View PDF

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

l l★K

Federal Reserve Bank
of Dallas

DALLAS, TEXAS
75265-5906

November 30, 1999
Notice 99-101
“A Year 2000 Readiness Disclosure”
TO: The Chief Executive Officer of each
financial institution and others concerned
in the Eleventh Federal Reserve District
SUBJECT
Information Security Precautions
Related to the Century Date Change
DETAILS
The Federal Financial Institutions Examination Council (FFIEC) has issued an advisory entitled Information Security Precautions During the Century Rollover Period. The statement encourages financial institutions to review their information security procedures and internal controls in light of the potential for malicious and fraudulent activity during the century date
change.
The advisory notes that an effective information security framework is key to maintaining the confidentiality, integrity, and availability of an institution’s information resources.
The advisory provides financial institutions with information to consider in order to strengthen
their security programs and avoid vulnerabilities in conjunction with the century date change.
ATTACHMENT
A copy of the FFIEC’s advisory is attached.
MORE INFORMATION
For more information, please contact Ann Worthy, (214) 922-6156, in the Banking
Supervision Department. For additional copies of this Bank’s notice, contact the Public Affairs
Department at (214) 922-5254.

For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal
Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012;
Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

Federal Financial Institutions Examination Council

2000 K Street, NW, Suite 310. Washington, DC 20006. (202) 872-7500. FAX (202) 872-7501

Information Security Precautions
During the Century Rollover Period
November 19, 1999
To: The Board of Directors and Chief Executive Officers of all federally supervised financial
institutions, service providers, software vendors, federal branches and agencies, senior
management of each FFIEC agency, and all examining personnel.
Introduction
The Federal Financial Institutions Examination Council (FFIEC) believes that financial institutions
may be exposed to higher levels of fraudulent and malicious attempts to exploit information systems
during the century date change. Hackers and developers of malicious software may step up their
activities at a time when it may be difficult, without adequate safeguards, to detect or distinguish
among a routine software or operations problem, a Year 2000-related problem, and fraudulent or
malicious activity.
Much of the guidance contained in this statement has been included in various parts of several
previously issued FFIEC advisories. This statement is meant to compile that information for ease of
reference and to encourage the industry to focus attention on information security as the century date
change rapidly approaches. The FFIEC strongly encourages financial institutions to review their
security procedures, consistent with the institution’s size, reliance on automated systems and risk
profile, and where necessary, enhance internal controls and security procedures to deter and detect
unauthorized intrusions in late 1999 and early 2000.
Effective Information Security and Steps to be Considered
An effective information security framework is key to maintaining the confidentiality, integrity and
availability of information resources. Major components of a framework include information
security policies, authentication methods and access controls. Financial institutions should review
their information security framework in light of the potential for fraudulent or malicious activity
during the rollover period. Financial institutions should consider the following:
•

Staff Awareness - Brief staff about the need for heightened information security precautions
during the rollover period and how they should protect the institution and its customers.

Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit
Union Administration, Office of the Comptroller, Office of Thrift Supervision.

•

Passwords - Remind staff of the importance of keeping passwords and account names
confidential, despite pressures to reveal them by unauthorized parties under the guise of needing
them to solve an urgent problem.
Remind staff to regularly change their passwords. Unless passwords are replaced by smartcards
or biometric devices (e.g, fingerprint screening), authorized users should choose passwords that
are difficult to compromise. Strong passwords (e.g., passwords that employ unusual
combinations of upper and lower case letters and numbers) that have to be changed on a regular
basis form the first line of defense in protecting information resources from unauthorized access.

•

Background Checks - Ensure that information technology staff, contractors and others that can
make changes to information systems have passed background checks. Periodically revalidate
logon IDs and access lists.
Consider limiting access to the data center to key personnel during the rollover period. Similar
access safeguards should be considered for telecommunications equipment and key workstations
that may provide access to critical systems.

•

Authorize staff to take action - Ensure that staff on duty has the authority to take defensive
actions to protect information systems that become targets of malicious activity.

•

Response Team Information - Update information on how to contact software vendors, computer
emergency response teams (CERTs) and similar information security organizations.
Ensure that security and system administrators have readily available information on vendor
contact points, help desk numbers, special web sites and operating procedures for the rollover
period. Establish alert and escalation procedures with clearly defined lines of responsibility to
respond to suspicious activity. Ensure that necessary resources will be available when needed to
respond quickly to suspicious activity.

•

Contingency Plans - Review and update, as necessary, the procedures for recovering information
systems that may be damaged by malicious activity during the rollover period.
Business continuity and contingency plans are an important part of a financial institution’s
information security framework. Such plans define how an institution will recover its critical
business processes in the event of a security-related disruption to its operations. Financial
institutions should maintain backup copies of data files, books and records stored in electronic
form. These backup records will help to ensure continuity of service in the event an
organization’s information security safeguards are compromised and original data is unavailable.

•

Limit Security Exceptions - Review procedures and approval levels needed to grant exceptions
to security procedures and controls during the rollover period. If Year 2000 or other problems
do occur, institutions should ensure they do not compromise important security controls in a rush
to fix information systems.

•

Limit Changes - Limit software and hardware changes to those that are critical to maintain
operations.

2

If a change must be implemented, ensure that thorough change control procedures are applied
and that testing can be completed before the rollover period. Financial institutions should
consider using integrity checking software to identify unauthorized changes that have been made
to web sites and other systems.
•

Monitor systems - Survey your systems configurations periodically to ensure that security
controls are in place and operating effectively.
Ensure that known system vulnerabilities are eliminated or controlled, including those that
become known shortly before the rollover period. Systematic vulnerability analysis is an
effective way to identify and repair weaknesses in security controls. Establishing partnerships
with security experts at peer firms that use comparable information security products is one way
to maintain an awareness of system vulnerabilities and share security resources.

•

Review access to systems - Ensure that there is a timely review of machine logs prior to and
during the rollover period, particularly logs of firewalls and remote access service and computer
links. These logs should be analyzed frequently for signs of intrusion attempts (based on
complexity of the systems and the level of risk exposure). Automated intrusion detection
systems should be updated and supplemented with manual log reviews, as appropriate.

•

Contact Authorities - Inform appropriate law enforcement authorities of known or suspected
criminal activities pertaining to breaches in information security by filing Suspicious Activity
Reports in accordance with the FFIEC agencies’ reporting rules. Financial institutions should
also notify their primary federal supervisor when they experience material information security
problems that have a significant adverse effect on the institution’s ability to provide effective and
reliable services to customers.

International and Domestic Coordination
It is intended that a similar advisory statement will be issued by the Joint Year 2000 Council, Basel,
Switzerland, to international supervisors of banks, securities, insurance activities, and payment
systems. In some countries, National Y2K Coordinators are also sponsoring programs to educate
public and private sector firms regarding information security threats and vulnerabilities during the
century rollover period. In the United States, the FFIEC agencies are working closely with the
President’s Council on Year 2000 Conversion to address this issue.

3


Federal Reserve Bank of St. Louis, One Federal Reserve Bank Plaza, St. Louis, MO 63102