As published in Scotsman Guide's Residential Edition, July 2008.
Legislation, regulation and customer contracts generally mandate that financial-services organizations, including mortgage companies, adhere to best practices for information security. Some companies also use third-party information-security specialists to assess whether they and their vendors have the appropriate controls in place.
If these companies are continually audited by internal and external auditors, government regulators and customers, however, why should they hire another firm?
For one reason: There's a distinct difference between being compliant with best practices and demonstrating this compliance for outsiders.
For some mortgage companies, the difficulty in demonstrating compliance arises from their need to protect customers' data from competitors. This often makes in-depth customer assessments impractical.
Because audits by internal and external auditors and government regulators are typically narrowly focused, companies may thus find that their best solution is a third-party, detailed information-security assessment.
To determine if a third-party information-security assessment is right for your mortgage company, consider what's involved in a typical assessment, as well as the additional security a third party may offer.
A typical assessment
Information-security professionals must gather information from a company about the controls and safeguards in place. To remain budget-conscious, such information is usually gathered through an in-house security assessment.
Unfortunately, these determinations often are based on limited information gathered through a questionnaire and a couple of conference calls. In-house information-security professionals rarely have the luxury of performing on-site reviews to verify the controls and measures in place personally. Instead, they often rely heavily on a company's vendors or business partners to represent their environment accurately. But when conclusions are based solely on questionnaire or phone responses, there is a risk of missing something.
The information-gathering tool's design is crucial to how well an analyst can determine an organization's information-security posture. A lot rides on how the tool is developed, including compliance with customer contracts and legislation. A number of considerations must be addressed during its development.
One obvious consideration is scope. Not only must organizations show that they follow best practices within their own organization, but they also must prove that the vendors with which they work also do so. Where does this responsibility stop? What about assessing the vendors that your vendors use? Customer data can be at risk with third-party vendors as well, so a company could actually bear some responsibility if security is breached.
Another concern is how broad the questions are. Questions about having firewalls and encryption on backup tapes are obvious. But what about information-security awareness training for users, generally the weakest link? What about the application-security methodology, which is fast becoming a favorite attack surface for hackers? Are background checks performed on everyone with access to the company's data? How does the company handle employment-termination procedures, user-access reviews and physical security of confidential information?