Home > News & Events > Inactive Financial
Inactive Financial Institution Letters
Federal Financial Institutions Examination Council
2000 K Street, NW, Suite 310. Washington, DC 20006. (202) 872-7500. FAX (202) 872-7501
November 19, 1999
Information Security Precautions
During the Century Rollover Period
To: The Board of Directors and Chief Executive Officers of all federally supervised financial institutions, service providers, software vendors, federal branches and agencies, senior management of each FFIEC agency, and all examining personnel.
The Federal Financial Institutions Examination Council (FFIEC) believes that financial institutions may be exposed to higher levels of fraudulent and malicious attempts to exploit information systems during the century date change. Hackers and developers of malicious software may step up their activities at a time when it may be difficult, without adequate safeguards, to detect or distinguish among a routine software or operations problem, a Year 2000-related problem, and fraudulent or malicious activity.
Much of the guidance contained in this statement has been included in various parts of several previously issued FFIEC advisories. This statement is meant to compile that information for ease of reference and to encourage the industry to focus attention on information security as the century date change rapidly approaches. The FFIEC strongly encourages financial institutions to review their security procedures, consistent with the institutionís size, reliance on automated systems and risk profile, and where necessary, enhance internal controls and security procedures to deter and detect unauthorized intrusions in late 1999 and early 2000.
Effective Information Security and Steps to be Considered
An effective information security framework is key to maintaining the confidentiality, integrity and availability of information resources. Major components of a framework include information security policies, authentication methods and access controls. Financial institutions should review their information security framework in light of the potential for fraudulent or malicious activity during the rollover period. Financial institutions should consider the following:
Remind staff to regularly change their passwords. Unless passwords are replaced by smartcards or biometric devices (e.g, fingerprint screening), authorized users should choose passwords that are difficult to compromise. Strong passwords (e.g., passwords that employ unusual combinations of upper and lower case letters and numbers) that have to be changed on a regular basis form the first line of defense in protecting information resources from unauthorized access.
Consider limiting access to the data center to key personnel during the rollover period. Similar access safeguards should be considered for telecommunications equipment and key workstations that may provide access to critical systems.
Ensure that security and system administrators have readily available information on vendor contact points, help desk numbers, special web sites and operating procedures for the rollover period. Establish alert and escalation procedures with clearly defined lines of responsibility to respond to suspicious activity. Ensure that necessary resources will be available when needed to respond quickly to suspicious activity.
Business continuity and contingency plans are an important part of a financial institutionís information security framework. Such plans define how an institution will recover its critical business processes in the event of a security-related disruption to its operations. Financial institutions should maintain backup copies of data files, books and records stored in electronic form. These backup records will help to ensure continuity of service in the event an organizationís information security safeguards are compromised and original data is unavailable.
If a change must be implemented, ensure that thorough change control procedures are applied and that testing can be completed before the rollover period. Financial institutions should consider using integrity checking software to identify unauthorized changes that have been made to web sites and other systems.
Ensure that known system vulnerabilities are eliminated or controlled, including those that become known shortly before the rollover period. Systematic vulnerability analysis is an effective way to identify and repair weaknesses in security controls. Establishing partnerships with security experts at peer firms that use comparable information security products is one way to maintain an awareness of system vulnerabilities and share security resources.
International and Domestic Coordination
It is intended that a similar advisory statement will be issued by the Joint Year 2000 Council, Basel, Switzerland, to international supervisors of banks, securities, insurance activities, and payment systems. In some countries, National Y2K Coordinators are also sponsoring programs to educate public and private sector firms regarding information security threats and vulnerabilities during the century rollover period. In the United States, the FFIEC agencies are working closely with the Presidentís Council on Year 2000 Conversion to address this issue.