User ID and Password Guidelines
- Never share passwords or security devices. Do not post passwords in or around work areas.
- Create “strong” passwords with at least 8 characters that include a combination of upper and lower case letters, numbers, and special characters.
- Create passwords that are not easy to guess (do not contain birth date, child’s name, pet’s name, or part of User ID).
- Change your password frequently. If you suspect your password may be compromised, change it immediately and notify Washington Trust Bank.
- Avoid using an automatic login feature that saves usernames and passwords.
- Do not use public or other unsecured computers.
- Establish and pay attention to system alerts; examples include:
  - Minimum Balance Alerts
  - Debit Posted Alerts
  - Password Changed Alerts
- Dedicate a PC solely for financial transactions; e.g., no web browsing, emails, or social media (an FBI-recommended best practice).
- Check the last login date/time every time you sign on.
- Review account balances and detail transactions regularly (preferably daily) to confirm payment and other transaction data, and immediately report any suspicious transactions to Washington Trust Bank.
- When creating account nicknames or other titles, do not use account numbers, your social security number, or other account or personal information.
- Whenever possible, register your computer to avoid having to re-enter challenge questions and other authentication information with each login.
- Never leave a computer unattended while signed on.
- Never conduct banking transactions while multiple browsers are open on your computer.
- After completing your online activity, sign off to close the connection.
- Use separate accounts for electronic and paper transactions to simplify monitoring and tracking any discrepancies.
Employee Access and User Administration Guidelines
- Create a separate User ID for each individual that needs online access. Limit the “Admin” User ID to a single authorized employee.
- Delete User IDs as part of the exit procedure when employees leave your company.
- Limit administrative rights on users' workstations to help prevent the inadvertent downloading of viruses or other malware.
- Establish second approval requirements for changes to User Administration.
- Establish second approval requirements for transactions and separate entry and approval users.
- Establish transaction dollar limits for each user who initiates and approves online transactions. Establish limits for monetary transactions at multiple levels: per transaction, daily, weekly, or monthly limits.
- Establish formal security policies and procedures that clearly outline rules governing access to online applications, including remote and wireless connectivity.
- Educate employees on information and internet security and usage policies and procedures, including individual responsibilities.
- Review transaction histories and user activity audit logs regularly for unusual activity.
Tips to Avoid Phishing, Spyware and Malware
- Do not open e-mail from unknown sources. Be suspicious of e-mails purporting to be from a financial institution, government department, or other agency requesting account information, account verification, or banking access credentials such as usernames, passwords, PIN codes, and similar information. Opening file attachments or clicking on web links in suspicious e-mails could expose your system to malicious code that could hijack your computer.
- Never respond to a suspicious e-mail or click on any hyperlink embedded in a suspicious e-mail. Call the purported source if you are unsure who sent an e-mail.
- If an e-mail claiming to be from your financial organization seems unusual, check with your financial organization.
- Install anti-virus and spyware detection software on all computer systems. Free software may not provide the same protection against the latest threats as an industry-standard product.
- Update all of your computers regularly with the latest versions and patches of both anti-virus and anti-spyware software.
- Ensure computers are patched regularly, particularly with security patches for the operating system and key applications.
- Install a dedicated, actively managed firewall, especially if using a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to your network and computers.
- Check your settings and select, at least, a medium level of security for your browsers.
- Clear the browser cache before starting any online session to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared depends on the browser and version you are using. This function is generally found in the browser's preferences menu.
- Be suspicious of unusual screens such as pop-up windows containing error messages, repeated prompts for your password/token code, or being asked to answer challenge questions when your computer was previously registered.
Tips for Network Security
- Fully deploy computer firewalls, and have a security procedure for firewall management.
- Use and update anti-virus software regularly.
- Update operating systems with the most recent security patches.
- Test security systems and processes on a regular basis.
Tips for Wireless Network Management
Wireless networks can provide an unintended open door to your business network. Unless a valid business reason exists for wireless network use, it is recommended that all wireless networks be disabled. If a wireless network is to be used for legitimate business purposes, it is recommended that wireless networks be secured as follows:
- Change the wireless network hardware (router / access point) administrative password from the factory default to a complex password. Save the password in a secure location as it will be needed to make future changes to the device.
- Disable remote administration of the wireless network hardware (router / access point).
- If possible, disable broadcasting the network SSID.
- If your device offers WPA encryption, secure your wireless network by enabling WPA encryption of the wireless network. If your device does not support WPA encryption, enable WEP encryption.
- If only known computers will access the wireless network, consider enabling MAC filtering on the network hardware. Every computer network card is assigned a unique MAC address. MAC filtering will only allow computers with permitted MAC addresses access to the wireless network.
Tips for Physical Security
- Locate critical networks, servers, workstations and telecommunications equipment in physically secure locations that permit access only to authorized personnel.
- Provide access to financial and sensitive information (account numbers, social security numbers, checks, customer deposits, etc.) on an as-needed basis.