DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.
Issue link: http://digital.dsnews.com/i/486100
professional know whether the proper controls have been implemented and if the controls in place are sufficient?

KNOWING YOUR ASSETS

There are standard formulas that must be followed that apply the basic security management protocols, such as access control lists, secure firewalls, Intrusion Prevention Systems, segmentation, logging, and monitoring. But these are the mechanics of prevention. To fully understand the depth of a highly dynamic and complex information system, the information security team first needs to understand why they would be a target of a cyber-attack in the first place: what do they have that would attract a hacker? To understand this, the information security team needs to think like a hacker and take a hacker-centric approach to security.

What are the points of interest? For most hackers, their interest lies in a company's data and/or systems. To understand what might be of value, a complete asset inventory is necessary. An asset, for example, can include such devices as computers, tablets, and smartphones. An asset can also include data and a company's physical operating system. Why would a hacker be interested in a system? Hackers are always looking to launch a hack from a better platform. A company may have minimal data, but its platform may entice a hacker.

Mobile technology is one of the biggest competitive advantages for many customer-facing businesses. Whether your customers are consumers or other businesses, being able to harness the power of mobile technology has become a game changer. For several years mortgage field services companies have been investing millions of dollars annually in mobile technology and applications to better meet growing client needs, as well as the needs of their inspectors and vendors.
Although field services companies cannot dictate which devices inspectors and vendors use to complete their assigned work in the field, they can require the use of only pre-approved, closed-community applications that have been properly vetted and inventoried. Why is this important? We live in an interconnected world where business and personal time often overlap. One minute a tablet or smartphone could be used for work purposes, the next minute to send a personal email or access an external webpage. Without the proper controls in place, these devices can become a goldmine of information to exploit.

Millions of points of data are generated each and every day, but not all data is created equally. To fully track this data, it is vitally important to clearly define the classification, or rank, of each data element and create a matrix that qualifies where each data element resides. This is important because the level of protection provided is controlled by the predetermined ranking of the data element, as well as the level of risk the information poses if exposed. It is equally important to classify and track all data that is shared externally. For example, confidential information, such as loan numbers, is ranked the highest and requires SSL encryption to the end point.

INTEGRATING INFORMATION SECURITY WITH BUSINESS

Information security should be a welcome partner with the business functions of any organization. As such, it should be baked into business decisions from the onset. Do not think of it as just another cost of doing business, but rather as a business initiative that provides service improvement and savings. For example, by keeping anti-virus software up-to-date, new vulnerabilities will be addressed through routine security patches that "plug the holes." For mobile devices, this is especially true as new software versions and applications are continually introduced.
To be successful, information security should be an integral part of any organization's business culture. This integration starts at the top with executive ownership and support. Executive buy-in will help ensure the success of such internal undertakings as security and compliance advisory boards. These boards can provide continuity of knowledge, leadership, executive oversight, and guidance for security and compliance policies and activities, and ensure ethical behavior within the organization.

RISK-BASED MODELING

Taking a risk-based, or threat-modeling, approach to information security is important to effectively assess risk exposure and to determine how best to balance risk with action. Once the types of systems and data that exist have been classified, they can be rated according to their acceptable risk and threat levels. Risk-based modeling identifies the data and quantifies the risk of exposure, and the potential risk to
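One way to make the classification matrix from the KNOWING YOUR ASSETS section and the risk rating from RISK-BASED MODELING concrete, as an added Python example that is not from the article (the rank names, the required-controls policy, the scoring weights and the sample inventory are all assumptions for illustration):

```python
# Added example, not code from the DSNews article: a data-classification matrix
# (element -> rank -> where it resides) with a risk-based check of the controls in place.
from dataclasses import dataclass

RANK = {"public": 0, "internal": 1, "confidential": 2}   # higher rank = more sensitive
# Assumed policy for illustration: minimum controls each rank requires on every asset it resides on.
REQUIRED = {"public": frozenset(), "internal": frozenset({"access_control"}),
            "confidential": frozenset({"access_control", "tls_to_endpoint", "logging"})}

@dataclass(frozen=True)
class Asset:
    name: str
    vetted: bool           # pre-approved and inventoried (managed device or closed-community app)
    controls: frozenset    # controls actually implemented on this asset

@dataclass(frozen=True)
class DataElement:
    name: str
    classification: str
    resides_on: tuple      # the "where does it reside" column of the matrix
    shared_externally: bool

def risk_score(elem, asset):
    """Impact (classification rank) times likelihood (unvetted asset, external sharing)."""
    impact = RANK[elem.classification] + 1
    likelihood = 1 + (2 if not asset.vetted else 0) + (1 if elem.shared_externally else 0)
    return impact * likelihood

def assess(elements, assets):
    """Findings (element, asset, missing controls, score) where policy is unmet, highest risk first."""
    by_name = {a.name: a for a in assets}
    findings = []
    for e in elements:
        for a in (by_name[n] for n in e.resides_on):
            missing = set(REQUIRED[e.classification] - a.controls)
            if not a.vetted and RANK[e.classification] >= RANK["internal"]:
                missing.add("vetted_asset")   # non-public data may only reside on vetted assets
            if missing:
                findings.append((e.name, a.name, tuple(sorted(missing)), risk_score(e, a)))
    return sorted(findings, key=lambda f: -f[3])

# Constructed sample inventory with hypothetical asset and element names.
ASSETS = [Asset("loan-db", True, frozenset({"access_control", "tls_to_endpoint", "logging"})),
          Asset("inspector-app", True, frozenset({"access_control", "tls_to_endpoint"})),
          Asset("personal-phone", False, frozenset())]
ELEMENTS = [DataElement("loan_number", "confidential", ("loan-db", "inspector-app", "personal-phone"), True),
            DataElement("property_photo", "internal", ("inspector-app",), False),
            DataElement("office_address", "public", ("personal-phone",), True)]
```

Calling `assess(ELEMENTS, ASSETS)` returns the highest-risk gap first: the loan number residing on an unvetted personal phone with no controls, followed by the vetted inspector app that lacks logging.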