- Department of Homeland Security (DHS)
— leads the unified U.S. effort to secure America, prevent and deter terrorist attacks, and protect
against and respond to threats and hazards to the nation — while ensuring safe and secure borders,
welcoming lawful immigrants and visitors, and promoting the free-flow of commerce. The vital mission
of the DHS is to secure the nation from the many threats we face. This requires the dedication of more than
240,000 employees whose jobs range from aviation and border security to emergency response, from cybersecurity to
chemical facility inspector. Their duties are wide-ranging, but their goal is clear: to keep America safe.
DHS was created in 2002, combining 22 different federal departments and agencies into a unified, integrated Cabinet
agency. The DHS began officially operating at the Nebraska Avenue Complex (NAC) in January 2003. DHS
selected the NAC because the large campus could house a headquarters operation — and the DHS would not need an
exemption from the statutory requirement that main government agency offices be located in the District of
Columbia. In the future, many DHS headquarters offices currently at the NAC will move to the St. Elizabeth's
Campus located in southeast Washington D.C., which will become the new Homeland Security Headquarters.
The NAC will continue to be a DHS-occupied facility.
The DHS has two directorates — and both are involved in
- Science & Technology Directorate — develops capabilities to detect and deter attacks
on our information systems and critical infrastructures. DHS promotes research and development of
software and technology to protect information systems and databases.
- National Protection & Programs Directorate (NPPD) — includes development of a national strategy
to secure cyberspace and to strengthen the security and resilience of America's critical infrastructure.
Included within the NPPD are CS&C, US-CERT, and NCCIC. The
Office of Cybersecurity and Communications (CS&C),
created in 2006 within the NPPD is responsible for enhancing the security, resilience, and reliability
of America's cyber and communications infrastructure. The
United States Computer Emergency Readiness Team (US-CERT)
is the 24-hour operational arm of CS&C's
National Cybersecurity and Communications Integration Center (NCCIC).
It serves as a 24/7 cyber monitoring, incident response, and management center and as a national
point of cyber and communications incident integration.
Federal Bureau of Investigation (FBI) —
created in 1908 as part of the U.S. Department of Justice, is an intelligence-driven and a threat-focused
national security organization with both intelligence and law enforcement responsibilities. The mission
of the FBI is to protect and defend the U.S. against terrorist and foreign intelligence threats,
to uphold and enforce the criminal laws of the U.S., and to provide leadership and criminal justice
services to federal, state, municipal, and international agencies and partners. The FBI focuses on
threats that involve dangers too large or complex for local or state authority to handle alone.
One of the FBI's priorities is to protect the U.S. from
cyber-based attacks and high-technology crimes.
The FBI employs 35,000 people, including special agents and support professionals such as intelligence analysts,
language specialists, scientists, and information technology specialists. They work from their headquarters
in Washington, D.C., 56 field offices located in major U.S. cities, more than 350 satellite offices in cities and
towns across the U.S., and more than 60 international offices called legal attachés in U.S. embassies
- Department of the Treasury
Treasury Directive 16-02 —
requires that electronic funds transfer (EFT) transactions in federal systems be properly authenticated
and conform to ANSI Standard X9.9.
Treasury Directive 85-01 —
documents the Treasury Information Technology (IT) Security Program which sets minimum standards and
requirements for the security of information technology in Treasury bureaus that
process, store, and communicate sensitive or classified information.
Federal Deposit Insurance Corporation (FDIC) —
is America's deposit insurance agency for banks and thrifts.
It provides Regulatory Guidance and Financial Institution Letters such as the following three:
FDIC Information Security and Privacy Strategic Plan: 2018-2021 — IS strategic plan.
Cybersecurity and Information Security — lists 43 FDIC Financial Institution Letters.
Interagency Guidelines Establishing Information Security Standards —
provides standards for developing and implementing administrative, technical, and physical safeguards
to protect the security, confidentiality, and integrity of customer information.
