FACT Sections 114 and 315 - Identity Theft Red Flag Regulations


The Federal Trade Commission and the federal financial institution regulatory agencies set the rules on identity theft "red flags" and address discrepancies. The rules CIOs need to implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT) for identity theft protection are clearly defined.

The rules require each enterprise that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:

  • Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program;
  • Detect red flags that have been incorporated into the Program;
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • Ensure the Program is updated periodically to reflect changes in risks from identity theft.

Other government agencies have issued guidelines to assist CIOs and companies in developing and implementing a Program, including a supplement that provides examples of red flags.

  • Growth and Detection of Identity Theft
  • How Information Is Illegally Obtained and Used
  • Assisting Victims of Identity Theft
  • Basics of Prevention
  • Information Security Requirements
  • Customer Identification Program Requirements
  • Consumer Privacy and the Fair Credit Reporting Act
  • Related Policies and Procedures
  • Corporate Originators of ACH Transactions
  • Credit Card Fraud
  • Fraud Involving ATM and Debit Cards

The  regulation also requires credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the final rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.

That along Special Publication 800-60 (Volume 1, Volume 2), Guide for Mapping Types of Information and Information Systems to Security Categories, assists Federal agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199. Special Publication 800-60 contains two volumes. Volume I provides guidelines for identifying impact levels by information type and suggests impact levels for administrative and support information FIPS 199common to multiple agencies. Volume II includes rationale for information type and impact level recommendations and examples of recommendations for agency-specific, mission-related information.

Janco's Security Manual Template meets the compliance requirements of FIPS 199 and even provides an electronic form that can be utilized in the assessment process.

The Security Manual Template can be acquired separately or as part of the Business Continuity and Security Bundle.

Order the FIPS 199 Compliant Security Manual or the Business Continuity / Security Bundle

We have just the download you need to create a world class plan and assure you leave no stone unturned. With these Templates we walk you through the entire process, providing all the tools you need along the way. As an added benefit you can purchase an update service which keeps these templates abreast of the latest legislated and mandated requirements. All of our documents have been updated to comply with PCI-DSS, Sarbanes-Oxley, HIPAA, the ISO 27000 (formerly ISO 17799) series - 27001 & 27002, and PCI-DSS.

Both of these FIPS 199 compliant products come with a detail security audit program.

Security Manual Template - Standard Edition

Security Manual TemplateSecurity Manual Template

  • Business and IT Impact Questionnaire
  • Threat and Vulnerability Assessment Toolkit
  • Security Management Checklist
  • Full Detail Policies for
    • Blog and Personal Website Policy
    • Mobile Device Policy
    • Physical and Virtural File Server Policy
    • Sensitive Information Policy
    • Travel and Off-Site Meeting Policy
  • HIPAA Audit Program
  • Sarbanes Oxley Section 404 Checklist
  • Security Audit Program- fully editable -- Comes in MS EXCEL and PDF formats -- Meets ISO 28000, 27001, 27002, Sarbanes-Oxley, PCI-DSS, HIPAA FIPS 199, and NIS SP 800-53 requirements -- Over 400 unique tasks divided into 11 areas of audit focus which are the divided into 38 separate task groupings
  • Electronic forms that can be Emailed, completed via a computer or tablet, and stored electronically including: Blog Policy Compliance, BYOD Access and Use, Company Asset Employee Control Log, Email - Employee Acknowledgment, Employee Termination Checklist, FIPS 199 Assessment Electronic Form, Internet Access Request, Internet Use Approval, Internet & Electronic Communication - Employee Acknowledgment, Mobile Device Access and Use Agreement, Employee Security Acknowledgement Release, Preliminary Security Audit Checklist, Risk Assessment, Security Access Application, Security Audit Report, Security Violation Reporting, Sensitive Information Policy Compliance Agreement, Server Registration, and Threat and Vulnerability Assessment
  • eReader version of the Security Manual Template
Order Security ManualDownload Security Table of Contents

DR BC SecurityDisaster Recovery Business Continuity & Security Manual Templates Standard Edition Includes

  • Disaster Recovery Business Continuity Template
  • Disaster Recovery Business Continuity Audit Program
  • Security Manual Template
  • Business and IT Impact Questionnaire - 21 pages
  • Threat and Vulnerability Assessment Form
Order DRP BCP SecurityDownload Table of Contents Security and DRP templates