Last updated 22 Jun 2015 by Dan Hancock
Department of Homeland Security (DHS)
— The organization that leads the unified national effort to secure America, prevent and deter terrorist
attacks, and protect against and respond to threats and hazards to the nation — while ensuring safe
and secure borders, welcoming lawful immigrants and visitors, and promoting the free flow of commerce.
The two main directorates of DHS most involved in
information security during 2013 are:
- Science & Technology Directorate
— This seeks to develop capabilities to detect and deter attacks on our information systems and
critical infrastructures. DHS promotes research and development of software and technology to
protect information systems and databases.
- National Protection & Programs Directorate
— This includes development of a national strategy to secure cyberspace and to strengthen the security
and resilience of America's critical infrastructure.
Office of Cybersecurity and Communications (CS&C),
created in 2006 within the National Protection and Programs Directorate, is responsible for enhancing the security,
resilience, and reliability of the Nation's cyber and communications infrastructure. The
United States Computer Emergency Readiness Team (US-CERT)
is the 24-hour operational arm of CS&C's National Cybersecurity and Communications Integration Center (NCCIC).
It serves as a 24/7 cyber monitoring, incident response, and management center and as a national point of cyber and
communications incident integration.
- Federal Bureau of Investigation (FBI),
created in 1908 as part of the U.S. Department of Justice, is an intelligence-driven, threat-focused
national security organization with both intelligence and law enforcement responsibilities. The mission
of the FBI is to protect and defend the United States against terrorist and foreign intelligence threats,
to uphold and enforce the criminal laws of the United States, and to provide leadership and criminal justice
services to federal, state, municipal, and international agencies and partners. The FBI focuses on
threats that involve dangers too large or complex for any local or state authority to handle alone.
One of the FBI's priorities is to protect the United States from cyber-based attacks and high-technology crimes.
- Department of the Treasury
- Federal Deposit Insurance Corporation —
The FDIC is America's deposit insurance agency for banks and thrifts.
- Federal Financial Institutions Examination
Council — The FFIEC is an interagency council composed of representatives
of federal agencies that regulate savings associations, banks, and credit
unions (OTS, OCC, Federal Reserve, FDIC, NCUA). It promotes uniformity and
consistency in regulations, supervisory policies and procedures, examiner
training, and report forms.
- FFIEC Information Security Booklet: Information Security Guidance —
Provides revised guidance for examiners and financial institutions to use in
identifying information security risks and evaluating the adequacy of controls
and applicable risk management practices of financial institutions. The
booklet calls for financial institutions and technology service providers (TSPs)
to maintain effective security programs, tailored to the complexity of their operations.
This booklet is the first in a series of updates to the 1996 FFIEC Information Systems
(IS) Examination Handbook. January 29, 2003.
- FFIEC InfoBase — The InfoBase was created by the FFIEC Task Force on Examiner Education
to provide field examiners of the five-member financial institution
regulatory agencies a fast source of introductory training and basic
information on specific topics in information security and privacy.
The InfoBase is a good resource on many of the references mentioned
on this page.
- Management of Technology Outsourcing — This is a guide to
key management issues when outsourcing technology.
These issues include risk assessment, service provider selection, contract
terms and oversight of outsourcing arrangements. The guidance is intended
to assist financial institutions that are increasingly relying on outside
firms for technology-related products and services to support an array
of banking functions. Institutions of all sizes are using these products
and services, as technology grows more complex and dynamic, creating a
greater impetus to outsource.
in an Internet Banking Environment — This is an updated guideline
for online customer identity authentication by financial institutions.
The guideline states that single-factor (i.e., ID/password) authentication
is not adequate for high-risk financial transactions. The guideline identifies
a variety of optional technologies and methodologies to mitigate the risks, including
PKI digital certificates, USB plug-ins, and biometric identification. The FFIEC
expects U.S. financial institutions' web sites to be in compliance with the
guideline by the end of 2006. October 2005.
- Federal Reserve Board — The central bank
for the U.S., which serves a wide range of functions, such as supervising and regulating
banking institutions, and maintaining the stability of the U.S. financial system.
- FRB SR 97-32 (SUP), Sound Practices Guidance for Information Security for
Networks — Advisory that active board and management oversight
are needed to ensure that information security risks are adequately
assessed, that spending on information security is appropriate to
reduce the risks, and that a comprehensive information security program
is in place to provide protection. December 4, 1997.
- SR 01-11 (SUP), Identity Theft and Pretext Calling — Supervisory
guidance addressing how banking organizations should protect customer
information against identity theft. April 26, 2001.
- Compliance Guide for Interagency Guidelines Establishing Information Security Standards —
Summarizes the obligations of financial institutions to protect customer information and
illustrates how certain provisions of the Security Guidelines apply to specific situations.
December 14, 2005.