- Federal Financial Institutions Examination Council
(FFIEC) — is an interagency council comprised of representatives of federal agencies
that regulate savings associations, banks, and credit unions (OTS, OCC, Federal Reserve, FDIC, NCUA).
It promotes uniformity and consistency in regulations, supervisory policies and procedures, examiner
training, and report forms. Its many publications include the following four:
FFIEC Information Security Awareness —
initiatives to raise the awareness of financial institutions and their critical third-party service
providers with respect to cybersecurity risks and the need to identify, assess, and mitigate those risks.
FFIEC Cybersecurity Assessment General Observations —
presents general findings from a pilot cybersecurity assessment conducted during the summer of 2014 by
FFIEC members at over 500 financial institutions to evaluate their preparedness to mitigate cyber risks.
FFIEC Cybersecurity Assessment Tool (Updated May 2017) — to help institutions identify
their risks and determine their cybersecurity maturity.
FFIEC Cybersecurity and Resilience Against Cyber Attacks Booklet —
to provide guidance to use in identifying information security risks and evaluating the
adequacy of controls and applicable risk management practices.
- Federal Reserve Board (FRB) —
is the central bank of the U.S. It serves many functions, such as supervising and regulating
banking institutions, and maintaining the stability of the U.S. financial system. It has a
public database (access it here)
that gives online access to 483 documents, as of 1 Sep 2018, that contain either the word cybersecurity
or the phrase information security. The following are examples of these documents:
FFIEC Information Technology Examination Handbook – Information Security Booklet —
The FFIEC revised the July 2006 version of the Information Security booklet of the
FFIEC Information Technology Examination Handbook (IT Handbook). The Information
Security booklet is one of 11 booklets that make up the IT Handbook. This revised booklet
provides guidance for assessing the level of security risks to an institution’s
information systems. SR 16-14. September 19, 2016
Information Security Booklet SR 16-8 Off-site Review of Loan Files.
Information Security Booklet SR 15-9 FFIEC Cybersecurity Assessment Tool —
provides guidance on the following areas related to IT: Information Technology
Examination Process, Cybersecurity, Business Continuity/Disaster Recovery, and Operational Resilience.
Last Update: June 22, 2018
Interagency Guidelines Establishing Information Security Standards —
provides the following: Introduction, Important Terms Used in the Security Guidelines,
Developing and Implementing an Information Security Program, Designing Security Controls, Training Staff,
Testing Key Controls, Overseeing Service Providers, Adjusting the Program, Responsibilities of and Reports to
the Board of Directors, and an Appendix. Last Update: August 02, 2013
- Federal Trade Commission (FTC) —
enforces a variety of federal antitrust and consumer protection laws.
The FTC enhances the smooth operation of the marketplace by eliminating acts or
practices that are unfair or deceptive. It is the only federal agency with both
consumer protection and competition jurisdiction in broad sectors of the economy.
The FTC pursues vigorous and effective law enforcement — and advances consumers’ interests
by sharing its expertise with federal and state legislatures and U.S. and international
government agencies. The following are examples of four popular areas of concern
in which the FTC is active.
Let's talk about cyberbullying —
Last week, the FTC joined several other agencies and the First Lady for an important conversation
about cyberbullying. August 28, 2018.
Protecting Kids Online —
is important because of the opportunities kids have to socialize online come with benefits
and significant risks. Adults can help reduce the risks by talking to kids about making
safe and responsible decisions.
Identity Theft Home. Your National Resource for ID Theft —
provides detailed information and guidance for persons whose identity has been stolen.
The website has links to useful information from other federal agencies, states, and consumer
Scams — Learn about recent scams and how to recognize the warning signs.
Read the FTC’s most recent alerts or browse scams by topic. August 21, 2018
- Office of the Attorney General,
State of California, Dept. of Justice — The Attorney General operates five regional
Hi-Tech Crimes Task Forces and also administers the statewide Identity Theft Registry
to assist identity-theft victims who are wrongfully identified as criminals.
