Business users' responsibilities
Business Users (Users) are responsible for protecting sensitive and personal information. The best security controls cannot completely prevent fraud, identity theft or a security breach. Your diligence is equally important to safeguarding information. Users may include the Board of Directors, members, third-party service providers and affiliated business partners. In order to perform authorized business, sensitive information may be shared or access may be granted to Members Only or other externally facing applications. Users are responsible for:
- Signing any required non-disclosure, confidentiality or security agreements to protect the confidentiality of non-public FHLB information.
- Utilizing information for only intended legitimate business purposes.
- Maintaining the confidentiality of any credentials issued to access information.
- Notifying the FHLB if credentials or information is lost, stolen or disclosed to unauthorized parties.
- Providing sensitive information to the FHLB in a secure manner.
Security is everyone’s responsibility
Information security is the responsibility of all Users who access FHLB information and information systems. Users are expected to adhere to the following standards.
FHLB must authorize access to the Members Only site (Members Only). Access is granted to authorized applications and resources only for legitimate business purposes. Conduct that interferes with the normal and proper operation of information systems, which adversely affects the ability of others to use these information systems, or which is harmful, illegal or offensive to others will not be permitted. Information created, captured, processed or stored on FHLB information systems is considered property of FHLB, and user activity may be logged and monitored. FHLB reserves the right to revoke the privileges of any user at any time.
FHLB will issue a unique user ID and password (account) for each individual accessing Members Only and supporting information systems. All activity performed with the account is the responsibility of that User. Users must take all necessary precautions to prevent unauthorized access to Members Only and FHLB information systems. When accessing Members Only:
- Always use a computer that has up-to-date antivirus software installed.
- Be cautious when using a shared computer. Refrain from using a public kiosk due to higher risks of malware and keyloggers residing on these computers.
- Do not save passwords in web browsers.
- Verify the “https” in the address bar when logging into Members Only.
- When your banking session is completed, always log off AND close all browsers. Your session could remain active on the computer if you do not complete these steps.
Passwords provide the primary level of access control and accountability. FHLB requires that you pick a long and strong password so that it is harder for a hacker to decipher. FHLB also requires that you change the password periodically, so that someone who obtained your password by another means cannot continue to have access to your account.
Our password standard includes:
- A 12-character minimum length (but can be longer).
- Using upper and lower case letters and at least one number and special character.
- Not permitting three sequential or repeated digits (for instance, 123, abc, 999, zzz).
- Requiring a password change every 90 days (of note, the new password cannot be one you have used in the last 10 changes).
To protect your account, FHLB will lock the account if there are three invalid logon attempts and time out the session after 15 minutes of inactivity.
Changing Your Password
If you ever feel that your password has been compromised, change it immediately on Members Only. You can do this by using the pull down menu under your user settings in the top right-hand corner of any page. Select "Reset Password" and follow instructions.
If you need assistance, contact the FHLB Service Desk using the FHLB Security Contact information listed below.
Best Practice for Protecting Your Passwords
- Do not provide your passwords on surveys, questionnaires or security forms.
- Beware of social engineering attempts to obtain your password (phishing emails, phone calls). Never give your password to anyone, including in response to an email or phone call. FHLB will never ask for your password via email or phone.
- Because it is common for people to use the same passwords on multiple sites, it is recommended that you change your password periodically on third-party sites. This would prevent someone who obtained your password by another means from continuing to have access to your account. If you suspect your account is compromised, change your password immediately.
- For sites with confidential or sensitive FHLB information or personal information, do not use the automatic logon functionality (“Remember Me” or “Remember My Password”).
- Avoid using the same password for multiple accounts. Use different passwords for FHLB accounts than those used for third-party business and personal sites or systems.
Termination of access
After termination of employment or services from the FHLB, Member Bank or an affiliated business partner, you are no longer authorized to access the Members Only site. The Member Bank(s) or affiliated business partner(s) must contact FHLB so the terminated user’s access can be revoked immediately.
Correspondence and email
- Phishing emails are on the rise, so treat all email suspiciously and refrain from opening attachments or clicking links from an unknown sender. If you are suspicious of any correspondence from us, call us using the number you have on file or the Service Desk number below, not the phone number listed in the message. The number in the message could lead to a fraudulent operator.
- Internet email is not secure. If you ever must send us sensitive or nonpublic personally identifiable information (PII), such as Social Security numbers, driver’s license numbers or account numbers, a secure delivery method must be used. Email encryption and secure file transfer are available. Please contact the FHLB Service Desk if you are interested in having an account set up to perform secure file transfers on our web portal.
FHLB security contact
In the event you need assistance, notice suspicious activity or experience security-related events, call the FHLB Service Desk at 800-781-3090 or email ServiceDesk@fhlbcin.com.
Security links for reference
The Department of Homeland Security offers resources on computer and network security.
- Cyber Security Tips from the Department of Homeland Security
- Stop Think Connect
- US-Cert Alerts and Tips
Tricks to a Longer Password
FHLB requires a minimum of 12 characters in a password, and with a couple of tricks this can be done quite easily.
- Pick two or more words that have meaning to you.
- Combine with other keyboard characters not commonly used.
- Stagger a number, character, and upper case letter in the password (i.e. not all at the end).