Business users' responsibilities

Business Users (Users) are responsible for protecting sensitive and personal information. The best security controls cannot completely prevent fraud, identity theft or a security breach. Your diligence is equally important to safeguarding information. Users may include the Board of Directors, Members, third-party service providers and affiliated business partners. In order to perform authorized business, sensitive information may be shared or access may be granted to Members Only or other externally facing applications. Users are responsible for: 

  • Signing any required non-disclosure, confidentiality or security agreements to protect the confidentiality of non-public FHLB information;
  • Utilizing information for only intended legitimate business purposes;
  • Maintaining the confidentiality of any credentials issued to access information;
  • Notifying the FHLB if credentials or information are lost, stolen, or disclosed to unauthorized parties; and
  • Providing sensitive information to the FHLB in a secure manner.

Security is everyone’s responsibility

Information security is the responsibility of all individuals who access FHLB information and information systems. You are expected to adhere to the following standards.

Members Only

FHLB must authorize access to the Members Only site (Members Only). Access is granted to authorized applications and resources only for legitimate business purposes. Conduct that interferes with the normal and proper operation of information systems, which adversely affects the ability of others to use these information systems, or which is harmful, illegal, or offensive to others will not be permitted. Information created, captured, processed, or stored on FHLB information systems is considered property of FHLB, and user activity may be logged and monitored. FHLB reserves the right to revoke the privileges of any user at any time.

User access

FHLB will issue a unique user ID and password (account) for each individual accessing Members Only and supporting information systems. All activity performed with the account is the responsibility of that User.  Users must maintain complete confidentiality of their password and take all necessary precautions to prevent unauthorized access to Members Only and FHLB information systems. Users are not to share their passwords with any other individual, under any circumstances, including with other FHLB staff or third parties.

When accessing Members Only:

  1. Always use a computer that has up-to-date antivirus software installed.
  2. Be cautious when using a shared computer. Refrain from using a public kiosk due to higher risks of malware and keyloggers residing on these computers.
  3. Do not save passwords in web browsers.
  4. Verify the “https” in the address bar when logging into Members Only.
  5. When your banking session is completed, always log off AND close all browsers. Your session could remain active on the computer if you do not complete these steps.

Passwords

Passwords provide the primary level of access control and accountability. FHLB requires that you pick a long and strong password so that it is harder for a hacker to decipher and that you change the password periodically to prevent someone who could obtain your password by another means from continuing to have access to your account.

Multifactor authentication (MFA) has proven to be a successful way of preventing account compromises. FHLB will deploy the use of MFA to protect FHLB information systems as appropriate. Factors used will consider available technology and may include:

  • Something You Know: A password or Personal Identification Number (PIN)
  • Something You Have: A smart card, security token, an authentication application or a Short Message Service (SMS) text to the user’s mobile phone
  • Something You Are: A fingerprint or retina pattern

Our password standard includes:

  • A 14 character minimum length (but can be longer).
  • 3 cases must be used (i.e., you would need to use upper and lower case letters and at least one number).
  • Not permitting 3 sequential or repeated characters (e.g., 123, abc, 999, zzz).
  • Requiring a periodic password change (of note, the new password cannot be one that you have used in the last 10 changes).

Guidelines for Creating a Strong Password

  • Longer is stronger. Length is the most important characteristic of a good password: In general, the longer the password, the better.
  • Think pass-phrase, not pass-word: A “phrase” made up of 4 or more smaller words is much easier to remember.
  • Don’t use variations of the word password (e.g., Passw0rd, P@ssword, Pa$$w0rd), family names, or your account name.

Password Example

  • My son plays fullback.
  • The bus is entertaining!
  • 1lovedrivingmyTesla
  • GONEhiking2day

To protect your account, additional controls (such as tokens, PINs, timeouts, and/or account lockout) may also be implemented. FHLB will lock the account if there are 5 invalid logon attempts and time out the session after 15 minutes of inactivity.

Changing Your Password

If you ever feel that your password has been compromised, change it immediately on Members Only. You can do this by using the pull-down menu under your name in the top right-hand corner of any page. Select "Reset Password" and follow instructions.

You will be requested to change your password periodically. This prevents someone who obtained your password by another means from continuing to have access to your account.

If you need assistance, contact the FHLB Service Desk using the FHLB Security Contact information listed below.

Best Practice for Protecting Your Passwords

  1. Never provide your passwords on surveys, questionnaires, or security forms.
  2. Beware of social engineering attempts (phishing, phone calls) that try to trick you into providing your password or other identifying information. Never give your password to anyone, including in response to an email or phone call. FHLB will never ask for your password via email or phone.
  3. For sites with confidential or sensitive FHLB information or personal information, do not use the automatic logon functionality (‘Remember Me’ or ‘Remember My Password’). 
  4. Avoid using the same password for multiple accounts. Use different passwords for FHLB accounts than those used for third-party business and personal sites or systems.

Termination of access

After termination of employment or services from the FHLB, Member Bank or an affiliated business partner, you are no longer authorized to access the Members Only site. The Member Bank(s) or affiliated business partner(s) must contact FHLB so the terminated user’s access can be revoked immediately.

Correspondence and email

  • Phishing emails are on the rise so treat all email suspiciously and refrain from opening attachments or clicking links from an unknown sender. If you are suspicious of any correspondence from us, call us using the number you have on file or the Service Desk number below, not the phone number listed in the message. The number in the message could be from a bad actor.

  • Internet email is not secure. If you ever must send us sensitive or non-public personally identifiable information (PII) or sensitive personally identifiable information (SPII), such as social security numbers, driver license numbers, account numbers, etc., a secure delivery method must be used. Email encryption and secure file transfer are available. Please contact the FHLB Service Desk if you are interested in having an account set up to perform secure file transfers on our web portal.

FHLB security contact

In the event you need assistance, notice suspicious activity or experience security-related events, call the FHLB Service Desk at 800-781-3090 or email ServiceDesk@fhlbcin.com.


Security Links for Reference

The following links are informational only and provide links to security resources and advisories. You will be leaving the FHLB site and entering a third-party website, and FHLB is not responsible and has no control over these sites. See also Terms of Use located on www.fhlbcin.com.

Cybersecurity & Infrastructure Security Agency (CISA) 

The United States Government has an official website for cyber security resources.