DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.
Issue link: http://digital.dsnews.com/i/894814
this will only lead to frequent changes of the system's architecture when standards change. For example, FIPS 140-2, which is still used to ensure companies are following proper security precautions, was implemented in May 2001. While there were proposed updates to this standard, they were never adopted:

» January 2005 – Federal Register announced development of FIPS 140-3 Cryptographic Modules
» July 13, 2007 – Federal Register released the draft of Cryptographic Modules
» December 2009 – a revised draft was released
» August 2012 – there was a request for additional comments to FIPS 140-3

This process continued until the FIPS 140-3 update died, likely because some of the recommendations within it were out of date and already compromised. Still, information security teams and the companies they work for are left with an antiquated standard of FIPS 140-2. There have been thousands of security breaches and advances since that time, yet to be compliant, companies merely need to meet a 16-year-old standard.

To survive the onslaught of cyber attacks that continue to plague all industries, companies must be increasingly vigilant. Do not wait for standards to be set for the industry; adopt tougher security protocols, encryption algorithms, and procedures before the current ones are exploited.

In an industry like mortgage servicing where the compliance and regulatory requirements have changed dramatically since the 2008 mortgage crisis—including increased oversight and reporting of breaches—what are companies that support the industry, like mortgage field services, to do? Adopt a security-centric view of the industry and monitor, adapt, and react quickly to changes. The mortgage field services industry has an opportunity to help lead the way for its mortgage servicing clients, rather than waiting for directions from them on security protocols.
PARTNER WITH BUSINESS/OPERATIONS

An important lesson that can be learned from larger corporations regarding security is that they have already adopted the practice of including security advisors at their decision-making tables. New initiatives should go through a threat management evaluation in the same way that they are evaluated for fiscal viability and feasibility. If adding that new functionality to an application could compromise security and expose the company to the possibility of a breach, is it really worth the consequences? Regardless of the answer, the important concept is the evaluation process. Companies need to understand and weigh the implications of their options, good and bad, to reach an informed decision.

In many organizations, security is still viewed as a necessary evil, rather than as a welcomed partner. In part, this is because security is often seen as an obstruction to new functionality in information technology. When properly aligned with other business interests, the offering of alternative, secure ways to implement business objectives actually fosters a collaborative and beneficial relationship.

MONITOR AND STAY VIGILANT

A large part of the critical security process is staying up-to-date on the latest trends and vulnerabilities. In the past 10 years, there has been a growing segment of the information security industry that offers services ranging from incident response retainers to virtual chief information security officers (CISOs), and

"Long before Darwin's theories and his book Origin of the Species was released, humans realized that the key to survival was adaptation. When the environment changed, those who were able to change along with it survived, those who were not perished."