DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.
Issue link: http://digital.dsnews.com/i/660979
While ISO 27001 will not necessarily prevent a security incident from occurring, it will help ensure that all risks related to security are considered and appropriately managed.

Minimizing the impact of advanced attacks requires a robust capability to detect and respond. Having a formal incident response plan, and carrying out regular Business Continuity Plan (BCP) exercises, helps ensure that organizations are prepared for such events. In an environment of persistent attack and near-constant compromise, incident response must be a priority for any organization responsible for financial information, personally identifiable information, or intellectual property. Organizational strategies must be based on proven best practices, and they must leverage outside expertise where required. Security programs must incorporate opportunities to automate and to constantly improve. Organizations with a robust incident response and business continuity capability will have the best chance of minimizing damage or loss from an attack.

While social engineering attacks are currently prevalent, threats continue to evolve and take many other forms. Today's workforce is more flexible, cross-functional, and mobile than ever. IT-driven organizations require rapid on-boarding of employees to apps, systems, and resources so that they can be productive right away. Traditional firewall approaches to network security are not enough anymore, and organizations must secure data whether it resides inside or outside of the network. A holistic approach must be taken to consider all points of entry into proprietary systems and all software integrations. The traditional closed network is no longer a reality for today's businesses. The need to connect to clients, vendors, and third-party systems creates a complex network which spans outside of the organization.
Protecting these expansive networks requires a multi-disciplined approach to manage organizational risk and meet compliance requirements. Networks can be compromised without an organization's knowledge. These attacks can be silently mining data without raising any alerts or alarms. It is through regular audits across the network environment that this can be avoided. Auditing organizational processes and procedures is not a new requirement for loan servicers, asset managers, appraisers, and property preservation providers, all of whom are subject to the audit provisions established by the Dodd-Frank Act. Ensuring that regular audits are performed on internal and external systems is as important as the audits required for compliance within the industry. These audits will highlight anomalies on the network, on your property platform, and in relation to user access and activity within systems.

Audit trails for sensitive data are vital in any system. Knowing how, when, and by whom a particular sensitive data point was last updated can give a degree of comfort when it comes to understanding potential security flaws and preventing them in the future.

Loan servicers, asset managers, appraisers, and property preservation providers require anytime, anywhere access to borrower and asset information. Technology solutions must enforce secure access consistently across internal IT systems, third-party applications, mobile-based apps, and infrastructure. These solutions must balance security and convenience, while ensuring users have access to any information appropriate to their role. Secure access will empower employees and ensure that valuable information remains protected.

TAKING MEASURES FOR PHYSICAL SECURITY

Organizations can minimize their exposure to data breach by taking an inventory of physical opportunities to reduce vulnerabilities.
Physical procedures include:

» Locking laptops in cabinets and/or car trunks
» Locking screens when employees leave their workstations
» Providing privacy screens on computer monitors
» Disabling the ability to download data onto external drives
» Monitoring data sent to unauthorized and/or personal email addresses

In today's security landscape, a security breach is not a matter of "if" but "when." While risk tolerance is up to each individual organization, the way risk is managed is important, and there are definitely best practices to follow. With increased regulatory pressure, and the cost involved, the financial services industry must carefully consider each investment decision and the impact it will have on the end consumer, regulatory requirements, and their bottom line. The good news is that there are many opportunities for organizations to create win-win situations that improve customer interactions, preparedness, and resilience against security threats, while also helping to achieve long-term cost savings.

Here are six key components of any security policy:

1. Identification of organizational risks related to security
2. Establishment of security governance
3. Recognition of risks associated with remote access to client information
4. Evaluation of risks associated with vendors and other third parties
5. Policy, procedure, and oversight process development
6. Strategic plan for developing the capability to detect unauthorized activity