Booklet: Information Security
Section: Appendix C: Laws, Regulations, and Guidance

Sources:

- Congress
- Federal Reserve Board
- Federal Deposit Insurance Corporation
- National Credit Union Administration
- Office of the Comptroller of the Currency
- Office of Thrift Supervision

Congress

| Booklet | Type | Source | Title/Source | Date |
|---|---|---|---|---|
| InfoSec | Laws | Congress | Bank Service Company Act, 12 U.S.C. 1867(c) | July 2001 |
| InfoSec | Laws | Congress | Bank Protection Act, 12 U.S.C. 1882 | July 1968 |
| InfoSec | Laws | Congress | Gramm-Leach-Bliley Act, 15 U.S.C. 6801 and 6805(b) | November 1999 |
| InfoSec | Laws | Congress | Fraud and Related Activity in Connection with Computers, 18 U.S.C. 1030 | October 1996 |
| InfoSec | Laws | Congress | USA Patriot Act, Section 312, Special Due Diligence for Correspondent Accounts and Private Banking Accounts | October 2001 |
Federal Reserve Board (FRB)

| Booklet | Type | Source | Title/Source | Date |
|---|---|---|---|---|
| InfoSec | Regulations | FRB | Interagency Guidelines Establishing Standards for Safeguarding Customer Information, Appendix D-2 (State Member Banks), 12 CFR, 208 | |
| InfoSec | Regulations | FRB | Interagency Guidelines Establishing Standards for Safeguarding Customer Information (uninsured state-licensed branch or agency of a foreign bank), 12 CFR, 211.24 | |
| InfoSec | Regulations | FRB | Interagency Guidelines Establishing Standards for Safeguarding Customer Information, Appendix F (bank holding companies and their non-bank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisors)), 12 CFR, 225 | |
| InfoSec | Regulations | FRB | Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Edge or agreement corporation), 12 CFR, 211.5 (l) | |
| InfoSec | Regulations | FRB | Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix D-1, 12 CFR, 208 | |
| InfoSec | Regulations | FRB | Minimum Security Devices and Procedures, 12 CFR 208.61 | |
| InfoSec | Regulations | FRB | Procedures for Monitoring Bank Secrecy Act Compliance, 12 CFR 208.63 | |
| InfoSec | Regulations | FRB | Reports of Suspicious Activities, 12 CFR 208.62 | |
| InfoSec | Guidance | FRB | FFIEC Brochure with Information on Internet "Phishing", SR Letter 04-14 | October 2004 |
| InfoSec | Guidance | FRB | FFIEC Guidance on the use of Open Source Software, SR Letter 04-17 | December 2004 |
| InfoSec | Guidance | FRB | Guidance on the Risk Management of Outsourced Technology Services, SR Letter 00-17 | November 2000 |
| InfoSec | Guidance | FRB | Identity Theft and Pretext Calling, SR Letter 01-11 | April 2001 |
| InfoSec | Guidance | FRB | Information Sharing Pursuant to Section 314(b) of the USA Patriot Act, SR Letter 02-6 | March 2002 |
| InfoSec | Guidance | FRB | Interagency Guidance on Authentication in an Internet Banking Environment, SR Letter 05-19 | October 2005 |
| InfoSec | Guidance | FRB | Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, SR Letter 05-23 | December 2005 |
| InfoSec | Guidance | FRB | Outsourcing of Information and Transaction Processing, SR Letter 00-4 | February 2000 |
| InfoSec | Guidance | FRB | Safeguarding Customer Information, SR Letter 01-15 | May 2001 |
| InfoSec | Guidance | FRB | Section 312 of the USA Patriot Act – Due Diligence for Correspondent and Private Banking Accounts, SR Letter 02-18 | July 2002 |
| InfoSec | Guidance | FRB | Sound Practices Guidance for Information Security for Networks, SR Letter 97-32 | December 1997 |
| InfoSec | Guidance | FRB | Uniform Rating System for Information Technology, SR Letter 99-8 | March 1999 |
Federal Deposit Insurance Corporation (FDIC)

