The MBA (Mortgage Bankers Association) recently released a whitepaper, The Basic Components of an Information Security Program. The document is intended to provide mortgage industry professionals with an overview of the security risks that affect the lending industry, along with advice for managing those risks. The document is aimed predominantly at small and medium-sized businesses; however, the advice below should also serve as a useful resource for larger organizations that wish to re-familiarize themselves with security best practices. The key points from the whitepaper are as follows:
Laws and Regulations
There are laws and regulations in place that all companies need to be aware of when developing an information security program. The whitepaper references guidance relating to: privacy & security, general information security, cyber security and vendor management.
First Priority Cybersecurity Practices
The MBA recommends that businesses carry out these high priority actions in order to protect their information, networks, and systems. The actions will help with the identification and recovery of potential cybersecurity risks.
- Risk management: Identify the information security risks your business may be exposed to, and implement protective measures to minimize the impact of these risks. Using a framework such as the NIST Cybersecurity Framework or ISO 27000 can assist with the ongoing and evolving demands of the risk management process.
- Protect your information: Protect your network of data, computers, and devices from malicious code such as viruses and spyware by installing specialist protection software across all platforms.
- Protect your internet connection: Any computer or network with a broadband internet connection is continuously exposed to threats from hackers and cyber criminals. Therefore, it is vital to have a hardware firewall installed and properly maintained. Regularly updating login details and passwords will also help minimize potential risk.
- Install software firewalls: Reduce the risk of data theft by installing up-to-date software firewalls on every business machine.
- Patch your operating systems: Remove potential security vulnerabilities in your programs and applications by installing the latest vendor-supported patches and updates.
- Back up your data: Important information should be backed up frequently to aid recovery in the unfortunate event of data loss. Store the backups off site and regularly test that they can actually be restored.
- Control access to your devices: Monitor everyone who has the potential to access your systems and networks, including external visitors and staff members. Computer access should always be controlled via password and granted only to the individuals who need it.
- Secure your wireless networks: Ensure that appropriate security measures are implemented for your wireless networks. Things to consider include encryption, passwords, and limited broadcast.
- Train your employees: Develop a “culture of security” throughout your business with regular staff training. Request that employees sign a declaration stating they understand security policies and responsibilities, as well as non-compliance penalties.
- Implement individual user accounts: Strong passwords should be set on individual user accounts and applications, and updated at least every 90 days.
- Limit employee access: Restrict each individual's level of access to data and information to what the tasks they perform require.
- Prevent software installations: Limit the authority to install and download software to a properly trained staff member by removing administrative rights from the other computers and devices.
- Establish security guidelines: All businesses should have a written information security policy that is regularly reviewed and updated. Communicate these guidelines to all employees and have them sign an agreement of understanding.
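The "Back up your data" item above says to test backups regularly, but a backup that was written without error can still be incomplete or contain the wrong data. The following added example (not from the MBA whitepaper or from XDOC) shows one way to make that test concrete: record a SHA-256 manifest of the source files when the backup is taken, then restore the archive into a scratch directory and compare it against the manifest. The directory names, file contents and the "broken backup" scenario are constructed for the drill.

```python
"""Backup creation and restore-verification drill (constructed example).

Assumed layout: a source directory, a gzip tarball beside a JSON manifest
of SHA-256 digests. Only the Python standard library is used.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir: Path) -> dict:
    """Map each file's path (relative to src_dir, POSIX style) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(src_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(src_dir).as_posix()] = sha256_file(p)
    return manifest


def create_backup(src_dir: Path, archive: Path) -> dict:
    """Write a gzip tarball of src_dir and store its manifest as <archive>.manifest.json."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(archive: Path, manifest: dict) -> dict:
    """Restore the archive into a scratch directory and compare it with the manifest.

    Returns which files are missing from the restore and which differ in content.
    A backup only counts as working when both lists are empty.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                # Newer Pythons can refuse absolute paths / traversal inside the archive.
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch))
    missing = sorted(f for f in manifest if f not in restored)
    changed = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    return {"missing": missing, "changed": changed, "ok": not missing and not changed}


def drill() -> dict:
    """Constructed drill: one good backup and one that silently lost and altered data."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "loan_files"          # constructed sample data
        (src / "reports").mkdir(parents=True)
        (src / "config.ini").write_text("retention_days=2555\n")
        (src / "reports" / "q3.csv").write_text("loan_id,amount\n1001,250000\n")

        good = Path(tmp) / "backup-good.tar.gz"
        manifest = create_backup(src, good)
        good_result = verify_backup(good, manifest)

        # Simulate a faulty backup job: one file was modified and another lost
        # before the archive was written, while the earlier manifest is still trusted.
        (src / "config.ini").write_text("retention_days=30\n")
        (src / "reports" / "q3.csv").unlink()
        bad = Path(tmp) / "backup-bad.tar.gz"
        with tarfile.open(bad, "w:gz") as tar:
            tar.add(src, arcname=".")
        bad_result = verify_backup(bad, manifest)
    return {"good": good_result, "bad": bad_result}


if __name__ == "__main__":
    print(json.dumps(drill(), indent=2))
```

The manifest should be stored with the off-site copy, not only next to the source, so that a restore test after the source is gone still has something to compare against. Running the restore into a scratch directory rather than over the live system is what makes the check safe to schedule routinely.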
Second Priority Cybersecurity Practices
Businesses should implement these practices as soon as the first priority practices have been actioned.
- Train employees on information security: Data security breaches often result from attackers who have manipulated employees into believing they are a trusted party. Staff should be effectively trained to recognize and prevent these attempts.
- Avoid attachments and web links: Employees should not open email attachments unless they are expected and have been sent from a trusted source. Web links should be approached with similar caution.
- Avoid pop-ups: Avoid harmful pop-ups by ensuring that they are always closed by pressing the X in the top-right corner of the pop-up window, or by using “Ctrl-W” on the keyboard.
- Be aware of hacker tricks: Hackers have been known to target businesses with infected USB drives by ‘dropping’ them in public places for curious individuals to find. By instructing your employees not to bring USB drives into the office, you can prevent the damaging effects of these malicious tricks.
- Social manipulation: Staff should be vigilant at all times, particularly when asked for information or system access by unauthorized people who claim to be involved in, or associated with, the organization.
- Take care when hiring employees: Carry out detailed background checks before hiring any new employees; these may include criminal, financial, education and employment assessments and screenings.
- Monitor employee internet usage: Create an appropriate internet usage policy and educate your employees in safe online practices. Installing a content filter will help with monitoring online activity and prevent employees from accessing undesirable URLs.
- Get the right help: When in doubt about any aspect of information security, it is important to seek help from a qualified and reputable expert.
- Properly dispose of old devices: Sensitive information is often stolen from old business computers and devices, so always ensure that hard disks and other storage drives are properly destroyed when disposing of old devices.
- Have an asset inventory: Identify all of your hardware, software and information assets and store the details in a secure inventory.
- Implement encryption: Using a software program to encrypt sensitive information will protect data by making it unreadable to anyone without access to the encryption key.
- Third party risk management: Third party business connections made within your organization potentially pose a security threat. These can be monitored with a Vendor Risk Management program.
- Plan for disaster recovery: Various disasters and errors can significantly impact the day-to-day running of your business. Planning for recovery of operations using your asset inventory will reduce costly downtime.
- BYOD security: If your organization runs a ‘bring your own device’ program, ensure that appropriate procedures and policies are put in place to keep company data protected.
To download the full whitepaper visit https://www.mba.org/mba-newslinks/2015/september/mba-newslink-thursday-9-10-15/mba-releases-white-paper-on-information-security

We know that mortgage lending is hard, and that security is really only one of the many challenges that today’s lenders face. XDOC is a secure electronic document management system that exists to simplify the complexities of today’s lending process, while simultaneously saving your company time and money. To find out more visit www.scrypt.com/xdoc.