Information Security: Enforcement Organizations
- Department of Homeland Security (DHS) — leads the unified U.S. effort to secure America, prevent and deter terrorist attacks, and protect against and respond to threats and hazards to the nation, while ensuring safe and secure borders, welcoming lawful immigrants and visitors, and promoting the free flow of commerce. The vital mission of the DHS is to secure the nation from the many threats we face. This requires the dedication of more than 240,000 employees whose jobs range from aviation and border security to emergency response, and from cybersecurity to chemical facility inspection. Their duties are wide-ranging, but their goal is clear: to keep America safe.
  DHS was created in 2002, combining 22 different federal departments and agencies into a unified, integrated Cabinet agency. The DHS began officially operating at the Nebraska Avenue Complex (NAC) in January 2003. DHS selected the NAC because the large campus could house a headquarters operation, and the DHS would not need an exemption from the statutory requirement that main government agency offices be located in the District of Columbia. In the future, many DHS headquarters offices currently at the NAC will move to the St. Elizabeth's Campus located in southeast Washington D.C., which will become the new Homeland Security Headquarters. The NAC will continue to be a DHS-occupied facility.
  The DHS has two directorates, and both are involved in cybersecurity and information security:
  - Science & Technology Directorate — develops capabilities to detect and deter attacks on our information systems and critical infrastructures. DHS promotes research and development of software and technology to protect information systems and databases.
  - National Protection & Programs Directorate (NPPD) — includes development of a national strategy to secure cyberspace and to strengthen the security and resilience of America's critical infrastructure. Included within the NPPD are CS&C, US-CERT, and NCCIC. The Office of Cybersecurity and Communications (CS&C), created in 2006 within the NPPD, is responsible for enhancing the security, resilience, and reliability of America's cyber and communications infrastructure. The United States Computer Emergency Readiness Team (US-CERT) is the 24-hour operational arm of CS&C's National Cybersecurity and Communications Integration Center (NCCIC). It serves as a 24/7 cyber monitoring, incident response, and management center and as a national point of cyber and communications incident integration.
- Federal Bureau of Investigation (FBI) — created in 1908 as part of the U.S. Department of Justice, is an intelligence-driven and threat-focused national security organization with both intelligence and law enforcement responsibilities. The mission of the FBI is to protect and defend the U.S. against terrorist and foreign intelligence threats, to uphold and enforce the criminal laws of the U.S., and to provide leadership and criminal justice services to federal, state, municipal, and international agencies and partners. The FBI focuses on threats that involve dangers too large or complex for local or state authorities to handle alone. One of the FBI's priorities is to protect the U.S. from cyber-based attacks and high-technology crimes.
  The FBI employs 35,000 people, including special agents and support professionals such as intelligence analysts, language specialists, scientists, and information technology specialists. They work from their headquarters in Washington, D.C., 56 field offices located in major U.S. cities, more than 350 satellite offices in cities and towns across the U.S., and more than 60 international offices called legal attachés in U.S. embassies worldwide.
- Department of the Treasury
  - Treasury Directive 16-02 — requires that electronic funds transfer (EFT) transactions in federal systems be properly authenticated and conform to ANSI Standard X9.9.
  - Treasury Directive 85-01 — documents the Treasury Information Technology (IT) Security Program, which sets minimum standards and requirements for the security of information technology in Treasury bureaus that process, store, and communicate sensitive or classified information.
- Federal Deposit Insurance Corporation (FDIC) — is America's deposit insurance agency for banks and thrifts. It provides Regulatory Guidance and Financial Institution Letters such as the following three:
  - FDIC Information Security and Privacy Strategic Plan: 2018-2021 — the FDIC's information security (IS) strategic plan.
  - Cybersecurity and Information Security — lists 43 FDIC Financial Institution Letters.
  - Interagency Guidelines Establishing Information Security Standards — provides standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
- Federal Financial Institutions Examination Council (FFIEC) — is an interagency council composed of representatives of the federal agencies that regulate savings associations, banks, and credit unions (OTS, OCC, Federal Reserve, FDIC, NCUA). It promotes uniformity and consistency in regulations, supervisory policies and procedures, examiner training, and report forms. Its many publications include the following four:
  - FFIEC Information Security Awareness — initiatives to raise the awareness of financial institutions and their critical third-party service providers with respect to cybersecurity risks and the need to identify, assess, and mitigate those risks.
  - FFIEC Cybersecurity Assessment General Observations — presents general findings from a pilot cybersecurity assessment conducted during the summer of 2014 by FFIEC members at over 500 financial institutions to evaluate their preparedness to mitigate cyber risks.
  - FFIEC Cybersecurity Assessment Tool (Updated May 2017) — helps institutions identify their risks and determine their cybersecurity maturity.
  - FFIEC Cybersecurity and Resilience Against Cyber Attacks Booklet — provides guidance for identifying information security risks and evaluating the adequacy of controls and applicable risk management practices.
- Federal Reserve Board (FRB) — is the central bank of the U.S. It serves many functions, such as supervising and regulating banking institutions and maintaining the stability of the U.S. financial system. It has a public database that gives online access to 483 documents, as of 1 Sep 2018, that contain either the word "cybersecurity" or the phrase "information security". The following are examples of these documents:
  - FFIEC Information Technology Examination Handbook – Information Security Booklet — The FFIEC revised the July 2006 version of the Information Security booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). The Information Security booklet is one of 11 booklets that make up the IT Handbook. This revised booklet provides guidance for assessing the level of security risks to an institution's information systems. SR 16-14. September 19, 2016.