| Booklet | Type | Source | Title/Source | Date |
|---|---|---|---|---|
| InfoSec | Regulations | FDIC | Interagency Guidelines Establishing Standards for Safeguarding Customer Information, Appendix B, 12 CFR 364 | |
| InfoSec | Regulations | FDIC | Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A, 12 CFR 364 | |
| InfoSec | Regulations | FDIC | Minimum Security Procedures, 12 CFR 326, Subpart A | |
| InfoSec | Regulations | FDIC | Privacy of Consumer Financial Information, 12 CFR 332 | |
| InfoSec | Regulations | FDIC | Procedures for Monitoring Bank Secrecy Act Compliance, 12 CFR 326, Subpart B | |
| InfoSec | Regulations | FDIC | Suspicious Activity Reports, 12 CFR 353 | |
| InfoSec | Guidance | FDIC | 501(b) Examination Guidance, FIL-68-2001 | August 2001 |
| InfoSec | Guidance | FDIC | Authentication In An Electronic Banking Environment, FIL-69-2001 | August 2001 |
| InfoSec | Guidance | FDIC | Bank Technology Bulletin: Protecting Internet Domain Names, FIL-77-2000 | November 2000 |
| InfoSec | Guidance | FDIC | Computer Software Due Diligence – Guidance on Developing an Effective Software Evaluation Program to Assure Quality and Regulatory Compliance, FIL-121-2004 | November 2004 |
| InfoSec | Guidance | FDIC | Fair and Accurate Credit Transactions Act of 2003 Guidelines Requiring the Proper Disposal of Customer Information, FIL-7-2005 | February 2005 |
| InfoSec | Guidance | FDIC | FFIEC Guidance Authentication in an Internet Banking Environment, FIL-103-2005 | October 2005 |
| InfoSec | Guidance | FDIC | Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, FIL-27-2005 | April 2005 |
| InfoSec | Guidance | FDIC | Guidance on Developing an Effective Software Patch Management Program, FIL-43-2003 | May 2003 |
| InfoSec | Guidance | FDIC | Guidance on Developing an Effective Computer Virus Protection Program, FIL-62-2004 | June 2004 |
| InfoSec | Guidance | FDIC | Guidance on Identity Theft and Pretext Calling, FIL-39-2001 | May 2001 |
| InfoSec | Guidance | FDIC | Guidance on Identity Theft Response Programs, FIL-63-2003 | August 2003 |
| InfoSec | Guidance | FDIC | Guidance on Instant Messaging, FIL-84-2004 | July 2004 |
| InfoSec | Guidance | FDIC | Guidance on Safeguarding Customers Against E-Mail and Internet Related Fraud Schemes, FIL-27-2004 | March 2004 |
| InfoSec | Guidance | FDIC | Identity Theft Study on "Account Hijacking" Identity Theft and Suggestions for Reducing Online Fraud, FIL-132-2004 | December 2004 |
| InfoSec | Guidance | FDIC | Identity Theft Study Supplement on "Account Hijacking Identity Theft", FIL-59-2005 | July 2005 |
| InfoSec | Guidance | FDIC | Interagency Informational Brochure on Internet "Phishing" Scams, FIL-103-2004 | September 2004 |
| InfoSec | Guidance | FDIC | "Pharming" – Guidance on How Financial Institutions can Protect against Pharming Attacks, FIL-64-2005 | July 2005 |
| InfoSec | Guidance | FDIC | Pre-Employment Background Screening: Guidance on Developing an Effective Pre-Employment Background Screening Process, FIL-46-2005 | June 1, 2005 |
| InfoSec | Guidance | FDIC | Pretext Phone Calling, FIL-98-98 | September 1998 |
| InfoSec | Guidance | FDIC | Risk Assessment Tools and Practices, FIL-68-99 | July 1999 |
| InfoSec | Guidance | FDIC | Risk Management of Free and Open Source Software FFIEC Guidance, FIL-114-2004 | October 2004 |
| InfoSec | Guidance | FDIC | Risks Involving Client/Server Computer Systems, FIL-82-96 | October 1996 |
| InfoSec | Guidance | FDIC | Security Monitoring of Computer Networks, FIL-67-2000 | October 2000 |
| InfoSec | Guidance | FDIC | Security Risks Associated with the Internet, FIL-131-97 | December 1997 |
| InfoSec | Guidance | FDIC | Security Standards for Customer Information, FIL-22-2001 | March 2001 |
| InfoSec | Guidance | FDIC | Spyware – Guidance on Mitigating Risks From Spyware, FIL-66-2005 | July 2005 |
| InfoSec | Guidance | FDIC | Suspicious Activity Reporting, FIL-124-97 | December 1997 |
| InfoSec | Guidance | FDIC | Suspicious Activity Reports, FIL-48-2000 | July 2000 |
| InfoSec | Guidance | FDIC | Wireless Networks And Customer Access, FIL-8-2002 | February 2002 |
National Credit Union Administration (NCUA)

