size, number of IT assets, and IT environment to recommend one of our two monitoring forms with CU Assured: Federated or Multitenant.

Federated – A CU Assured All-in-One (AIO) is installed at the credit union’s main office. The AIO collects logs and events from servers, PCs, switches, routers, firewalls, applications, and correlates the data looking for Indicators of Compromise (IoC).  The credit union accesses the CU Assured dashboard to monitor and address threats. The AIO also sends alerts to the CU Assured Team who monitors and analyzes events. When required, the CU Assured Team notifies the credit union concerning IoC and is available to help.

Multitenant – Sensors are installed at the credit union’s locations. These sensors collect logs and events from servers, PCs, switches, routers, firewalls, applications, and forwards all events to a CU Assured All-in-One (AIO) located at a PCI compliant Operation Center for correlation and analysis by the CU Assured Team. When required, the CU Assured Team notifies the credit union concerning IoC and is available to help.  The credit union accesses the CU Assured dashboard to monitor and address threats.

Q:  What is the definition of an asset on the credit union’s IT environment?

A:  An asset is one IP address under your environment. All assets are monitored  by  CU Assured.

Q:  Do I have to give you a list of all my IT assets before launch?

A:  We will scan your environment to determine the assets in your environment.

Q:  How does CU Assured work with my current security software?

A:  Logs are forwarded to the CU Assured AIO or Sensor.  A current list of products with prebuilt plugins can be found here:

Q:  Can I demo CU Assured for testing or demo?

A:  Yes. Please contact your Business Development Consultant or CUACG Auditor.


Q: Is my credit union required to have a Cyber Security program in place?

A:  NCUA Guidelines under Reg 748A require each credit union to “Implement a comprehensive written information security program that includes administrative, technical, and physical safeguards.” In addition, the program needs to be assessed on a regular/required basis and adjusted accordingly based on the results of the assessments.

Q:  How will my staff know how to implement these measures?

A:  PIVOT offers an education component to train all employees using the most up-to-date best practices for handling current threats and compliance requirements.

Q:  We must respond to an examiner in the next 30 days. Can PIVOT help?

A:  Yes. PIVOT’s services are provided based on your needs and time frames both pre-exam and post-exam.

Q:  How should our credit union begin assessing our needs?

A:  PIVOT has created a Road to Successful Information Security Methodology.

  1. The first step is to “Look.” You should do a business assessment to identify critical information assets and internal and external threats and should perform a vulnerability assessment to evaluate risks.
  2. The second step is “Plan” or create a strategy based on those assessments.
  3. The third step is “Act.” PIVOT Group works with your team and your roadmap from the above steps to maintain a safe environment and meet regulatory compliance at your credit union.
  4. The final step is “Repeat.” Information Security is a process requiring continual assessments and improvements.

Q:  How often is vulnerability, penetration and phishing testing done?

A:  It depends on the size of the credit union, the complexity and sophistication of the IT infrastructure, and if the credit union has experienced any material changes or data compromise. A baseline line requirement for smaller credit unions is they should be performed at least once a year. For the medium to the largest credit unions they are performed quarterly, monthly, and sometimes weekly depending on the results of their Risk Assessments.