For instance, the assessment data is unlikely to be exposed to competitors of the company's other customers. In addition, a company spends money and time on only one assessment, whose results it can then reuse.
When seeking an information-security assessment by a third party, mortgage companies should look for an assessment designed to reflect the relationship between the mortgage company and its vendors. For general information-security best practices, companies can mandate that their business partners comply with International Organization for Standardization standards. If the entities share credit card information, vendors must adhere to the payment-card-industry compliance controls appropriate for their transaction-volume level.
Third-party information-security firms are much like external financial auditors; it is in their best interest to be conservative about certifying a company's information-security posture. They differ from financial auditors in that their personnel focus only on analyzing a company's information security and not on how that information security supports financial data, as mandated by the Sarbanes-Oxley Act.
Much as a high-profile accounting firm is discredited when a customer is discovered to have questionable financial records or ethics, third-party information-security companies may be held accountable if they fail to discover problems in the organizations they audit.
Due diligence still needed
Third-party assessment experts can give mortgage companies assurance that an organization has at least a basic level of security. This essentially means that the information-security fundamentals are in place and verified: firewalls have been tested, up-to-date anti-virus software is installed on desktops, and basic processes (software development, change control, etc.) are present.
Other information-security aspects often must be verified as well, even if a company has a third-party seal of approval. These include processes specific to an industry (e.g., Health Insurance Portability and Accountability Act requirements for electronic medical and other client or personnel records) and other controls that a company's customers mandate, such as periodic employee background checks, logical user-access reviews, etc.
Companies therefore must still conduct their own due diligence.
Even so, a third-party information-security assessment can provide a mortgage company with independent validation of its security posture. With such an assessment in place, a customer can develop confidence in the company's information security.
Thomas Leary is a senior security analyst at Greensboro, N.C.-based AIG United Guaranty. AIG United Guaranty is a marketing term for United Guaranty Corp. and its subsidiaries. Leary holds the designations of certified information-systems-security professional and certified information-systems auditor. Reach him at firstname.lastname@example.org or (336) 335-7804. Visit www.ugcorp.com for more information.