- Federal Trade Commission — The Federal Trade
Commission enforces a variety of federal antitrust and consumer protection
laws. The Commission works to enhance the smooth operation of the
marketplace by eliminating acts or practices that are unfair or deceptive.
In general, the Commission's efforts are directed toward stopping actions
that threaten consumers' opportunities to exercise informed choice.
- Report of the FTC Advisory Committee on Online Access and Security
— Report covers results of the Advisory Committee on Online Access and
Security. May 23, 2000.
- Consumer Protection in the Global Electronic Marketplace: Looking Ahead
— FTC recommendations for the development of an international
system that protects online consumers and is fair and predictable for
online businesses. September 2000.
- ID Theft Home: Your National Resource for Identity Theft — Provides detailed information
and guidance for persons whose identity has been stolen. The site has links
to useful information from other federal agencies, states, and consumer
organizations. July 20, 2005.
- Office of the Attorney General,
State of California, Dept. of Justice — The Attorney General operates five regional
Hi-Tech Crimes Task Forces and also administers the statewide Identity Theft Registry
to assist identity-theft victims who are wrongfully identified as criminals.
California Penal Code section 530.5 et seq. makes it a crime to willfully obtain and use
the personal identifying information of another person for any unlawful purpose, including to obtain,
or attempt to obtain, credit, goods, services, or medical information without their consent.
- Office of the Comptroller of the Currency
— The OCC charters, regulates, and supervises national banks to ensure a
safe, sound and competitive banking system. An excellent
summary of electronic
banking advisories and bulletins is available on the OCC Web site.
for Safeguarding Customer Information — Interagency guidelines,
issued under Section 501(b) of the GLBA, establishing standards for
safeguarding customer information. January 17, 2001.
- Advisory Letter 97-9, Reporting Computer Related Crimes — Explains
the federal criminal statute, 18 USC Sec. 1030, relating to computer crimes.
It is intended to facilitate timely and accurate reporting of apparent
statute violations to law enforcement agencies. November 19, 1997.
- Bulletin 98-3, Technology Risk Management — Provides guidance on
how national banks should identify, measure, monitor, and control risks
associated with the use of technology. February 4, 1998.
- Bulletin 99-9, Infrastructure Threats from Cyber-Terrorists —
Identified and raised awareness of the threats and vulnerabilities
created by cyber-terrorism to the financial services industry. March 5, 1999.
Note: Bulletin 99-9 was superseded by the
FFIEC Information Security Booklet on February 5, 2003.
- Alert 2000-1, Internet Security: Distributed Denial of Service Attacks
— Institutions should review and update their capacity for responding
to these attacks and other emerging information security threats. Institutions
should periodically test network security; update risk assessment techniques,
risk mitigation controls, and policies and procedures. February 11, 2000.
- Bulletin 2000-14, Infrastructure Threats — Intrusion Risks —
Guidance to financial institutions on how to prevent, detect and
respond to intrusions into bank computer systems. May 15, 2000.
- Bulletin 2000-25, Privacy Laws and Regulations — A summary
of existing laws and regulations relating to the disclosure of consumer
financial information. September 8, 2000.
- Advisory Letter 2001-2, Privacy Preparedness —
Guidance to prepare management for the implementation of the Privacy of
Consumer Financial Information regulation, 12 CFR 40. The
regulation became fully effective on July 1, 2001, and it affects
all national banks, including most of their subsidiaries.
A questionnaire is attached to use in preparation and in performing
- Alert 2001-4, Network Security Vulnerabilities — The alert is
to raise awareness regarding potential threats in electronic banking systems
and to remind banks and service providers to identify and correct network
security vulnerabilities. April 24, 2001.
- Advisory Letter 2001-4, Identity Theft and Pretext Calling —
This advisory letter informs national banks about two areas of consumer bank
fraud (identity theft and pretext calling) and advises them about measures
to prevent and detect these types of fraud. April 30, 2001.
- Bulletin 2001-26, Privacy of Consumer Financial Information —
Summary of the examination procedures to be used for assessing privacy
compliance for all national banks and federal branches. May 25, 2001.
- Bulletin 2001-31, Weblinking — This bulletin highlights
the risks and provides risk management guidance concerning
banks' weblinking relationships with third parties. July 3, 2001.
- Bulletin 2001-35 Attachment A, Examination Procedures to Evaluate Compliance with
the Guidelines to Safeguard Customer Information — These examination
procedures are derived from the interagency Guidelines Establishing Standards
for Safeguarding Customer Information, as mandated by Section 501(b) of
the Gramm-Leach-Bliley Act of 1999. The guidelines address standards for
developing and implementing administrative, technical, and physical safeguards
to protect the security, confidentiality, and integrity of customer
- Office of Thrift Supervision — The
primary regulator of all federal and many state-chartered thrift
institutions, which include savings banks and savings and loan associations.
The OTS was established as an office of the Department of the Treasury.