California Penal Code section 530.5 et. seq. makes it a crime to willfully obtain and use
the personal identifying information of another person for any unlawful purpose, including to obtain,
or attempt to obtain, credit, goods, services, or medical information without their consent.
- Office of the Comptroller of the Currency
— The OCC charters, regulates, and supervises national banks to ensure a
safe, sound and competitive banking system. An excellent
summary of electronic
banking advisories and bulletins is available on the OCC Web site.
for Safeguarding Customer Information — Interagency guidelines,
issued under Section 501(b) of the GLBA, establishing standards for
safeguarding customer information. January 17, 2001.
Advisory Letter 97-9, Reporting Computer Related Crimes — Explains
the federal criminal statute, 18 USC Sec. 1030, relating to computer crimes.
It is intended to facilitate timely and accurate reporting of apparent
statute violations to law enforcement agencies. November 19, 1997.
Bulletin 98-3, Technology Risk Management — Provides guidance on
how national banks should identify, measure, monitor, and control risks
associated with the use of technology. February 4, 1998.
Bulletin 99-9, Infrastructure Threats from Cyber-Terrorists —
Identified and raised awareness of the threats and vulnerabilities
created by cyber-terrorism to the financial services industry. March 5, 1999.
Note: Bulletin 99-9 was superseded by the
FFIEC Information Security Booklet on February 5, 2003.
Alert 2000-1, Internet Security: Distributed Denial of Service Attacks
— Institutions should review and update their capacity for responding
to these attacks and other emerging information security threats. Institutions
should periodically test network security; update risk assessment techniques,
risk mitigation controls, and policies and procedures. Feb. 11, 2000.
Bulletin 2000-14, Infrastructure Threats — Intrusion Risks —
Guidance to financial institutions on how to prevent, detect and
respond to intrusions into bank computer systems. May 15, 2000.
Bulletin 2000-25, Privacy Laws and Regulations — A summary
of existing laws and regulations relating to the disclosure of consumer
financial information. September 8, 2000.
Advisory Letter 2001-2, Privacy Preparedness —
Guidance to prepare management for the implementation of the Privacy of
Consumer Financial Information regulation, 12 CFR 40. The
regulation became fully effective on July 1, 2001, and it affects
all national banks, including most of their subsidiaries.
A questionnaire is attached to use in preparation and in performing
Alert 2001-4, Network Security Vulnerabilities — The alert is
to raise awareness regarding potential threats in electronic banking systems
and to remind banks and service providers to identify and correct network
security vulnerabilities. April 24, 2001.
Advisory Letter 2001-4, Identity Theft and Pretext Calling —
This advisory letter informs national banks about two areas of consumer bank
fraud (identity theft and pretext calling) and advises them about measures
to prevent and detect these types of fraud. April 30, 2001.
Bulletin 2001-26, Privacy of Consumer Financial Information —
Summary of the examination procedures to be used for assessing privacy
compliance for all national banks and federal branches. May 25, 2001.
Bulletin 2001-31, Weblinking — This bulletin highlights
the risks and provides risk management guidance concerning
banks' weblinking relationships with third parties. July 3, 2001.
Bulletin 2001-35 Attachment A, Examination Procedures to Evaluate Compliance with
the Guidelines to Safeguard Customer Information — These examination
procedures are derived from the interagency Guidelines Establishing Standards
for Safeguarding Customer Information, as mandated by Section 501(b) of
the Gramm-Leach-Bliley Act of 1999. The guidelines address standards for
developing and implementing administrative, technical, and physical safeguards
to protect the security, confidentiality, and integrity of customer
- Office of Thrift Supervision — The
primary regulator of all federal and many state-chartered thrift
institutions, which include savings banks and savings and loan associations.
The OTS was established as an office of the Department of the Treasury.