The NCUA's Inspector General recommended ways the agency could improve its security policies and controls regarding agency-issued mobile devices, such as iPhones, to enhance the protection of its data and resources.
“We determined that the controls associated with managing and securing personal mobile devices operating within the NCUA environment did not provide adequate protections over NCUA information, data and resources,” the IG's audit of the NCUA's mobile device security controls said.
The IG's full report is now available.
“Based on the significant security risks associated with this practice, the OIG issued a management letter to the NCUA Office of the Executive Director in November 2014 recommending the agency cease this practice immediately,” the report read. “In response, the agency did immediately prohibit this practice and also disconnected this service.”
Since April 2012, the NCUA had been issuing agency-owned iPhones, which could access the agency's Exchange server, to employees and contractors.
Despite the ban on personal mobile devices accessing the NCUA's servers, the IG found that the NCUA's System Security Plan did not adequately address the mobile device security controls called for in National Institute of Standards and Technology policy and procedure publications and in Office of Management and Budget policy.
“NIST controls require agencies to: (1) enforce a limit of consecutive invalid logon attempts by a user during a specified period; and (2) automatically (a) lock the account for a specified period; (b) lock the account until released by an administrator; or (c) delay the next logon prompt when the maximum number of unsuccessful attempts is exceeded,” the audit report said. “NCUA's SSP includes the policy to lock NCUA mobile devices after [redacted] consecutive invalid logon attempts. In addition, NCUA implements this security control via its MobileIron MDM solution.”
In response to the audit, NCUA Executive Director Mark Treichel said the Office of the Chief Information Officer will update the SSP to incorporate all applicable existing security policies, controls and configuration settings as well as the improvements outlined in the report. Treichel said OCIO will fully address this recommendation by May 31, 2015.
“We consider protecting NCUA's systems and safeguarding information critically important and as such, we concur with the report recommendations,” the letter said.
The NCUA's management also told the IG that guidance will be issued to all staff and contractors by March 31, 2015 instructing them to remove any NCUA accounts from all personal devices. Staff and contractors will also be told to remove any NCUA data from personal devices including mobile phones, personal computers and personal “dropbox-type” applications.
In addition, the IG report said, “NIST controls require agencies to: (1) establish usage restrictions and implementation guidance for specified information system components based on the potential to cause damage to the information system if used maliciously; and (2) authorize, monitor and control the use of such components within the information system.”
The audit found that the NCUA's SSP did not include this control.
The IG recommended the NCUA's management “incorporate NCUA's existing mobile device security policies, controls and configuration settings into the agency's System Security Plan as required by NIST.”
The audit found that neither the NCUA's SSP nor its other mobile device policies addressed delay times between log-on attempts.
The report said the NCUA's mobile device security policy established configuration settings for iPhones specific to passcode, auto lock, access to the lock screen, location services and fingerprint features. However, the agency's SSP included only the auto-lock setting. The SSP also did not include restrictions for AirDrop file sharing or iCloud.
The IG also pointed out that the SSP indicated only that the iPhones were encrypted.
“Considering the functions and capabilities of mobile devices with stored data, NCUA could use this control to address such issues as how the agency facilitates protecting NCUA data from personal use functions and applications (e.g., container-based encryption),” the report said.
The IG recommended that the NCUA supplement or enhance its existing mobile device security policies, controls and configuration settings by addressing security measures such as passcode guidance or controls, unauthorized applications, container-based encryption, Bluetooth controls and QR codes.
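As an added example (not code from the IG report or from NCUA's MobileIron deployment), the following Python script audits an iOS configuration profile against the controls the report discusses: the consecutive invalid logon limit quoted above, and the passcode, auto-lock, AirDrop and iCloud settings the SSP was found to lack. The payload types and keys are Apple's documented profile keys; the numeric thresholds are assumptions (the report redacts NCUA's lockout count), and the sample profile is constructed with deliberately weak values.

```python
import plistlib

# Constructed sample iOS configuration profile (not NCUA's): a passcode payload
# and a restrictions payload, using Apple's documented payload keys. The values
# are deliberately weak so the audit has something to report.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array>
 <dict><key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
  <key>forcePIN</key><true/>
  <key>maxFailedAttempts</key><integer>10</integer>
  <key>maxInactivity</key><integer>15</integer></dict>
 <dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>allowAirDrop</key><true/>
  <key>allowCloudDocumentSync</key><true/></dict>
</array></dict></plist>"""

# Assumed thresholds: the report redacts NCUA's lockout count, so the limits
# below are illustrative. Each tuple: (payload type, key, predicate, finding).
REQUIREMENTS = [
    ("com.apple.mobiledevice.passwordpolicy", "forcePIN",
     lambda v: v is True, "passcode not enforced"),
    ("com.apple.mobiledevice.passwordpolicy", "maxFailedAttempts",
     lambda v: isinstance(v, int) and 1 <= v <= 6,
     "consecutive invalid logon limit missing or too high"),
    ("com.apple.mobiledevice.passwordpolicy", "maxInactivity",
     lambda v: isinstance(v, int) and 1 <= v <= 5,
     "auto-lock interval missing or too long (minutes)"),
    ("com.apple.applicationaccess", "allowAirDrop",
     lambda v: v is False, "AirDrop file sharing not restricted"),
    ("com.apple.applicationaccess", "allowCloudDocumentSync",
     lambda v: v is False, "iCloud document sync not restricted"),
]

def payloads_by_type(profile_bytes):
    """Map each PayloadType in the profile to its merged key/value settings."""
    plist = plistlib.loads(profile_bytes)
    by_type = {}
    for payload in plist.get("PayloadContent", []):
        by_type.setdefault(payload["PayloadType"], {}).update(payload)
    return by_type

def audit_profile(profile_bytes):
    """Return one finding string per requirement the profile fails."""
    payloads = payloads_by_type(profile_bytes)
    findings = []
    for ptype, key, holds, text in REQUIREMENTS:
        value = payloads.get(ptype, {}).get(key)  # None when the key is absent
        if not holds(value):
            findings.append(f"{key}: {text} (value={value!r})")
    return findings
```

Running `audit_profile(SAMPLE_PROFILE)` on the sample yields four findings; a profile that sets the keys within the assumed limits yields an empty list.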