Information Security: Enforcement Organizations
- Department of Homeland Security (DHS) — The organization that leads the unified national effort to secure America, prevent and deter terrorist attacks, and protect against and respond to threats and hazards to the nation, while ensuring safe and secure borders, welcoming lawful immigrants and visitors, and promoting the free flow of commerce.
The two DHS directorates most involved in information security are:
- Science & Technology — This directorate develops capabilities to detect and deter attacks on information systems and critical infrastructure, and promotes research and development of software and technology to protect information systems and databases.
- Prevention & Protection — This directorate is responsible for the national strategy to secure cyberspace and for securing America's financial institutions.
The National Cyber Security Division (NCSD), created in June 2003, is part of this DHS directorate. The NCSD absorbed several prior U.S. government units, including the former National Infrastructure Protection Center (NIPC), previously housed at the FBI; the Department of Commerce's Critical Infrastructure Assurance Office (CIAO); and the General Services Administration's Federal Computer Incident Response Center (FedCIRC). The United States Computer Emergency Readiness Team (US-CERT) is the operational arm of the NCSD within DHS.
- Department of the Treasury
- Federal Deposit Insurance Corporation — The FDIC is America's deposit insurance agency for banks and thrifts.
- Federal Financial Institutions Examination Council — The FFIEC is an interagency council composed of representatives of the federal agencies that regulate savings associations, banks, and credit unions (OTS, OCC, Federal Reserve, FDIC, NCUA). It promotes uniformity and consistency in regulations, supervisory policies and procedures, examiner training, and report forms.
- FFIEC Information Security Booklet: Information Security Guidance — Provides revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and risk management practices at financial institutions. The booklet calls for financial institutions and technology service providers (TSPs) to maintain effective security programs tailored to the complexity of their operations. It is the first in a series of updates to the 1996 FFIEC Information Systems (IS) Examination Handbook. January 29, 2003.
- FFIEC InfoBase — The InfoBase was created by the FFIEC Task Force on Examiner Education to give field examiners of the five member financial institution regulatory agencies a quick source of introductory training and basic information on specific topics in information security and privacy. The InfoBase is a good resource for many of the references mentioned on this page.
- Risk Management of Technology Outsourcing — A guide to the key management issues in outsourcing technology: risk assessment, service provider selection, contract terms, and oversight of outsourcing arrangements. The guidance is intended to assist financial institutions that increasingly rely on outside firms for technology-related products and services supporting an array of banking functions. Institutions of all sizes use these products and services, and as technology grows more complex and dynamic, the impetus to outsource grows with it.
- Authentication in an Internet Banking Environment — An updated guideline for online customer identity authentication by financial institutions. The guideline states that single-factor authentication (e.g., a user ID and password alone) is inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties, and it identifies a variety of optional technologies and methods to mitigate that risk, including PKI digital certificates, USB tokens, and biometric identification. The FFIEC expects U.S. financial institutions' web sites to comply with the guideline by the end of 2006. October 2005.
- Federal Reserve Board — The central bank of the U.S., which serves a wide range of functions, including supervising and regulating banking institutions and maintaining the stability of the U.S. financial system.
- Federal Trade Commission — The Federal Trade
Commission enforces a variety of federal antitrust and consumer protection
laws. The Commission works to enhance the smooth operation of the
marketplace by eliminating acts or practices that are unfair or deceptive.
In general, the Commission's efforts are directed toward stopping actions
that threaten consumers' opportunities to exercise informed choice.
- Office of the Attorney General,
State of California, Dept. of Justice — The Attorney General operates five regional
Hi-Tech Crimes Task Forces and also administers the statewide Identity Theft Registry
to assist identity-theft victims who are wrongfully identified as criminals.
- Office of the Comptroller of the Currency — The OCC charters, regulates, and supervises national banks to ensure a safe, sound, and competitive banking system. An excellent summary of electronic banking advisories and bulletins is available on the OCC Web site.
- Standards for Safeguarding Customer Information — Interagency guidelines, issued under Section 501(b) of the GLBA, establishing standards for safeguarding customer information. January 17, 2001.
- OCC Advisory Letter 97-9, Reporting Computer Related Crimes — Explains the federal computer crime statute, 18 USC Sec. 1030 (the Computer Fraud and Abuse Act), and is intended to facilitate timely and accurate reporting of apparent violations to law enforcement agencies. November 19, 1997.
- OCC Bulletin 98-3, Technology Risk Management — Provides guidance on how national banks should identify, measure, monitor, and control the risks associated with the use of technology. February 4, 1998.
- OCC Bulletin 99-9, Infrastructure Threats from Cyber-Terrorists — Identifies and raises awareness of the threats and vulnerabilities that cyber-terrorism poses to the financial services industry. March 5, 1999. Note: Bulletin 99-9 was superseded by the FFIEC Information Security Booklet on February 5, 2003.
- OCC Alert 2000-1, Internet Security: Distributed Denial of Service Attacks — Institutions should review and update their capacity for responding to these attacks and other emerging information security threats, periodically test network security, and update their risk assessment techniques, risk mitigation controls, and policies and procedures. February 11, 2000.
- OCC Bulletin 2000-14, Infrastructure Threats — Intrusion Risks — Guidance to financial institutions on how to prevent, detect, and respond to intrusions into bank computer systems. May 15, 2000.
- OCC Bulletin 2000-25, Privacy Laws and Regulations — A summary of existing laws and regulations relating to the disclosure of consumer financial information. September 8, 2000.
- OCC Advisory Letter 2001-2, Privacy Preparedness — Guidance to prepare management for implementation of the Privacy of Consumer Financial Information regulation, 12 CFR 40. The regulation became fully effective on July 1, 2001, and applies to all national banks, including most of their subsidiaries. A questionnaire is attached for use in preparation and in performing a self-assessment.
- OCC Alert 2001-4, Network Security Vulnerabilities — Raises awareness of potential threats to electronic banking systems and reminds banks and service providers to identify and correct network security vulnerabilities. April 24, 2001.
- OCC Advisory Letter 2001-4, Identity Theft and Pretext Calling — Informs national banks about two areas of consumer bank fraud (identity theft and pretext calling) and advises them on measures to prevent and detect these types of fraud. April 30, 2001.
- OCC Bulletin 2001-26, Privacy of Consumer Financial Information — Summary of the examination procedures to be used for assessing privacy compliance at all national banks and federal branches. May 25, 2001.
- OCC Bulletin 2001-31, Weblinking — Highlights the risks of, and provides risk management guidance on, banks' weblinking relationships with third parties. July 3, 2001.
- OCC Bulletin 2001-35 Attachment A, Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information — These examination procedures are derived from the interagency Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 1999. The guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
- Office of Thrift Supervision — The primary regulator of all federal and many state-chartered thrift institutions, which include savings banks and savings and loan associations. The OTS was established as an office of the Department of the Treasury.
Copyright © 2002 - 2007 by Daniel W. Hancock. All Rights Reserved.