DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.
Issue link: http://digital.dsnews.com/i/486100
stakeholders should it be exposed. Risks to your applications and systems need to be included in the risk-based modeling exercise as well. This includes email, file transfer systems, and storage systems that are susceptible to data loss. Email is such a universally used tool in daily business and personal interactions that it has gotten to the point where it has become innocuous. Not many think to take into consideration the risks associated with something as simple as sending an email with a file attached to a non-company system. However, one must consider how that data is transferred or stored on the other side. It might not be a risk worth taking.

CREATING A SECURITY-CENTRIC CULTURE

Building a holistic security culture is probably the hardest thing to do in a non-security based company. Our world has been forever changed by social media and its integration into daily life. The challenge is a common one in today's world: how do we change behavior to maintain privacy and to protect what is important in this over-sharing, ever-communicating cyber world? Next generation employees grew up with a cell phone in their hands, constantly tied to social media and their network of friends. They believe in sharing with one another everything from "selfies," to pictures of food, music, and even personal passwords to feel connected to the world. It has become a challenge for businesses to instill the exact opposite mentality: that nothing should be shared unless absolutely necessary.

Education and continuous information security awareness programs are key. Field services companies must not only educate their employees on physical and data security best practices, but they also must monitor and track this education to ensure global compliance and understanding. To ensure compliance in the field, inspector and vendor networks must be educated on these same industry best practices.
Ongoing information security education for everyone who has access to sensitive information is critical to ensure daily compliance with all information security protocols and applicable industry guidelines and requirements. Routine monitoring and auditing of vendor networks can help identify gaps that need to be addressed and certify that anyone who has access to confidential information knows and practices the appropriate steps to protect it.

TESTING AND AUDITING

Testing and auditing can be the most important part of measuring your data security controls. And, with the renewed focus and investment on vendor oversight within the financial services industry, internal, external, and vendor network testing and auditing have become commonplace.

Regularly scheduled internal audits not only gauge the effectiveness of a data security strategy but can also point out areas of improvement and should be looked upon favorably. Field services companies typically receive and utilize confidential consumer data, and it is imperative that the security controls safeguarding this data are robust and comprehensive.

External audits should be viewed similarly. As regulations within the financial services industry continue to expand, ongoing third-party vendor audits have become routine. Part of this audit consists of an information security assessment in which protocols such as physical security, application permission and authority levels, data integrity and protection (encryption), and network vulnerability are reviewed and tested.

Much like the financial services industry, some field services companies have taken the audit process to the next level by implementing routine, on-site vendor audits as part of the overall audit protocol. A portion of this audit focuses on a vendor's data security compliance and frameworks.
Routine monitoring and auditing of vendor networks can help identify security gaps so that anyone who has access to confidential information knows and practices the appropriate steps to protect it.

GAUGING SECURITY SUCCESS

Is there a measuring stick with which to gauge data security success? Some claim the ultimate measuring stick is not having been a victim of a cyber-attack. Unfortunately, that is a naive view of the information security world. A company cannot and should not claim success merely because it has not been the victim of a cyber-attack. The overall measure of a company's security framework is an amalgam of many different control principles.

The field services industry has embraced and invested in the people and technology to meet the information security requirements head-on. It is one more way to strengthen the industry and provide clients with the security needed in this interconnected electronic business environment.