| Booklet | Type | Source | Title/Source | Date |
|---|---|---|---|---|
| InfoSec | Regulations | NCUA | Federal Credit Union Incidental Powers Activities, 12 CFR, 721 | |
| InfoSec | Regulations | NCUA | Privacy of Consumer Financial Information, and Appendix, 12 CFR, 716 | |
| InfoSec | Regulations | NCUA | Requirements for Insurance, 12 CFR, 741 | |
| InfoSec | Regulations | NCUA | Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance and Appendix, 12 CFR, 748 | |
| InfoSec | Guidance | NCUA | Authentication in an Electronic Banking Environment, NCUA Letter to Credit Unions 01-CU-10 | August 2001 |
| InfoSec | Guidance | NCUA | Account Aggregation Services, NCUA Letter to Credit Unions 02-CU-08 | April 2002 |
| InfoSec | Guidance | NCUA | Automated Response System Controls, NCUA Letter to Credit Unions 97-CU-1 | January 1997 |
| InfoSec | Guidance | NCUA | Computer Software Patch Management, NCUA Letter to Credit Unions 03-CU-14 | September 2003 |
| InfoSec | Guidance | NCUA | Disaster Recovery and Business Resumption Contingency Plans, NCUA Letter to Credit Unions 01-CU-21 | December 2001 |
| InfoSec | Guidance | NCUA | Due Diligence Over Third Party Service Providers, NCUA Letter to Credit Unions 01-CU-20 | November 2001 |
| InfoSec | Guidance | NCUA | E-Commerce Insurance Considerations, NCUA Letter to Credit Unions 01-CU-12 | October 2001 |
| InfoSec | Guidance | NCUA | Electronic Data Security Overview, NCUA Letter to Credit Unions 01-CU-11 | August 2001 |
| InfoSec | Guidance | NCUA | Electronic Signatures in Global and National Commerce Act (E-Sign Act), NCUA Regulatory Alert 01-RA-03 | March 2001 |
| InfoSec | Guidance | NCUA | E-Mail and Internet Related Fraudulent Schemes Guidance, NCUA Letter to Credit Unions 04-CU-06 | April 2004 |
| InfoSec | Guidance | NCUA | Fraudulent E-Mail Schemes, NCUA Letter to Credit Unions 04-CU-05 | April 2004 |
| InfoSec | Guidance | NCUA | Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions, NCUA Letter to Credit Unions 03-CU-12 | August 2003 |
| InfoSec | Guidance | NCUA | Guidance on Authentication in Internet Banking Environment, NCUA Letter to Credit Unions 05-CU-18 | November 2005 |
| InfoSec | Guidance | NCUA | Identity Theft and Pretext Calling, NCUA Letter to Credit Unions 01-CU-09 | September 2001 |
| InfoSec | Guidance | NCUA | Identity Theft Prevention, NCUA Letter to Credit Unions 00-CU-02 | May 2000 |
| InfoSec | Guidance | NCUA | Information Processing Issues, NCUA Letter to Credit Unions 109 | September 1989 |
| InfoSec | Guidance | NCUA | Integrating Financial Services and Emerging Technology, NCUA Letter to Credit Unions 01-CU-04 | March 2001 |
| InfoSec | Guidance | NCUA | Interagency Guidance on Electronic Financial Services and Consumer Compliance, NCUA Regulatory Alert 98-RA-4 | July 1998 |
| InfoSec | Guidance | NCUA | Interagency Statement on Retail On-line PC Banking, NCUA Letter to Credit Unions 97-CU-5 | April 1997 |
| InfoSec | Guidance | NCUA | NCUA's Information Systems & Technology Examination Program, NCUA Letter to Credit Unions 00-CU-07 | October 2000 |
| InfoSec | Guidance | NCUA | Phishing Guidance for Credit Union Members, NCUA Letter to Credit Unions 04-CU-12 | September 2004 |
| InfoSec | Guidance | NCUA | Phishing Guidance for Credit Unions and Their Members, NCUA Letter to Credit Unions 05-CU-20 | December 2005 |
| InfoSec | Guidance | NCUA | Pretext Phone Calling by Account Information Brokers, NCUA Regulatory Alert 99-RA-3 | February 1999 |
| InfoSec | Guidance | NCUA | Privacy of Consumer Financial Information, NCUA Letter to Credit Unions 01-CU-02 | February 2001 |
| InfoSec | Guidance | NCUA | Risk Management of Outsourced Technology Services (with Enclosure), NCUA Letter to Credit Unions 00-CU-11 | December 2000 |
| InfoSec | Guidance | NCUA | Suspicious Activity Reporting (see section regarding Computer Intrusion), NCUA Letter to Credit Unions 00-CU-04 | July 2000 |
| InfoSec | Guidance | NCUA | Tips to Safely Conduct Financial Transactions Over the Internet – An NCUA Brochure for Credit Union Members, NCUA Letter to Federal Credit Unions 02-FCU-11 | July 2002 |
| InfoSec | Guidance | NCUA | Vendor Information Systems & Technology Reviews – Summary Results, NCUA Letter to Credit Unions 02-CU-13 | July 2002 |
| InfoSec | Guidance | NCUA | Weblinking Relationships, NCUA Letter to Federal Credit Unions 02-FCU-04 | March 2002 |
| InfoSec | Guidance | NCUA | Weblinking: Identifying Risks & Risk Management Techniques, NCUA Letter to Credit Unions 03-CU-08 | April 2003 |
| InfoSec | Guidance | NCUA | Wireless Technology, NCUA Letter to Credit Unions 03-CU-03 | February 2003 |
Office of the Comptroller of the Currency (OCC)