  - Information Security Booklet SR 16-8, Off-site Review of Loan Files.
  - Information Security Booklet SR 15-9, FFIEC Cybersecurity Assessment Tool — provides guidance on the following areas related to IT: Information Technology Examination Process, Cybersecurity, Business Continuity/Disaster Recovery, and Operational Resilience. Last Update: June 22, 2018.
  - Interagency Guidelines Establishing Information Security Standards — provides the following: Introduction, Important Terms Used in the Security Guidelines, Developing and Implementing an Information Security Program, Designing Security Controls, Training Staff, Testing Key Controls, Overseeing Service Providers, Adjusting the Program, Responsibilities of and Reports to the Board of Directors, and an Appendix. Last Update: August 02, 2013.
- Federal Trade Commission (FTC) — enforces a variety of federal antitrust and consumer protection laws. The FTC enhances the smooth operation of the marketplace by eliminating acts or practices that are unfair or deceptive. It is the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. The FTC pursues vigorous and effective law enforcement and advances consumers' interests by sharing its expertise with federal and state legislatures and U.S. and international government agencies. The following are examples of four popular areas of concern in which the FTC is active.
  - Let's talk about cyberbullying — Last week, the FTC joined several other agencies and the First Lady for an important conversation about cyberbullying. August 28, 2018.
  - Protecting Kids Online — is important because the opportunities kids have to socialize online come with both benefits and significant risks. Adults can help reduce the risks by talking to kids about making safe and responsible decisions.
  - Identity Theft Home: Your National Resource for ID Theft — provides detailed information and guidance for persons whose identity has been stolen. The website has links to useful information from other federal agencies, states, and consumer organizations.
  - Scams — Learn about recent scams and how to recognize the warning signs. Read the FTC's most recent alerts or browse scams by topic. August 21, 2018.
- Office of the Attorney General, State of California, Dept. of Justice — The Attorney General operates five regional Hi-Tech Crimes Task Forces and also administers the statewide Identity Theft Registry to assist identity-theft victims who are wrongfully identified as criminals. California Penal Code section 530.5 et seq. makes it a crime to willfully obtain and use the personal identifying information of another person for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, or medical information without their consent.
- Office of the Comptroller of the Currency (OCC) — The OCC charters, regulates, and supervises national banks to ensure a safe, sound, and competitive banking system. An excellent summary of electronic banking advisories and bulletins is available on the OCC Web site.
  - Standards for Safeguarding Customer Information — Interagency guidelines, issued under Section 501(b) of the GLBA, establishing standards for safeguarding customer information. January 17, 2001.
  - OCC Advisory Letter 97-9, Reporting Computer Related Crimes — Explains the federal criminal statute, 18 USC Sec. 1030, relating to computer crimes. It is intended to facilitate timely and accurate reporting of apparent statute violations to law enforcement agencies. November 19, 1997.
  - OCC Bulletin 98-3, Technology Risk Management — Provides guidance on how national banks should identify, measure, monitor, and control risks associated with the use of technology. February 4, 1998.
  - OCC Bulletin 99-9, Infrastructure Threats from Cyber-Terrorists — Identified and raised awareness of the threats and vulnerabilities created by cyber-terrorism to the financial services industry. March 5, 1999. Note: Bulletin 99-9 was superseded by the FFIEC Information Security Booklet on February 5, 2003.
  - OCC Alert 2000-1, Internet Security: Distributed Denial of Service Attacks — Institutions should review and update their capacity for responding to these attacks and other emerging information security threats. Institutions should periodically test network security and update risk assessment techniques, risk mitigation controls, and policies and procedures. Feb. 11, 2000.
  - OCC Bulletin 2000-14, Infrastructure Threats — Intrusion Risks — Guidance to financial institutions on how to prevent, detect, and respond to intrusions into bank computer systems. May 15, 2000.
  - OCC Bulletin 2000-25, Privacy Laws and Regulations — A summary of existing laws and regulations relating to the disclosure of consumer financial information. September 8, 2000.
  - OCC Advisory Letter 2001-2, Privacy Preparedness — Guidance to prepare management for the implementation of the Privacy of Consumer Financial Information regulation, 12 CFR 40. The regulation became fully effective on July 1, 2001, and it affects all national banks, including most of their subsidiaries. A questionnaire is attached to use in preparation and in performing a self-assessment.
  - OCC Alert 2001-4, Network Security Vulnerabilities — The alert is to raise awareness regarding potential threats in electronic banking systems and to remind banks and service providers to identify and correct network security vulnerabilities. April 24, 2001.
  - OCC Advisory Letter 2001-4, Identity Theft and Pretext Calling — This advisory letter informs national banks about two areas of consumer bank fraud (identity theft and pretext calling) and advises them about measures to prevent and detect these types of fraud. April 30, 2001.
  - OCC Bulletin 2001-26, Privacy of Consumer Financial Information — Summary of the examination procedures to be used for assessing privacy compliance for all national banks and federal branches. May 25, 2001.
  - OCC Bulletin 2001-31, Weblinking — This bulletin highlights the risks and provides risk management guidance concerning banks' weblinking relationships with third parties. July 3, 2001.
  - OCC Bulletin 2001-35 Attachment A, Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information — These examination procedures are derived from the interagency Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 1999. The guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
- Office of Thrift Supervision (OTS) — The primary regulator of all federal and many state-chartered thrift institutions, which include savings banks and savings and loan associations. The OTS was established as an office of the Department of the Treasury.