| Booklet | Type | Source | Title/Source | Date |
|---|---|---|---|---|
| InfoSec | Regulations | OCC | Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 CFR, 30, Appendix B | |
| InfoSec | Regulations | OCC | Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR, 30, Appendix A | |
| InfoSec | Regulations | OCC | Minimum Security Devices and Procedures, 12 CFR, 21, Subpart A | |
| InfoSec | Regulations | OCC | Reports of Suspicious Activities, 12 CFR, 21, Subpart B | |
| InfoSec | Regulations | OCC | Procedures for Monitoring Bank Secrecy Act Compliance, 12 CFR, 21, Subpart C | |
| InfoSec | Guidance | OCC | Authentication in an Internet Banking Environment, Bulletin 2005-35 | October 2005 |
| InfoSec | Guidance | OCC | Bank Provided Account Aggregation Services, OCC Bulletin 2001-12 | February 2001 |
| InfoSec | Guidance | OCC | Certificate Authority Guidance, OCC Bulletin 99-20 | May 1999 |
| InfoSec | Guidance | OCC | Customer Identity Theft: E-Mail-Related Fraud Threats, Bulletin 2003-11 | September 2003 |
| InfoSec | Guidance | OCC | Examination Procedures for Guidelines to Safeguard Customer Information, Bulletin 2001-35 | July 2001 |
| InfoSec | Guidance | OCC | Guidelines Establishing Standards for Safeguarding Customer Information, OCC Bulletin 2001-8 | February 2001 |
| InfoSec | Guidance | OCC | Infrastructure Threats – Intrusion Risks, OCC Bulletin 2000-14 | May 2000 |
| InfoSec | Guidance | OCC | Internet Security: Distributed Denial of Service Attacks, OCC Alert 2000-1 | February 2000 |
| InfoSec | Guidance | OCC | Network Security Vulnerabilities, OCC Alert 2001-04 | April 2001 |
| InfoSec | Guidance | OCC | Proper Disposal of Consumer Information, Bulletin 2005-1 | January 2005 |
| InfoSec | Guidance | OCC | Protecting Internet Addresses of National Banks, OCC Alert 2000-9 | July 2000 |
| InfoSec | Guidance | OCC | Response Programs for Unauthorized Access to Customer Information and Customer Notice: Final Guidance, Bulletin 2005-13 | April 2005 |
| InfoSec | Guidance | OCC | Risk Management of Outsourcing Technology Services, OCC Advisory Letter 2000-12 | November 2000 |
| InfoSec | Guidance | OCC | Risk Management of Wireless Networks, Bulletin 2003-10 | December 2003 |
| InfoSec | Guidance | OCC | Suspicious Activity Report, Bulletin 2003-27 | June 2003 |
| InfoSec | Guidance | OCC | Suspicious Activity Report, OCC Bulletin 2000-19 | June 2000 |
| InfoSec | Guidance | OCC | Technology Risk Management, OCC Bulletin 98-3 | February 1998 |
| InfoSec | Guidance | OCC | Technology Risk Management: PC Banking, OCC Bulletin 98-38 | August 1998 |
| InfoSec | Guidance | OCC | Third Party Relationships, Bulletin 2001-47 | November 2001 |
| InfoSec | Guidance | OCC | Threats from Fraudulent Bank Web Sites, Bulletin 2005-24 | July 2005 |
Office of Thrift Supervision (OTS)

| Booklet | Type | Source | Title/Source | Date |
|---|---|---|---|---|
| InfoSec | Regulations | OTS | Electronic Operations, 12 CFR Part 555 | |
| InfoSec | Regulations | OTS | Interagency Guidelines Establishing Information Security Standards, 12 CFR 570 Appendix B | |
| InfoSec | Regulations | OTS | Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR 570 Appendix A | |
| InfoSec | Regulations | OTS | Privacy of Consumer Financial Information, 12 CFR 573 | |
| InfoSec | Regulations | OTS | Procedures for Monitoring Bank Secrecy Act Compliance, 12 CFR 563.177 | |
| InfoSec | Regulations | OTS | Security Procedures Under the Bank Protection Act, 12 CFR 568 | |
| InfoSec | Regulations | OTS | Suspicious Activity Reports and Other Reports and Statements, 12 CFR 563.180 | |
| InfoSec | Guidance | OTS | Compliance Guide – Interagency Guidelines Establishing Information Security Standards, CEO Ltr 231 | December 2005 |
| InfoSec | Guidance | OTS | Identity Theft and Pretext Calling, CEO Ltr 139 | |